HitmanPro.Alert BETA

Which one( F#, C++, C#, Visual Basic, XML )?

Are you still developing the 3.7 series or will the next be the 3.8?

 

Win 10 Pro x64 v1903 b18362.356.

BSOD on reboot. But so far, fine after subsequent reboot.

WhoCrashed report below. Can't say that it's due to HmP.A ... test machine with other security softs installed, mostly disabled.

Code:

On Fri 2019/09/27 6:08:41 AM GMT your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\092719-6171-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x1C10A0)
Bugcheck code: 0x3B (0xC0000005, 0xFFFFF8066E24826C, 0xFFFFF30A524C2960, 0x0)
Error: SYSTEM_SERVICE_EXCEPTION
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

I use Macrium Reflect and have been running with CryptoGuard v4.
Due to @Peter2150's on v5, will give it a whirl.

 

Paul, does that machine have BlackFog Privacy 4.x on it? There is a known bug causing BSODs with it.

 

Yes, it does @Krusty.

I should have made the connection because I saw that BFP post though I hadn't experienced it before v4.0.1.

That explains it then, thanks .

 

No worries. I emailed Darren to try and send a dump but even compressed it was far to large to attach. He set me up with an account at account.box.com. He posted in the other thread that it was related to Secure Boot, but my machine (that had the BSOD) does not have Secure Boot.

 

No problem to report here so far, Mark.

 

No more alerts with Ccleaner portable 5.61 and build 849 CTP2 (CryptoGuard v5).

 

We're now actively developing for 3.8 and will backport important improvements back into 3.7 until 3.8 becomes GA.

 

Thanks for the reply, I look forward to the developments.

 

CTP2 running fine so far

 

Updated from CTP1 to CTP2 with no issues to report. Event log is clean.

Oh, and thanks Mark for the detailed description and the Power Point slide. From what I can tell, item #23 under App-level should protect against this recently described Nodersok malware.

 

No Reflect imaging slowdown detected with CryptoGuard v5.

 

Wow, this stuff looks very cool, it's sort of like an EDR!

BTW, perhaps you can also respond to some of my other questions and what I have never understood is why the "Keystroke Encryption" module doesn't work globally on almost all apps?

https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-63#post-2850861

 

Running smooth here, W10 build 1903.

All the minor issues I had with previous version seem to have disappeared (y).

 

Windows 10 Pro versie 1903

HitmanPro.Alert versie 3.8.0 build 849, CTP2

No problem na updated HitmanPro.Alert.

 

Asynchronous Procedure Calls
This is a system-level mitigation. It shields all processes.
Prevents code injection via Asynchronous Procedure Call (APC) from kernel and user-mode.
It is effective against DoublePulsar (used by e.g. EternalBlue, EternalRomance) and AtomBombing attack techniques used by the Dridex malware. It is also effective against BlueKeep.

Hollow Process Mitigation
This is a system-level mitigation. It shields all processes.

• Prevents abuse of a (trusted) process to act as a container for hostile code
• Prevents manipulation of the Process Environment Block (PEB)
• Prevents hijacking of the main thread (MTH)

It is effective against Process Hollowing, Process Doppelgänging, Transacted Hollowing and similar attack techniques. But it also intercepts malware packers used by e.g. Emotet, Trickbot.

Keystroke Encryption proactively scrambles keystrokes against keyloggers (we don't use encryption, you can't reverse it, we just feed keyloggers rubbish). It is an app-level mitigation and is only enabled on applications that are Browsers (category). In addition, we also shield password managers (Other category). We don't scramble the keystrokes in e.g. Microsoft Office apps. You could change this by removing e.g. Microsoft Word from the Office category and add it again under the Other category, which offers Keystroke Encryption. It was a design choice to enable it only on specific applications where users need to enter passwords.

Hope this helps!
Mark

 

@markloman
In which category would it be appropriate to place discord ?! browser or other ?!

br.

 

W7-x64 Prof. Installed 3.8.0 CTP2 over 3.7.10 build 379. So far no issues what so ever!

 

Thanks for the info!

About APC code injection, I forgot that this protects against attacks like DoublePulsar. But why not add protection against more code injection techniques, since most apps don't often make use of it. Of course security software like AV's need to be whitelisted.

About protection against Process Hollowing, thanks for confirming that it protects EVERY process, so I'm guessing you guys look at if processes are launched in suspended state.

About Keystroke Encryption, the thing is, tools like KeyScrambler and SpyShelter protect just about all important apps system wide. Perhaps you should simply copy the list from KeyScrambler, that would give users peace of mind. I mean, why not protect MS Office out of the box, I don't see any reason not to.

https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process
https://www.qfxsoftware.com/ks-windows/applications.htm

 

Hi,

for info
i had 1 false alert with v 3.8 build 849 CTP2
"Risk Reduction CryptoGuard about my AppData\Local\Discord\app-0.0.305\Discord.exe
I had placed discord in the category "Other" in terms of exploits mitigation btw

br.

 

HitmanPro.Alert 3.7.11 Build 791 Release Candidate

Changelog (compare to build 789)

• Improved CryptoGuard 4 anti-ransomware module.

Download
https://dl.surfright.nl/hmpalert3b791.exe

Please let us know how this version runs on your computer We aim to update our entire community (excluding users running the newer 8xx technology previews) to this new version later this week.

 

When I tried to install Build 791, the currently installed build (789) opened instead of the installer. I had to remove build 789 first, reboot, and then build 791 installed without a problem. It is running fine.

 

I'll rather wait for the official update on my 'prod' machine, running 8xx on my test machine.

 

The update was done fine, now there is no problem. I did not check my BADUSB problem.

 

I got a pop-up notice on my release version of HMPA build 789 that a new version was ready to be installed. This in-application notice appeared only 24 hours after this post from Mark went up, and I haven't seen any feedback on the RC yet. Looks a bit premature to me.

Was this intentional?