HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Have you tried adding it to the excluded applications?
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    As I had mentioned the other day, Group Policy (and CryptoGuard) will protect the Documents, and UAC will cover the Windows directory. We are still left with all our applications and whatever individual settings used totally trashed, as well as not being able to boot back into Windows without a boot disk.

    I really don't think the damage done should in any way be minimized or discounted (and personally I think the malware is much more similar to Fortress).
     
  3. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Yes, that's the 2nd thing I tried.

    I have been following the thread at Virtualbox org that covers the security hardening of their product since Vbox v4.3.14. Since they have hardened their application to guard against DLL injection, a number of security apps have caused this behavior. Vbox logs show a list of .dll files that "lacks WinVerifyTrust" when the error is thrown as a VM is launched.

    Apparently, by installing the HitmanPro.Alert, a number of system .dll files become "protected" via .dll injection. Virtualbox has a problem with trusting these files and refuses to launch the VM.

    Disabling protections or excluding apps apparently has no effect on these .dll files. It seems that HMPA uninstall would be the only way to remove these "protections".

    Although much of this technically is over my head, my basic understanding is that the bottom line here involves DLL certification or signing. I have also heard that it can be complicated by the Microsoft Windows certificates: the certificates in MS Windows, the way they are handled, and of course the policy followed by Oracle regarding them.
     
    Last edited: Mar 14, 2016
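An added example, not from this thread and not code from the VirtualBox or HitmanPro developers, that turns the "lacks WinVerifyTrust" log entries described above into a signature check: it pulls every .dll path from the matching lines of a VBoxHardening.log and runs Get-AuthenticodeSignature on each. The log location, the exact wording of the hardening message and the path regex are assumptions; edit $LogPath and $LinePattern to match the log on your machine.

```powershell
# Added example (not from the thread, VirtualBox or HitmanPro): list the DLLs a
# VirtualBox hardening log flags and check their Authenticode status.
# ASSUMPTIONS: the log path, the message text matched by $LinePattern and the
# shape of the path in the line. "<VM name>" is a placeholder to fill in.
param(
    [string]$LogPath     = "$env:USERPROFILE\VirtualBox VMs\<VM name>\Logs\VBoxHardening.log",
    [string]$LinePattern = 'WinVerifyTrust'
)

function Get-FlaggedDll {
    # Return the unique .dll paths found on log lines matching $LinePattern.
    param([string]$Path, [string]$Pattern)
    Select-String -LiteralPath $Path -Pattern $Pattern |
        ForEach-Object {
            # Drive-letter path up to the first ".dll" (assumed log layout).
            [regex]::Match($_.Line, '(?i)[a-z]:\\[^"''<>|\r\n]+?\.dll').Value
        } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-DllSignature {
    # Report signature status, type and signer for each flagged DLL.
    param([string[]]$Dll)
    foreach ($file in $Dll) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Path = $file; Status = 'FileNotFound'; SignatureType = ''; Signer = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            Path          = $file
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$flagged = Get-FlaggedDll -Path $LogPath -Pattern $LinePattern
Test-DllSignature -Dll $flagged | Format-Table -AutoSize
```

Two caveats when reading the output: Windows system DLLs are usually catalog-signed rather than carrying an embedded signature, so they show SignatureType "Catalog", and a "Valid" status only means Windows trusts the file. VirtualBox applies its own hardening rules on top of that, so a DLL can pass here and still be rejected at VM launch; the useful signal is which flagged files come from outside the Windows and VirtualBox directories, since those point at the product doing the injection.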
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    VBox issue has been confirmed by Erikloman and should be fixed starting from 3.5...
     
  5. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Thanks! Good to know.

    I was wondering after I saw an earlier post mentioning one possibility of waiting for Oracle to fix their stuff.

    From what I have seen over at Virtualbox org. they insist it is not their issue, so not holding my breath waiting on Oracle, LOL!

    HMPA 3.5 sounds good to me!
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The problem with Virtualbox was introduced when we fixed an incompatibility with Emsisoft. Now that Emsisoft solved the issue as well, expect the fix for Virtualbox this week.
     
  7. hjlbx

    hjlbx Guest

    @erikloman @markloman

    Exploit Test Tool link on Surfright.nl\Downloads is only downloading 32 bit version; 64 bit version is gone.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It will return. We had to pull it per Sophos request.
     
  9. hjlbx

    hjlbx Guest

    Thanks mate.

    Thanks for taking a close look at the WinLocky. I was afraid the link to the video would get deleted from the thread.
     
  10. FLX

    FLX Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    2
    As an ordinary user I can hardly follow the discussion about this video.
    I assume that HMPA will handle this type of Ransomware in the near future?
     
  11. hjlbx

    hjlbx Guest

    It will be in future version (3.5). Developer mentions it on prior page (359).
     
  12. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    You also have to consider that, depending on the way this malware has to enter the computer and execute itself, exploit mitigation and lockdown would have stopped it dead in its tracks long before Cryptoguard could have chimed in. I am mainly worried about social engineering through the browser, where lockdown doesn't work as strictly as it does in other threatgate applications.
     
  13. Anguel

    Anguel Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    75
    That's wonderful news! However, I am wondering why I have wasted so much time describing to your support that there is a problem with Virtualbox and HMP Alert. They were sending me some strange solutions to try that have no effect. They could have at least confirmed the problem and could have told me that you are working on a solution. Very disappointed with HMP e-mail support, especially regarding the fact that we purchased 12 licenses ...

    UPDATE: How about some "known issues" section on your website, or did I overlook it?
     
    Last edited: Mar 15, 2016
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Eric, thanks for the quick response!

    In the meantime I have reverted to an old pre-hardened version of VBox (unfortunately for the folks on Win 10, not an option). I figure with HMP.Alert now on guard duty, that the un-hardened VBox is now the least of my worries.

    Looking forward to trying out the fix!
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I just read a report about how to block ransomware with behavior based technology. I wonder if HMPA is already using the three mitigations that were mentioned, see pages 12 and 13.

    http://www.eurecom.fr/en/publicatio...t-a-look-under-the-hood-of-ransomware-attacks
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Our in-house developed CryptoGuard technology dates back to 2013 to prevent crypto-ransomware. It works with a minifilter driver to monitor file changes and it even protects shared files against unprotected endpoints. WinAntiRansom and MBARW won't help you there.

    Working with decoys (mentioned on page 13) is silly. You already lost most of your files when the ransomware starts encrypting the decoy.
     
  17. hmpa111

    hmpa111 Registered Member

    Joined:
    Mar 11, 2016
    Posts:
    11
    Any update on this?
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert is not looking for EMET specifically, the Exploit Test Tool is.

    In Audit mode all features are enabled (if properly licensed), though it should never raise an alert. BadUSB and CamGuard (webcam notifier) need user input, so these are always shown regardless of the audit mode.
     
  19. JayKatai

    JayKatai Registered Member

    Joined:
    Dec 16, 2015
    Posts:
    23
    I tried to activate HMPA/HMP on my new computer about a week ago (the mobo died in the old one), but it said it is already activated on another computer, with no option to deactivate. I contacted support, who said they can do a reset on my license key, but I haven't heard anything back for nearly three days now.

    I know erik said he could assist by PM but I don't want it to get muddled up now and reset twice. What should I do?
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    + 1 for this simple request
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so you have already taken a look under the hood of WAR and MBARW? Like I said, it seems that WAR is using more advanced techniques than I initially thought.

    I also didn't understand this. I suppose the idea behind it is to somehow trigger on malware first modifying the decoy; after that you can suspend/terminate the process.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.9 Build 361 PreRelease

    Changelog
    • Fixed compatibility with VirtualBox hardening
    • Fixed compatibility with Microsoft Edge 31.14279 (Redstone)
    • Fixed compatibility with Microsoft OneNote's e-mail function
    • Improved ROP mitigations
    • Improved keystroke scrambling
    • Updated embedded libpng library
    Download
    http://test.hitmanpro.com/hmpalert3b361.exe

    Please let me know how this version runs on your computer :thumb:
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    No problems upgrading build 361 PreRelease.

    Win10 1511 build 10586.164 x64/Norton Security with Backup v22.6.0.142
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Looking good on one win 7 machine so far

    Erik see PM
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No problems upgrading, Win 8.1 x64.
     