HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    You don't get the option at all with executables as the email application blocks them. If it was for example a Word document macro then surely HMP.A would block the attack whether the Word document was opened as an attachment or saved to the desktop and then opened?

    I would expect HMP.A to intercept all three and that would be somewhat reassuring. But if they are zero-day executables rather than say three Word documents then is it a realistic test? I'd say not. Would I be worried? Nope. Should the average computer user be concerned? No.

    I agree. Although see my point below.

    It's all in the delivery, if you put in the caveats that it isn't a realistic test, just a lab test that wouldn't really occur on the average user's computer then that would be fine.

    Agreed.

    Testing stuff in the lab is all well and good to capture those unrealistic scenarios like having three zero-day ransomware executables on your desktop, but I have no interest in that. What I want to know is, are my users safe to open Word documents, PDFs and the like during the course of their business day doing business related activities. My users don't download executables, they certainly don't download zero-day ransomware samples, they don't get executable attachments because they can't.

    Feel free to make developers aware of flaws, but don't make a song and dance about it. Test products using real scenarios. If you found ransomware that got through as an application attachment on a Windows 10 PC as a non-admin user with Windows Defender and HMP.A running, then you would have my attention.

    As it is your testing is frankly a bit pointless to IT Managers who live outside the lab and couldn't care less about geeks running ransomware samples from the desktop.
     
  2. guest

    guest Guest

    Then send all information you can provide.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with Eddiewood. To test HMPA only for Ransomware, and not look at how other mitigations can actually also stop ransomware is a meaningless test to both me the user, and I wouldn't blame the Loman bros. if they ignored them also.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Eddie- when testing anything one must use the "lowest common denominator" approach. A user can save malware that comes as a zip file anywhere, or the user can plug in an external drive and run a file either from there or by transferring and running it locally. Remember that email malware comes in many forms- Office files, Jscripts, and executables. I've included them all.

    Also remember that my videos are geared to the Home user and not a Corporate environment, mainly because the products reviewed are promoted as something an individual can use. And yes, an IT manager in an Enterprise that may use something like a FireEye appliance or have Policies in place to preclude the user from running an exe should have no interest in a product marketed to a Home user. But does this invalidate a test?

    Finally, about putting in caveats- I totally agree. See the first sentence in this post.
     
  5. plat1098

    plat1098 Guest

    Can't this support link be stuck somewhere prominent? Sorry, hawki, I used this after a lot of rummaging around, thanks for your unwitting help.
     
  6. guest

    guest Guest

  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What do you mean by "song and dance"?

    While I understand why you want a real world test of the whole product why would you not want to see how CryptoGuard performs on its own?
     
  8. plat1098

    plat1098 Guest

    Again? Shame on me. :'(

    Yes, I am also curious to see the test results. It's just a good thing to do. Why object to it?
     
  9. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    It was in reference to cruelsister's comment "it's time for my quarterly dance with the Loman boys".


    Because I don't install just CryptoGuard, I install HMP.A. Real ordinary people don't run zero-day ransomware executables from their desktop, that's what geeks do in lab tests.
     
  10. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Exactly! Why would anyone who installs and uses HMP.A to protect their system from malware disable all the features of the product except Cryptoguard? IMO any such test of HMP.A is irrelevant and pointless.
    I always thought tests were supposed to use the application's default settings. Isn't that what the 'lowest common denominator' user would do?
     
    Last edited: Apr 12, 2017
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Because a good bit of Ransomware stuff is stopped by the Process Hollowing mitigation which technically isn't part of CryptoGuard.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Agreed; a test of CryptoGuard exclusively doesn't say something definitive about HMPA being able to stop ransomware overall. Hopefully it is even more effective in the real world with all features enabled, but so what? A test is valid if the methodology is clear and the result is understood in context.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You're right. It might be valid, just does it really prove anything?
     
  14. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Testing a certain module of a product is still valuable, no it doesn't say anything about the whole product but it does say something about that module. Also, I assume most of you have disabled Cryptoguard then? It doesn't seem to have any relevance for you since the malware would be stopped at other points, otherwise you'd see the point in the test. The test is basically for when all other parts of the protection fail, would Cryptoguard still prevent the ransomware? And if you say that's unrealistic, then why have Cryptoguard enabled at all? Either things can get past these other protections, in which case Cryptoguard is relevant, or they can't and Cryptoguard is irrelevant. And if you say that Cryptoguard is relevant, then so are its flaws.
    Edit: At least that's my view on the issue.
    Edit 2:
    It proves something about that one module. Which, if unfixed, may be used by someone else in conjunction with some other flaws to bypass HMPA. Ideally all flaws in each module should be fixed, since these modules work together in different layers to stop malware.
     
    Last edited: Apr 12, 2017
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    HMPA is a multi-layered defense. Malware exploits can look for and use multiple methods in real-world attacks. Having the defense layers work together to defeat an attack makes more sense than just using one method to defend with. I don't think that HMPA was designed with intent to be effective with just one layer enabled.
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Does a new HMPA license also license HMP or is there a new business model that requires purchasing both?
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    The HMPA license includes HMP.
    See first three features/ check marks.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Thanks Stupendous Man :)
     
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I did not like the HMP scan part of HMPA so I installed another HMP app.
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Yikes! You guys are killing me! Considering that the majority of ransomware now is distributed by email attachments (ask Professor Google), where do you folks think that these attachments are run from? Certainly not somewhere in the Cloud, but instead locally on your system. For instance, open an attachment that is a Doc file- this Doc will be run within MS Word, and if malicious HMPA has a specific exploit mitigation to shut down the malicious process (hint). Open an attachment that is an exe- where do you think this one would be run from? Would running it from some Temp directory be more valid than running it from the Desktop? And in case of a fail, would this negate the excellent results of HMPA shown previously?

    Finally it seems that some are presuming that I will trash HMPA. Would such a Kind and Gentle person as myself ever do such a thing? Horrors!!!!

    M
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CS

    No we don't presume bad of you. Actually if you open an attachment from a HMPA protected process, it would be shut down before it had a chance to run. Application Lockdown at work. But you also make my point, in that if it is shut down at that point there is no need for all these ransomware programs.
     
  22. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    But Windows Mail, and possibly all mail applications, isn't included in the default list of protected programs due to some users, as what Erik/Mark said here, that deliberately use email services for exchanging .exe. So, HMP.A, by default, won't protect mail applications from exploit mitigation, thus Application Lockdown is already out of the question. I'm not 100% sure if I'm right, though. :D

    By the way, it seems Windows Mail won't stick in the list of HMP.A's protected process after some time. I'll monitor further.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    No problem with Windows Live Mail + HMP.A here.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    For email, I either use Outlook or AOL in a browser. No trouble having them both in HMPA. And if I am sending an exe, I just zip it up.
     
  25. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany