Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. JEAM

    JEAM Registered Member

    Wow, I was not aware of this.
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Just curious, did any AV effectively catch these particular "scriptors"?
     
  3. cruelsister

    cruelsister Registered Member

    Most are (as they are old) caught by a primary AV scanner when coded either as a script or an exe. The issue here is that HMP is not capable of detecting the malware when they already exist (got past the primary AV); and catching infections already extant on a system is the purpose of a 2nd opinion scanner.
     
  4. Tinstaafl

    Tinstaafl Registered Member

    Thanks. Agreed it would be nice to catch everything! It has always been my understanding that a primary AV scanner that uses signature files is the first line of defense, and that is why one uses 2nd, 3rd, etc. opinion scanners. Most of which are also signature based. I use 2nd & 3rd opinion on-demand scanners here.

    Also using HMP & HMPA to cover a different niche, as these are not signature based. I'm not exactly clear on how the HMP scanner detects potential "static" malware traces and/or cleans it. Although HMPA seems designed to catch bad "behavior" in the act, and terminate it.

    From the Hitman Pro website:
    "It scans for bad behavior

    A standard antivirus program misses stuff. It’s focused on finding malware signatures that virus firms have identified as malicious. But what about new, zero-day threats that haven’t been researched? That’s why HitmanPro looks at behaviors when scanning for trojans and other malware. Bad behavior is caught, with or without a malware signature."
     
  5. RonnyT

    RonnyT QA Engineer

    Last edited: Jun 1, 2022
  6. moredhelfinland

    moredhelfinland Registered Member

    What's this "Tarrash malware", can you provide a sample of it so I can test it against GData BEAST/DeepRay?
     
  7. RonnyT

    RonnyT QA Engineer

  8. moredhelfinland

    moredhelfinland Registered Member

    Thanks Ronny, added this HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
    for my custom protected NVT registry guard rulebase.
     
  9. plat

    plat Registered Member

    This is a welcome change. Hopefully, this happens automatically, otherwise my entire system freezes and I have to unplug the computer and restart it. Very rare but can still happen on here. The Windows drive is an NVMe.
     
  10. RonnyT

    RonnyT QA Engineer

    That's the intention of this change indeed, if a system freezes/BSOD, scanner crash, etc., then it will auto-default to Compatible disk mode next time.
     
  11. Valdez

    Valdez Registered Member

    For RonnyT

     
  12. RonnyT

    RonnyT QA Engineer

  13. Valdez

    Valdez Registered Member

    Thank you, no longer appears :thumb:
     
  14. moredhelfinland

    moredhelfinland Registered Member

    @RonnyT
    Seems that HPA does not like custom .exe packers and automagically flags those as a malware? These are Demoscene products.
    Result
    Then, I'm using Resonic to play my audio files. It is legit software, but every time I start Resonic, HMP says "Attack Intercepted".
     
  15. RonnyT

    RonnyT QA Engineer

    Can you send a scan log from HMP, and the alert details from HMPA, to support@hitmanpro.com please?
     
  16. moredhelfinland

    moredhelfinland Registered Member

  17. XIII

    XIII Registered Member

    Does Sophos Scan & Clean get a similar update?
     
  18. Krusty

    Krusty Registered Member

    After this FP I got this from HMP:
    Code:
    HitmanPro 3.8.30.326
    www.hitmanpro.com
    
       Computer name . . . . : DAVID-HP
       Windows . . . . . . . : 10.0.0.19045.X64/4
       User name . . . . . . : DAVID-HP\David
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Paid (425 days left)
    
       Scan date . . . . . . : 2022-10-30 12:00:16
       Scan mode . . . . . . : Quick
       Scan duration . . . . : 48s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 1
       Traces  . . . . . . . : 2
    
       Objects scanned . . . : 5,673
       Files scanned . . . . : 5,673
       Remnants scanned  . . : 0 files / 0 keys
    
    Malware _____________________________________________________________________
    
       C:\Program Files (x86)\PrivaZer\PrivaZer.exe
          Size . . . . . . . : 20,652,072 bytes
          Age  . . . . . . . : 0.1 days (2022-10-30 10:17:38)
          Entropy  . . . . . : 6.7
          SHA-256  . . . . . : A9A4168ADB3C27E3FB9B6BF75799519B227FBCB034722ADC1FC7E67A20C00602
          Product  . . . . . : PrivaZer
          Publisher  . . . . : Goversoft LLC
          Description  . . . : PrivaZer
          Version  . . . . . : 4.0.56.0
          Copyright  . . . . : Goversoft
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > SurfRight  . . . . : Mal/Behav-048
          Fuzzy  . . . . . . : 85.0
          Startup
             C:\WINDOWS\system32\Tasks\PrivaZer_SkipUAC
    
    
    
    
    I note that it is ONLY Sophos who detect this file on VirusTotal.

    Edit: "Google" is now detecting it too.
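
Added example, not part of the post above and not HitmanPro's own code: a small Python parser for the text log layout shown in that post, pulling out the path, SHA-256, Authenticode status and the `>`-marked detection line that a false-positive report to the vendor would quote. The field layout is inferred from this one log, `parse_hmp_log` and `fp_report` are hypothetical names, and the sample is a trimmed, constructed copy of the log.

```python
import re

# Constructed sample: trimmed from the log layout quoted in the post above.
SAMPLE_LOG = r"""
   Scan mode . . . . . . : Quick
   Disk access mode  . . : Direct disk access (SRB)
Malware _____________________________________________________________________
   C:\Program Files (x86)\PrivaZer\PrivaZer.exe
      SHA-256  . . . . . : A9A4168ADB3C27E3FB9B6BF75799519B227FBCB034722ADC1FC7E67A20C00602
      Authenticode . . . : Valid
    > SurfRight  . . . . : Mal/Behav-048
      Startup
         C:\WINDOWS\system32\Tasks\PrivaZer_SkipUAC
"""

# "Key . . . : value" with dot leaders; a leading ">" marks the detection line.
FIELD = re.compile(r"^\s*(?P<hit>>\s*)?(?P<key>[^.:>]+?)(?:\s*\.)+\s*:\s*(?P<val>.*)$")
SECTION = re.compile(r"^(?P<name>\w[\w ]*?)\s+_{5,}$")

def parse_hmp_log(text):
    """Return (header_fields, flagged_objects) parsed from a log in this layout."""
    header, objects, section, obj, obj_indent = {}, [], None, None, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        sec, m = SECTION.match(line.strip()), FIELD.match(line)
        if sec:                                # "Malware ____" opens a section
            section, obj, obj_indent = sec["name"], None, None
        elif m and section is None:            # scan summary before any section
            header[m["key"].strip()] = m["val"].strip()
        elif m and obj is not None:            # attribute of the current object
            obj["fields"][m["key"].strip()] = m["val"].strip()
            if m["hit"]:
                obj["detections"].append((m["key"].strip(), m["val"].strip()))
        elif section and not m:
            indent = len(line) - len(line.lstrip())
            if obj_indent is None or indent <= obj_indent:   # object path line
                obj_indent = indent
                obj = {"section": section, "path": line.strip(),
                       "fields": {}, "detections": [], "extra": []}
                objects.append(obj)
            else:                              # deeper lines: "Startup" and its entries
                obj["extra"].append(line.strip())
    return header, objects

def fp_report(objects):
    """Facts a false-positive report would quote, for each flagged object."""
    return [{"path": o["path"], "sha256": o["fields"].get("SHA-256"),
             "signature": o["fields"].get("Authenticode"),
             "detections": o["detections"]} for o in objects if o["detections"]]
```

Calling `fp_report(parse_hmp_log(log_text)[1])` on a saved log gives one record per flagged file; the `extra` list keeps the startup reference (here the scheduled task) that launches it.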
     
  19. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Hello @Krusty,
    Where do you see "Google"?
     
  20. anon

    anon Registered Member

    I saw that too, but now fixed (Google -> Sophos).

    SHA-256 . . . . . : A9A4168ADB3C27E3FB9B6BF75799519B227FBCB034722ADC1FC7E67A20C00602
     
  21. Krusty

    Krusty Registered Member

    Hi @The_PrivaZer_Team ,

    While I don't see it there now, when I scanned the installer at VirusTotal Google was listed as one of the vendors.
     
  22. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    OK.
    The problem is fixed with Hitman Pro flagging PrivaZer.
    We have contacted them and they have updated their virus definition.
     
  23. plat

    plat Registered Member

    Hmmm, had reported this glitch back in March here:

    https://www.wilderssecurity.com/thr...iscussion-thread.236732/page-341#post-3075718

    In a nutshell, if I left the scanner running while going into a game with old graphics style and screen resolution below 1920x1080, the HMP UI would turn out funny-looking. I'm simply reporting it again, this time with a different game. Sent to support with full details.

    Honestly, I don't expect anything to come out of it; just letting one know.

     
  24. schemer

    schemer Registered Member

    Hi,
    I have been using HMP for years and now all of a sudden I got a message from VirusTotal saying I have been exceeding my total of 500 checks a day! What would cause this? Did someone hack my API that is used with hitmanpro?
    Thanks,
    Dave
     
  25. feerf56

    feerf56 Registered Member

    Norton should be officially notified. This only occurs with their latest database. It did not appear yesterday.

     