HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, why not improve keystroke protection in a way that it will work similar to KeyScrambler, which guarantees it will automatically protect hundreds of apps? And another thing I wonder about, would HMPA be able to spot TrickBot trying to hook the browser? Perhaps you can also test and showcase this, see link.

    https://www.sentinelone.com/labs/how-trickbot-malware-hooking-engine-targets-windows-10-browsers/
     
  2. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    HitmanPro.Alert 3.8.23 Build 951 (BETA) has been running fine for me for about a couple of weeks now.
     
  3. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    A question/request: why don't they make HMPA free like Sophos did with HMP? Thank you very much in advance. All the best.
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Well, in my opinion, it’s because the technology in HMP.A is much more advanced and relies on being real-time while HMP is an on-demand scanner.

    Real-time protection is definitely much more useful and necessary.

    With that said, HMP.A already has a free version. Obviously with limited functions but still free.

    Of course this is my opinion.
     
  5. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Thank you. The point I am going to is that if this is only for testing to later integrate it into another product, why is a license necessary? If it's free, many more users could try it on their computers and report problems, if they add a feedback option like Zemana did in the old days. All the best.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I guess you have a point, but Sophos Intercept X is their corporate product so I understand they don't want to give all of its features away for free, since HMPA is basically a clone. And you do get certain features for free like Safe Banking. What I would like to see is HMPA becoming more user-friendly. Give an option to whitelist trusted software, improve keystroke encryption and add more protection against code injection techniques.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Yeah. Haven’t fully tested but I notice this didn’t work while using a password manager.

    So it would be nice if they could improve it so it’s compatible with many more apps

    Like Keyscrambler
    https://www.qfxsoftware.com/features/compare/
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Exactly, I don't get why HMPA can't improve the keystroke encryption feature. I also wonder where Ronny went, perhaps he's testing TrickBot LOL.
     
  9. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    9
    Location:
    Wondering
    The current Stable(947) and the Beta(951) both appear to create a BaseNamedObject(Event) without proper Security Permissions being set. The Event seems to have an entirely random Hex String upon each reboot so it's less of an issue IMO vs an easily targetable one (say starting with hmpalert_) such as before but if it isn't intended you may want to look into this.

    https://i.ibb.co/dg4jNxp/NoPerm.jpg
     
  10. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    9
    Location:
    Wondering
    Technically it can already handle many other apps, it's just a matter of getting the settings to apply the keyboard encryption per profile. The GUI is horrible in this regard but if you *really* want to use it - there is a way.
    Export your settings from inside the HMP.A GUI (The Gear Icon to the left of the _ and X in the upper right corner) to an xml file. I'd suggest using something to re-format the xml as by default it doesn't have the line breaks to separate things.

    Open the exported .xml (any text editor [eg notepad etc] will work) and find the program you want to use it with and isolate the 'profileid' it is attached to. Note that, sometimes, multiple apps will share a profile so it's best to check which other software might use this profile and try to edit the settings in the GUI for your target app to ensure it gets its own 'Profile id' before trying this. I have close to 100 software entries (including exclusions) spread over just 11 profiles so it doesn't technically have to be unique, just be sure that you want to apply the change to ALL the software which uses that profile.

    If you already have settings applied for said app it'll look something like this, otherwise you'll want to add and customize said app through the GUI prior to exporting. In the example below the profile we want to change is "ABCD-EFGH"

    Code:
    <Application path="X:\FolderPath\FileName.exe" profileId="ABCD-EFGH" />
    Then find the profile entry itself
    Code:
    <Profile id="ABCD-EFGH">
     <DEP>on</DEP>
     <ASR>off</ASR>
     <ASLR>on</ASLR>
     <BottomUpASLR>on</BottomUpASLR>
     <SEHOP>on</SEHOP>
     <NullPage>on</NullPage>
     <HeapSpray>off</HeapSpray>
     <LoadLib>on</LoadLib>
     <Caller>on</Caller>
     <IAF>on</IAF>
     <JITGuard>on</JITGuard>
     <StackPivot>on</StackPivot>
     <StackExec>on</StackExec>
     <BannedAPI>on</BannedAPI>
     <Intruder>off</Intruder>
     <KbdGuard>off</KbdGuard>
     <LockdownNewFile>on</LockdownNewFile>
     <LockdownAutorun>on</LockdownAutorun>
     <LockdownLoadImage>on</LockdownLoadImage>
     <SendKeyGuard>on</SendKeyGuard>
     <Template>Office</Template>
    </Profile>
    Change the 'off' between the KbdGuard entries in said profile to 'on'
    Code:
    <KbdGuard>off</KbdGuard>
    Save the file as a new name ~ in case you want to revert it with the originally exported one later
    Import the new, edited, file into HMP.A

    Obviously this is a completely unsupported method so don't go crying to them or here on the forum if a particular program does have issues with this (or any other alterations you make) enabled! They likely don't want to test it with hundreds of programs upon each revision and stick to those they deem most important and likely to be a target for harvesting credentials from...eg browsers. I actually appreciate this approach as something like Zemana Anti-Logger (which I used to use and liked for a time) tried to do everything by default (via a now legacy/unsupported method) and added exclusions when needed which could only increase the demands on support and development. So I understand why the keyboard encryption in HMP.A isn't enabled more broadly by default but I am still annoyed that there is no way to enable it via the GUI for power users.

    I know all this because the keyboard encryption (not the anti-exploit) is actually my primary reason for using this product. I've noticed many games may have issues with keyboard encryption enabled (some only sporadically - however I exclude games from that now) but generally regular software works pretty darn well with it enabled.
    It would be best to test each addition one at a time.

    Also note that you should probably re-start (close entirely, not left running in the background or to tray) the app in question (or just reboot to be sure) after importing the settings via HMP.A and let it apply the new settings to said app.
     
    Last edited: Feb 22, 2023
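
Added example, not part of tempb's post and not Sophos code: the export, edit and re-import steps described above, scripted so that a profile shared with other applications is reported before `KbdGuard` is switched on. The `<Settings>` root and the extra sample entries are constructed assumptions; only `Application` (`path`, `profileId`), `Profile` (`id`) and `KbdGuard` are names shown in the post.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample export. The <Settings> root and the second and third
# applications are assumptions; Application/@path, Application/@profileId,
# Profile/@id and <KbdGuard> are the names shown in the post.
SAMPLE_EXPORT = r"""<Settings>
 <Application path="X:\FolderPath\FileName.exe" profileId="ABCD-EFGH" />
 <Application path="X:\Other\Shared.exe" profileId="ABCD-EFGH" />
 <Application path="X:\Games\Game.exe" profileId="IJKL-MNOP" />
 <Profile id="ABCD-EFGH">
  <DEP>on</DEP>
  <KbdGuard>off</KbdGuard>
  <SendKeyGuard>on</SendKeyGuard>
 </Profile>
 <Profile id="IJKL-MNOP">
  <DEP>on</DEP>
  <KbdGuard>off</KbdGuard>
 </Profile>
</Settings>"""


def apps_by_profile(root):
    """Map each profileId to the application paths attached to it."""
    usage = {}
    for app in root.iter("Application"):
        usage.setdefault(app.get("profileId"), []).append(app.get("path"))
    return usage


def enable_kbdguard(root, target_path, allow_shared=False):
    """Set KbdGuard to 'on' in the profile used by target_path (edits root in place).

    Returns every application path affected by the change. Refuses to touch a
    profile shared with other applications unless allow_shared is True.
    """
    usage = apps_by_profile(root)
    wanted = target_path.lower()  # Windows paths compare case-insensitively
    profile_id = next((pid for pid, paths in usage.items()
                       if any(p and p.lower() == wanted for p in paths)), None)
    if profile_id is None:
        raise LookupError("application not in export; add it in the GUI first")
    affected = usage[profile_id]
    if len(affected) > 1 and not allow_shared:
        raise ValueError(f"profile {profile_id} is shared by: {affected}")
    profile = next((p for p in root.iter("Profile")
                    if p.get("id") == profile_id), None)
    node = profile.find("KbdGuard") if profile is not None else None
    if node is None:
        raise LookupError(f"profile {profile_id} has no KbdGuard entry")
    node.text = "on"
    return affected


def enable_in_text(xml_text, target_path, allow_shared=False):
    """String-in, string-out wrapper: returns (edited_xml, affected_paths)."""
    root = ET.fromstring(xml_text)
    affected = enable_kbdguard(root, target_path, allow_shared)
    return ET.tostring(root, encoding="unicode"), affected


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py exported.xml edited.xml "X:\path\app.exe"
        src, dst, app = sys.argv[1:]
        if src == dst:
            sys.exit("write to a new file so the original export can be re-imported")
        tree = ET.parse(src)
        print("KbdGuard enabled for:", enable_kbdguard(tree.getroot(), app))
        tree.write(dst, encoding="utf-8", xml_declaration=True)
    else:
        _, affected = enable_in_text(SAMPLE_EXPORT, r"X:\Games\Game.exe")
        print("KbdGuard enabled for:", affected)
```
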
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I personally don't think it's an excuse since KeyScrambler IS able to do this. They simply made sure it works correctly for a couple of hundred apps.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    If you add the desired application to the "Other" profile the keystroke encryption is enabled.
     
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Thanks for reporting, I'll pass that to the team.
     
  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    There's only 8 hours a day one can work on something, this isn't our biggest protection part, and will probably not get on par with mentioned applications.
    Some things are done better by others, so we prefer to put the hours in new mitigations (some new stuff is coming in new build).
     
  15. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    @RonnyT
    What happens if HMPA detects malware activity that is known and detected by the full (primary) antivirus on the computer? Does this double, simultaneous detection cause, or can it cause, collisions (e.g. freezes, system crashes), because both want to take action?

     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I understand that, but if you're offering keystroke protection, make sure that it works with the most important apps by default, just like KeyScrambler and SpyShelter. And you ignored (or missed) my other questions, about HMPA/Sophos Intercept X being able to detect or block TrickBot and the supply chain attack on 3CX, see links. And when I say detect, I mean detection purely via behavior blocking, not via signatures.

    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-85#post-3126787
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-674#post-3139571
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.24 Build 957 (RC1)

    Changelog (compared to 951)
    • Added HWBGuard, A technique heavily used by red-teams to bypass Syscall protections is to set a HardwareBreakPoint, we now block these breakpoints.
    • Improved AMSIGuard
    • Improved CookieGuard
    • Improved SendKeysGuard now only protects specific predefined applications
    • Improved HeapHeapProtect prevents Powershell scripts from patching AMSI for bypass
    • Improved Bitdefender compatibility causing crashing applications on startup after a recent update on their end
    • Fixed BSOD in StickyKeys
    • Several other changes under the hood
    Beware this build is signed with a new code-signing certificate by Sophos BV, this might cause some 3rd party vendors to have "trust" issues as it's a fresh certificate.

    Download
    https://dl.surfright.nl/hmpalert3b957.exe

    Please let us know how this version runs on your machine :thumb:
     
  18. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems upgrading/updating to HitmanPro.Alert 3.8.24 Build 957 (RC1). And no problems with the new code-signing certificate and Norton 360.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Installed and running fine alongside Kaspersky Plus so far.
     
  20. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    Everything perfect. Thank you! :thumb:
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No issues with 957 (RC1) so far (other security softs always excluded, and vice versa) ...
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    No problems here either.
     
  23. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I rebooted into it yesterday. No issues to report.
     
  24. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    9
    Location:
    Wondering
    No issues with this version on my systems!
    I did notice a new entry in the settings, SystemWideSyscallEx (I think it was) which was set to off...is this not yet ready for prime time?
    That random BaseNamedObject Event without security still exists (after a reboot) [just so you know]
    The changelog mentions the addition of HWBGuard but I didn't notice any entries in the GUI to enable\disable it...did I miss something?
     
    Last edited: May 8, 2023
  25. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I may have spoken too soon. Chrome triggered an alert (probably a false positive). I had to suppress the alert to get Chrome to load.

    Code:
    Mitigation   CookieGuard
    Timestamp    2023-05-11T18:49:44
    
    Platform     10.0.19045/x64 v957 06_2a%
    PID          20784
    Feature      007D1A345FBFB0B6
    Application  C:\Program Files\Google\Chrome\Application\chrome.exe
    Created      2023-05-10T15:38:32
    Description  Google Chrome 113
    
    Cookie data retrieval performed by untrusted code in browser
    Attempt to read protected Chrome data
    Caller originates from module: C:\Program Files\Google\Chrome\Application\113.0.5672.93\chrome.dll
    
    Hashes for owner-module: C:\Program Files\Google\Chrome\Application\113.0.5672.93\chrome.dll
    SHA-256      ab2c6ff5c657c39198e833fd938496854d34fd88a15997adb96025ed9ba16872
    SHA-1        3271e717185b1073e8072a68c90debd4c53a637c
    MD5          e614ec33d5496f0be1dbc9be80e90795
    Certhash could not be obtained for owner-module
    ErrorCode: 00000000
    
    Loaded Modules (63)
    -----------------------------------------------------------------------------
    00007FF75E460000-00007FF75E77A000 chrome.exe (Google LLC),
                                      version: 113.0.5672.93
    00007FF8598D0000-00007FF859AC8000 ntdll.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF857930000-00007FF8579EF000 KERNEL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF856DF0000-00007FF856F15000 hmpalert.dll (Sophos B.V.),
                                      version: 3.8.24.957
    00007FF857450000-00007FF85772A000 KERNELBASE.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF8544A0000-00007FF854530000 apphelp.dll (Microsoft Corporation),
                                      version: 10.0.19041.2546 (WinBuild.160101.0800)
    00007FF823B50000-00007FF823FE6000 AcLayers.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2846 (WinBuild.160101.0800)
    00007FF859070000-00007FF85910E000 msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FF857A80000-00007FF857C1D000 USER32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF856FE0000-00007FF857002000 win32u.dll (Microsoft Corporation),
                                      version: 10.0.19041.2846 (WinBuild.160101.0800)
    00007FF858BF0000-00007FF858C1B000 GDI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2130 (WinBuild.160101.0800)
    00007FF857040000-00007FF857150000 gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF857150000-00007FF8571ED000 msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8571F0000-00007FF8572F0000 ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8582E0000-00007FF858A24000 SHELL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF857A20000-00007FF857A75000 SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.19041.2075 (WinBuild.160101.0800)
    00007FF858FC0000-00007FF85906E000 ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2130 (WinBuild.160101.0800)
    00007FF858060000-00007FF8580FC000 sechost.dll (Microsoft Corporation),
                                      version: 10.0.19041.2846 (WinBuild.160101.0800)
    00007FF859110000-00007FF859236000 RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.19041.2846 (WinBuild.160101.0800)
    000002617DB30000-000002617DB33000 sfc.dll (Microsoft Corporation),
                                      version: 10.0.19041.2075 (WinBuild.160101.0800)
    00007FF8461A0000-00007FF846238000 WINSPOOL.DRV (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF84FBA0000-00007FF84FBB2000 sfc_os.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2311 (WinBuild.160101.0800)
    00007FF8579F0000-00007FF857A20000 IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2673 (WinBuild.160101.0800)
    00007FF82F2A0000-00007FF82F3FC000 chrome_elf.dll (Google LLC),
                                      version: 113.0.5672.93
    00007FF856BE0000-00007FF856BEA000 VERSION.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF856490000-00007FF85649C000 CRYPTBASE.DLL (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF857730000-00007FF8577B2000 bcryptPrimitives.dll (Microsoft Corporation),
                                      version: 10.0.19041.2486 (WinBuild.160101.0800)
    00007FF856860000-00007FF856957000 guard64.dll (COMODO),
                                      version: 12, 2, 2, 8012
    00007FF859760000-00007FF85988A000 ole32.dll (Microsoft Corporation),
                                      version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FF857D00000-00007FF858054000 combase.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF856850000-00007FF85685B000 fltlib.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF84BB10000-00007FF84BB51000 IseGuard64.dll (COMODO),
                                      version: 1, 6, 472587, 185
    00007FF856B30000-00007FF856B63000 ntmarta.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFFF3230000-00007FFFFFFEA000 chrome.dll (Google LLC),
                                      version: 113.0.5672.93
    00007FF858A90000-00007FF858B5D000 OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.985 (WinBuild.160101.0800)
    00007FF857C90000-00007FF857CFB000 WS2_32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8578C0000-00007FF857927000 WINTRUST.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF8572F0000-00007FF857446000 CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.2486 (WinBuild.160101.0800)
    00007FF84DBF0000-00007FF84DC17000 WINMM.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF841AC0000-00007FF841CA4000 dbghelp.dll (Microsoft Corporation),
                                      version: 10.0.19041.867 (WinBuild.160101.0800)
    00007FF856010000-00007FF85604C000 IPHLPAPI.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF856B70000-00007FF856B9E000 USERENV.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FF8485B0000-00007FF8485BC000 Secur32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF82C1B0000-00007FF82C4A5000 UIAutomationCore.DLL (Microsoft Corporation),
                                      version: 7.2.19041.2788 (WinBuild.160101.0800)
    00007FF848650000-00007FF84875A000 WINHTTP.dll (Microsoft Corporation),
                                      version: 10.0.19041.2673 (WinBuild.160101.0800)
    00007FF84E1A0000-00007FF84E41F000 DWrite.dll (Microsoft Corporation),
                                      version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FF848DB0000-00007FF848DCD000 dhcpcsvc.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2673 (WinBuild.160101.0800)
    00007FF8527F0000-00007FF8528E6000 PROPSYS.dll (Microsoft Corporation),
                                      version: 7.0.19041.1741 (WinBuild.160101.0800)
    00007FF856BA0000-00007FF856BD2000 SSPICLI.DLL (Microsoft Corporation),
                                      version: 10.0.19041.2130 (WinBuild.160101.0800)
    00007FF8569C0000-00007FF8569D2000 MSASN1.dll (Microsoft Corporation),
                                      version: 10.0.19041.2251 (WinBuild.160101.0800)
    00007FF854650000-00007FF8546EE000 uxtheme.dll (Microsoft Corporation),
                                      version: 10.0.19041.2193 (WinBuild.160101.0800)
    00007FF8554F0000-00007FF855513000 gpapi.dll (Microsoft Corporation),
                                      version: 10.0.19041.2846 (WinBuild.160101.0800)
    00007FF8596B0000-00007FF85975D000 shcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.1865 (WinBuild.160101.0800)
    00007FF855DA0000-00007FF855DB9000 wkscli.dll (Microsoft Corporation),
                                      version: 10.0.19041.1645 (WinBuild.160101.0800)
    00007FF856050000-00007FF85605C000 netutils.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF858C80000-00007FF858D94000 MSCTF.dll (Microsoft Corporation),
                                      version: 10.0.19041.2673 (WinBuild.160101.0800)
    00007FF854B40000-00007FF854B52000 kernel.appcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF856DA0000-00007FF856DEB000 powrprof.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF856D80000-00007FF856D92000 UMPDC.dll (),
                                      version:
    00007FF8482C0000-00007FF84855A000 COMCTL32.dll (Microsoft Corporation),
                                      version: 6.10 (WinBuild.160101.0800)
    00007FF856F20000-00007FF856F3F000 profapi.dll (Microsoft Corporation),
                                      version: 10.0.19041.844 (WinBuild.160101.0800)
    00007FF854D40000-00007FF8554D3000 windows.storage.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    00007FF856520000-00007FF85654E000 Wldp.dll (Microsoft Corporation),
                                      version: 10.0.19041.2788 (WinBuild.160101.0800)
    
    Process Trace
    1  C:\Program Files\Google\Chrome\Application\chrome.exe [20784]
       "C:\Program Files\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0xc013,0xc014 --flag-switches-begin --enable-gpu-rasterization --enable-quic --enable-zero-copy --disable-smooth-scrolling --use-angle=d3d11on12 --
    2  C:\Program Files\Google\Chrome\Application\chrome.exe [4992]
       "C:\Program Files\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0xc013,0xc014
    3  C:\Windows\explorer.exe [7400]
    
    Dropped Files
    1  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-645D38B3-5130.pma
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [20784]
    2  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\Variations
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [20784]
    1  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-645D38A2-1380.pma
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    2  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\Variations
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    3  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\3e51688c-9c8a-4e39-9bdc-040ed39848b7.tmp
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    4  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\Local State~RF1eb8f33f.TMP
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    5  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\7e819b5a-0307-49c7-aaa2-d13839f7faa1.tmp
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    6  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\Local State~RF1eb8f38d.TMP
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    7  C:\Users\UserX\AppData\Local\Google\Chrome\User Data\lockfile
         Dropped by \Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe [4992]
    1  C:\Users\UserX\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7400]
    2  C:\Users\UserX\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\Microsoft.Explorer.Notification.{A137E124-24B0-E4B8-1C9B-70319DF8FBF2}.png
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7400]
    3  C:\Users\UserX\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000006b1.db
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7400]
    
    Thumbprints
    0c69d3f961b8b1777157f35bd2bd177a4f8fa1c4cc4d06978ccf7cfa816e7616 (fhsh-mod)
     