This is a dedicated thread to discuss Public BETA and Public CTP builds of HitmanPro.Alert. Latest BETA is mentioned in this post: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-7#post-2683278
HitmanPro.Alert 3.7 Build 708 Community Technology Preview 2 (CTP2)

Surprise... Due to overwhelming feedback on the Private CTP1 build we decided to make the CTP2 release a Public Beta!

In order to keep the BETA and CTP feedback separated from the Support and Discussion thread we created this new thread dedicated to discussing BETA and CTP builds. Otherwise people might think issues reported in the BETA and CTP builds are also in the stable releases. We need your feedback to make sure the new HitmanPro.Alert mitigations run alongside other security products.

New Features in version 3.7
- Real-time Anti-Malware: Works with the HitmanPro cloud.
- Credential Theft Protection: Prevents theft of authentication passwords and hash information from memory, registry and disk. Prevents Mimikatz-style attacks.
- Local Privilege Guard: Prevents exploits of the operating system kernel. Prevents an attacker from using the privilege information of another process.
- Code Cave mitigation: Stops backdoors in trusted code.
- Sticky Keys mitigation: Prevents misuse of the Microsoft Sticky Keys feature, usually used by attackers to gain persistence.
- Asynchronous Procedure Call (APC) mitigation: Stops code injection via APC (e.g. DoublePulsar and AtomBombing attacks).
- Application Verifier mitigation: Prevents misuse of the Application Verifier feature of Windows (e.g. DoubleAgent attack).
- Malicious Process Migration: Detects remote reflective DLL injection used to move laterally between processes.
Changelog (compared to CTP1)
- Added DoublePulsar detection to APC mitigation
- Added compatibility with QEMU/KVM hypervisor
- Improved Anti-Malware component
- Improved CodeCave mitigation
- Improved Local Privilege Guard mitigation
- Improved Asynchronous Procedure Call (APC) mitigation
- Improved DLL injection mitigation (respects Trustlets)
- Improved CryptoGuard 4.9
- Improved installer
- Fixed CodeCave false positives
- Fixed PrivGuard false positives
- Fixed APCViolation false positives
- Fixed BSOD when installing Alert in QEMU/KVM
- Fixed BSOD caused in minifilter (introduced since 701)
- Fixed iTunes compatibility
- Fixed compatibility with Steam apps
- Fixed typo in German translation ("Offene Browser")

Notes
- Do NOT run this build on production environments. This is BETA software.
- This build has Microsoft co-signed drivers.
- This build triggers PrivGuard false positives when running Sandboxie sandboxed processes. We are looking into this and aiming to get this fixed as soon as possible.

Download
http://test.hitmanpro.com/hmpalert3b708.exe

Make sure to report the Technical Details of a potential false positive. If you hit a compatibility issue, make sure you mention which version of Windows you are running and what security products you have installed.

Happy testing, and let us know how this build runs on your computer in this brand new thread.
--deleted CTP1 comments per request.-- Re-edit: No BadUSB so far. No impacts on startup/restart so far. BadUSB and Keystroke Encryption work well so far. When trying the anti-malware, this mitigation came up at 99% complete and is reproducible:
I thought that was fixed in this build. Guess not.

We plan on rolling another update later this week with several minor fixes. A fix for this will definitely go in.
Hello @erikloman, All of the issues that I experienced and discussed with you in PM with CTP1 seem to be fixed now, except for the Credential Theft Protection (CredGuard) alert when running a HitmanPro scan (also reported by others). I will be watching over several reboots to see how it goes but so far great improvements over CTP1...
When testing against real malware is where this build shines. A new feature, a red fly out when malware has been detected. Cool.
Yes, this is a good new feature. Will there be an updated build of HitmanPro, or are you doing the fix within HMP.A?
I uninstalled CTP1, prior to installing CTP2, but CTP2 remembered the alert count. How to reset alert count?
Hello @Hiltihome, open the "Windows Event Viewer" > "Windows Logs" > "Application" and, under "Actions", choose "Clear Log". HTH...
@puff-m-d: (struck through: that does not work for CTP.) I deleted hmpalert.xml, but after reboot the alert count is back. Edit: deleting all events cleared the counter, but that's not elegant. THX (Win7-64, Bitdefender Free 2016, fresh install 3 weeks back)
Hello @Hiltihome, HMP.A stores its alerts in the Windows Application log and allows you to view them via a snap-in (Custom View) by clicking on either "Number of alerts" or "Last alert" in the HMP.A GUI. I am fairly sure that it is pulling the counts from there also, hence when you clear the Application log the counter resets to zero. As far as I know, that is the only way to reset the counter...
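Since the posts above say the GUI counter is derived from the Windows Application log, the same events can be counted and exported from PowerShell without clearing the whole log. The script below is an added example for this thread, not code from the HitmanPro.Alert product or the posters; the provider name 'HitmanPro.Alert' is an assumption (check the Source column in Event Viewer and adjust it), and the per-mitigation breakdown relies on a guess about the event message layout. The backup path is also assumed.

```powershell
# Added example, not from the HitmanPro.Alert thread or the vendor: count and
# export HMP.A alerts from the Windows Application log instead of clearing it.
# ASSUMPTION: HMP.A writes its alerts under the provider name 'HitmanPro.Alert';
# verify against the Source column in Event Viewer > Windows Logs > Application.
param(
    [string]$Provider = 'HitmanPro.Alert',
    [string]$Backup   = "$env:USERPROFILE\Desktop\Application-before-clear.evtx"
)

# FilterHashtable filters inside the event log service, so this stays fast even
# on a large Application log; no match yields a non-terminating error we ignore.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Provider } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events from provider '$Provider' in the Application log. Check the Source column in Event Viewer and adjust -Provider."
    return
}

# Get-WinEvent returns newest first, so $events[0] is the most recent alert.
"Alert count (what the GUI counter is believed to read): $($events.Count)"
"Last alert: $($events[0].TimeCreated)"

# Rough per-mitigation breakdown: treat the first line of each event message as the
# mitigation name. This is a heuristic about the message layout, not a documented format.
$events |
    ForEach-Object { ($_.Message -split "`r?`n")[0] } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Clearing the Application log resets the counter but also discards every other
# application's events. Export the whole log first so it remains available later.
wevtutil epl Application $Backup
Write-Host "Saved a copy of the Application log to $Backup"

# Only then clear it (needs an elevated prompt). Left commented out on purpose.
# Clear-EventLog -LogName Application
```

Run it from an elevated PowerShell prompt if you intend to uncomment the final line; reading the log and exporting it with wevtutil works as a normal user on most systems.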
I did a fresh install of HMPA 3.6.7 build 602 (no upgrade, and HMPA has never been installed on this image) on Windows 10 x64 Professional. I'm also using ESET Internet Security 10 and AppGuard. Immediately after installation I noticed that the BadUSB Protection was disabled. I enabled it, but after rebooting it was disabled again. I made HMPA a power app in AppGuard, which gives it the right to do much more than other applications, but I had the following blocked events in my AppGuard Activity Report. I suspect this is related to HMPA's new mitigation for EternalBlue and DoublePulsar. What do you think Erik/Mark? Do you think this activity is related to HMP.A's added protection for EternalBlue and DoublePulsar? I have never had AppGuard block this activity before in my years of using AG. I had the Task Manager open, and I was using msconfig when these blocked events occurred in AppGuard.

05/30/17 18:20:54 Prevented <MSCONFIG MFC APPLICATION> from writing to <\registry\machine\bcd00000000>.
05/30/17 18:20:59 Prevented <Task Manager> from reading memory of <Local Security Authority Process>.
05/30/17 18:22:28 Prevented <pid: 6644> from writing to <\registry\machine\bcd00000000>.
05/30/17 18:23:01 Prevented <pid: 4384> from reading memory of <Local Security Authority Process>.
I just noticed I'm not receiving the flyout that notifies me that Firefox is being protected like I used to. It does however still inform me I'm protected if I place my cursor on the border of the browser UI. I'm using Windows 10 x64 Professional.
No problems thus far. Resource usage is respectable. Ran two scans, both of which were quick, but I was testing Process Hacker and it detected it as a Trojan:

Properties
Name processhacker-3.0.639-setup.exe
Location C:\Users\Poopshoot\Downloads
Size 5.2 MB
Time 10.3 days ago (2017-05-20 09:36:56)
Entropy 8.0
Product Process Hacker Setup
Publisher Process Hacker
Description Process Hacker Setup
Version 3.0.5166.639
LanguageID 9
SHA-256 B66E3046BB4F00A3A48256AC6580B59A71D81CB0018DCE66A7766F56B6AAC7C5
Detection Names
Kaspersky not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen

I'm guessing it's just a false positive, but thought I'd throw it out there.
CTP2 running well on Win10 x64 CU. I noticed this happening and realized I had to change the "Safety Notification" setting from "once per login session" to "At application start". Not sure if this is your issue. Regards.
Thanks! That was it. I looked for a setting controlling the flyout, but did not have any luck finding it.
I'm using Process Hacker 2.39.124 on Windows 10 x64, and I have not experienced any detections. It says I'm using the latest stable build. I noticed it says you are using version 3.0.639. What is that, a beta version? Where did you get it from? Are you sure it's legit?
Updated here, MPC-BE still doesn't work. It appears for only one second, then auto-closes. Set the action mode to "Audit only" but still the same results. The following installers don't work; I'm getting Lockdown for all of them.

Spoiler: Subtitle Edit
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 1424
Application D:\Unchecked\SubtitleEdit.exe
Description Subtitle Edit Setup 3.5.3
Filename C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp
Created By D:\Unchecked\SubtitleEdit.exe
Command line: "C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp" /SL5="$40792,5532970,141824,D:\Unchecked\SubtitleEdit.exe"
Process Trace
1 D:\Unchecked\SubtitleEdit.exe [1424]
2 C:\Windows\explorer.exe [2812] C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820] C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint 81365dfe79e039f471a8ba1b59e119cd896c2af09c1c6130b63c5ae1e2e33d93

Spoiler: PeaZip
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 5080
Application D:\Unchecked\peazip-6.4.1.WIN64.exe
Description PeaZip Setup 6.4.1
Filename C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp
Created By D:\Unchecked\peazip-6.4.1.WIN64.exe
Command line: "C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp" /SL5="$20770,7039495,149504,D:\Unchecked\peazip-6.4.1.WIN64.exe"
Process Trace
1 D:\Unchecked\peazip-6.4.1.WIN64.exe [5080]
2 C:\Windows\explorer.exe [2812] C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820] C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint d5dab80444204b1f8aa9c7c96373f0e052ac432ea238ffff14932a83c6e9581b

Spoiler: PDF Shaper
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 3620
Application D:\Unchecked\pdfshaper_cfree_7.3.exe
Description PDF Shaper Free Installation 7.3
Filename C:\Users\Subhro\AppData\Local\Temp\is-013FE.tmp\pdfshaper_cfree_7.3.tmp
Created By D:\Unchecked\pdfshaper_cfree_7.3.exe
Command line: "C:\Users\Subhro\AppData\Local\Temp\is-013FE.tmp\pdfshaper_cfree_7.3.tmp" /SL5="$407EA,7289112,189952,D:\Unchecked\pdfshaper_cfree_7.3.exe"
Process Trace
1 D:\Unchecked\pdfshaper_cfree_7.3.exe [3620]
2 C:\Windows\explorer.exe [2812] C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820] C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint f0286d38b6246fab11b7d752626220ae0cf89c3ca96f618a9ab579fd8946b69f

Spoiler: ImageMagick
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 4040
Application D:\Unchecked\ImageMagick.exe
Description ImageMagick 7.0.5 Q16 (64-bit) Setup 7.0.5
Filename C:\Users\Subhro\AppData\Local\Temp\is-4LR57.tmp\ImageMagick.tmp
Created By D:\Unchecked\ImageMagick.exe
Command line: "C:\Users\Subhro\AppData\Local\Temp\is-4LR57.tmp\ImageMagick.tmp" /SL5="$607E0,24577323,121344,D:\Unchecked\ImageMagick.exe"
Process Trace
1 D:\Unchecked\ImageMagick.exe [4040]
2 C:\Windows\explorer.exe [2812] C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820] C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint 2bc4c2245a5e135c98bee2c2fb79653ea33ade85f81bd4bb158590ca543712aa