HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yes, I definitely have seen Windows update issues, both with this HMPA beta and with HMPA stable. But I didn't have HMPA on my system during the recent set of updates.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    I have a Vista Business x86 system. I downloaded HMP.A to see if I could replicate your problem. I was able to download HMP.A and install it, but entering my email address to request a trial key doesn't work -- the address I entered disappears from the form when I click on the button, there is no onscreen acknowledgment that I did anything, and no email has arrived from Sophos/Surfright providing a trial license. So at this point I can't contribute to investigating your issue... unless the inability to register a trial key is another sign that HMP.A simply no longer works fully in Vista x86.

    The HMP.A UI does indicate that it's protecting the browsers (under the "Safe browsing" box) and that 3.5 out of 7 "risk reductions" are enabled; the rest require a valid license. (I say "3.5 out of 7" are working because Passive vaccination is enabled but Active vaccination requires the license.)
     
  3. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    Thanks for your efforts. I just installed HMP.A in my VM and it immediately had a trial license for 31 days, without entering my e-mail address. What did I do differently? Did you already have HMP.A installed on your system before?

    Yes, that is another strange thing: under browsers it mentions Firefox and IE are protected, but under Exploit protection all running programs are categorized as unprotected programs. Also, the colored window does not appear when I click the title bar of any window. These are all indicators that something is not working right.
     
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    No, that computer had never had HMP or HMP.A on it before.

    Just in case it worked, I decided to reboot the machine -- and it worked! The trial key came through, all the Risk reductions are fully enabled now, and applications are getting added to the Exploit mitigations.

    However, the "you're protected" flyout isn't displaying when I open an application, nor is there a notice that the text that I type into the browser is being encrypted. And like you, I'm not seeing that colored window, while selecting the listed applications under Exploit mitigation tells me they're not protected and that I need to restart them in order to apply the mitigation settings. But restarting them doesn't get rid of the notice saying that I need to restart them.

    So it sounds like we're having similar experiences now with Vista x86.

    Erik/Mark -- any ideas?
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Click on Safety Notifications > change it to At Application Start, now click on Colored Window Border and enable that.

    Do you get the fly-outs now?
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    Sadly, they were both already set the way you describe, and yet with the unwanted results. :(

    As @pimjoosten reports, everything does work fine on Vista x64.
     
  7. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    In my case it was set at "Once per logon session" (cannot remember having done that), but after changing it to "At application start" and with Colored Border Window enabled the results are the same :(
     
  8. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    It seems that support for Windows x86 is declining rapidly these days, as developers continue to drop support on new versions of applications. I got weary of hearing that 64-bit only products were becoming available in the latest updates. This seems to be the mainstream trend now.

    I held out on a Windows 7 32-bit system until last year, but finally did a clean install for the switch to 64-bit. I still keep a Win XP x86 VM around to run old software, but the security software choices are limited, as well as browser choices. So I try to keep it off the web as much as possible, except for any required software downloads from trusted vendors. Avast and Malwarebytes are the best protection I have found for this one.
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    Your analysis makes sense to me. Hopefully Erik/Mark/RonnyT will confirm whether they're phasing out 32-bit support for HMP.A.
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi JEAM,

    Can you try to register using HitmanPro? If that works, Alert will also be registered after that (needs reboot).
    As we still support all the way back to XP I don't think we're going to move away from x86 soon.
     
  11. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    Hi RonnyT, thanks for joining the conversation! And I'm glad to hear that you intend to keep supporting XP and other x86 systems. :thumb:

    I eventually did manage to get HMP.A registered on that Vista Business x86 machine. But there are no safety notifications, colored window borders, or flyouts indicating encrypted typing; see here.
    (To reiterate, all of this is working fine on my Vista HP x64 PC.)
     
  12. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    And yet Windows 10 on ARM, which will be released with the Creators Fall Update very soon, only supports x86 and not x64. Do not count x86 out yet!
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.7.0 Build 717 BETA

    Finally a big update to the last beta. It contains many improvements and fixes. Here is the changelog.

    Changelog
    • Improved Redstone 3 compatibility
    • Improved Anti-Malware cloud lookup
    • Improved CodeCave mitigation
    • Improved Credential Theft Protection
    • Improved CryptoGuard Anti-Ransomware
    • Improved Lockdown mitigation
    • Improved ROP mitigation
    • Improved DEP mitigation
    • Improved LoadLib mitigation
    • Improved Authenticode catalog signing handling
    • Improved memory usage (lowered)
    • Improved compatibility with Forcepoint
    • Improved compatibility with QQ Messenger
    • Fixed CodeCave detection in executables when McAfee is installed
    • Fixed CodeCave detection in Visual Studio 2017 15.3
    • Fixed LoadLib detection in Firefox 55.0.3
    • Fixed NonPaged memory leak in driver
    • Fixed BSOD when minifilter failed to initialize
    • Fixed potential BSOD when trying to hash an executable located on the network
    • Fixed DLL hijacking vulnerability on Windows 7 machines without KB2533623
    • Fixed DEP mitigation triggered in some Microsoft Excel macros
    • Various other minor fixes
    Notes
    This version has Microsoft co-signed drivers.

    Download
    http://test.hitmanpro.com/hmpalert3b717.exe

    Please let us know how this version runs on your computer :thumb:
     
    Last edited: Sep 20, 2017
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Depends on how the attack is performed as there are many stages in an attack. I mean, Bashware doesn't magically appear on the computer.

    But, the article does hold merit in that most (if not all) security solutions are not yet fully handling the WSL environment in a proper fashion. Alert included.
     
    Last edited: Sep 20, 2017
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Off to play. Thanks, Erik.
     
  16. plat1098

    plat1098 Guest

    Had to add Alert 717 to EAM beta's exclusions, otherwise delays in startup/restart/app launch. When that was done, everything seemed normal so far. I'll keep trying it out.

    Hello @RonnyT. Pleased to meet you. :)
     
  17. guest

    guest Guest

    That's indeed a big update :)
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    I still have to turn off the credential protection as it breaks imaging. I suspect it's blocking the SAM file. Normally I'd just turn it off, but I have an automatic hourly imaging job, so that wouldn't work.
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Macrium Reflect, or another imaging software?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Didn't test all but probably so. Problem is the SAM file is locked and the imaging programs can't read it.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    What I meant, your report "I still have to turn off the credential protection as it breaks imaging", was that regarding Macrium Reflect, or another imaging software?
    Just to get clarity about which imaging software is affected by this issue.
    I was only asking about the imaging software you use, or tested. I think we can't say anything for sure about imaging software that was not tested.
    If I'm not mistaken, the issue was reported with Macrium Reflect only, earlier.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Did some more testing. I tested Macrium, IFW, and Veeam. Initially Macrium and IFW failed and Veeam passed. Then I got to thinking they were all incremental jobs and maybe that affected Veeam. So I ran a full backup on Veeam and then it also failed.

    I suspected any image taken in Windows will fail.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sounds to me like Erik or Mark needs to install Macrium and do some testing for themselves. It should be fairly easy to locate the problem.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspect it won't be that hard. The file SAM contains the credentials, and they have blocked access to it. The trick will be to somehow protect it without blocking access by imaging software.
     
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I agree, and man this issue has been around for quite some time. I am not complaining though as different issues have different priorities, but the Imaging issue has been a thorn for a long time.
    I use Macrium but I clone. I can confirm I can't image with HMPA running; oddly, it does not affect cloning (at least for me), but no imaging. I use Macrium frequently enough that I can't have HMPA (Beta) installed till the issue is addressed.
    The issue for me is not present in HMPA 3.6.7 604.
    I keep watching for it to be resolved, once it is I will jump back in with both feet ;)
     