HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    It's very late here in Europe, past midnight. Most people are sleeping....
    Gn8
     
  2. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Just upgraded to 578 Beta. Browsers and hitman pro alert tests work OK.

    Win 10 latest, f-secure, appguard.
     
  3. Do I understand your answer correctly that you are implicitly saying the test of @cruelsister is not valid, because "exploit mitigation" and "application lockdown" would have prevented the sample from executing in the first place (intercepted earlier in the chain of events)?

    As far as I know, the majority of ransomware is delivered through email (dropped on the system by downloading an attachment). Most of this mail-delivered ransomware does not even bother to use an exploit; it aims at the user to shoot themselves in the foot by clicking on the downloaded attachment. So how would "application lockdown" prevent an attachment from being executed by the user?
     
    Last edited by a moderator: Jan 17, 2017
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The test is valid for CryptoGuard, not for Alert as a whole. But I understand the difficulties of testing bigger scenarios. The more steps involved in the chain, the higher the chance of it getting stopped by a security product if you are doing a test (time is a critical factor in testing attack chains). But the reality is that despite security layers like spam filters, URL/IP filters, on-access scanners (AV), computers still get ransomed. The daily news reflects that. It is hard to make people aware that signature- and reputation-based solutions have no place in a security world. With these solutions you are always stuck with detecting 0day and the time needed to update these solutions.

    I want to point out that all technologies in Alert are not signature driven or reputation based. Take for example "Application Lockdown". It just prevents the execution of binaries dropped on the system (via attachments). It is basically an Anti-Exe for specific applications (e.g. Office). By far most spam runs with ransomware come in via attached office documents, scripts, etc. These are mitigated by "Application Lockdown". I agree that a clicked URL in an email starting a browser to download a file and the user manually executing that download will not be mitigated. It is up to CryptoGuard to catch these attack scenarios.

    Lastly, from the test I cannot see if the files are merely renamed or actually encrypted. Some ransomware samples fail to encrypt (attack server down) but still rename the file. I recognize the annoyance of renamed files; CryptoGuard currently focuses only on the contents of a file (hence the name CryptoGuard). But this allows our technology to also work on file servers. This means that if you have an HMPA-protected file server and unprotected endpoints, all files shared by the server are protected by CryptoGuard on that server. The same applies to a home computer (protected computer A) with shared files: those shared files are protected from ransomware running on unprotected computer B. There are no other solutions that have this capability.

    @cruelsister is doing a great job at raising awareness of the (in)effectiveness of security solutions. IMO Alert did a very good job at blocking the majority of ransomware in her video, especially considering our signature-less technology dates back to November 2013.

    A major update to CryptoGuard will arrive soon as beta in this forum.
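To make concrete what "CryptoGuard focuses only on the contents of a file" means in practice, here is an added example in Python. It is not HitmanPro.Alert's code and not part of erikloman's post; it models the distinction the post draws: a rename is never a reason to intervene, while replacing readable content with encrypted-looking, high-entropy data is. The `ContentGuard` class, the entropy thresholds, the `pseudo_ciphertext` helper and the sample document are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Simplified model (added example, not HitmanPro.Alert's own logic): a write is judged
# by what it does to the file's CONTENT. A rename changes only the name, so it is never
# flagged; replacing readable content with high-entropy (encrypted-looking) data is.

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

LOW_ENTROPY_MAX = 6.0    # documents, scripts and source text sit well below this (assumed)
HIGH_ENTROPY_MIN = 7.0   # compressed or encrypted data sits above this (assumed)

class ContentGuard:
    """Tracks the last known content of each path and vets overwrites before they land."""

    def __init__(self):
        self.files = {}          # path -> bytes (simulated on-disk content)
        self.events = []         # audit trail of (action, path, verdict)

    def create(self, path: str, data: bytes) -> str:
        self.files[path] = data
        self.events.append(("create", path, "allowed"))
        return "allowed"

    def rename(self, old: str, new: str) -> str:
        # Content is untouched, so a content-based guard has nothing to object to,
        # even if the new name carries a ransomware-style extension.
        self.files[new] = self.files.pop(old)
        self.events.append(("rename", new, "allowed"))
        return "allowed"

    def overwrite(self, path: str, data: bytes) -> str:
        before = self.files.get(path)
        ransom_like = (
            before is not None                              # a brand-new file has nothing to destroy
            and shannon_entropy(before) <= LOW_ENTROPY_MAX  # readable content ...
            and shannon_entropy(data) >= HIGH_ENTROPY_MIN   # ... replaced by ciphertext-like bytes
            and len(data) >= 0.5 * len(before)              # a tiny marker write is not a rewrite
        )
        if ransom_like:
            # Refuse the write; the original bytes stay in place.
            self.events.append(("overwrite", path, "blocked"))
            return "blocked"
        self.files[path] = data
        self.events.append(("overwrite", path, "allowed"))
        return "allowed"

# ---- constructed sample data ----
DOCUMENT = ("Quarterly report: revenue up 3%, costs flat, headcount unchanged.\n" * 40).encode()

def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return out[:length]

def demo():
    """Walk one file through a rename, a normal edit and a ransomware-style overwrite."""
    guard = ContentGuard()
    guard.create("report.docx", DOCUMENT)
    renamed = guard.rename("report.docx", "report.docx.locked")   # name only: allowed
    edited = guard.overwrite("report.docx.locked",
                             DOCUMENT + b"Addendum: Q4 outlook stable.\n")  # still text: allowed
    encrypted = guard.overwrite("report.docx.locked",
                                pseudo_ciphertext(len(DOCUMENT)))    # ciphertext-like: blocked
    return renamed, edited, encrypted

if __name__ == "__main__":
    print(demo())   # ('allowed', 'allowed', 'blocked')
```

A guard like this says nothing about file names: the rename to `.locked` passes, which is exactly the annoyance the post acknowledges. Because it inspects the bytes being written rather than which process writes them, the same check can sit on the server side of a file share and protect files that unprotected clients write to.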
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Is it OK to download latest beta now, or should we wait for your go-ahead?
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    You have to wait only if SecureBoot is enabled and you opted for a fresh installation of 10 AU.

    In fact, if you have upgraded your system, driver signing enforcement does not apply regardless of SecureBoot status....
     
  7. Cool feature. I understand that it does not block all files, just for me to understand fully (assuming you mentioned file as any file): when a user downloads a poisoned Office document or PDF, will "application lockdown" also act as an anti-executable?
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Correct. All files dropping from Word or PDF-reader are blocked from execution by "Application Lockdown". Such applications are not meant to write executables to disk, only documents.
     
  9. Sorry: I asked, when a user downloads a Word document or PDF from the browser or saves an attachment to disk from his mail client, will that file be blocked when the user double-clicks it in Windows Explorer?
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That .doc is allowed to be read (otherwise you can't send documents among colleagues). But all files flowing from the .doc are blocked. So malicious PowerShell and macros can't do harm. And of course exploits in those documents are also blocked.
     
  11. Cool, so this is similar to MemProtect, only with pre-set rules and a GUI (so no need to manually create rules in an ini-file).
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Build 578 works fine. If you want to use it just make sure that "Secure Boot" is Off in the UEFI.
     
  13. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    Joined:
    Jan 17, 2017
    Posts:
    15
    Location:
    UK
    Hi all, just signed up as this seems to be the place to get info/help about HitmanPro.Alert.

    I am running build 574 on Windows 10 AU with Sophos Endpoint Security and Control 11.0.10 UTM and Rapport Trusteer and I get a lot of HMPA alerts in the event log for Firefox like the following:

    Mitigation SelfProtection

    Platform 10.0.14393/x64 v574 06_3f
    PID 3204
    Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description Firefox 50.1


    Process Trace
    1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3204]
    2 C:\Windows\explorer.exe [12044]
    3 C:\Windows\System32\userinit.exe [9028]
    4 C:\Windows\System32\winlogon.exe [11824]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [13348]
    \SystemRoot\System32\smss.exe 0000012c 00000080
    6 C:\Windows\System32\smss.exe [524]
    \SystemRoot\System32\smss.exe
    7 [4]

    Thumbprint
    2814b5ab94e1a1de09774bbe98bd90a6565915b090bc84f38eba3c952d77dc2b


    I even got one when registering for this site:

    Mitigation SelfProtection

    Platform 10.0.14393/x64 v574 06_3f
    PID 9112
    Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description Firefox 50.1


    Process Trace
    1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [9112]
    "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "https://www.wilderssecurity.com/account-confirmation/xxxxxxxxxxxxxxx"
    2 C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [5060]
    3 C:\Windows\explorer.exe [12044]
    4 C:\Windows\System32\userinit.exe [9028]
    5 C:\Windows\System32\winlogon.exe [11824]
    winlogon.exe
    6 C:\Windows\System32\smss.exe [13348]
    \SystemRoot\System32\smss.exe 0000012c 00000080
    7 C:\Windows\System32\smss.exe [524]
    \SystemRoot\System32\smss.exe
    8 [4]

    Thumbprint
    2814b5ab94e1a1de09774bbe98bd90a6565915b090bc84f38eba3c952d77dc2b

    Firefox has HTTPS Anywhere and uBlock Origin (Currently disabled) plugins.

    Any ideas? It doesn't seem to cause me any issues, I am just a little curious and wonder if HMPA is working as it should?
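The two alerts quoted above share one layout (header fields, a numbered process trace with optional continuation lines, and a thumbprint), which makes them easy to collect from the event log and correlate. The following is an added Python example, not part of the post and not HitmanPro.Alert's own code: it parses that layout into a structured record and then applies a simplified ancestry rule modelled on the "Application Lockdown" behaviour erikloman describes earlier in the thread (a process launched under a document application is suspect unless it is a child the document application legitimately starts, such as a browser for a clicked link). The rule, the `DOCUMENT_APPS` and `ALLOWED_CHILDREN` sets, the `lockdown_verdict` function and the second, Word-to-PowerShell sample are assumptions for illustration; the first sample reproduces the Firefox alert from the post with the URL replaced by a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the layout of the Firefox alert quoted in the post above
# (the confirmation URL is replaced with a placeholder).
SAMPLE_ALERT = r"""Mitigation SelfProtection

Platform 10.0.14393/x64 v574 06_3f
PID 9112
Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Description Firefox 50.1


Process Trace
1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [9112]
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "https://forum.example/account-confirmation/PLACEHOLDER"
2 C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [5060]
3 C:\Windows\explorer.exe [12044]
4 C:\Windows\System32\userinit.exe [9028]
5 C:\Windows\System32\winlogon.exe [11824]
winlogon.exe
6 C:\Windows\System32\smss.exe [13348]
\SystemRoot\System32\smss.exe 0000012c 00000080
7 C:\Windows\System32\smss.exe [524]
\SystemRoot\System32\smss.exe
8 [4]

Thumbprint
2814b5ab94e1a1de09774bbe98bd90a6565915b090bc84f38eba3c952d77dc2b
"""

# Second, fully constructed sample: a shell launched from under Word (PIDs and paths invented).
CONSTRUCTED_MACRO_ALERT = r"""Mitigation ConstructedSample
PID 4242
Application C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Trace
1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [4242]
2 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [3100]
3 C:\Windows\explorer.exe [12044]
"""

# "<depth> <image path> [<pid>]"; the image may be empty, as in the bare "8 [4]" System entry.
TRACE_LINE = re.compile(r"^(\d+)\s+(.*?)\s*\[(\d+)\]$")

@dataclass
class TraceEntry:
    depth: int
    image: str                  # empty for the "[4]" entry
    pid: int
    command_line: str = ""      # taken from the continuation line below the entry, if any

@dataclass
class Alert:
    mitigation: str = ""
    platform: str = ""
    pid: int = 0
    application: str = ""
    description: str = ""
    trace: List[TraceEntry] = field(default_factory=list)
    thumbprint: str = ""

def parse_alert(text: str) -> Alert:
    """Turn one alert block into an Alert record; trace[0] is the alerting process itself."""
    alert = Alert()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Process Trace":
            section = "trace"
            continue
        if line == "Thumbprint":
            section = "thumbprint"
            continue
        if section == "header":
            key, _, value = line.partition(" ")
            if key == "Mitigation":
                alert.mitigation = value
            elif key == "Platform":
                alert.platform = value
            elif key == "PID":
                alert.pid = int(value)
            elif key == "Application":
                alert.application = value
            elif key == "Description":
                alert.description = value
        elif section == "trace":
            m = TRACE_LINE.match(line)
            if m:
                alert.trace.append(TraceEntry(int(m.group(1)), m.group(2), int(m.group(3))))
            elif alert.trace:
                alert.trace[-1].command_line = line   # continuation line of the previous entry
        else:
            alert.thumbprint = line
    return alert

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

# Assumed rule (not HMP.A's actual logic): document applications should not be the origin
# of arbitrary executables, but some children are expected (a browser opening a clicked link).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
ALLOWED_CHILDREN = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}

def lockdown_verdict(alert: Alert) -> str:
    """Classify the alerting process by the nearest document application in its ancestry."""
    if not alert.trace:
        return "no-trace"
    child = basename(alert.trace[0].image)
    for ancestor in alert.trace[1:]:
        if basename(ancestor.image) in DOCUMENT_APPS:
            return "allowed-child" if child in ALLOWED_CHILDREN else "would-block"
    return "no-document-parent"

if __name__ == "__main__":
    for text in (SAMPLE_ALERT, CONSTRUCTED_MACRO_ALERT):
        a = parse_alert(text)
        chain = " <- ".join(basename(e.image) or "System" for e in a.trace)
        print(a.mitigation, a.pid, lockdown_verdict(a), chain)
```

Run against the quoted alert, the parser shows why it is unremarkable from a process-tree point of view: Outlook launched Firefox for a confirmation link, which the ancestry rule treats as an expected child, and the `Mitigation` field records `SelfProtection`. Keeping the `Thumbprint` value in the record lets alerts with the same cause (both quoted alerts carry the same thumbprint) be grouped rather than investigated one by one.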
     
  14. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi erikloman

    HitmanPro.Alert 3.6.3 Build 578 BETA working with no problems here.

    With Regards
    Take Care
    TheQuest :cool:
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    @erikloman,
    Is this solved in build 578, or will there be a next build in which this issue is solved?
    I don't need the drivers to be co-signed, but nevertheless, I was waiting for the fixed next build to test that one. The same may apply to others.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Same here. I've also just waited.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    3.6.3.578
    not seeing live keystroke encryption indicator bar
    Just me?
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Working here in Cyberfox.
     
  19. guest

    guest Guest

    It seems you are using a 32-bit browser in combination with Trusteer Rapport.
    The latest beta of HMP.A might fix your problem, but it is not yet fully co-signed by Microsoft.
    If "Secure Boot" is enabled, you can wait for a newer fully signed beta release, or you can disable "Secure Boot" and update to the HMP.A Build 578 Beta:
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Please remind me. What modules remain active with the HMP.A service disabled?
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Okay, must be my Webroot.
    Thanks!
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Have you checked the setting for Keystroke Encryption?
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Does one really need both, HMP.A and Trusteer Rapport?
    I guess no.
    HMP.A already secures the browser and does keystroke-encryption, and much more...

    I prefer a layered security, not a stacked security.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yeah, all boxes checked.
    Keyboard logger Test, text not readable.
    So, Webroot thingy?
    Thanks!
     
  25. guest

    guest Guest

    Regarding Webroot and Keystroke Encryption:
     