HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Kaspersky VPN and Password Manager. No Avast. I have Norton, which uses some Avast stuff now since they bought them out.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    642
    I installed the Supermium browser on a Windows 7 PC and HMP.A intercepted it on first launch:

    False positive, or something to be concerned about? Supermium gets a 1/68 score on a certain virus-checking website...
     
  3. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    307
    Defender detected it as Trojan:Win32/Vigorf.A when i tried to download it.
     
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    642
    Thank you! :thumb:
     
  5. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    307
    But it must be a false positive. Defender does have its share of those; only the 32-bit version got detected. :)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    Never heard about Supermium, does it use the latest Chromium version? Because then I wonder why other Chromium based browsers are not compatible with Win 8 anymore.

    But anyway, seems like Supermium is somehow triggering "process hollowing", which is kinda odd. Especially if WD also detects it, wouldn't install it for the moment.

    BTW, it's only flagged by 3 AV engines on VirusTotal, I'm talking about the 64 bit version. And there are two websites that offer downloads. You see how tricky this is?

    https://www.supermium.org
    https://win32subsystem.live/supermium/
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,526
    Location:
    Hollow Earth - Telos
  8. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    722
    Location:
    Planet Earth
    My 2 cents: this solution will be optional, and only interesting for Enterprise users with their own or knowledgeable security teams (for a long time), but MS has covered their legal risk.

    On the other hand all major players will have to support some form of this usermode stuff, I'm just very curious how much protection they will offer compared to the driver based versions.
    Vendors are now forced to live off what Microsoft offers in their public version of this (not sure how fair that will be against Defender and their other undocumented options). Instead of prevention mode, they are forced to go back into detection mode and/or, best case, reaction mode (already infected, but contained within x seconds/minutes) and repair options. (Same protection is impossible, especially for HMPA kind of solutions.)

    As long as attackers can bring their own vulnerable drivers (as long as it's no security driver), I'm not sure I would be putting my resources on deploying it through the estate.
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    722
    Location:
    Planet Earth
    It tries to patch its own PEB, likely not malicious, but I guess we haven't made any exceptions for this exotic browser.
     
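To make the PEB remark above concrete: an anti-exploit engine that raises a "process hollowing" alert is typically comparing what the process's own PEB says about itself with what the kernel actually mapped. The following is an added example (not HitmanPro.ALERT's code and not Supermium's) that runs that comparison on a constructed 64-bit PEB snapshot and a constructed region list; the PEB offsets are the documented PEB64 layout, while the addresses, paths and the OS version fields used for the in-process patch check are assumptions for illustration (the thread does not say which field Supermium touches).

```python
"""Hollowing / PEB self-patch check on a PEB64 snapshot.

Added example, not code from HitmanPro.ALERT or Supermium. The PEB bytes,
region list, paths and addresses below are constructed for the demo.
"""
import struct

# PEB64 offsets (same on Windows 7 through 11 for the fields used here)
PEB64_BEING_DEBUGGED = 0x02
PEB64_IMAGE_BASE = 0x10      # PVOID ImageBaseAddress
PEB64_LDR = 0x18             # PPEB_LDR_DATA Ldr
PEB64_OS_MAJOR = 0x118       # ULONG OSMajorVersion
PEB64_OS_MINOR = 0x11C       # ULONG OSMinorVersion
PEB64_OS_BUILD = 0x120       # USHORT OSBuildNumber


def parse_peb64(peb: bytes) -> dict:
    """Pull the handful of PEB fields the check needs out of a raw snapshot."""
    if len(peb) < PEB64_OS_BUILD + 2:
        raise ValueError("PEB snapshot too short")
    return {
        "being_debugged": peb[PEB64_BEING_DEBUGGED],
        "image_base": struct.unpack_from("<Q", peb, PEB64_IMAGE_BASE)[0],
        "ldr": struct.unpack_from("<Q", peb, PEB64_LDR)[0],
        "os_major": struct.unpack_from("<I", peb, PEB64_OS_MAJOR)[0],
        "os_minor": struct.unpack_from("<I", peb, PEB64_OS_MINOR)[0],
        "os_build": struct.unpack_from("<H", peb, PEB64_OS_BUILD)[0],
    }


def make_peb64(image_base: int, os_major=10, os_minor=0, os_build=19045) -> bytes:
    """Constructed PEB64 snapshot with only the fields above populated."""
    buf = bytearray(0x130)
    struct.pack_into("<Q", buf, PEB64_IMAGE_BASE, image_base)
    struct.pack_into("<Q", buf, PEB64_LDR, 0x7FFE0000)  # arbitrary non-zero pointer
    struct.pack_into("<I", buf, PEB64_OS_MAJOR, os_major)
    struct.pack_into("<I", buf, PEB64_OS_MINOR, os_minor)
    struct.pack_into("<H", buf, PEB64_OS_BUILD, os_build)
    return bytes(buf)


def hollowing_findings(peb: bytes, regions, expected_exe: str, kernel_os) -> list:
    """regions: (base, size, kind, backing_path) tuples, i.e. what VirtualQueryEx
    plus GetMappedFileName would give you; kind is MEM_IMAGE/MEM_PRIVATE/MEM_MAPPED.
    kernel_os: (major, minor, build) as reported by the kernel, not by the PEB."""
    f = parse_peb64(peb)
    findings = []
    base = f["image_base"]
    region = next((r for r in regions if r[0] == base), None)
    if region is None:
        findings.append(f"PEB.ImageBaseAddress {base:#x} is not the base of any mapped region")
    elif region[2] != "MEM_IMAGE":
        # Classic hollowing: the original image is unmapped and the PEB now points
        # at privately allocated memory holding the injected payload.
        findings.append(f"PEB.ImageBaseAddress {base:#x} points at {region[2]} memory, not an image mapping")
    elif (region[3] or "").lower() != expected_exe.lower():
        findings.append(f"image at {base:#x} is backed by {region[3]!r}, expected {expected_exe!r}")
    peb_os = (f["os_major"], f["os_minor"], f["os_build"])
    if peb_os != tuple(kernel_os):
        # The PEB copy of the OS version is writable by the process itself, so a
        # mismatch with the kernel's answer means something patched the PEB in-process.
        findings.append("PEB reports OS %d.%d.%d but the kernel reports %d.%d.%d" % (peb_os + tuple(kernel_os)))
    return findings


def demo():
    exe = r"C:\Apps\victim.exe"                     # constructed path
    kernel_os = (10, 0, 19045)                      # constructed kernel-reported version
    clean_regions = [
        (0x140000000, 0x200000, "MEM_IMAGE", exe),
        (0x7FFA12340000, 0x1F0000, "MEM_IMAGE", r"C:\Windows\System32\ntdll.dll"),
    ]
    hollowed_regions = [
        (0x240000, 0x50000, "MEM_PRIVATE", None),   # payload lives in private RWX memory
        (0x7FFA12340000, 0x1F0000, "MEM_IMAGE", r"C:\Windows\System32\ntdll.dll"),
    ]
    clean = hollowing_findings(make_peb64(0x140000000), clean_regions, exe, kernel_os)
    hollowed = hollowing_findings(make_peb64(0x240000), hollowed_regions, exe, kernel_os)
    patched = hollowing_findings(make_peb64(0x140000000, 6, 1, 7601), clean_regions, exe, kernel_os)
    return clean, hollowed, patched


if __name__ == "__main__":
    for label, result in zip(("clean", "hollowed", "self-patched"), demo()):
        print(label, "->", result or "no findings")
```

On a live Windows system the snapshot would come from NtQueryInformationProcess(ProcessBasicInformation) followed by ReadProcessMemory of the PebBaseAddress, and the region list from VirtualQueryEx; the comparison logic is the same. A benign self-patch (a compatibility shim rewriting the OS version fields, for instance) trips the second check exactly like a malicious one, which is why a vendor ends up maintaining exceptions for specific applications.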
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    OK, so you're saying other Chromium browsers might also trigger this, if not whitelisted?

    Yes, it's weird, I downloaded two versions from these websites, and one of them was flagged on VirusTotal, the other wasn't, so I wonder what's up with this. It seems to be a bit fishy. It wasn't detected by Win Defender though, so I wonder why Sir Percy did see this detection? Oh wait, he probably downloaded another version.
     
    Last edited: Sep 2, 2025
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    That's what I wonder about as well. It seems like Sophos is involved with the Windows Resilient Security Platform, can't you ask for more info? I mean, I can't visualize how protection tools would work without having to use a driver? When it comes to tamper protection, I guess Windows will take care of this, perhaps via app sandboxing.

    Or perhaps I'm misunderstanding, and will security tools still use drivers, but without full kernel access? I guess for clues we have to look at macOS, where security tools already run in usermode, with the help of so-called System Extensions. And Linux has got this system named eBPF, which is able to sandbox/isolate apps while still giving them access to the kernel. Sounds like Windows 12 would then need a complete redesign.

    https://www.trio.so/blog/macos-system-extensions/
    https://www.datadoghq.com/knowledge-center/ebpf/
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    BTW Ronny, two questions:

    Does HMPA already cover this new Application Bound Encryption bypass? And does HMPA offer protection against exploitation of MS Teams and Zoom?

    I just read about some bigtime crypto trader that was hacked via MS Teams, and it seems it was some kind of "zero day" exploit because he claims he didn't install anything and also didn't give any permissions to MS Teams. He lost almost $1 million! And apparently, Windows Defender was blind to this attack.

    https://www.cryptopolitan.com/fortune-collective-founder-phishing-scam/
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    642
    Sorry it took so long to reply, there were circumstances beyond my control.

    Yes, those two websites are run by the same developer. If I understand what he does, he ports patches from current Chrome to his Supermium fork. I can't claim to know the details of how he does it, but the idea is to maintain an updated browser for older versions of Windows, especially 7.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    No problem, and I think this Chromium patching might sometimes trigger these "process hollowing" alerts. So it's not malicious in this case. I do think it's weird to have two websites, it's better to focus only on one official website. But I'm actually shocked there aren't any browsers for Win 8 anymore. Old versions of Vivaldi and Firefox still work though, but certain websites won't run correctly.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    642
    I don't know of any browsers that support Win7 but not 8, so Win8 users should do OK with a Win7 browser. That's what I do, anyway.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    Ronny are you still there? I found these interesting articles from Sophos and CrowdStrike, I would be surprised if this new user-mode Windows API would give the same capabilities! I hope you can ask Sophos for more info.

    https://news.sophos.com/en-us/2024/...ernel-drivers-in-sophos-intercept-x-advanced/
    https://www.crowdstrike.com/en-us/blog/tech-analysis-kernel-access-security-architecture/

    I'm still annoyed that Chromium (and Firefox Gecko) isn't supported on Win 8, I wonder how long it will take until they stop supporting Win 10. Their excuse is probably about missing APIs on Win 8.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    BTW Ronny, I'm guessing you are on vacation?

    I have found another article about the new Windows usermode API, but sadly enough without any relevant technical information. I'm still hoping you can give more info, and I also hope it won't be like on Apple macOS, where security tools are not exactly that powerful, see second link.

    https://windowsforum.com/threads/wi...api-and-kernel-less-threat-protection.373181/
    https://drlogic.com/article/apples-...mework-how-to-secure-macos-in-the-enterprise/
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    722
    Location:
    Planet Earth
    I wish. Seems like I missed the notification from the forum.

    Usermode API will lack a huge load of protection because it's all "notification after the fact", so one will go from prevention to detection/reaction :-/
    On top, if the bad guys find a bypass and/or other tricks, they will have a trick that works against all vendors, as it's MS to fix.

    Can't share too much as NDA bla bla etc.
     
    Last edited: Oct 6, 2025
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Hi @RonnyT ,

    I've been running HMP.A for a while now and can happily report there's been no more issues, except from time to time Windows Live Mail will open, but be unresponsive. I disabled protection for WLM and haven't been bothered by anything at all since I reported this:

    #17071

    After recently uninstalling Norton, I have re-enabled exploit protection for WLM and will keep an eye on it.

    Thanks,
    Dave
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    WLM became unresponsive again. Looks like I'll just leave MalwareBytes to cover it.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    If you're using Malwarebytes Premium, then this might conflict with HMPA, because they both offer anti-exploit.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    OK I see, I already thought it was weird you didn't respond.

    But yes, don't know what to think about moving security tools out of the kernel. On one hand, it would be good for stability, but I highly doubt security tools would still be as powerful. I guess it all depends on the design, Linux's eBPF sounds quite cool. And what's also not clear is if you guys would still be able to perform usermode hooking.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,516
    Location:
    The Netherlands
    Yes indeed, because I assume with kernelmode APIs you can still implement certain protections, but with usermode APIs most security tools would perhaps become sitting ducks. BTW, does HMPA protect against Direct Syscalls?

    https://cyberpress.org/windows-defendersys-calls-and-xor-encryption/
    https://www.linkedin.com/pulse/windows-defender-bypassed-just-one-line-code-huntmetrics-xrcne
     
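The "Direct Syscalls" question above is about code that copies the `mov r10, rcx; mov eax, <SSN>; syscall` stub out of ntdll (or rebuilds it) so that a user-mode hook on the ntdll export never sees the call. Two checks a user-mode engine can still do are to scan executable memory outside ntdll for that stub pattern, and to verify that a syscall's return address lies inside ntdll. The following is an added example (not HitmanPro.ALERT's code) that implements both on constructed memory regions; the addresses, the region contents and the syscall number 0x18 are assumptions for the demo, since real SSNs change between Windows builds.

```python
"""Direct-syscall stub scanner and syscall-origin check.

Added example, not code from HitmanPro.ALERT. Region bytes, module
addresses and the SSN value are constructed; real SSNs vary per build.
"""
import re

# x64 Nt* stub as ntdll ships it:
#   4C 8B D1        mov r10, rcx
#   B8 xx xx xx xx  mov eax, <SSN>
#   [optional KUSER_SHARED_DATA check on newer builds]
#   0F 05           syscall
# A hand-rolled direct-syscall stub keeps the same core bytes, so one
# pattern finds it wherever it lives.
STUB_RE = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,16}?\x0f\x05", re.DOTALL)

NTDLL_BASE = 0x7FFA12340000   # constructed
NTDLL_SIZE = 0x1F0000
PRIVATE_BASE = 0x1C000000000  # constructed RWX allocation


def find_stubs(code: bytes, base: int):
    """(address, ssn) for every syscall stub in a code blob mapped at base."""
    return [(base + m.start(), int.from_bytes(m.group(1), "little"))
            for m in STUB_RE.finditer(code)]


def scan_regions(regions):
    """regions: dicts with base, kind (MEM_IMAGE/MEM_PRIVATE/MEM_MAPPED),
    backing (module file name or None) and bytes. Any stub that is not inside
    ntdll's own image mapping is reported as a direct-syscall stub."""
    findings = []
    for r in regions:
        in_ntdll = r["kind"] == "MEM_IMAGE" and (r["backing"] or "").lower() == "ntdll.dll"
        if in_ntdll:
            continue
        for addr, ssn in find_stubs(r["bytes"], r["base"]):
            findings.append({"address": addr, "ssn": ssn,
                             "kind": r["kind"], "backing": r["backing"]})
    return findings


def syscall_origin(return_addr: int, modules):
    """Classify where a syscall instruction executed from.
    modules: (name, base, size). Anything but 'ntdll' bypassed the ntdll stubs
    and therefore any user-mode hook placed on them."""
    for name, base, size in modules:
        if base <= return_addr < base + size:
            return "ntdll" if name.lower() == "ntdll.dll" else "module:" + name
    return "unbacked"


def constructed_regions():
    # Real-looking ntdll stub, including the Windows 10+ int 2Eh fallback path.
    ntdll_stub = (b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00"
                  b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03"  # test byte ptr [7FFE0308h],1 ; jne +3
                  b"\x0f\x05\xc3\xcd\x2e\xc3")                 # syscall ; ret ; int 2Eh ; ret
    # Bare copy an attacker drops into private memory: same SSN, no ntdll involved.
    rwx_stub = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"
    return [
        {"base": NTDLL_BASE, "kind": "MEM_IMAGE", "backing": "ntdll.dll",
         "bytes": b"\x90" * 0x40 + ntdll_stub + b"\xcc" * 8},
        {"base": PRIVATE_BASE, "kind": "MEM_PRIVATE", "backing": None,
         "bytes": b"\x00" * 16 + rwx_stub + b"\x00" * 16},
    ]


if __name__ == "__main__":
    for hit in scan_regions(constructed_regions()):
        print("direct-syscall stub at %#x, SSN %#x, %s" % (hit["address"], hit["ssn"], hit["kind"]))
    mods = [("ntdll.dll", NTDLL_BASE, NTDLL_SIZE)]
    print(syscall_origin(NTDLL_BASE + 0x52, mods), syscall_origin(PRIVATE_BASE + 24, mods))
```

The pattern scan catches stubs that were copied or assembled in place; techniques that resolve the SSN at run time and then jump to a `syscall` instruction inside ntdll ("indirect" syscalls) defeat the return-address check but still show up as a `syscall` reached without passing through the hooked export, which is the kind of gap RonnyT's point about user-mode-only protection is about.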
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    642
    I'm not @RonnyT ;) but the following section from your second link above raised a question or two:
    I can't comment on the first item on that list, but...
    1. The second item led me to wonder if something like OSArmor or CyberLock/VoodooShield might serve the stated purpose
    2. The third item would be addressed by using a standard account in Windows rather than an administrator account, is that right?
    3. In the final item, would/should a BB take care of the "behavioral analytics" suggestion?
    (My questions are in the context of a home or home-office user, not a large organization.)
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Well, WLM has become unresponsive with HMP.A protecting it, MB protecting it, and with NO programs protecting it.

    Stuffed if I know...
     