HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi erikloman

    Many thanks once again to all the Devs of HitmanPro.[Alert].
    Build 129 RC working without problems here. :thumb:

    Take Care
    TheQuest :cool:
     
    Last edited: Dec 21, 2014
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    For the brief time I had the unactivated copy of HMP.A 3 RC Build 129 on my machine I could not open Internet Explorer 11. The free version of MBAE kept blocking an Exploit attempt.

    HMP.A unactivated IS NOT yet compatible with the free version of MBAE, at least on my machine.

    Norton Security with Backup v22.1 + MBAE free + HMP.A RC Build 129. Windows 7 x64 SP1.

    Restoring a backup image pre HMP.A RC Build 129.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems installing build 129 (W7 64 bits).
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Error adding Spywareblaster 5 to template OTHER (build 129/W7 64 bits).

    Edit: Erik you need the Spywareblaster-dmpfile?
     

    Attached Files:

  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I can reproduce the issue.

    Though as a rule of thumb: do not add security software to Alert

    UPDATE:
    SpywareBlaster has an issue with the DEP mitigation. Uncheck DEP and it should start. Security software that cannot run with DEP enabled ... :isay:

    UPDATE 2: SpywareBlaster also does not have ASLR enabled on the binary o_O
     
Last edited: Dec 19, 2014
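The two observations in the post above (a program that cannot run once DEP is enforced, and a binary built without ASLR) correspond to bits in the PE optional header's DllCharacteristics field: IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040). The following is an added example written for this page, not code from HitmanPro.Alert or SpywareBlaster. It reads those bits, plus the base relocation directory, straight from a PE file; the header-only images it builds are constructed test input, and the function names (`pe_mitigation_flags`, `assess`, `build_header_only_pe`) are this example's own.

```python
import struct

# COFF and DllCharacteristics flags, as defined in the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report the opt-in mitigation bits."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+ alike.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories start at 96 (PE32) or 112 (PE32+); entry 5 is the base relocation table.
    dd_base = 112 if pe32plus else 96
    n_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]
    reloc_size = 0
    if n_dirs > 5 and opt_size >= dd_base + 6 * 8:
        _, reloc_size = struct.unpack_from("<II", data, opt + dd_base + 5 * 8)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "guard_cf": bool(dllchar & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        # A forced-ASLR loader can only move an image that did not opt in if the image
        # still carries relocation data; with relocations stripped it is pinned to its base.
        "relocatable": reloc_size > 0 and not relocs_stripped,
    }


def assess(flags: dict) -> list:
    """Turn the raw bits into the findings a reviewer would note about the binary."""
    findings = []
    if not flags["nx_compat"]:
        findings.append("DEP: NX_COMPAT not set; image does not opt in to DEP")
    if not flags["dynamic_base"]:
        if flags["relocatable"]:
            findings.append("ASLR: DYNAMIC_BASE not set, but relocations present (mandatory ASLR can rebase it)")
        else:
            findings.append("ASLR: DYNAMIC_BASE not set and no relocations; image loads at a fixed address")
    elif flags["pe32plus"] and not flags["high_entropy_va"]:
        findings.append("ASLR: 64-bit image without HIGH_ENTROPY_VA; limited randomization")
    return findings


def build_header_only_pe(pe32plus: bool, dllchar: int, coff_chars: int, reloc_size: int) -> bytes:
    """Constructed test input: a header-only image with no sections. Not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224          # 96/112 fixed bytes + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: Windows GUI (cosmetic)
    struct.pack_into("<H", opt, 70, dllchar)
    dd_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_base - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_base + 5 * 8, 0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a modern 64-bit build, a legacy 32-bit build with relocations stripped,
# and a 32-bit build that never opted in but still carries relocations.
HARDENED_IMAGE = build_header_only_pe(
    True,
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE, 0x100)
LEGACY_IMAGE = build_header_only_pe(
    False, 0, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_RELOCS_STRIPPED, 0)
RELOCATABLE_NO_OPTIN_IMAGE = build_header_only_pe(
    False, 0, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, 0x80)

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED_IMAGE), ("legacy", LEGACY_IMAGE),
                        ("relocatable", RELOCATABLE_NO_OPTIN_IMAGE)):
        print(name, assess(pe_mitigation_flags(image)) or ["no findings"])
```

Against a real file, call `pe_mitigation_flags(open(path, "rb").read())`. The relocation check is what decides whether a "Mandatory ASLR" style mitigation can help a binary that did not opt in: the loader can only rebase an image if base relocations are still present, so an image with IMAGE_FILE_RELOCS_STRIPPED set stays at its preferred address no matter what policy is applied. A missing NX_COMPAT bit, by contrast, does not stop DEP from being enforced by policy; it only means the program was never tested that way, which is exactly the situation described above when the application fails to start.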
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
I switched back into snapshot this morning, and the problem with the missing HMP scan was no longer evident. Also, I can update AVZ, too. However, I do run EIS in this snapshot, and I read that there have been problems.

[Attached screenshot: ScreenShot_Hmp.A_3.0.20 build 120_install_38.gif]
     
  7. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
Why do 125 users get the update later? Can we still download and install 129 over 125? Thanks :)

    Pete is running an internet security suite.. whooooo ! ;)

    Btw I am using ESET for ~2 weeks now and I like it a lot so far. There is room for improvement but it feels like it is the best security suite I have used so far.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes you can install 129 over 125. As a matter of fact I recommend updating to 129.
     
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Confirmed.
     
  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I tried to install a pdf-x viewer update today with the liveupdateool.exe. HMPA blocked it but didn't alert me until I killed the update process via task manager (was waiting for the setup to finish at 99% for like 10 minutes :p).
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What was the mitigation that triggered the alert? (look in the Windows Event Log).
    Can you point me to the update tool?
     
  12. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
The update tool is built in with PDF-XChange Viewer (free to download): http://www.tracker-software.com/product/pdf-xchange-viewer

Is that the info you need?
     
  13. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
V 129 seems to have resolved the slow start up and browsing speed in Opera 26, and HMPA works fine.

    However, addresses typed into address bar in IE11 are scrambled (search terms typed into Google are fine).

    Using EIS, Appguard and HMPA.
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  15. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
It happened on 125. I am now running 129 and the following happened:

Setup stopped at 99% again, HMPA had no warning and no event log. Still I had to end the setup.exe via task manager :/
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you remove the Lockdown mitigation from the application and retry the update ...
     
  17. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    Today during a scan, Emsisoft AM is detecting hmpnet.sys as Adware.BrowseFox.AO (B), two instances.
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Further to my earlier post, I have completed an over the top install of the latest RC. A selection of screenshots, as you can see.

[Attached screenshots: ScreenShot_Hmp.A_3.0.22 build 129_install_05.gif, ScreenShot_Hmp.A_3.0.22 build 129_install_09.gif, ScreenShot_Hmp.A_3.0.22 build 129_install_10.gif, ScreenShot_Hmp.A_3.0.22 build 129_install_13.gif, ScreenShot_Hmp.A_3.0.22 build 129_install_14.gif]
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you report these as false positives?
     
  20. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    It is done.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Sorry for the delay in getting back.
    I have Windows 7 SP1 x64 AMD operating system.
    I have HMP running with HMP.Alert - Emsisoft IS - AppGuard - Sandboxie (but not for IE11 or Chrome) and Shadow Defender (only used for testing)
This is much the same setup as Peter2150 has but I have never seen any start up issues. The IE11 problem only started with Build 125, I had no problems with bld 124 at all. All problems disappear if I uninstall EIS.
    Anything else you want me to try or any logs I can provide to help solve this?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    When a mitigation is triggered it can be sent to the backend. This way users can be protected _before_ a mitigation is triggered. Source code is not sent to the backend.
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
Can't test it as the update finished even though I killed the setup process.. so no new update available to test :S
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3 version 3.0.22.129 Release Candidate

    HitmanPro.Alert version 3 introduces Exploit Mitigations, of which its hardware-assisted Control-Flow Integrity (CFI) technology is perhaps its most striking feature. CFI is a technique to prevent flow of control not intended by the original application, without requiring the source code or debug symbols of the protected application. With CFI, HitmanPro.Alert 3 effectively stops attackers that hijack control-flow to combine short pieces of benign code, already present in a system, for a malicious purpose; a so-called return-oriented programming (ROP) attack. This capability is achieved by programming and leveraging a hardware feature in modern Intel® Core™ processors to track code execution and assist in the detection of attacks in real-time – an industry-first method not found in any other security product.

    Besides a performance advantage, employing hardware traced records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which is (especially in case of a ROP attack) in control of the attacker.

Cybercriminals and hackers are becoming increasingly proficient in finding and attacking previously unknown vulnerabilities to bypass antivirus software as well as memory protections (DEP+ASLR) to silently infiltrate computers. Well known cases that led to the discovery of zero-day attacks, like Operation SnowMan[1], GreedyWonk[2] and Clandestine Fox[3] (all uncovered by security firm FireEye), show that attackers are adept at creating malware (shellcode) by borrowing instructions from legitimate applications running on the victim computer – a ROP attack. Antivirus software is not designed to block this as there are no malicious processes or files involved. HitmanPro.Alert version 3 is built to stop existing and future attacks whether they are conducted by exploit kits or (foreign) nation-state hackers, without requiring prior knowledge of attacks or abused vulnerabilities.

    Besides Exploit Mitigations, HitmanPro.Alert 3 also offers Application Lockdown, which prevents abuse of logic-flaw vulnerabilities and stops macros in Office documents from hoisting in malware. It also protects business environments that are bound to run outdated software, including Java-based company applications.
    HitmanPro.Alert 3 also offers Man-in-the-Browser Intruder Detection (Safe Browsing), Cryptolocker Protection (CryptoGuard), System Vaccination, Webcam Notifier, Keystroke Encryption, BadUSB Protection and our acclaimed HitmanPro on-demand forensics-based Anti-Malware. Together they aim to disrupt the Cyber Attack Life-Cycle:

[Image: Cyber-Attack-Life-Cycle.png]

    DOWNLOAD
    The file hmpalert.exe inside the ZIP archive installs the software and requires just 5 MB of free disk space. It runs on 32-bit and 64-bit versions of Windows XP SP3, Windows Vista, Windows 7, Windows 8 and Windows 8.1.

The ZIP archive also contains version 1.4 of our Exploit Test Tool, which contains 27 tests to check a PC's security posture or verify the correct working of HitmanPro.Alert. The exploit techniques performed by the Exploit Test Tool are not malicious and are safe to use.


    HITMANPRO.ALERT 3 FEATURE OVERVIEW
• Install-and-Forget: Signature-less protection suitable for Home Users, Power Users and IT Professionals
• Exploit Mitigations (Anti-Exploit): Aims to stop attackers from exploiting software vulnerabilities
• Fine-grained Exploit Mitigation Settings: Allows experienced computer users to change individual mitigations, per application
• On-demand Malware Detection and Remediation: Integrated Anti-Malware scanner
• BadUSB Protection: Blocks malicious USB devices that pose as a keyboard
• Safe Browsing (Man-in-the-Browser Detection): Warns when malware manipulates the browser; behavior-based
• Active Vaccination: Makes sandbox-aware malware self-terminate
• CryptoGuard: Protects your data against CryptoLocker, CryptoWall, TorrentLocker, OphionLocker, CoinVault and variants; behavior-based
• Webcam Notifier: Blocks the webcam when it is (secretly) accessed
• Keystroke Encryption: Protects credentials against keyloggers in the browser
• Hollow Process Protection: Protects the main executable of a process against unmapping
• Network Lockdown: Helps to stop attacks that connect back to command-and-control
• Full 64-bit Support: Offers 64-bit applications the same protection as 32-bit applications
• Software Radar: Automatically protects new browsers, plug-ins, media and office applications
• Easy-to-Use High DPI User Interface: Suitable for Home Users, Power Users and IT Pros
• Advanced Exploit Reporting: Logs advanced technical data for forensic threat analysis
• Multilingual User Interface: English, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Brazilian Portuguese, Russian, Spanish
• Antivirus Compatible: Runs alongside third-party antivirus or internet security software
ANTI-EXPLOIT // CODE MITIGATIONS
• SEHOP: Stops abuse of the structured exception handler
• Stack Pivot: Stops abuse of the stack pointer
• Stack Exec: Stops attacker's code on the stack
• Software Stack-based Anti-ROP: Stops return-oriented programming (ROP) attacks (part of Control-Flow Integrity)
• Hardware-assisted Branch-based Anti-ROP: Programs the microprocessor to stop ROP attacks (part of Control-Flow Integrity)
• Import Address Table Filtering (IAF): Prevents attackers from snooping function addresses (part of Control-Flow Integrity)
• Caller Check: Stops processes called from attacker-controlled memory (part of Control-Flow Integrity)
• Load Library: Stops modules that load from insecure network paths
• Application Lockdown: Prevents abuse of logic flaws and stops attacks that bypass mitigations (incl. Office macros)
ANTI-EXPLOIT // MEMORY MITIGATIONS
• Enforce DEP: Prevents abuse of buffer overflows
• Mandatory ASLR: Prevents predictable code locations
• Pseudo ASLR for Windows XP and Windows Server 2003: Prevents predictable code locations of modules on legacy Windows (part of Mandatory ASLR)
• Bottom Up ASLR: Improves code location randomization (ASLR)
• Null Page: Stops exploits that jump via page 0
• Heap Spray Pre-Allocation: Stops attacks that start via common memory addresses on the heap (part of Dynamic Heap Spray)
• Dynamic Heap Spray: Stops exploits that start via the heap; behavior-based

SCREENSHOTS

[Screenshots: Install.png, UI Advanced.png, Exploit Mitigations.png, CryptoGuard.png]

    [1] http://www.fireeye.com/blog/technic...ises-us-veterans-of-foreign-wars-website.html
    [2] http://www.fireeye.com/blog/technic...omised-serving-up-flash-zero-day-exploit.html
    [3] http://www.fireeye.com/blog/uncateg...hrough-11-identified-in-targeted-attacks.html
     
    Last edited: Dec 23, 2014
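The announcement above contrasts a branch-record based ROP check with stack-based ones: the stack is data the attacker has already overwritten, whereas a record of branches the processor actually took is not. The simplest check that can be run over such records is "does every return land immediately after a call instruction?", since a genuine RET goes back to the instruction following the CALL that created its frame, while a ROP chain returns into gadget starts of the attacker's choosing. The block below is an added example written for this page, not HitmanPro.Alert's own logic; the thread does not describe the product's internal checks beyond the feature list. The code map, the addresses and the branch records are constructed stand-ins (a real implementation would read the last-branch-record registers and disassemble the target process), and the function names are this example's own.

```python
# Constructed stand-in for a disassembler: address -> (mnemonic, instruction length in bytes).
CODE = {
    0x1000: ("push rbp", 1),
    0x1001: ("mov rbp, rsp", 3),
    0x1004: ("call 0x2000", 5),      # the return address for this call is 0x1009
    0x1009: ("pop rbp", 1),
    0x100A: ("ret", 1),
    0x2000: ("mov rax, [rsp+8]", 5),
    0x2005: ("ret", 1),
    0x3000: ("pop rdi", 1),          # "pop rdi; ret" gadget: its start is not call-preceded
    0x3001: ("ret", 1),
    0x3002: ("pop rsi", 1),          # "pop rsi; ret" gadget
    0x3003: ("ret", 1),
}


def instructions_by_end(code):
    """Map each instruction's end address to its start address, so the instruction that
    immediately precedes a given address can be found without disassembling backwards."""
    return {addr + length: addr for addr, (_, length) in code.items()}


def check_return_records(records, code=CODE):
    """Examine (from, to) pairs in the shape a last-branch-record buffer provides and
    return every RET whose target is not the instruction right after a CALL.
    Each violation is (from, to, reason)."""
    by_end = instructions_by_end(code)
    violations = []
    for src, dst in records:
        ins = code.get(src)
        if ins is None:
            violations.append((src, dst, "branch from address outside known code"))
            continue
        if ins[0] != "ret":
            continue                      # only return branches are subject to this check
        prev = by_end.get(dst)
        if prev is None:
            violations.append((src, dst, "return target is not an instruction boundary in known code"))
        elif not code[prev][0].startswith("call"):
            violations.append((src, dst, "return target follows '%s', not a call" % code[prev][0]))
    return violations


# Constructed records: a normal call/return pair, then a three-gadget chain that begins
# when the function at 0x2000 returns into attacker-supplied addresses.
BENIGN_RECORDS = [(0x1004, 0x2000), (0x2005, 0x1009)]
ROP_RECORDS = [(0x2005, 0x3000), (0x3001, 0x3002), (0x3003, 0x2000)]

if __name__ == "__main__":
    print("benign:", check_return_records(BENIGN_RECORDS))
    for src, dst, why in check_return_records(ROP_RECORDS):
        print("suspicious return 0x%x -> 0x%x: %s" % (src, dst, why))
```

The same predicate can be applied to return addresses read off the stack, which is what a stack-walking check does; the difference the announcement points at is the provenance of the input. A ROP payload can leave a clean-looking set of call-preceded return addresses on the stack for a walker to find, but it cannot rewrite the branches the processor has already recorded. The heuristic is not complete on its own: an attacker who restricts the chain to gadgets that happen to start right after a CALL passes this test, which is why such checks are combined with others (stack pointer range, caller checks, IAT filtering) and evaluated at the moment a sensitive API is entered rather than continuously.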
  25. JM42

    JM42 Registered Member

    Joined:
    Dec 19, 2014
    Posts:
    1
    HitmanProAlert keeps on blocking Dropbox.exe and therefore stopping dropbox syncing. Please can you fix this, otherwise it will be uninstalled so dropbox works OK!
     