HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.


  1. As Cruel Sister's video shows, (even current) HMP.Alert does not protect against file deletions, so CryptoGuard probably only monitors 'en masse' file overwrites. Newer variants of ransomware also encrypt the filename, so CryptoGuard would probably not notice the change, since the original file is saved under a different name and the original file is deleted.

    Are you still running V2.6 while you have V3.x, or are you only asking (and are using your licenses, hence the explicit request NOT to suggest an upgrade to the latest)?
     
    Last edited by a moderator: Mar 23, 2016
  2. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Simply because it has a small footprint and version 3.x.x won't install on one of my legacy XP computers. Run it together with MBAE 1.08.1.1189 (also small footprint) without conflict. As long as HMPA 2.6.5.77 adds a layer of security I'll keep it.
     
  3. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Upgraded against a charge, yes. But, as I said, I already have a 2 years v3.x license for 3 PCs and my query relates to the usefulness of 2.6.5.77 regardless.
     
  4. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Thanks for the 1st paragraph sum-up. Have to read that again to get the full meaning...

    As for the 2nd para, to reiterate, because it has a small footprint and version 3.x.x won't install on one of my old XP computers. As long as HMPA 2.6.5.77 adds a layer of security I'll keep it (together with MBAE 1.08.1.1189).
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    FWIW ~ little test > Paranoid Fish report w Active vaccination.
    http://betanews.com/2016/03/23/malware-detect-sandbox/
    * Pafish (Paranoid fish) *

    Some anti(debugger/VM/sandbox) tricks
    used by malware for the general public.
    [-] Debuggers detection
    [*] Using IsDebuggerPresent() ... OK

    [-] CPU information based detections
    [*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
    [*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... OK
    [*] Checking hypervisor bit in cpuid feature bits ... OK
    [*] Checking cpuid hypervisor vendor for known VM vendors ... OK

    [-] Generic sandbox detection
    [*] Using mouse activity ... traced!
    [*] Checking username ... OK
    [*] Checking file path ... OK
    [*] Checking common sample names in drives root ... OK
    [*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
    [*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
    [*] Checking if Sleep() is patched using GetTickCount() ... OK
    [*] Checking if NumberOfProcessors is < 2 via raw access ... OK
    [*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
    [*] Checking if pysical memory is < 1Gb ... OK
    [*] Checking operating system uptime using GetTickCount() ... OK
    [*] Checking if operating system IsNativeVhdBoot() ... OK

    [-] Hooks detection
    [*] Checking function ShellExecuteExW method 1 ... OK
    [*] Checking function CreateProcessA method 1 ... OK

    [-] Sandboxie detection
    [*] Using GetModuleHandle(sbiedll.dll) ... OK

    [-] Wine detection
    [*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
    [*] Reg key (HKCU\SOFTWARE\Wine) ... OK

    [-] VirtualBox detection
    [*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... traced!
    [*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
    [*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
    [*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
    [*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
    [*] Additional system files ... OK
    [*] Looking for a MAC address starting with 08:00:27 ... OK
    [*] Looking for pseudo devices ... OK
    [*] Looking for VBoxTray windows ... OK
    [*] Looking for VBox network share ... OK
    [*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
    [*] Looking for VBox devices using WMI ... OK

    [-] VMware detection
    [*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... traced!
    [*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
    [*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
    [*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
    [*] Looking for network adapter name ... OK
    [*] Looking for pseudo devices ... OK
    [*] Looking for VMware serial number ... OK

    [-] Qemu detection
    [*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK

    [-] Bochs detection
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] cpuid AMD wrong value for processor name ... OK
    [*] cpuid Intel wrong value for processor name ... OK

    [-] Cuckoo detection
    [*] Looking in the TLS for the hooks information structure ... OK
    YMMV
     
    Last edited: Mar 23, 2016
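Added example (not Pafish's source and not HitmanPro.Alert code): a pure-Python reimplementation of a handful of the host checks in the report above, namely CPU count, physical RAM, system-disk size, MAC OUI, and the two VirtualBox/VMware registry keys that show up as "traced!" with active vaccination, plus the bail-out decision naive malware makes on them. The thresholds (2 CPUs, 1 GB, 60 GB) and the MAC prefixes are the ones Pafish prints; the registry key list is limited to the two keys from the report (assumption: the real tool checks many more), and the `winreg` lookup only runs on Windows. A single planted artifact is enough to flip `looks_like_sandbox`, which is what vaccination relies on.

```python
"""Pafish-style host checks in Python (added example, not Pafish or HMP.A code).

collect_evidence() gathers raw facts; sandbox_indicators() turns them into the
same kind of 'traced!' list Pafish prints; looks_like_sandbox() is the naive
malware decision: any single tripped check means 'do not detonate'.
"""
import os
import shutil
import sys
import uuid

# OUI prefixes from the report above: VirtualBox (08:00:27) and VMware.
VM_MAC_PREFIXES = ("08:00:27", "00:05:69", "00:0C:29", "00:1C:14", "00:50:56")

# Registry keys that were 'traced!' with vaccination on. Assumption: only these
# two are checked here; Pafish looks at many more.
VM_REG_KEYS = (
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
)


def _total_ram_bytes():
    """Best-effort physical RAM via sysconf; None where it is unavailable."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        return None


def _present_vm_keys():
    """Windows only: return which of VM_REG_KEYS exist under HKLM."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key in VM_REG_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            found.append(key)
        except OSError:
            pass
    return found


def collect_evidence():
    """Gather the raw facts; no decision is made here."""
    mac = uuid.getnode()  # 48-bit int, most significant byte first
    mac_str = ":".join(f"{(mac >> s) & 0xFF:02X}" for s in range(40, -1, -8))
    return {
        "cpus": os.cpu_count() or 1,
        "ram_bytes": _total_ram_bytes(),
        "disk_bytes": shutil.disk_usage(os.path.abspath(os.sep)).total,
        "mac": mac_str,
        "reg_keys": _present_vm_keys(),
    }


def sandbox_indicators(ev):
    """Return the tripped checks, mirroring Pafish's 'traced!' lines."""
    hits = []
    if ev["cpus"] < 2:
        hits.append("NumberOfProcessors < 2")
    if ev["ram_bytes"] is not None and ev["ram_bytes"] < (1 << 30):
        hits.append("physical memory < 1GB")
    if ev["disk_bytes"] <= 60 * (1 << 30):
        hits.append("disk size <= 60GB")
    if ev["mac"].upper().startswith(VM_MAC_PREFIXES):
        hits.append(f"VM MAC OUI {ev['mac'][:8]}")
    for key in ev["reg_keys"]:
        hits.append(f"registry key HKLM\\{key}")
    return hits


def looks_like_sandbox(ev):
    """Naive malware logic: bail out on the first tripped check."""
    return bool(sandbox_indicators(ev))


if __name__ == "__main__":
    for line in sandbox_indicators(collect_evidence()):
        print("traced!", line)
```

Run it on a vaccinated host and the two registry lines appear even on bare metal; run it inside VirtualBox with vaccination off and the MAC OUI line tends to be the one that gives the VM away.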
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Fair enough :) I would just suggest that you make sure you've got protection against the newer crypto-ransomware threats.
     
  7. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    I am seeing a minor problem with the latest (beta) versions of HMPA (stock settings) where Flash crashes on certain web pages. Using Chrome 64-bit on Win10 and I am seeing it consistently on the BBC website (specifically the 'live' linked pages for sports/news etc.). Don't know if people outside the UK can recreate it as the BBC pages will be different. Uninstalling HMPA fixes it.
     
  8. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Pay attention when surfing on BBC.com, since it is one of the most struck websites according to this report.

    So my question is simple:
    real attack?
     
  9. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    Possibly though I've seen it for over a week.
     
  10. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Well strangely enough SurfRight support asked me to remove my Netgear switch (which has no router function) between my TP-Link router and my computer and promptly marked my problem as solved. I replied back that (as expected) the problem still remains. And even if it were to solve the problem, then I still find it strange that SurfRight sees this as a solution to simply remove a piece of hardware that's essential for my home network and never gave me any problems. o_O
     
    Last edited: Mar 23, 2016
  11. Anguel

    Anguel Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    75
    I also got some strange answers from support regarding my VirtualBox problem, they did not seem to understand what I was talking about and just sent me "some reply" not really related to the actual problem.
    Besides that, HMPA 3.1.9 build 361 seems to work fine with VirtualBox now, I use it together with KIS 2016.

    BTW: After Symantec's blacklisting of hitmanpro.com few weeks ago, now Avira's browser plugin also seems to block that link:
    http://test.hitmanpro.com/hmpalert3b361.exe
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have no such switch, so that is not a solution. Perhaps they can't see the cause, or in their view the problem is limited and not worthy of attention.
    In my case, accessing the router works - it is just very slow.
     
  13. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    I got another response from SurfRight support, this time from another person. His answer was a lot more logical. They are researching the problem and are aware of the issue. He further replied that the problem seems limited to only TP-Link routers and that a possible fix will be provided in an upcoming version. And even though this isn't a direct solution, I'm confident they will fix it. Let's hope sooner rather than later! :thumb:

    I've had several experiences like that with other support helpdesks; I wonder why giving nonsense answers sometimes seems to be more the rule than the exception.
     
    Last edited: Mar 24, 2016
  14. When HPMA 3 gives problems, I would replace HPMA 2 with Secure Folders (against ransomware) and keep MBAE free (against exploits).
     
  15. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Does HMP.A protect against the new TeslaCrypt 4.0, which changes neither the file name nor the file extension?
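Added example, covering both the deletion/rename concern raised in post 1 and the TeslaCrypt 4.0 question above; it is not CryptoGuard's logic and not SurfRight code. It snapshots a directory, re-diffs after activity and reports three patterns: a known file whose content turned high-entropy in place (same name and extension, the no-rename case), new high-entropy files appearing while originals disappear (the write-new-then-delete pattern), and ordinary edits, which must not trip it. The entropy cut-off, the sample size and the 'en masse' count are assumed values; `simulate()` builds its own throwaway files, with `os.urandom` standing in for ciphertext, so it runs offline.

```python
"""Directory-snapshot heuristic for mass encryption (added example, not CryptoGuard).

Judges content (Shannon entropy of each file's head), not names or extensions,
so it catches in-place overwrites as well as the create-new-then-delete pattern.
"""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.2  # bits/byte; assumed cut-off (random/compressed data is ~7.9 on 4 KiB)
MIN_HITS = 3             # assumed: this many suspicious files in one sweep is 'en masse'
SAMPLE_BYTES = 4096      # only the head of each file is scored


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root):
    """Map relative path -> (size, entropy of the first SAMPLE_BYTES)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                head = f.read(SAMPLE_BYTES)
            snap[os.path.relpath(p, root)] = (os.path.getsize(p), shannon_entropy(head))
    return snap


def diff_snapshots(before, after):
    """Return (events, flagged). Events are (kind, relative_path) tuples."""
    events = []
    for path, (_, ent) in after.items():
        if ent < ENTROPY_THRESHOLD:
            continue  # still looks like a document; plain edits land here
        if path in before and before[path][1] < ENTROPY_THRESHOLD:
            events.append(("overwritten", path))       # same name, content now ciphertext
        elif path not in before:
            events.append(("new-high-entropy", path))  # fresh file full of ciphertext
    deleted = [p for p in before if p not in after]
    # New ciphertext files appearing while originals vanish is the rename/delete pattern.
    if deleted and any(kind == "new-high-entropy" for kind, _ in events):
        events.extend(("deleted", p) for p in deleted)
    hits = [e for e in events if e[0] != "deleted"]
    return events, len(hits) >= MIN_HITS


def simulate(mode, n_files=4):
    """Constructed demo: plaintext docs, then 'overwrite', 'rename' or 'edit' them."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(n_files):
            with open(os.path.join(root, f"report{i}.docx"), "wb") as f:
                f.write(b"Quarterly figures, plain text filler. " * 200)
        before = snapshot(root)
        for i in range(n_files):
            src = os.path.join(root, f"report{i}.docx")
            if mode == "edit":          # benign change: must not be flagged
                with open(src, "ab") as f:
                    f.write(b" Appended revision.\n")
                continue
            if mode == "overwrite":     # same name and extension, content replaced
                dst = src
            elif mode == "rename":      # new name, then original removed
                dst = os.path.join(root, f"{os.urandom(4).hex()}.locked")
            else:
                raise ValueError(mode)
            with open(dst, "wb") as f:
                f.write(os.urandom(8000))  # stands in for ciphertext
            if dst != src:
                os.remove(src)
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for mode in ("overwrite", "rename", "edit"):
        events, flagged = simulate(mode)
        print(mode, "flagged" if flagged else "clean", len(events), "events")
```

Polling snapshots is a demonstration, not a product design: a real implementation hooks writes in the filesystem path so it can block before the third or fourth file is gone, and it has to whitelist archivers and backup tools, which also write high-entropy output in bulk.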
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Interesting read here:

    http://www.bleepingcomputer.com/new...d-with-bug-fixes-and-stops-adding-extensions/

    This one uses RSA4096 (because apparently RSA2048 wasn't strong enough :blink: )

    Here's some interesting data about what it would take to break RSA2048:

    https://www.digicert.com/TimeTravel/math.htm

    Excerpt:

    "In putting together our video, we estimated the age of the Universe to be 13,751,783,021 years or a little over 13.75 billion years*, therefore if you tried to break a DigiCert 2048-bit SSL certificate using a standard modern desktop computer, and you started at the beginning of time, you would have expended 13 billion years of processing by the time you got back to today, and you would still have to repeat that entire process 468,481 times one after the other into our far far distant future before there was a good probability of breaking the certificate. In fact the Universe itself would grow dark before you even got close."
     
    Last edited: Mar 25, 2016
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  18. hjlbx

    hjlbx Guest

  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it does.

    image.png

    The samples we tested also trigger HollowProcess first.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No. CryptoGuard does not block this.

    You can recover from PETYA though. Our brief research shows that only the MBR and NTFS are touched, so you can recover with an undelete tool.

    Of course we are not waiting for the next one to hit ;)
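Added example (not SurfRight's research tooling): a parser for the 512-byte MBR that Petya overwrites. It checks the 0x55AA signature and the four partition entries and compares a SHA-256 of the bootstrap code against a stored baseline, so a replaced boot loader is noticed. The sample sector is constructed inline; `read_physical_mbr()` (the device path `\\.\PhysicalDrive0` is the Windows name and needs administrator rights) is how you would feed it a real sector. It says nothing about the NTFS structures Petya also touches, which is what the undelete step above addresses.

```python
"""MBR integrity check (added example, not HitmanPro or SurfRight code).

Sector 0 layout: 446 bytes of boot code, 4 x 16-byte partition entries at
offset 446, and the 0x55AA signature at offset 510.
"""
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446
SIG_OFFSET = 510
PART_NTFS = 0x07


def parse_mbr(sector: bytes):
    """Decode signature, non-empty partition entries and a hash of the boot code."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, lba_count = struct.unpack_from("<II", e, 8)
        parts.append({
            "index": i,
            "bootable": e[0] == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
        })
    return {
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xAA",
        "partitions": parts,
        "bootcode_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str):
    """Return a list of findings; an empty list means the sector looks as recorded."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    if not any(p["type"] == PART_NTFS for p in info["partitions"]):
        findings.append("no NTFS partition entry")
    return findings


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sector: given boot code, one active NTFS partition at LBA 2048."""
    body = bootcode.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    entry = bytes([0x80, 0, 0, 0, PART_NTFS, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48  # three empty slots
    return body + table + b"\x55\xAA"


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (Windows path shown; needs administrator)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOTSTRAP")
    baseline = parse_mbr(clean)["bootcode_sha256"]  # record this while the machine is healthy
    tampered = build_sample_mbr(b"\xEB\x3C\x90REPLACED-BOOTSTRAP")
    print(check_mbr(clean, baseline))     # []
    print(check_mbr(tampered, baseline))  # ['boot code differs from baseline']
```

Record the baseline hash once after installing the OS or a boot manager (any legitimate boot-loader update changes it too), and keep it off the machine it describes; a bootkit that can rewrite sector 0 can also rewrite a file sitting next to it.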
     
  21. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I smell innovation here. I hope I'm right. :D
     
  22. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Thanks. You mean Secure Folders by SubiSoft? Locking/encrypting folders sounds like added overhead and, besides, a company that doesn't state where it's located is not for me. You have to follow the country code (+91) to find out. Maybe MBARW (once ready) will be folded into MBAE...
     
  23. SPRINTMAN

    SPRINTMAN Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    53
    Location:
    Canberra, ACT, Australia
    Would HMPA offer me anything additional to MBAM/MBAE and NS? CryptoPrevent running in std mode as well. I have HMP standalone scanner already.
    Tks in anticipation...
     
  24. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    You will get features apart from anti-ransomware and anti-exploit. There are features in HMP.A that may not be present in your current security configuration.
    http://www.hitmanpro.com/alert
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No, he doesn't mean the Subisoft product, but another soft which has been abandoned unfortunately, though it does its job admirably.
    I suspect you wouldn't want that, but if you do it is still available but I would have to search for the link.
    Also, MB have intimated that MBARW will be incorporated into MBAM. Don't know if MBAE will be also.
    :oops:, this is OT.
     