HitmanPro.ALERT Support and Discussion Thread

http://www.cs.ucr.edu/~nael/pubs/micro16.pdf - Branch buffer shortcoming in Intel CPUs allows hackers to reliably install malware on systems by bypassing ASLR.

A New Problem for you guys to solve!

 

Thank You Peter2150 and mood

 

HitmanPro.Alert 3.5.4 Build 567 BETA

Changelog (compared to 562)

• Improved CryptoGuard mitigation handling secure delete tools
• Improved WipeGuard mitigation
• Improved compatibility with Trusteer Rapport
• Added hardware-assisted support for Intel Goldmont and Intel Kaby Lake
• Added workaround for BSOD when Hyper-V is enabled on Windows 10 Redstone 1
• Fixed BSOD when removed USB flash drive
• Fixed BadUSB not disabling/enabling on certain computers
• Fixed disabling Network Lockdown now further disables network filtering
• Fixed compatibility issue with Zarafa
• Fixed Windows XP support
• Various minor issues solved

Notes
This build does not work on Windows 10 AU with SecureBoot enabled as the drivers in this build are not yet counter-signed by Microsoft.

Download
http://test.hitmanpro.com/hmpalert3b567.exe

Please let me know how this version runs on your computer

 

I think they got inspired by our WipeGuard solution

It is redundant. WipeGuard attaches closer to the hardware though.

 

All Win 10 AU or only Win 10 AU that was installed rather than upgraded?

 

All fresh installed Windows 10. So if you upgraded from Windows 7 or 8 to Windows 10, you can use the above build.

 

Such a shame as I'm curious is it working any better with Uplay and 3DMark. (As both of them are not working normally with HitmanPro.Alert running in background)

 

All well on my Windows 7 x64.
If any issue might show later, I will report, of course.

 

The paper is not about abusing a flaw in Intel CPUs to 'reliably install malware', but about bypassing ASLR. All exploit attacks of the last few years, incl. those in commodity exploit kits, are already capable of bypassing ASLR. This specific attack on ASLR alone is abusing a flaw in Intel hardware so the attacker can guestimate, through trial and error, adresses to abuse critical functions.

Important to mention: this specific attack cannot be performed using e.g. JavaScript. It cannot be done from remote without employing other existing exploit techniques. In order to abuse this flaw, the attacker must already be able to run code on the machine.

So before an exploit can eventually run the payload (install malware), the attacker must employ other exploit techniques too, to bypass e.g. DEP (Data Execution Prevention). He or she can do this with Return-Oriented Programming (ROP) and we e.g. have our hardware-assisted Control-Flow Integrity (CFI) against that.

In other words (of the game Quake), this attack on ASLR is cool but is like killing a bee with a Big Fragging Gun (BFG), while less dramatic conventional methods work too and are easier.

 

W7-x64: installed hmpa build 567 Beta over build 565.
No issues (yet) running HitmanPro build 280 with HitmanPro.alert build 567 Beta.
All my W7-x64 systems are running licensed. However my trial license on my test W10 AU laptop (upgraded from W7-x64) is expired so no W10 testing.

 

So far so good here.

 

How does one whitelist a W10 UWP game because the (for example, forza_x64_release_final.exe) executable in c:\program files\windowsapps\etc. appears to be encrypted or not a valid EXE?

 

Updated to build 567, no issues s far.

 

No problems upgrading build 567 beta. Did a secure wipe of 350+ files with Ccleaner 5.23 and no cryptoguard-issue.

 

No issues with 567 Beta upgrade. Everything as normal.

 

Despite HmP.A 567 beta (Improved CryptoGuard mitigation handling secure delete tools) a cryptoguard-issue with Ccleaner64.exe 5.23 (secure wiping of jpgs).

Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation CryptoGuard

Platform 10.0.14393/x64 v567 06_17*
PID 5152
Application C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe
Description CCleaner 5.23

Filename C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe

C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0161.JPG
C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0160.JPG
C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0159.JPG


Process Trace
1 C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe [5152]
"C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe" /uac
2 C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe [6308]
"C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe" /uac

Win10 1607 build 14393.321 x64/Norton Security v22.8.0.50

 

This build should fix some problems mentioned in this thread.
"BSOD after Removal of USB disk" / "Hyper-V" / ...
But Win10-Users (which don't want to disable "Secure Boot") may have to wait for a newer beta, because it's not counter-signed from MS.
Edit 2: Only fresh installations of Windows 10 are affected. Systems upgraded from an earlier OS to Windows 10 are not affected.

Edit: after reading "(compared to 562)" i see that some entries in the changelog were already mentioned in previous changelogs
So i removed already mentioned entries (but i'm not 100% sure, don't count on my user-customized changelog):

 

only if you have done a new [clean] installation


"OS signing enforcement is only for new OS installations;
systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change".

SecureBoot ON + system upgraded from an earlier OS (7, ...,10TH2) to Windows 10, version 1607 →
nothing to worry (OS signing enforcement OFF)

SecureBoot ON + new OS installation → OS signing enforcement ON → wait for proper counter-signed driver...

 

Oh, i forgot that
----
With the previous build sometimes the keystroke encryption indicator was not "animated" (Encrypting ...), but i keep an eye on that if it happens again.
----
The latest beta (b567) is running fine.
No problems with secure-deleting files with CCleaner or some other tools, and no problems after removal of USB-/Flash-drives.

 

Why is it that whenever I stop manually the HMP.A service, my internet connection is temporarily disrupted?

Is this intentional?

 

Bitdefender emailed today to say they fixed the problem that occurs with SQL Installing/Patching in the presence of HMP.A. I've confirmed it is indeed fixed after updating Bitdefender. :-D

 

Perform malware scan after installation fails in HMPA.
Even after installing HMP first and then installing & clicking on scan computer in HMPA 3.5.4 build 567
BETA shows failed.
Earlier versions of HMPA did however work when clicking on scan computer so something has changed.

 

Firewall rules are allowed for all HMPA connections AFAIK.

 

Build 567 BSODs on XP. Clean HMPA install. Launched Firefox browser -> BSOD.
Reboot XP -> BSOD right after boot. PAGE_FAULT_IN_NONPAGED_AREA 0x10000050
I sent you the dump Erik. Deleted HMPA files from XP via Win7 and XP boots fine.