HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I think he meant Windows 10. But no worries, I can reproduce the issue with Virtual Box. We're investigating it tomorrow. Thanks!
     
  2. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Is Caller Check mitigation dependent upon any HMP.A settings ?

    My impression is that it is hardware-dependent instead.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I don't use Virtual Box, I was referring to the Win 10 insider build
     
  4. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
yea, that's the same issue w/vbox I reported last week sometime. build 351 (of hmp.alert) still works. I'm on a non-preview version of win10.
     
  5. snerd

    snerd Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    130
    Location:
    Arkansas USA
    Sorry, I disappeared. I view inside Firefox browser. Windows 10.
     
  6. hjlbx

    hjlbx Guest

    @Peter2150

    What exactly is the purpose of C:\Windows\CryptoGuard ... ? ... LOL.
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Apparently, Virtual Box does not play nice with lots of common software: https://forums.virtualbox.org/search.php?keywords=ldrloaddll
I am contemplating if we should make a workaround or just wait for Oracle to fix their stuff.
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
m0unds was suggesting that build 351 works and the later ones do not. I think I did have 351 on that laptop before updating to test the latest.
I put that ldrloaddll reference in my post after finding all those comments in the virtualbox forums to make it easier to hunt down.

It depends if the workaround is a lot of effort and if you expect that VirtualBox might change any time soon to eliminate the incompatibility.
If you choose not to work around it for now it is probably worth flagging the incompatibility (or potential incompatibility) during install.
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    No worries, we haven't thrown in the towel yet ;) stay tuned!
     
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    'That is the rollback folder; if you get hit by ransomware then you lost max. 3 files.' [Source]
    ?
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
Actually, the C:\Windows\CryptoGuard folder contains temporary previous versions of files (documents, photos, etc.) that are about to be changed on the disk. When your files are attacked (en masse encrypted) by crypto-ransomware, CryptoGuard will roll back the previous versions from the CryptoGuard folder so you never lose any files. You do not lose max. 3 files, you should not lose any at all.
     
    Last edited: Feb 16, 2016
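The rollback behaviour markloman describes, modelled as an added example (not HitmanPro.Alert's own code): a vault directory keeps the pre-write version of each file, a burst of high-entropy rewrites is treated as mass encryption, and the stored versions are restored. The entropy limit, the burst size, the basename-keyed vault and the `simulate` scenario are assumptions made for the demo.

```python
import math, os, shutil, tempfile
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted data, far lower for ordinary documents."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class RollbackGuard:
    """Toy model of the behaviour described in the post, not HitmanPro.Alert's code."""
    def __init__(self, vault_dir, burst=3, entropy_limit=7.0):
        self.vault = vault_dir            # stands in for C:\Windows\CryptoGuard (assumed layout)
        os.makedirs(vault_dir, exist_ok=True)
        self.burst, self.entropy_limit = burst, entropy_limit
        self.pending, self.tripped = [], False

    def before_write(self, path):
        """Stash the current version before it is overwritten (keyed by basename)."""
        shutil.copy2(path, os.path.join(self.vault, os.path.basename(path)))

    def after_write(self, path):
        """Return the files rolled back because of this write (usually none)."""
        with open(path, "rb") as f:
            if shannon_entropy(f.read()) < self.entropy_limit:
                return []                 # ordinary edit: keep the new content
        self.pending.append(path)
        if not self.tripped and len(self.pending) < self.burst:
            return []                     # isolated high-entropy write, not yet a mass attack
        self.tripped = True               # once a burst is seen, roll back every further hit
        restored, self.pending = self.pending, []
        for p in restored:
            shutil.copy2(os.path.join(self.vault, os.path.basename(p)), p)
        return restored

def simulate(n_files=4):
    """Constructed scenario: documents overwritten with random bytes, as ransomware would."""
    work = tempfile.mkdtemp()
    guard = RollbackGuard(os.path.join(work, "CryptoGuard"))
    originals, restored = {}, []
    for i in range(n_files):
        p = os.path.join(work, f"doc{i}.txt")
        originals[p] = f"Quarterly report {i}: plain text, low entropy.\n".encode() * 20
        with open(p, "wb") as f:
            f.write(originals[p])
    for p in originals:
        guard.before_write(p)
        with open(p, "wb") as f:
            f.write(os.urandom(4096))     # stand-in for the encrypted output
        restored += guard.after_write(p)
    return len(restored), all(open(p, "rb").read() == originals[p] for p in restored)
```

With four files and a burst size of three, the first three rewrites are restored together once the burst is recognised and the fourth is rolled back immediately; two rewrites alone stay below the threshold, which is the trade-off between false positives and the number of files at risk before detection.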
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
hi, *loman:
what about this improvement?
Can you share some more information?

    Txs a lot!
     
    Last edited: Feb 16, 2016
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    ok :)
     
  14. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
I've often wondered about how this works if you're running a light virtualisation solution like Shadow Defender protecting the system partition and had data encrypted by ransomware on another non-virtualised partition.

    In a scenario where you had an exception to C:\Windows\CryptoGuard in Shadow Defender to allow pre-encryption copies of the files to be stored to the 'real' system partition when the attack took place and rebooted to clear the infection (also likely wiping any logs or journaling employed by HMPA) could you just move the pre-encrypted copy files out of C:\Windows\CryptoGuard or does HMPA have to do that work? If the latter how does it know to do that if the logs/journaling are deleted by dropping out of the virtualised session?

    Thanks
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I have 3 internal drives. If I think there is any risk at all, when I shadow with shadow defender I just shadow all three drives. Works great. There are also some other ways of protecting stuff on other drives from Ransomware. Of course the real solution is to not let it on the system at all.
     
  16. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
Thanks! Yeah, I agree, but I also use SD on my daughter's laptop and she shares and updates lots of docs, so committing each one is not really an option for her and it is largely just the system partition that is shadowed. I also have AppGuard in there so anything infecting her is unlikely, but there are always 'shoot in foot' moments for everyone, especially for her with the amount of sharing of files with her cohort who may be less security conscious, so I just wondered how such a scenario would be recovered using HMPA.
     
  17. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    yep, vbox has always been a flaky mess. this is the first time I've personally run into a software conflict with it though. I usually just avoid anything that conflicts as I have to use vbox for work.
     
  18. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Is Caller Check mitigation dependent upon any HMP.A settings ?

    My impression is that it is hardware-dependent instead.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CallerCheck is part of CFI.

There are 2 implementations, a hardware-assisted one and a software-based one (like EMET).

Both are always used. If hardware is unsupported the software-based implementation remains.
     
  20. hjlbx

    hjlbx Guest

    Thanks @erikloman.
     
  21. hjlbx

    hjlbx Guest

    @erikloman

    I have ransomware samples that are blocked by CallerCheck.

Is that one of the typical mitigations for ransomware ?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Ah, that specific check falls under Process Protection. It is also called CallerCheck because some malware steps on our trap, as malware makes assumptions that hmpalert breaks, hence CallerCheck.

    It is not specific to ransomware but malware in general.
     
  23. hjlbx

    hjlbx Guest

    @erikloman - you da best !
     
  24. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Have there been any reported conflicts between HMP.A and SpyShelter products ?

    More specifically, has the HMP.A keystroke encryption been reported as clashing with SpyShelter's anti-logger ?
     
  25. e23

    e23 Guest

On Windows 7 64 bit HMP.Alert re-enables IPv6.
    I have the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents set to 0xff.
    As soon as hmpalert.exe starts the value is reset to 0x00.
    Running HMP.A version 3.1.7.357
     