HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "That's All Folks" -- I'm done with SurfRight

    HMPA Uninstalled

    SurfRight is dead to me.

    Not worth the aggravation.
     
  2. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    This may have changed recently but I was under the impression that you could use a HMP license for HMPA but that it wouldn't work vice versa.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I think the other way around.
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    You may be right as I wasn't sure, was just throwing it out there for someone to confirm or deny. ;)
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    HMP key definitely will not activate HMPA

    What is particularly galling about my experience is that in July, when I made my purchase, there was a coupon code available for HMPA that was $2 cheaper than the special sale price being offered by SurfRight at that time. Out of loyalty I decided to directly give SurfRight my transaction. Shame on me.
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    This is typical of most companies today. The tech staff is usually competent and helpful, but customer service is another story… :(
     
  7. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Thanks for confirming.
     
  8. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    HMPA license includes HMP, but definitely not the other way around.
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area

    I did get a further reply from HitmanPro Support informing me that if I buy a (another) new license for HMPA they would refund what I was charged for the HMPro license that I was sent.

    While not ideal, this seems to be a reasonable solution.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, a general question but I assume Sophos Intercept X isn't suffering from the design flaws as mentioned in this topic, see link? I'm asking because it's partly based on HMPA.

    https://www.wilderssecurity.com/thr...-malware-defense-thats-easy-to-bypass.447186/
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi Hawki,

    Was this issue resolved?
    Should you ever run into issues with support again feel free to send me a DM here so I can get things sorted, or solve them if possible.
    While mainly technical I can also handle administrative issues ;)
     
  12. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Have there been any recent tests of efficacy? The only ones I could find were from 5+ years ago.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Good question, isn't it time for someone to put HMPA to the test again? How does it fare against exploit attacks and against malware that's already running on the system, after bypassing AV? Would be cool if Sophos/SurfRight could give some more info.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    A good question, but who would you trust to test it? If Sophos/SurfRight did reveal any weaknesses in their detection, that information could then be leveraged by adversaries to attack it.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    A third party would be cool, but these types of tests are often sponsored, so in the end it wouldn't matter anyway. I wouldn't worry about hackers, because full details shouldn't be disclosed, and in the end it's all about making the product better. Don't forget, Sophos Intercept X is partially based on HMPA. In the past when HMPA was new on the market, they sometimes published reports, it was mostly about HMPA vs Malwarebytes, so much fun. :p
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.22 Build 947

    Changelog (compared to 945)
    • Improved HollowProcess
    • Improved Syscall
    • Improved StackPivot
    • Improved RemoteThreadGuard
    • Improved CryptoGuard 5
    • Fixed rare BSOD's in CryptoGuard 5
    • Fixed HollowProcess incompatibility with PC-Matic/Pitstop
    • Several other changes under the hood
    Download
    https://dl.surfright.nl/hmpalert3b947.exe
    Auto-updater is enabled as of now.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Auto-updated just fine.
     
  18. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Update good here today! :thumb:
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    RonnyT, you ignored my question, not a good sign, see first link. I also saw this review, but I don't think it was fair to HMPA, since it's not an AV but a behavior blocker, see second link. And lastly, I wonder if HMPA's CryptoGuard can already protect against this new ransomware technique, see link 3?

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-671#post-3102872
    https://www.safetydetectives.com/best-antivirus/hitmanpro/
    https://www.bleepingcomputer.com/ne...tching-to-new-intermittent-encryption-tactic/
     
  20. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    If not, you just need to prevent this ransomware from getting on your system in the first place! Safe computing!
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but if AV's could block 100% of all malware, then you wouldn't need a tool like HMPA in the first place. HMPA's job is to block malware that is delivered via exploits, but also to block malware that is capable of bypassing AV's. That's the whole point of CryptoGuard.
     
  22. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    You really only need an AV if the user allows untrusted software to run on the computer in the first place. First layer of defense is the user behavior. Don't click on unknown links, and don't open unknown attachments.

    I've been running an AV on my PC for forever, and HMPA for over 5 years, and neither of them has ever had to catch malware for me. They are just there in case I do something stupid.

    And if they ever do catch something, I will likely just restore my system from a clean Macrium Reflect Image.
     
  23. Tume

    Tume Registered Member

    Joined:
    Mar 28, 2022
    Posts:
    2
    Location:
    Finland
    Code:
    Mitigation   CodeCave
    Timestamp    2022-10-03T20:21:54
    
    Platform     10.0.22000/x64 v947 af_21
    PID          18032
    WoW          x86
    Feature      007D0B30000000A2
    Application  E:\GOG Pelit\Zeus and Poseidon\Zeus.exe
    Created      2022-10-03T17:43:46
    Description  Zeus and Poseidon 2.1.4
    
    Process Protection / Code Cave Mitigation: Active code cave detected!
    
     Loaded Modules (75)
    -----------------------------------------------------------------------------
    
    SHA256:   
    3f4aa81866105246270c362da63df8b5a18dda863bee5db6dd27c227f010cc4d
    
    Process Trace
    1  E:\GOG Pelit\Zeus and Poseidon\Zeus.exe [18032]
    2  C:\Windows\explorer.exe [9296]
       C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3  C:\Windows\System32\svchost.exe [1092]
       C:\Windows\system32\svchost.exe -k DcomLaunch -p
    4  C:\Windows\System32\services.exe [560]
    5  C:\Windows\System32\wininit.exe [960]
       wininit.exe
    
    Services
    1092  BrokerInfrastructure
    1092  DcomLaunch
    1092  PlugPlay
    1092  Power
    1092  SystemEventsBroker
    
    Dropped Files
    1  E:\GOG Pelit\Zeus and Poseidon\save\Koryne.dat
         Dropped by \Device\HarddiskVolume6\GOG Pelit\Zeus and Poseidon\Zeus.exe [18032]
            Read by \Device\HarddiskVolume6\GOG Pelit\Zeus and Poseidon\Zeus.exe [18032]
    1  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_FE_MainMenu.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    2  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_FE_MissionIntroduction.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    3  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_FE_Registry.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    4  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_FE_tutorials.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
            Read by \Device\HarddiskVolume6\GOG Pelit\Zeus and Poseidon\Zeus.exe [18032]
    5  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Load1.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    6  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Load2.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    7  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Load3.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    8  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Load4.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    9  E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece01.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    10 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece02.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    11 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece03.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    12 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece04.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    13 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece05.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    14 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece06.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    15 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece07.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    16 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece08.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    17 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece09.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    18 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_MapOfGreece10.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    19 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Title.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    20 E:\GOG Pelit\Zeus and Poseidon\DATA\Zeus_Victory.jpg
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
    21 E:\GOG Pelit\Zeus and Poseidon\zeus.exe
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [9296]
            Read by \Device\HarddiskVolume3\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1032]
                    \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe [3900]
    
    Thumbprints
    f27c1aaa8c9d58767634841998cf1183108383f75550485e7160e8b3f7c1d133
    
     
  24. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I totally agree with you. The weakest link in computing is the human. It is the first line of defence.

    I also use Macrium Reflect. Daily backups are a great security.
     
  25. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Daily image backups are the best security that you can have!

    In fact, I consider HitmanPro.Alert to be just an "alert" that some malicious behavior is taking place on my PC. If it turns out to not be a "false" detection, I am going to perform a full system restore.

    The last company I worked for with an enterprise scale network did not even consider infected team members' computers "cleanable". They just immediately wiped the PC and restored from image, so I assume that is how most pros do it.
     