HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Kees

    It's obvious you don't like the product and that's fine, but why bother with this thread.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Hiltihome - It also encrypts files that do not reside in the Windows directory (all document-related stuff of course, as well as exe, dll, etc.). The system is essentially trashed.
     
  3. @Peter2150

    I am not "not liking" any software product. I am not against or for a software product.

    I am just commenting on strange answers. Do you agree with "We try hard .. where others don't"?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't think it matters. I would hate to have every word I wrote parsed that strongly. I don't think any of us is that perfect.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    @ Cruelsister

    I would have 2 questions:

    1) Is the ransomware unsigned?
    2) What was the UAC setup in the video?

    TH.
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I was referring to the fact that we provide specific features that other vendors do not have/invest in. AVs invest in getting better/quicker signatures in their labs. IMO this doesn't work.

    The fact that we were acquired 3 months ago doesn't mean that our software team suddenly became bigger. In fact, it got smaller due to integration with Sophos products (fewer people working on features and improvements). You must have noticed it's quieter here in the thread as well. Working for a big company means answering tons of email. Money suddenly doesn't buy extra software developers with a malware mindset; they are extremely hard to come by.

    On the development side I am sure things will improve in the near future. Alert 3.5 is around the corner with CryptoGuard v4 (mentioned before), additional anti-exploit features and many overall improvements under the hood including whitelisting.
     
    Last edited: Mar 14, 2016
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    I found that disabling (only) Control-Flow Integrity (ROP) for Windows 7 Media Center makes it possible to watch live TV once again.

    Is there a risk to doing this?
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It is the toughest feature, so disabling it has impact. Can you send the technical details of the alert via PM?
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,304
    Location:
    USA
    Erik - What is the future of HMP and HMPA? I just recently switched to HMPA from MBAE. I noticed Mark is no longer participating in this thread. Is development going by the wayside now because of the Sophos acquisition? Looking back, it seems like whenever there is an acquisition the original product is usually abandoned by the new company.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    @erikloman ,

    Hi Erik,
    Could you check your PMs please.

    Thanks.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HMP and HMPA are getting new versions and updates. I admit, it is quieter in this thread. Mark is extremely busy with getting SurfRight and Sophos aligned. That means answering a lot of email and conference calls. On the dev side we are working on Sophos integration and Alert 3.5. Some features for Sophos also make it into the Alert mainstream builds, so it is not a one-way direction.

    Hope this helps.
     
    Last edited: Mar 14, 2016
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Cyber Security is a $75B industry. Who gives a crap about a few million; that is not what we are in it for (at least not me). We aim to build protection for things that don't exist yet. And sorry we did not have protection for this single one in the current public build.
    With over 25M users, not one of our customers/users ran into this specific Winlocky variant, nor reported it to us. Since the sample is apparently half a year old, it's a bit of a single case. That doesn't mean we won't investigate how this critter works; it might become prevalent. So we are very happy that this was brought to our attention. You can be sure we are not sitting on our butts counting money, so I'd appreciate it if you'd let go of the hate towards us, which is frankly unfounded and undermines your credibility a bit. You sometimes have valuable points and we hope you keep those coming.
    Again, Cyber Security is a $75B industry and the headlines are full of stories of networks being hit, including police, hospitals and the elderly couple who were writing a book for their grandson about their lives. They all lost documents. Sophos would not have bought us if we made something they already had or could create within a considerable amount of time. And they were not the only big players who tried to buy us.

    Update: CryptoGuard 4, which is in HMPA 3.5 build 5xx and up, protects to some extent against this Winlocky; the perpetrator is blocked from modifying documents and photos but the machine is still locked as CryptoGuard is purpose built to handle the crypto attack only. HitmanPro.Kickstart can unlock the desktop, so it's a bit of a hassle but the documents and photos are unaffected.
     
    Last edited: Mar 14, 2016
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    Erik, sent you a mail with a dmp.
     
  14. I commented on two posts of your brother: first about results being more important than features, second on the "We try hard .. to provide what others don't". He explained that he was referring to specific features which HMPA provides and others don't. You have to admit that without this addition it is a strange statement.

    Why are you responding after your brother has just explained what he was referring to? By the tone of your response it sounds like you have got an issue. So I am not responding to your remarks about hate and credibility.
     
    Last edited by a moderator: Mar 14, 2016
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Q: HitmanPro.Kickstart support for W8.1/10....?
    Last I heard, support was for pre-W8...
    Thanks
     
  16. hjlbx

    hjlbx Guest

    No support yet for W10.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Sounds to me like a "rogue" or dimwit, as has happened before, modified a copy of Locky to inflict maximum damage. Encrypting all files makes no sense if ransom was the objective.
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,304
    Location:
    USA
    Thanks Erik - HMPA working well with EIS and AppGuard so I am hoping it is around for a while.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We ran the sample and Alert does block it when the sample reaches protected file extensions. You can see this if you leave the Alert GUI open when running the sample. If you let the sample run, click on CryptoGuard (at the orange tile) and you'll see a process is blocked.

    So the sample first starts on EXE and DLL files (trashing the system), then it encrypts the personal content like documents and images. When it reaches these, Alert's driver kicks in and blocks additional encryption. Yet, harm was already done on the EXE and DLL files (these are not protected by CryptoGuard, yet).

    Basically it looks more like a KillDisk (e.g. DarkSeoul) than Ransomware.

    I smell new feature for Alert ;)
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    500
    Location:
    italy
    glad to know!
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    500
    Location:
    italy
    Out of curiosity, what about Cerber ransomware?

    Do you have more info on the UAC bypass? (Is it 'intercepted' with UAC at the highest level? And what about a user that doesn't belong to the administrator group?)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK so HMPA does pass the test? Perhaps you should also watch for file modification of executables.

    Can you perhaps give some more info about why WinAntiRansom does pass the test? What does it exactly monitor, have you figured this out?

    I was just about to ask this. I wonder if HMPA's Process Protection feature would have stopped the UAC bypass. It seems to use a form of process hollowing.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    WinAntiRansom, among other things, sets up safe folders, where only approved apps can touch files. Kinda like Secure Folders.
     
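The two protection models discussed in posts 19 and 23 above, as an added illustration that is not code from HitmanPro.Alert, WinAntiRansom, or anyone in this thread: a CryptoGuard-style rule that stops a process after it rewrites a few files of protected document/image types, beside a safe-folder rule that only lets approved applications write inside a protected folder. The extension list, the folder, the approved-app list, the threshold, the process name "sample.exe" and the event trace are all constructed assumptions; the trace follows the order Erik reports (EXE/DLL rewrites first, personal documents afterwards) so the gap he describes is visible in the results.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed policy inputs (hypothetical; not the settings of any real product).
PROTECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png"}
SAFE_FOLDERS = [PureWindowsPath(r"C:\Users\alice\Documents")]
APPROVED_APPS = {"winword.exe", "explorer.exe"}


@dataclass
class WriteEvent:
    """One file rewrite as a (hypothetical) file-system filter would report it."""
    process: str  # image name of the writing process
    path: str     # file being overwritten


@dataclass
class Verdict:
    allowed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    blocked_processes: set = field(default_factory=set)


def extension_policy(events, threshold=3):
    """Extension-based rule: count rewrites of protected document/image types per
    process and stop the process once the count reaches `threshold`. Rewrites of
    unprotected types (EXE, DLL, ...) and the first rewrites before the threshold
    go through, which is the gap described in post 19."""
    verdict = Verdict()
    hits = {}
    for ev in events:
        if ev.process in verdict.blocked_processes:
            verdict.blocked.append(ev.path)  # process already stopped
            continue
        ext = PureWindowsPath(ev.path).suffix.lower()
        if ext in PROTECTED_EXTENSIONS:
            hits[ev.process] = hits.get(ev.process, 0) + 1
            if hits[ev.process] >= threshold:
                verdict.blocked_processes.add(ev.process)
                verdict.blocked.append(ev.path)
                continue
        verdict.allowed.append(ev.path)
    return verdict


def safe_folder_policy(events):
    """Safe-folder rule as described in post 23: inside a protected folder only
    approved applications may write, whatever the file type. Files outside the
    folder (the system EXE/DLL rewrites here) are not covered by this rule."""
    verdict = Verdict()
    for ev in events:
        path = PureWindowsPath(ev.path)
        inside = any(folder in path.parents for folder in SAFE_FOLDERS)
        if inside and ev.process.lower() not in APPROVED_APPS:
            verdict.blocked.append(ev.path)
            verdict.blocked_processes.add(ev.process)
        else:
            verdict.allowed.append(ev.path)
    return verdict


# Constructed event trace: EXE/DLL rewrites first, then personal documents,
# followed by one legitimate Word save.
SAMPLE_EVENTS = [
    WriteEvent("sample.exe", r"C:\Windows\System32\somelib.dll"),
    WriteEvent("sample.exe", r"C:\Program Files\App\app.exe"),
    WriteEvent("sample.exe", r"C:\Users\alice\Documents\thesis.docx"),
    WriteEvent("sample.exe", r"C:\Users\alice\Documents\budget.xlsx"),
    WriteEvent("sample.exe", r"C:\Users\alice\Documents\photo.jpg"),
    WriteEvent("sample.exe", r"C:\Users\alice\Documents\notes.pdf"),
    WriteEvent("winword.exe", r"C:\Users\alice\Documents\letter.docx"),
]


def compare_policies(events=SAMPLE_EVENTS):
    """Return (allowed, blocked) rewrite counts for each policy."""
    ext = extension_policy(events)
    folder = safe_folder_policy(events)
    return {
        "extension": (len(ext.allowed), len(ext.blocked)),
        "safe_folder": (len(folder.allowed), len(folder.blocked)),
    }


if __name__ == "__main__":
    for name, (allowed, blocked) in compare_policies().items():
        print(f"{name:12s} allowed={allowed} blocked={blocked}")
```

On the constructed trace the extension rule lets the two executable rewrites and the first two documents through before it stops the process, while the safe-folder rule denies every non-approved write to the folder from the first document on but never sees the executables outside it. Neither rule on its own covers executables system-wide, which is the feature gap post 19 points at.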
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Surely it must be more advanced, since it kills the ransomware process within seconds with the "PreEmptive Strike" feature. I believe "SafeZone" is just one of its extra features. So perhaps my last comment in the WinAntiRansom thread was not correct, it seems to be more advanced than I thought.
     
    Last edited: Mar 15, 2016
  25. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I just installed HitmanPro.Alert (v3.1.8 build 360), for the first time yesterday. Nice! But, it immediately broke Virtualbox v5.0.16 due to the hardening issue (since Vbox v4.3.14). I had tested Virtualbox prior to the HMPA install and it worked fine then. I have had problems with security software, namely Avira, causing this issue with Virtualbox in the past. So I made sure to test prior to installing any new security software.

    Avira recently fixed their conflict, so I was wondering if this is an open issue with the HMPA devs?

    I tried disabling all of the exploit mitigation and risk reduction, rebooted, but still no luck.

    I had to buy a license for HitmanPro.Alert due to being unable to run the trial to test for conflicts. Looks like I may need to uninstall it to get Virtualbox running again.

    Running Windows 7 Pro 32-bit, with Avira as only other realtime security software. Also use Windows firewall and the on-demand Malwarebytes MBAM Free scanner.
     