HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Problem still exists with build 130 :(
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Build 130 automatically downgrades to build 129 so after reboot MBAE will throw the warning again. We're checking things and might decide to automatically update everybody to build 130 later today.
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Could you post some details of the alert that HMPA is showing? Click on 'Technical details' when the alert is shown and copy and paste the data (or screenshot). We are unable to reproduce and seek more information.
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    If you're able to post a screenshot of the 'Technical details' shown in the alert, that would help a lot!
    We're pretty eager on diving into this as it seems that Dropbox is altering your data.
     
  5. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Is there any known issue or conflict while using HMPA and Kaspersky software?
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Really? It doesn't update until reboot for me, and stayed working with MBAE as build 130 so far. Already implemented?
    *Nevermind, it said an update is available and asked me to reboot again. Obviously not going to.

    And I would like to ask about Prey compatibility once again if you don't mind.
     
    Last edited: Dec 20, 2014
  7. guest

    guest Guest

    I'm on win8 using MBAE premium and HPA v3 129 FREE and apparently it is working fine, no conflicts, crashes or warnings.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Folks, I'll say it again. Trying to mix MBAE and HMPA is a bad idea. Erik can fix HMPA, and then a change in MBAE breaks it again. Choose one or the other and stick with it. Trying to mix the two because of the lack of them in the free versions will just keep leading to the problems. The solution is to buy one. That's life.
     
  9. guest

    guest Guest

    I have tested the mitigation capabilities of both MBAE and HMPA and I can say that they offer roughly the same level of protection. I would advise MBAE if you don't want to configure anything by yourself and HMPA if you want more advanced options.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, but are you sure that they offer the same level of protection? Please look here at what HMPA 3 actually offers:
    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-128#post-2438835

    I just don't think MBAE premium offers that much at all, so I don't know what to say about your testing MBAE and HMPA 3.
    I mean HMPA 3 offers so much more than just exploit mitigations, it offers:
    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-128#post-2438835

    Please, also read this:
    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-127#post-2438170

    Now when you read all of this in detail, can you again say and 100% confirm that MBAE premium and HMPA 3 both offer the same level of protection? I don't think so. Of course, maybe I'm just simply/plain wrong and maybe I'm just making completely wrong conclusions.
     
    Last edited: Dec 20, 2014
  11. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    Windows 7, 64 bit.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I just started using HMPA again after not using it for a few months. When I start Chrome, sometimes I get an Application error message for Chrome.exe about some kind of exception. Also, does HMPA 2.6.5 have any problems running with MBAE like it has in the past?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do not make this the other way around. It was MBAE that had an issue with Alert 2.6.5.
     
  14. guest

    guest Guest

    Okay, let me rephrase my statement: I have tested the exploit mitigations and they are comparable. Of course HMP.Alert 3 contains more secondary 'protection' mechanisms, but those are not key features of HMP.Alert 3.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert 3 is install-and-forget. You do not have to configure it. But if you want to, you can, up to every detail.
    Alert has both a simple and advanced interface to support both types of users where the simple interface is default.

    Also in terms of exploit mitigations, the hardware-assistance offers unprecedented detection of advanced exploit attacks. For example it detects various attacks that bypass EMET via CALL gadgets (http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf). Our Exploit Test Tool has this exact test.

    Some attacks are probing whether EMET is protecting the attack surface (https://www.fireeye.com/blog/threat...ises-us-veterans-of-foreign-wars-website.html).
    So you see exploit writers are very much aware of what they are up against and how they can bypass mitigations.

    Hardware-assistance does offer better protection because it tells you what the CPU has been up to, it cannot be faked. In other words, if a ROP is in progress, the CPU can tell you. Unlike the stack which is under control of the attacker.

    Hope this helps.
     
    Last edited: Dec 20, 2014
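    The point made above, that a stack walk can be fooled because the stack is attacker-controlled while the CPU's own branch history cannot, can be illustrated with a small simulation. This is an added example, not HitmanPro.Alert code; the code memory map, addresses and branch records are all constructed here and stand in for what a branch-recording facility such as LBR would report.

    ```python
    # Constructed toy model: a stack-walk ROP check versus a branch-record check.
    # CODE maps hypothetical addresses to (mnemonic, instruction length in bytes).
    CODE = {
        0x1000: ("call 0x2000", 5),   # legitimate call into function at 0x2000
        0x1005: ("mov rax, rbx", 3),  # legitimate return site (call-preceded)
        0x2000: ("push rbp", 1),
        0x2001: ("ret", 1),           # function epilogue
        0x3000: ("pop rdi", 1),       # gadget 1 (not call-preceded)
        0x3001: ("ret", 1),
        0x3010: ("pop rsi", 1),       # gadget 2 (not call-preceded)
        0x3011: ("ret", 1),
    }

    def is_call_preceded(addr):
        """True if the instruction ending exactly at addr is a CALL."""
        return any(a + ln == addr and mn.startswith("call")
                   for a, (mn, ln) in CODE.items())

    def stack_walk_check(return_addrs):
        """Software check: every return address on the stack must be call-preceded.
        The input is attacker-controlled, so a forged stack can satisfy it."""
        return all(is_call_preceded(r) for r in return_addrs)

    def branch_record_check(records):
        """Hardware-style check over (kind, src, dst) branch records, oldest first.
        Each RET must land on the fall-through of the most recent unmatched CALL;
        a RET that does not pair with a CALL is the signature of a gadget chain."""
        shadow = []                               # expected return addresses
        for kind, src, dst in records:
            if kind == "call":
                shadow.append(src + CODE[src][1])
            elif kind == "ret":
                if not shadow or shadow.pop() != dst:
                    return False
        return True

    # Constructed traces: a normal call/return, and a chain where the epilogue's
    # RET has been redirected into gadgets before finally landing on 0x1005.
    LEGIT_TRACE = [("call", 0x1000, 0x2000), ("ret", 0x2001, 0x1005)]
    ROP_TRACE = [("call", 0x1000, 0x2000), ("ret", 0x2001, 0x3000),
                 ("ret", 0x3001, 0x3010), ("ret", 0x3011, 0x1005)]
    # A stack the attacker has tidied up so only a call-preceded address remains.
    FORGED_STACK = [0x1005]

    if __name__ == "__main__":
        print("forged stack passes stack walk:", stack_walk_check(FORGED_STACK))
        print("branch records flag the chain:", not branch_record_check(ROP_TRACE))
    ```

    The forged stack passes the software walk while the same execution is caught by the branch-record pairing, which is why the CPU-side evidence is the one that cannot be faked.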
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I agree, especially after reading all these problem reports, almost all are caused by combining MBAE with HMPA. In theory, HMPA (free version) should not interfere with MBAE, but in practice it's apparently difficult to stay compatible. No wonder, because they both monitor the same memory areas. I would expect that tools like Webroot ID Shield and Trusteer will almost for sure also cause problems when combined with MBAE/HMPA/EMET.

    What do you think about MBAE not being able to stop certain tests from the HMPA exploit testing tool? And can you tell me a bit more about your testing methods?
     
  17. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    More info: if I open HMPA under safe browsing there are 2 IE icons, if I click on one it opens a box that shows your web browsers, it lists 2 for IE, one is iexplore.exe (32 bit) and the other iexplore.exe. If I use HMPA to open IE by clicking on "open browser", the 32 bit application does not have the green border or encryption, the other one, iexplore.exe, has both. So I guess when I'm clicking on my IE icon on the desktop it opens the 32 bit version instead of the 64 bit version.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The fact that you see problems with Alert 3 is because you are part of its development.

    Compare it to a car. Once it is in the shop you just buy and drive it, not knowing that the engineers went through hell getting that V6 engine to run smoothly in that mini ;)
     
    Last edited: Dec 20, 2014
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I think the 32-bit browser is added to the Office template. That was an issue with the CTP4 release. This way the 32-bit browser does not get the green border or encryption. The RC picks up the CTP4 settings.

    To resolve, delete the iexplore.exe (32-bit) from the list of Applications. Restart the Alert service so that it picks up the 32-bit browser again.

    In the final there will be a reset settings option.
     
  20. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    Ok, please explain how to delete it because I can't figure out how to do it. Also, I uninstalled MBAE to see if it would make a difference, it didn't.
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    1. Open HitmanPro.Alert user interface by clicking on its tray icon (or click on the flyout)
    2. Switch to Advanced Mode via the gear icon next to the minimize window button (top right)
    3. Click on the blue tile
    4. Click Applications
    5. Click iexplore.exe (32-bit) listed under OFFICE
    6. Click Remove mitigations
     
  22. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    I reported this instance of two IE11 icons previously in one of my posts re encrypted text in IE11 address bar which by the way I am still awaiting a reply on. It does seem that all my posts are being ignored.
    I have just opened the hmp.Alert interface following your instructions above and both my icons are listed under browsers. Is that correct?
     
  23. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
    Just for information:

    I was able to bypass the FTP > NAS upload stalling issue by enabling "active mode" rather than passive mode in Filezilla - the stalling issues have gone away

    Not a fix of course, but maybe the cause of the problem can be narrowed down.

    (RC 129 working fine otherwise, no other problems noticed)
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I appreciate your concern on this but I am still hoping that MBAE free version and HMP.A 3 free version without exploit mitigations can cohabit on the same machine.

    "The solution is to buy one. That's life."

    Not everyone is made of money. That too is life.
     
  25. guest

    guest Guest

    First of all: Excuse me for my English.

    The testing tool that is provided with HMPA specifically focuses on proving that HMPA works. ( It works ;) )
    So I'm not surprised that some tests will 'be unsuccessful' when tested against MBAE. (http://postimg.org/image/4v1klhp11/)

    Most exploitation attempts will target Internet Explorer/Flash with memory corruption vulnerabilities, Java or MS Office with malicious macros through generally known delivery methods which are also detected by MBAE. But also a number of more exotic tests are present in the testing tool that you probably won't find in the wild that quickly.
    I would even be surprised if any professional (with knowledge of vulnerability research) would trust 'evidence' based on a tool that simulates 'attacks'. Furthermore I wouldn't be surprised if 99% of the users of the testing tool don't understand *any* of the techniques simulated.

    Let me mention that this criticism was only focused on the testing tool and *NOT* on HMPA or MBAE. Both tools do a good job in stopping the vast majority of exploitation attempts without a loss of performance, period.

    About the testing I performed:
    I was originally writing a long post about it, but I didn't make a back-up of my progress before I accidentally reloaded this page ... (Bye bye 30 minutes of typing)

    I tested MBAE and HMPA with:
    - Java
    - Internet Explorer on Windows 7

    The big question: Can MBAE and HMPA be bypassed? Of course, it isn't even that difficult on a physical machine with hardware assisted CFI.
     
    Last edited by a moderator: Dec 20, 2014