HitmanPro.Alert BETA

Well for once I am very happy to still be running a 3rd gen (Ivy Bridge) Intel Core chipset!!! Cheers!!!

 

The way I read this, since the ME runs its own CPU and operating system completely outside the view of the computers host OS, it would be very hard to stop, short of re-flashing the chipset on the motherboard.

So until we know more, it sounds like mitigating this from within Windows may not be possible. Although I will continue to hold out hope that the Lomans can figure out a way to stop it!!!

 

Yes, once the ME is compromised, all bets are off. I was just wondering if it would be possible to migitate against it from getting compromised in the first place. Though it looks like that may not be possible either.

 

BLACK FRIDAY! Our HitmanPro and HitmanPro.Alert are available at 50% discount (excl. VAT): https://www.hitmanpro.com/en-us/holiday-promotion.aspx

 

Waiting for long time , i had also sharing this discount information at other forum

P.S:
I got some member in other forum send a private message to me ,
tell me that he using HMPA for trial version a month ago ,
there is some issue and false alert happen ,
unfortunately English isn't his main language(me too) ,
did SurfRight customer service support Chinese language ?

My English is basic , it's very hard to explain some technology issue detail exactly .

 

We are native Dutch speakers but also proficient in English and German. For other languages we use Google Translate and Deepl

 

Thank you

 

Thanks Is there a way to combine a new license with an existing subscription?

 

Not that I know of. Just wait and activate your license when the other one runs out.

 

I just bought another year's worth, entered the key into Alert and it extended the existing subscription.

 

I have been running build 723 (auto-updated from build 604) since November 22 with all features enabled, and I have not had one single issue or alert and nothing in the Event Viewer. As a matter of fact, I had an issue under build 604 that I didn't even know was related to HMP.A but was resolved after upgarding to build 723: The VPN feature in Opera could not connect when launched from a Comodo sandbox, but worked fine outside of the sandbox.

On another note, after upgrading to build 723, I decided to test it but running through all of the tests available in Sophos Tester. All tests were run using the Dummy target. HMP.A popped up to block all of the attacks except for one:

Safe Browsing > WinINet hijack:

Attack : WinINet
Time : 2017-11-26 10:22:27
Computer: IOPCC10
Platform: Windows 10 Home (64-bit)
Target : Sophos Tester 3.2 (SophosTester.exe)

Initializing ...
Process created (PID 7444)
Target received exploit.
Target executing exploit ...
Executing ...
Wininet functions detoured. Waiting ...
Result: Exploit succeeded

 

Unable to reproduce on another system...

 

Hi HempOil,

This test is not applicable on x64 platform, on x86 you need to select a browser instead of dummy and then run the test.
This should result in a Intruder alert and a red border around your browser.

 

Mendeley Desktop is supposed to be automatically added.
This happened after a manual update.

Spoiler: Application Lockdown on Mendeley

Mitigation Lockdown

Platform 10.0.16299/x64 v723 06_3d
PID 1532
Application C:\Program Files (x86)\Mendeley Desktop\MendeleyDesktop.exe
Description MendeleyDesktop 1.17.12

Filename C:\Program Files (x86)\Mendeley Desktop\MendeleyWordPlugin.exe
Created By C:\Users\*\AppData\Local\Temp\mendeleyDesktopUpdateDownload\up.tmp\Updater.exe

Command line:
"C:\Program Files (x86)\Mendeley Desktop\MendeleyWordPlugin.exe" --user-regserver

Process Trace
1 C:\Program Files (x86)\Mendeley Desktop\MendeleyDesktop.exe [1532]
2 C:\Windows\explorer.exe [10004]
3 C:\Windows\System32\userinit.exe [14968]
4 C:\Windows\System32\winlogon.exe [10804]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [5680]
\SystemRoot\System32\smss.exe 000000a8 00000084 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

Thumbprint
1e429f52ebbb3c5f1e3e4716adf0a7351677ecb20d633bf25a643334edc2df09

 

Untick "Application Lockdown" in the mitigation properties of "Mendeley Desktop".
Then try to update it again.

(after getting the Mitigation Lockdown, HMP.A has locked the file "C:\Users\*\AppData\Local\Temp\mendeleyDesktopUpdateDownload\up.tmp\Updater.exe" and unticking Application Lockdown doesn't help at this moment.
Before updating of Mendeley Desktop try to restart the service of HMP.A or reboot, now HMP.A has released the lock and the update should work)

 

Thanks!

Yeah, I did that after I got the block. I, then, restarted the laptop. It's okay now.

 

Ok, fine

 

Oh, OK Ronnie. Thanks for clarifying.

I should mention that I did get an alert today. I have Credential Theft Protection enabled with the Security Account Manager option checked. It seems that my Comodo Internet Security suite (which includes antivirus) attempts to access the SAM when performing an antivirus scan. I would imagine that this could be a common alert amongst multiple antivirus vendors now that HMP.A protects the SAM. Here is the mitigation message that HMP.A generated:

Mitigation CredGuard

Platform 10.0.16299/x64 v723 06_2a
PID 12148
Application C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
Description COMODO Internet Security 10.0.2

SAM access denied.

Range = LBA 4786216 :56
Read = LBA 4786256 :8

Process Trace
1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe [12148]
"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvScanner -Embedding
2 C:\Windows\System32\svchost.exe [744]
C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
3 C:\Windows\System32\services.exe [804]

Thumbprint
0ac06686907da4909378dac65857018c8b5ef9cb0b03ff0ec73ac8177b7050c5

 

Just received these alerts on 723, also with Credential Theft Protection and SAM enabled. Is the only solution to turn off SAM?

Mitigation CredGuard

Platform 6.3.9600/x64 v723 1f_0a
PID 1236
Application C:\Program Files\ESET\ESET Security\ekrn.exe
Description ESET Service 11

SAM access denied.

Range = LBA 2367008 :512
Read = LBA 2367008 :8

Thumbprint
a2fbea1d1e0c7c27d1037660e0a1a06e76463f07ade85e5e1a267abdd1d14f60

-------------------------------------------------------------------------------------------------------
Mitigation CredGuard

Platform 6.3.9600/x64 v723 1f_0a
PID 1204
Application C:\Windows\System32\dwm.exe
Description Desktop Window Manager 6.3

SAM access denied.

Range = LBA 2367008 :512
Read = LBA 2367008 :64

 

Please post production version related queries in the production board. For the moment there is no BETA version.
Thanks.

 

Congratulations Loman bros., RonnyT, Surfright & Sophos! You are out of beta! Great work- many thanks for HMPA, HMP & your other fine products. (I know there's still stuff to work on - but it will always be so . Thanks again for letting us participate and (sort of) watch you make the sausage!

 

I purchased a new key and tried to extend my old license(still valid for hundred days) but it actually replaced the license instead of extending the old one. How can i fix this issue?
I am not sure what i did wrong, i followed istructions in the email from cleverbridge. Even in the email it says "Activate or Extend a License"...

 

Maybe the support can correct this. But in general it is better to wait before a new key is being used: