HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    In Process Protection, is it suggested to have all types ticked, without risk of breaking anything or a performance impact?

    For whatever reason, on my PC and laptop I have LPM and APC disabled (unticked). I don't know why, whether it was the default or I previously read something suggesting to turn it off.

    Thanks
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    All Process Protections ticked here with no issues, v3.8.0 build 853, CTP3.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Same here. I am using the v5 of cryptoguard with 853 and there are no issues
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1, that too.
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Same here. No mitigation(s) so far with Sandboxie and HMP.A build 853 CTP3.
     
  6. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    HitmanPro.Alert 3.7.11 Build 791 Release Candidate's cryptoguard function is not compatible with ESET 13.0.22.0 Banking & Payment Protection, tries to protect but confuses the keyboard. A different letter appears than the one I typed. If I disable cryptoguard protection, then there is no problem.
    The cryptoguard function of HitmanPro.Alert 3.8.0 Build 853 Community Technology Preview 3, however, is perfect with ESET 13 13.0.22.0 Banking & Payment Protection, more precisely it does not try to protect it and therefore there is no problem. Windows 10 64bit pro v1909 build.18363.476. Firefox 70.0.1 64bit.

    Sorry I misspelled. CryptoGuard was not the cause of the problem, but the keystroke encryption. See pictures below.

    Correctly:

    HitmanPro.Alert 3.7.11 Build 791 Release Candidate's keystroke encryption function is not compatible with ESET 13.0.22.0 Banking & Payment Protection, tries to protect but confuses the keyboard. A different letter appears than the one I typed. If I disable keystroke encryption protection, then there is no problem.
    The keystroke encryption function of HitmanPro.Alert 3.8.0 Build 853 Community Technology Preview 3, however, is perfect with ESET 13 13.0.22.0 Banking & Payment Protection, more precisely it does not try to protect it and therefore there is no problem. Windows 10 64bit pro v1909 build.18363.476. Firefox 70.0.1 64bit.
     
    Last edited: Nov 17, 2019
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Do you mean keystroke encryption? Keystroke encryption can be toggled on/off without changing CryptoGuard.
     
  8. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I'm talking about this feature.

    [Attached screenshot: 2019-11-17_183046.jpg]

    That was the cause of the problem. When I turned it off, the problem disappeared.

    [Attached screenshot: 2019-11-17_183324.jpg]

    You're right! Sorry, CryptoGuard was not the cause of the problem, but the keystroke encryption.

    Thank Victek for warning me.
     
    Last edited: Nov 17, 2019
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Is this a bug? Should not protect the Banking & Payment Protection. This caused the above problem.

    [Attached screenshot: 2019-11-17_185511.jpg]

    Problem solved: ESET factory reset.
     
  10. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
  11. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.12 Build 793 Release Candidate

    Note: This is a 7xx build. Users running a 8xx Community Technology Preview should not update to this version. An updated 8xx is coming soon.

    Changelog (compared to 791)
    • Improved CryptoGuard to handle a deficiency in Windows leveraged by the RIPlace evasion technique
    • Fixed a CryptoGuard EFS false positive on LSASS (Local Security Authority Sub System)
    Download
    https://dl.surfright.nl/hmpalert3b793.exe

    Please let us know how this version runs on your machine. We expect to start updating everybody from Monday December 2nd, 2019.

    Thank you! :thumb:
     
  13. guest

    guest Guest

  14. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Very excited :geek:
     
  15. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Can I assume this is a false positive and can safely be ignored?

     
  16. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    I just wanted to quickly say that HitmanPro.Alert is an excellent piece of software that has saved myself & many others from getting infected with ransomware etc...

    I don't comment that often, but that doesn't mean I'm not actively testing every beta & RC for any issues. Happy Christmas. :)
     
  17. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Is HitmanPro.Alert 3.7.12 Build 793 more or less secure than v3.8.0 build 853, CTP3 at the moment?
     
  18. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.8.0 Build 857 BETA

    We've exited the Community Technology Preview (CTP) series and are gearing up towards a GA release of the new HitmanPro.Alert.

    In case you missed the CTPs, here's what's new:

    CryptoGuard v5 (default On)
    • Complete redesign and rewrite of the award-winning and world's first anti-ransomware module (est. 2013) to also monitor unknown file types, increase performance and reduce I/O overhead
    New user interface panels
    • Event List panel to view the alerts (finally replaces the standard Windows Event Viewer)
    • Event Process Tree panel to provide graphical representation of an attack
    • Protected Volumes list panel to view the volumes and network shares that are protected by CryptoGuard
    RDP Guard to lockdown Remote Desktop (RDP) sessions (default Off)
    • Blocks access to new binaries that are introduced in RDP sessions
    • Strips processes from administrator privileges
    • Allows generating a 2-factor token file to unlock an RDP session (automatically enforced when enabling the mitigation)
    Added
    • CryptoGuard can run in either v4 or the new v5 mode.
    • CryptoGuard v5 block modes: Terminate, Isolate and Audit.
      • Terminate: terminates and isolates the ransomware process (new default)
      • Isolate: detects and isolates the ransomware by revoking write access (old default)
      • Audit: detects ransomware, but takes no action on it (new)
    • RDP Guard includes a new shell extension that shows an overlay icon on binaries that have been introduced in an RDP session. The extension also helps with unlocking the RDP session via a token file located on a drive shared with the RDP session.
    • Process Tree view with timeline to graphically animate how an attack took place. Includes clickable objects, dropped files per process, time between processes, exit state, hyperlinked SHA-256 hashes that open report on VirusTotal, etc.
    • Added CTF Guard under Risk Reductions > Process Protection. This new mitigation validates CTF protocol callers and is ported over from GA builds 785-789 (since August 23). This new system-level exploit mitigation protects against abuse of the undocumented Windows CTF protocol as mentioned in CVE-2019-1162, discovered by Tavis Ormandy. More details: https://news.sophos.com/en-us/2019/08/22/blocking-attacks-against-windows-ctf-vulnerabilities/
    • Added protection against side-loading of code via ApiSet Stub DLLs. The mitigation is called APISetGuard and is an integral part of the DLL Hijacking mitigation under Risk Reductions > Process Protection.
    • Added protection against replacement of accessibility tools (like StickyKeys) from a remote machine. This is specifically useful against attacks like BlueKeep, that target RDP-enabled endpoints. This mitigation is called FileProtection.
    • Added JIT Guard which prevents the use of Win32 API calls from just-in-time (JIT) memory in web browsers. This new mitigation is enabled on Chrome-based and Firefox-based web browsers, and thwarts attacks on vulnerabilities like CVE-2019-9810.
    • Added DCOM filtering to Application Lockdown.
    • Support for Windows in Safe Mode. This will stop ransomware that forces Windows to (re-)boot into a diagnostic mode and encrypt the system from there – in Safe Mode.
    • Added license expiration reminder. Users that renew their license will receive a discount of 15% on a new license when buying one via the new reminder message.
    • Anti-Malware now relies on a new network manager module to detect when internet connection is lost or restored.
    • Excalibur.db is regularly truncated to prevent the file from becoming too large on high-activity machines.
    • Alert Events are now also stored in excalibur.db, the local event trace database.
    • Ability to suppress (whitelist) previous alerts via the new Event List interface panel.
    Improved
    • Improved HeapHeapProtect mitigation to also block malicious process migration and .NET attack code run from PowerShell.
    • Improved CodeCave mitigation.
    • Improved HeapSpray mitigation.
    • Improved CryptoGuard 4 and 5 to handle ransomware attacks that leverage EFS (Windows Encrypting File System).
    • Improved CryptoGuard 4 and 5 to handle a deficiency in Windows leveraged by the RIPlace evasion technique.
    • WipeGuard inadvertently protected USB drives that were already connected during boot.
    • Keystroke Encryption was default enabled on the first window that was visible after install.
    • Inner workings of the keystroke encryption engine.
    • Keystroke encryption engine now correctly handles the Windows 10 Emoji Picker (shortcut Win + . ).
    • Service is now hardened against an unsolicited stop command.
    • Alert processes are now hardened by enabling several Windows 10 mitigations.
    Fixed
    • Fixed initial dashboard when installing as CryptoGuard-only.
    • Alt-Tab window could get stuck when the foreground process had keystroke encryption active.
    Removed
    • Credential Theft Protection no longer shields the SAM database on the disk (CredGuard SAM). Too many legitimate applications access the SAM database.
    Screenshots

    [Attached screenshot: Capture3.PNG]

    Figure: New RDP Guard prevents attackers from remote to run arbitrary code

    [Attached screenshot: JITGuard1.png]

    Figure: New JIT Guard exploit mitigation that shields just-in-time memory in Firefox and Chrome

    [Attached screenshot: GoSnatch-2.PNG]

    Figure: Process Tree revealing source of attack

    Notes
    • Do NOT install this on a machine that you can only access over Remote Desktop, as it will lock you out of admin access; you need hands on the keyboard to generate the 2FA token.
    • Do NOT return from this 8xx CTP to version 7xx stable without first removing c:\programdata\hitmanpro.alert\excalibur.db
    Download
    https://dl.surfright.nl/hmpalert3b857.exe

    Please let us know how this version runs on your machine, thanks :thumb:
     
    Last edited: Dec 6, 2019
  19. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Works fine here on Win10x64 Pro 18363.476.
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    No problems upgrading to build 857 beta. Anti-malware was offline temporarily, probably because of a VPN connecting during W10 startup.

    Win10 1909 build 18363.476 x64/Norton Security v22.19.9.63
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    No problems here so far on 1809. What's the changelog compared to build 583?
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @markloman ,
    This has me a bit confused. From previous release notes and my personal testing, I had thought that "suppress" did exactly that, suppress/ignore the alert itself and did not actually whitelist/exclude a particular alert. Are you saying that using "suppress" actually whitelists that particular alert and excludes it from future detection? If it does, if the hash of the file from the alert changes, does a new alert appear and you have to "suppress" that alert again? If memory serves me, I also tested this with the Anti-Malware scanner and had issues too. I ended up with multiple suppressions for the same alert on the same file so I disabled the Anti-Malware scanner. I know from my personal testing when this was first introduced, all "suppress" seemed to do was keep the alert from popping up but the action still was carried out. My original testing might have been faulty so I am asking for some clarification please as it will be very much appreciated...
     
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The product will always detect a behavior by a file or process but will suppress an alert when configured so. Whitelisting is exactly that, allowing the practice of an identified behavior. We simply thought of naming it differently, but we got questions about it while we actually thought we were being more clear.

    Anyway, from your wording, it seems you have an issue with a particular file? Can we help?
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @markloman ,

    The main reason that I have disabled the Anti-Malware scanner is because of Process Hacker. Installations and updates are blocked, along with the blocking of Process Hacker starting at login. Either excluding the files or suppressing the alerts did not help. The reason I asked about hashes is that Process Hacker can update as few as once in 7 to 10 days up to two or three times a day, as it is very actively developed. In HMP, even as I have reported the file as safe, the next update brings the detections back on the files, installers, and the run entry. Along with this, HMP.A blocks all of these with the Anti-Malware scanner. Process Hacker can update very often, so dealing with it can be a big hassle.

    As far as the mitigations in HMP.A, I have the most issues with Credential Theft Protection when using just about anything to search, scan, or optimize the registry. Either excluding the files or suppressing the alerts seems to not help. I found myself ending up with exclusions that did nothing and multiple suppressions for the same alert and file. An example of one of the softwares I have had issue with is Vitsoft Vit Registry Fix. Using this software to search, scan, or optimize can cause multiple alerts and I have found no easy way to stop them.

    There are other softwares that cause these same type of issues but the above two are the main ones that I remember. The easiest solution for me has been to disable both Anti-Malware and Credential Theft Protection. With these two options disabled, HMP.A runs pretty much silent with no hassles at all.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Have the new 857 installed. Upgrade was smooth. I've turned on all protections and everything is good so far. Will do the second machine tomorrow.
     