HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. markloman

    markloman Developer

    No worries guys, we're still alive and kicking. We've been working on several projects and are planning to release a new BETA version of HitmanPro.Alert soon. It will contain several new protections as well as an updated CryptoGuard 5 engine. Stay tuned!
     
  2. paulderdash

    paulderdash Registered Member

    Good news, and a relief Mark! :thumb:
     
  3. markloman

    markloman Developer

    I have some information to share, about a protection that we've been working on over the last two years (and Wilder Security members have been enjoying it for that long too). It's about our Heap Heap Protect mitigation - called Dynamic Shellcode Protection in Sophos's flagship endpoint product Intercept X.
    If you haven't read it yet and have 10 minutes, be sure to read my blog about it: Covert code faces a Heap of trouble in memory – Sophos News
    Below is a relatively short primer on why it's actually pretty bold.

    Heap Heap Protect is unique in the world. It basically puts a hard limit on what memory any application can allocate. It impacts every process on the box, even Windows’ own processes.

    How does this work? Applications can ‘loan’ an extra memory region from the system for the purpose of running added code. But when the added code requests an additional ‘loan’ for the purpose of introducing and running even more code, we say NO.

    HeapHeapHooray.jpg

    The ‘freedom’ to use memory whenever an application sees fit has been a fundamental function of a computer since the invention of dynamic random-access memory in 1968. And thanks to segregation of data and code (enforced by the CPU hardware) we can now literally say NO MORE!

    We initially crafted Heap Heap Protect to counter unknown supply-chain attacks like CCleaner APT. So, although it's completely signature-less, you may notice it is especially effective against remote access agents like Cobalt Strike and Meterpreter, as these are typically loaded into memory by a ‘loader’ or ‘stager’. Particularly in human-operated ransomware attacks, these agents are a mainstay.
    To our surprise, when we tested the mitigation in the wild, it notably caught a lot of multi-packed malware too – including adware. This is because, before packed malware really works, the unpacker needs to allocate a region that can run the unpacked code. And multi-packed (layer over layer) malware will ‘loan’ such a region upon region – it unpacks like a matryoshka doll.

    Perhaps the most interesting part of our protection is that our discovery is highly compatible with legitimate applications. Simply because regular applications are not loaded in a staged manner and they are not packed either.

    If you want to know more, check out my blog. If you have, we'd like to hear your thoughts on this. Thanks!
     
    Last edited: Mar 14, 2021
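    The rule described in the post above (an executable region may be handed out to code running from a module image, but code that itself runs from a dynamically granted executable region is refused a further one) can be written down as a small policy model. The following is an added illustration and is not HitmanPro.Alert's or Sophos's code; the real mitigation sits in the product's hooks and kernel driver, and its exact bookkeeping is not on this page. Module names, addresses and sizes are constructed; the PAGE_* constants are the real Windows values. It also goes one step beyond the post by treating a VirtualProtect-style flip of a writable region to executable the same way as a fresh executable allocation.

```python
# Model of a "Heap Heap Protect" style policy. Added example, not HitmanPro.Alert
# or Sophos code. Module names, addresses and sizes below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Windows memory protection constants (real values from <winnt.h>).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}  # the PAGE_EXECUTE* family


def is_executable(protect: int) -> bool:
    return protect in EXECUTABLE


@dataclass
class Region:
    start: int
    size: int
    protect: int
    origin: str  # "image" (mapped module) or "dynamic" (granted at run time)

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass
class ProcessModel:
    """Tracks regions so the policy can tell where the requesting code lives."""
    regions: List[Region] = field(default_factory=list)
    next_base: int = 0x20000000  # where new dynamic regions are handed out (constructed)
    events: List[str] = field(default_factory=list)

    def map_image(self, name: str, base: int, size: int) -> None:
        self.regions.append(Region(base, size, PAGE_EXECUTE_READ, "image"))
        self.events.append(f"map {name} @ {base:#x}")

    def region_of(self, addr: int) -> Optional[Region]:
        return next((r for r in self.regions if r.contains(addr)), None)

    def _caller_is_dynamic_code(self, caller_ip: int) -> bool:
        r = self.region_of(caller_ip)
        return r is not None and r.origin == "dynamic" and is_executable(r.protect)

    def alloc(self, caller_ip: int, size: int, protect: int) -> Tuple[bool, int]:
        """VirtualAlloc-like request. Returns (allowed, base); base is 0 when denied."""
        if is_executable(protect) and self._caller_is_dynamic_code(caller_ip):
            self.events.append(f"DENY exec alloc from {caller_ip:#x} (dynamic code)")
            return False, 0
        base = self.next_base
        self.next_base += (size + 0xFFFF) & ~0xFFFF  # 64 KiB allocation granularity
        self.regions.append(Region(base, size, protect, "dynamic"))
        self.events.append(f"allow alloc {size:#x} prot={protect:#x} -> {base:#x}")
        return True, base

    def change_protect(self, caller_ip: int, addr: int, new_protect: int) -> bool:
        """VirtualProtect-like request: a dynamic region turned executable counts too."""
        r = self.region_of(addr)
        if r is None:
            return False
        if (is_executable(new_protect) and not is_executable(r.protect)
                and self._caller_is_dynamic_code(caller_ip)):
            self.events.append(f"DENY protect {addr:#x} -> exec from {caller_ip:#x}")
            return False
        r.protect = new_protect
        return True


def scenario_jit() -> List[bool]:
    """Legitimate JIT: the engine in the module image allocates its code caches."""
    p = ProcessModel()
    p.map_image("browser.exe", 0x00400000, 0x00200000)
    ok1, _ = p.alloc(0x00401000, 0x10000, PAGE_EXECUTE_READWRITE)
    ok2, _ = p.alloc(0x00401000, 0x10000, PAGE_EXECUTE_READWRITE)
    return [ok1, ok2]  # both allowed: the requests come from image code


def scenario_staged_loader() -> List[bool]:
    """Stage 1 gets a region; stage 1 asking for a stage 2 region is refused."""
    p = ProcessModel()
    p.map_image("dropper.exe", 0x00400000, 0x00100000)
    ok1, stage1 = p.alloc(0x00401000, 0x1000, PAGE_EXECUTE_READWRITE)
    ok2, _ = p.alloc(stage1 + 0x10, 0x8000, PAGE_EXECUTE_READWRITE)  # from inside stage 1
    ok3, buf = p.alloc(stage1 + 0x10, 0x1000, PAGE_READWRITE)         # plain data: fine
    ok4 = p.change_protect(stage1 + 0x10, buf, PAGE_EXECUTE_READ)     # flip to exec: refused
    return [ok1, ok2, ok3, ok4]


def scenario_matryoshka(layers: int) -> int:
    """Multi-packed sample: each layer tries to allocate the next. Returns layers that ran."""
    p = ProcessModel()
    p.map_image("packed.exe", 0x00400000, 0x00100000)
    caller, ran = 0x00401000, 0
    for _ in range(layers):
        ok, base = p.alloc(caller, 0x4000, PAGE_EXECUTE_READWRITE)
        if not ok:
            break
        ran += 1
        caller = base + 0x20  # the next unpack step runs from the region just granted
    return ran


if __name__ == "__main__":
    print("jit:", scenario_jit())
    print("staged loader:", scenario_staged_loader())
    print("matryoshka layers run:", scenario_matryoshka(3))
```

    The model makes the compatibility point visible: the JIT scenario never trips the rule because every request is made by code that lives in a mapped module, whereas the staged and multi-packed scenarios are stopped at the second layer without any signature for the payload.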
  4. test

    test Registered Member

    super_cool!! :thumb:
     
  5. Adric

    Adric Registered Member

    If Win7 ESU is still being supported, please test 32-bit a bit more thoroughly with the new cryptoguard engine because I still keep getting random crash dumps during the boot phase with the CRYPT32.dll. Reported back in Jan. 2020, but never fixed.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Wow sounds very interesting! Especially the fact that with this stuff you could mitigate attacks like on CCleaner. :thumb:
     
  7. Moose World

    Moose World Registered Member

    Hi,

    I am wondering if HitmanPro.Alert Beta will work with Sandboxie, or have any conflicts with other security software?
     
  8. jmonge

    jmonge Registered Member

    You guys are amazing keep up the good work ;)
     
  9. n8chavez

    n8chavez Registered Member

    I've used them both for years and have never really experienced any issues, other than a sandboxed Vivaldi not getting along with HMP.A. But even that is easy to configure for. Just remember to add the HMPA template to sandboxie.
     
  10. Moose World

    Moose World Registered Member

    @n8chavez,

    Thank you for the reminder, appreciated.
     
  11. focus

    focus Registered Member

    Could you provide the template please?
     
  12. HempOil

    HempOil Registered Member

    Looking forward to it, Mark!
     
  13. HempOil

    HempOil Registered Member

    Fascinating read...this and the blog. Makes me wonder why MS never redesigned Windows' memory management to do this after developing DEP.
     
  14. jmonge

    jmonge Registered Member

    Because they don't have the intelligence and ability to do this technology, or other companies would be out of business; this encourages competition in the market, I guess :)
     
  15. n8chavez

    n8chavez Registered Member

    Here it is. This is not my template, it's just the default template from template.ini.

    Code:
    [Template_HitmanProAlert]
    Tmpl.Title=Hitman Pro Alert
    Tmpl.Class=Security
    Tmpl.Url=http://www.surfright.nl/en/alert
    #Tmpl.Scan=s
    #Tmpl.ScanService=hmpalertsvc
    OpenPipePath=\Device\NamedPipe\hmpalert
     
  16. focus

    focus Registered Member

    Thanks!
     
  17. markloman

    markloman Developer

    HitmanPro.Alert 3.8.9 Build 891 Release Candidate

    Changelog
    • Special maintenance release: this is the last build that supports Windows XP, Windows Vista and Windows 7 RTM (no service pack). These Windows versions only support SHA-1 for code-signing certificates. Microsoft decided to require SHA-2 for new drivers while it did not release SHA-2 support for these Windows versions. So, in other words, we cannot release new kernel-mode drivers (with new functionality) for these older operating systems. If you run one of these old Windows versions we urge you to upgrade. On these Windows versions, HitmanPro.Alert will no longer update itself after this build.
      Both 32-bit and 64-bit versions of Microsoft Windows 7 SP1, Windows 8, Windows 8.1 and Windows 10 remain supported and will soon receive a new HitmanPro.Alert version with new features.
    Download
    https://dl.surfright.nl/hmpalert3b891.exe

    Which of you are still using Windows XP? Let us know your thoughts, thanks! :thumb:
     
  18. paulderdash

    paulderdash Registered Member

    Manually updated with no issue. Win 10 x64 Pro v20H2 19042.906.
     
  19. deugniet

    deugniet Registered Member

    No problems upgrading build 891 RC.

    Win10 21H1 build 19043.868
     
    Last edited: Apr 1, 2021
  20. abbs

    abbs Registered Member

    Updated manually and looked at it for a few days and had no issues.

    Windows 10 Pro Version 20H2 Build 19042.870
     
  21. osmandemi

    osmandemi Registered Member

    Hi, can I use HitmanPro.Alert and Sophos Home Free together?
     
  22. Adric

    Adric Registered Member

    @RonnyT

    Dumps posted for v889 and v891. Will expire in three days
     
  23. feerf56

    feerf56 Registered Member

    "add exclusion" button does not work. I click on it and nothing happens. The file selection window does not appear.

    2021-04-07_045100.jpg

    False alarm on Driver Booster software. https://www.iobit.com/en/driver-booster.php

    ~ Removed VirusTotal Results as per Policy ~

    2021-04-07_044748.jpg
     
    Last edited by a moderator: Apr 7, 2021
  24. Baldrick

    Baldrick Registered Member

    Have just tried here and it works fine... would suggest that you try an uninstall/reinstall.
     
  25. RonnyT

    RonnyT QA Engineer

    Yes that should work fine.
     