HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If I understood correctly, without the hooking of nearly every process, HMPA would not be able to provide certain protection, like safe banking and anti-ransom. But for pure anti-exploit protection, system wide hooking is not necessary. In newer versions of HMPA, you can exclude certain processes from being hooked, is this correct?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, I doubt that his setup will ever be defeated, if one of them fails, then there's always another one to give some back up. :D

    Nicely said, I'm also sick and tired of the buggy and bloated and AV's from nowadays. But regarding the possible bypass of HMPA, it doesn't seem to be true ransomware, it just crashes the machine and after reboot it starts to delete files. So there is no encryption going on, so no wonder that HMPA doesn't react.
     
  3. numen

    numen Registered Member

    Joined:
    Jul 31, 2016
    Posts:
    10
    Location:
    Europe
    Thanks for your report. I did a fresh install of the newest version, just to be sure, but still the same result (plus I had to fight the infamous Avira detected the update to Windows 10 message once more; at least they've got a KB article of how to get rid of it now). Hopefully the devs will be able to replicate or I will need to start looking for another AV solution (though my subscription is still good for over a year and I genuinely did like Avira).
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No. The answer to the question "I wonder how this ransomware gets on your system in the first place?" doesn't imply any advanced attack that justifies security software. He is talking about the oldest tricks in the book, like opening malware inside an e-mail attachment or enabling macros in a suspicious office document or surfing with an outdated browser + plugins. He is way too smart for that. Truth is, if he was honest with himself, he wouldn't need most of the stuff he is using right now, and if he were truly paranoid, he would be afraid of this "new ransomware".
     
  5. Frankthetank

    Frankthetank Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    3
    Location:
    Germany
    Hello there,
    today I got an issue with HMP Alert on cleaning the system with Wise Care 365 (Common Cleaner).
    After starting the cleaning process I got a blocking message by HMP Alert shown on my screenshot (german language). What I can do, to prevent this message while cleaning with Wise Care? I don't want to add it as exclusion. Maybe I should remove some folders which Wise Care will clean up?
     
  6. hjlbx

    hjlbx Guest

    @Windows_Security

    Appears to me the ransomware just terminates and\or disables Windows explorer.exe. This would account for the taskbar\tray icon disappearance - as well as the deskotp background change.

    I cannot confirm as the knucklehead reviewer doesn't show Process Explorer after Der Fürher's ransom note appears. Plus, I didn't see a system reboot. Perhaps after the reboot the taskbar\tray icons would reappear.

    If that is indeed the case, then probably nothing was disabled - just still running, but withtout a visible indicator (taskbar w\tray icons) to indicate HMP.A was still active on the system.
     
    Last edited by a moderator: Aug 9, 2016
  7. plat1098

    plat1098 Guest

    Oops, I apologize, this was a misunderstanding.:'( That IS a lot of stuff there, is it all necessary?

    To me, this is a creepy threat to one's machine-- specifically as HMP-A is a big component of my current security. I'll be very interested to see how this video ultimately pans out and whether it actually demonstrated what it claimed, without any trickery.
     
  8. When I understand correctly all (windows) protected processes can't be hooked, so HPMA should already be able to deal with certain processes not being hooked.
     
  9. I have seen that video also, but this video is from August 5th and with Cerber 2 (while HPMA protected against Cerber 1 in a june comparative review).
     
  10. To be honest, I have not followed the ransomware hype, because first ones needed to be executed by the user or used poisened documents with scripts or other embedded code in (mail) attachments. @SHvFl You seem to have followed this more closely: are there also ransomware samples which are delivered through staged threats or advanced exploits? Thx :thumb:

    @FleischmannTV please don't slaughter this question as you did with Peter, see my sig I use mostly Windows build in protection. :oops:
     
    Last edited by a moderator: Aug 9, 2016
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Gosh, you knew my question so well, I almost didn't need to ask it :) But as I have said before, I run a business on my computers and some of my clients could be a big risk if the data got out, so when someone mentions new ransomware and doesn't indicates it's just more of the same, indeed I will ask the question again.

    Something else I do with my set up is test it against me. If any program poses a challenge or question and I answer it wrong am I still protected. So far so good.
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Most stuff is still spread in 'regular' spamruns.
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    The last time my Norton subscription was up, I considered Emsisoft and their lack of e-mail scanning was one specific reason that I passed them up. One less line of defense, as far as I'm concerned.
     
  14. @SHvFl thx, nice diagram explains staged attack of CryptoWall malware using Neutrino Exploit kit on page 4 of the PDF you posted
     
  15. @erikloman @markloman

    upload_2016-8-10_9-14-3.png

    As video's of malware researcher seems to suggest HPMA does not protect, I am asking you directly: does HPMA protect against Hitler and Cerber-2 ransomware?
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We're looking into this. As I am on vacation I have no access to equipment. Mark will post his findings. Please be patient.
     
    Last edited: Aug 10, 2016
  17. Enjoy your holiday, as posted it is a bit taggy of competiting malware researcher to show your logo's (icon's) on malware video's.

    They force Surfright to spend time and money (Mark's time and manpower) to counter these covert public attacks, so take your time to respond.
     
  18. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I've spoken to the guy who creates those videos via direct message on Twitter a while ago, and he confirmed that he turns off protections just to illustrate the ransomware. He apparently only has one snapshot for both protection tests (CryptoGuard ON) and illustration videos (CryptoGuard OFF). So if you see a video from "GrujaRS" know that CryptoGuard is OFF.

    Now that you know, on your request I've done some research on the Hitler ransomware and the Cerber2 crypto-ransomware. The results are expected:
    • HitmanPro.Alert does NOT stop the Hitler ransomware, as it is NOT crypto-ransomware. CryptoGuard protects against crypto-ransomware and the Hitler ransomware doesn't encrypt your data. It simply removes the file extensions from your files and then demands ransom money. Your files are not changed.
      If victims reboot their machine, the data is deleted. This deletion process doesn't happen using overwrite (CryptoGuard would've stepped in otherwise) which means victims can use a simple undelete tool to get their files back. The Hitler ransomware is not prevalent, only 1 sample on VirusTotal, and it's extremely low tech. The first time it appeared on VirusTotal, AV detection was already decent; your AV would likely have protected you against this.

    • HitmanPro.Alert STOPS the Cerber2 ransomware, because it is irreversibly encrypting your data:
      Cerber2.png
      Cerber2 is highly prevalent. Like Locky or Zepto, many, many variants of Cerber2 crypto-ransomware appear on VirusTotal every day. AV detection of new obfuscated variants is high; your AV will do a good job against Cerber2.
    Hope this helps.
     
    Last edited: Aug 10, 2016
  19. emil emil

    emil emil Registered Member

    Joined:
    May 5, 2016
    Posts:
    28
    Mitigation WipeGuard

    Platform 6.1.7601/x64 06_1e
    PID 3608
    Application G:\Downloads\rufus-2.10p.exe
    Description Rufus 2.10

    Master Boot Record (MBR)

    Process Trace
    1 G:\Downloads\rufus-2.10p.exe [3608]
    2 C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe [4456]
    3 C:\Windows\explorer.exe [2124]
    4 C:\Windows\System32\userinit.exe [2444]
     
  20. guest

    guest Guest

    If you start software that is known to modify the MBR, format volumes, etc. you have to disable WipeGuard temporarily.
     
  21. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Hello, someone knows how I can delete events logged in HitmanPro.Alert Events to report number of advices to 0? Thanks.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Am I correct?...does it means that HMPA doesn't cover specific folders in User Profiles and can't detect such not so sophisticated action on files? Hmmm...I think user who would see screen with such characteristic person will count on your app but in fact he can't. Undelete tools?...I know small number of less/average-skilled users who are using such tools...for most of such people this is just "witchcraft".
     
  23. Yes, thx, mmhhh with such friends . . .:eek:
     
  24. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Clear the Application log in Windows Event Viewer. A restart was required for HMP.A to change to 0.
     
  25. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Thanks @eddiewood I managed to reset both windows and Hitman logs with this command in cmd.exe as admin:

    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.