HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Stop teasing us! :D Give us the real deal! :argh:

    I'm happy with AppGuard along with Hitman Pro and HitmanPro.Alert and have been for a long time now. I recently renewed A LOT of licenses due to the recent update releases. Hitman Pro was on a hiatus for a while, but now it's being very actively developed again!
     
  2. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I want to use Hitman Pro.Alert Will it work fine with my setup? DefenseWall + Shadow Defender + Hitman Pro.

    Best Wishes,
    Amit
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Interesting screenshot :D

    I have used v1 of Alert with Defensewall together, no problems. Though it probably doesn't check DW's built-in banking browser, but perhaps Erik can say more about it.
     
  5. DX2

    DX2 Guest

Trying this out, very very light. Alongside AppGuard and 360
     
  6. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    So it will work fine even in FF sandboxed by DW? Alert is great for when banking right? Is it better to use it in normal FF sandboxed by DW or DW's built in banking browser?

    Best Wishes,
    Amit
     
  7. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
    Just curious regarding the upcoming anti-exploit, will hmpalert take action before, or after EMET? Does it terminate the browser or trace and remove the exploit code?
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I've installed it. Working fine with DW. Does it mitigate and protect against MITM or MITB? How is it made compatible with other security suites or AVs when most offer both MITM and MITB protection?

    Best Wishes,
    Amit
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
HitmanPro.Alert shows an Alert when it finds a MITB. Existing security suites mostly do not warn when there is a zero-day Zeus, Citadel, Tinba, Cridex, Sinowal/Mebroot/Torpig stealing information from the browser. I know this for a fact because HitmanPro removes these from computers despite the presence of AVs.

Since the launch past Wednesday we've received several calls from users who got warnings from Alert but whose AV failed to detect malware. After running dozens of tools, no tool found the presence of a zero-day 64-bit Sinowal (I found it manually). It had already sat on their systems for 10 days when they decided to try Alert!

    You are right that AVs do MITB, but they are almost all signature based. Alert is forensic based and warns the user instantly. No signatures needed.

    About MITM, I can't comment on features that have not released yet ;)
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Any anti-exploit tool should terminate (or suspend) the thread that is using a pivoted stack or executing a ROP chain. This is because the thread first got owned via a vulnerability (a component like Java or Adobe Reader crashed in the process) and is now executing a malicious payload; keeping the thread alive is downright dangerous. Also, the process memory is very likely heap-sprayed with exploit code (the browser has eaten most of your memory) to get around DEP and ASLR. Keeping the process or thread alive does not make sense, as your process and its threads got totally owned.

    Are you aware of tools rolling up threads that are executing exploits, keeping browsers alive?
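The two conditions named above, a pivoted stack and a ROP chain reaching a critical API, can both be checked from inside a hook on that API at the moment it is called. The following is an added example, not HitmanPro.Alert or EMET code: it models the stack-bounds check (on Windows the bounds would be read from the thread's TEB, StackBase/StackLimit; here they are passed in as plain values) and the "caller" check that looks for a CALL instruction in front of the return address, and returns a terminate/allow verdict. The stack range, code bytes and function names are constructed for the demonstration.

```c
/* Added example, not HitmanPro.Alert or EMET code: two checks an anti-exploit
 * hook on a critical API can run before deciding to let the call through or
 * stop the thread. On Windows the thread's stack bounds come from the TEB
 * (StackBase/StackLimit); here they are passed in as plain values so the
 * logic is portable and testable. All addresses and bytes below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uintptr_t stack_limit; /* lowest valid stack address (TEB StackLimit) */
    uintptr_t stack_base;  /* one past the highest valid address (TEB StackBase) */
} thread_stack_t;

typedef enum { VERDICT_ALLOW, VERDICT_TERMINATE_THREAD } verdict_t;

/* Stack pivot check: a thread whose stack pointer lies outside its own stack
 * region has almost certainly had its stack swapped for attacker-controlled
 * memory, e.g. a heap spray. */
bool stack_pointer_in_thread_stack(const thread_stack_t *ts, uintptr_t sp)
{
    return sp >= ts->stack_limit && sp < ts->stack_base;
}

/* Caller check: the return address found on the stack at a hooked API should
 * sit right after a CALL instruction. A ROP chain reaches the API through RET,
 * so the bytes before the return address are usually not a CALL. Recognises
 * the common x86/x64 encodings: E8 rel32 (5 bytes), FF 15 disp32 (6 bytes),
 * FF D0..D7 (2 bytes, call reg). Matching a byte pattern is a heuristic; a
 * production tool combines it with the other checks rather than relying on it. */
bool return_address_preceded_by_call(const uint8_t *code, size_t ret_off)
{
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return true;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15)
        return true;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0)
        return true;
    return false;
}

/* Decision taken inside the hook: any failed check means the thread is
 * already running attacker-chosen code, so it is stopped rather than resumed. */
verdict_t inspect_critical_call(const thread_stack_t *ts, uintptr_t sp,
                                const uint8_t *caller_code, size_t ret_off)
{
    if (!stack_pointer_in_thread_stack(ts, sp))
        return VERDICT_TERMINATE_THREAD;
    if (!return_address_preceded_by_call(caller_code, ret_off))
        return VERDICT_TERMINATE_THREAD;
    return VERDICT_ALLOW;
}

/* Constructed thread: 1 MiB stack at 0x00100000..0x00200000. */
static const thread_stack_t demo_stack = { 0x00100000u, 0x00200000u };

/* Constructed code bytes: a 5-byte CALL rel32 followed by the return site. */
static const uint8_t call_site[] = { 0xE8, 0x10, 0x00, 0x00, 0x00, 0x90 };
/* Constructed code bytes: a RET followed by a NOP, the shape of a ROP gadget's end. */
static const uint8_t gadget_site[] = { 0xC3, 0x90 };

verdict_t demo_legitimate_call(void) { return inspect_critical_call(&demo_stack, 0x001FF000u, call_site, 5); }
verdict_t demo_pivoted_stack(void)   { return inspect_critical_call(&demo_stack, 0x0A000000u, call_site, 5); }
verdict_t demo_rop_return(void)      { return inspect_critical_call(&demo_stack, 0x001FF000u, gadget_site, 1); }

int main(void)
{
    printf("legitimate call: %s\n", demo_legitimate_call() == VERDICT_ALLOW ? "allow" : "terminate");
    printf("pivoted stack:   %s\n", demo_pivoted_stack() == VERDICT_ALLOW ? "allow" : "terminate");
    printf("ROP return:      %s\n", demo_rop_return() == VERDICT_ALLOW ? "allow" : "terminate");
    return 0;
}
```

Both checks are cheap enough to run on every call to a small set of critical APIs (memory allocation and protection changes, process and library loading), which is where such tools place their hooks; the verdict is "stop the thread", matching the reasoning in the post, not "clean up and resume".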
     
  11. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Oh I see. Thanks. And I'm glad MITM feature is on the way.:D:thumb:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    A quick question, will this tool only alert you if the system has already been infected, or can it also prevent the hijack in the first place, sort of like a HIPS?

    And is it different from tools like for example G Data BankGuard and Trusteer Rapport? ;)
     
    Last edited: Jul 7, 2013
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ erikloman

Tried installing again from the link in your sig. Saw a black flyout first, followed by a green one of the same size. Then my comp INSTANTLY rebooted! It didn't install?

No log, but I found one from last week when I tried.

    View attachment alertexe.log
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Today I noticed a second fly-out when starting Chrome. It has happened once before. So it seems like it happens intermittently and randomly.

    Nothing bad happened though after that. I could browse the web as usual.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @ erikloman,

    I didn't try the HitmanPro.Alert beta, but since Wednesday July 3rd, I use HitmanPro.Alert 2.0.8.

    Saturday July 6th, I noticed some odd behavior with HitmanPro.Alert, but only once, up to now:

    At some time, the computer idle, with no browser open, or with IE9 with multiple tabs open (I can't recall, unfortunately), the system went into hybrid sleep mode, as it was supposed to.
    Some time later, I woke up the computer from hybrid sleep, and subsequently HitmanPro.Alert behaved oddly:

    - HitmanPro.Alert's green flyout did not only appear with opening the browser,
    - but also with about half or one third of all (multiple) new browser tabs that I opened,
    - even after I closed the browser, opened it again and tried again.
    - Also, each flyout was a double flyout,
    - and clicking the flyout did not open the HitmanPro.Alert Settings window.
    - A Windows reboot fixed all of that strange behavior.

    I haven't been able to reproduce this issue,
    not with waking up the computer after it went into hybrid sleep with no browser open,
    nor with waking up the computer after it went into hybrid sleep with IE9 with multiple tabs open.
    Perhaps sleep mode had nothing to do with the issue.

    Nevertheless, I guess it may be useful to report my findings.

    Finally,
    some probably relevant system information:

    Windows Vista SP2 x86
    IE9
    G Data IS 2014
    SpywareBlaster 5.0
    EMET 4.0 with all EMET mitigations for iexplore.exe and also "Deep Hooks" enabled in EMET\ Apps\ Application Configuration.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
Yes, it works with browsers set as Untrusted (sandboxed) by DW. I'm not familiar with how DW's built-in banking browser actually works, so I can't say if Alert+FF Untrusted is better than DW's banking browser. Perhaps Surfright can add protection for DW's browser in Alert, but it is probably more work than with a normal browser and the market share is very little, so I doubt they will do that.
     
  17. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
There was a certain misunderstanding: I didn't doubt the necessity of killing the process (e.g. EMET does exactly this); my questions were
    (1) Does this cause undesired interference if both EMET and the upcoming hmpalert try to take action at the same time?
    (2) In addition to termination, will hmpalert be able to find the file containing the exploit and remove it?

    Thank you.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Oh I indeed misunderstood. We agree on the termination :)

1) I think the tool that gets called first, i.e. the tool that hooked into the critical functions last, is going to handle the exploit first.

    2) hmpalert monitors process injections system wide. It is able to pinpoint the source of injection (across process boundaries). In terms of exploits, they are mostly not files but downloaded content living in memory (perhaps also in a cache file). I'd say maybe on your question.
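The ordering claim in point 1) follows from how inline hooks on one function chain together: each tool saves the current entry point and installs its own in front of it, so the hook installed last is outermost and sees the call first. The following is an added example that models this, not HitmanPro.Alert or EMET code; the tool names, the stand-in API and the install order are placeholders chosen for the demonstration.

```c
/* Added example, not HitmanPro.Alert or EMET code: a model of how inline
 * hooks on one critical API chain together. Each tool saves the current
 * entry point and installs its own in front, so the tool that hooked last
 * sits outermost and sees the call first. Tool names are placeholders. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(void);

static int original_api(void) { return 42; }   /* stands in for the real API */
static api_fn g_entry = original_api;           /* what callers currently reach */

/* Order in which hooks observed the most recent call. */
static const char *g_seen[2];
static size_t g_seen_count = 0;

static api_fn tool_a_next;
static int tool_a_hook(void)
{
    if (g_seen_count < 2) g_seen[g_seen_count++] = "tool A";
    return tool_a_next();   /* pass the call down the chain */
}

static api_fn tool_b_next;
static int tool_b_hook(void)
{
    if (g_seen_count < 2) g_seen[g_seen_count++] = "tool B";
    return tool_b_next();
}

/* Installing a hook = remember the current entry, put yourself in front. */
void install_tool_a(void) { tool_a_next = g_entry; g_entry = tool_a_hook; }
void install_tool_b(void) { tool_b_next = g_entry; g_entry = tool_b_hook; }

void reset_chain(void) { g_entry = original_api; g_seen_count = 0; }

/* Installs the two hooks in the given order, makes one call through the
 * chain and returns the name of the hook that handled it first. */
const char *first_to_handle(bool a_installs_first)
{
    reset_chain();
    if (a_installs_first) { install_tool_a(); install_tool_b(); }
    else                  { install_tool_b(); install_tool_a(); }
    g_entry();
    return g_seen[0];
}

/* Number of hooks that observed the most recent call. */
size_t hooks_that_saw_last_call(void) { return g_seen_count; }

/* Result that reaches the caller after the whole chain has run. */
int call_through_chain(void) { return g_entry(); }

int main(void)
{
    printf("A then B installed -> %s handles the call first\n", first_to_handle(true));
    printf("B then A installed -> %s handles the call first\n", first_to_handle(false));
    printf("original API result still reaches the caller: %d\n", call_through_chain());
    return 0;
}
```

The practical consequence is that which tool sees an exploit first depends on load order (a driver or DLL that injects late lands outermost), so the behaviour of two stacked anti-exploit tools is a property of the deployment, not of either tool on its own.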
     
  19. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
1) Did you mean that hmpalert and EMET might be competing for killing a process, and the result (who gets it first) can vary from case to case? So would you test out hmpalert's compatibility with EMET? The scenario sounds similar to two AVs trying to remove the same file?

    2) Besides in-memory exploit, isn't it rather common nowadays that malicious PDF files contain exploit code, which can enable remote execution? In that case, hmpalert can pinpoint which PDF is responsible and remove it?

    Since you told us that the monitoring is not limited to browsers, is it safe to say that hmpalert will be a general-purpose anti-exploit tool (which would be wonderful)?

    Thanks!
     
  20. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
Hi Erik, any chance of getting this to work with Comodo Dragon? (Chromium based)
     
  21. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    +1 on that
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 2.0.9 Build 34 Released

    Changelog
    • ADDED: Support for Avant Browser, Baidu Spark Browser, Comodo Dragon, SRWare Iron and Yandex Browser.
    • FIXED: Compatibility with Kaspersky Antivirus 2013
    • FIXED: Compatibility with Sandboxie 3.76
    • IMPROVED: Browser detection algorithm
    Existing users are automatically updated within the next 24 hours.

    Download
    http://dl.surfright.nl/hmpalert.exe
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    New user here....on Comodo Dragon...:)
    I will post news about it on Comodo forum....
     
  24. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Ah thanks.

Okay, I'm confused here. Are you saying Hitman Pro.Alert protects my browser? I thought it alerts about MITB and uses Hitman Pro to remove the threat.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Sorry, I used wrong wording, it is indeed not protection as in blocking, perhaps inspection is a better word.
     