HitmanPro.ALERT Support and Discussion Thread

Kaspersky VPN and Password Manager. No Avast. I have Norton, which uses some Avast stuff now since the bought them out.

 

I installed the Supermium browser on a Windows 7 PC and HMP.A intercepted it on first launch:

False positive, or something to be concerned about? Supermium gets a 1/68 score on a certain virus-checking website...

 

Defender detected it as Trojan:Win32/Vigorf.A when i tried to download it.

 

Thank you!

 

But it must be a false positive. Defender does have it's share of those, only the 32bit version got detected.

 

Never heard about Supermium, does it use the latest Chromium version? Because then I wonder why other Chromium based browsers are not compatible with Win 8 anymore.

But anyway, seems like Supermium is somehow triggering ''process hollowing'' which is kinda odd. Especially if WD also detects it, wouldn't install it for the moment.

BTW, it's only flagged by 3 AV engines on VirusTotal, I'm talking about the 64 bit version. And there are two websites that offer downloads. You see how tricky this is?

https://www.supermium.org
https://win32subsystem.live/supermium/

 

G Data chrome extension blocks this.

 

My 2ct, this solution will be optional, and only interesting for Enterprise users with their own or knowledgeable security teams (for a long time) but MS has covered their legal risk.

On the other hand all major players will have to support some form of this usermode stuff, I'm just very curious how much protection they will offer compared to the driver based versions.
Vendors are now forced to live of what Microsoft offers in their public version of this (not sure how fair that will be against defender and their other undocumented options) instead of in prevention mode forced to go back in to detection mode and or best case reaction mode (already infected, but contained within x seconds/minutes) and repair options. (Same protection is impossible, specially for HMPA kind of solutions).

As long as attackers can bring their own vulnerable drivers (as long as it's no security driver) I'm not sure I would be putting my resources on that deploying it though the estate.

 

It tries to patch it's own PEB, likely not malicious but I guess we haven't made any exceptions for this exotic browser.

 

OK, so you're saying other Chromium browsers might also trigger this, if not whitelisted?

Yes, it's weird, I downloaded two versions from these websites, and one of them was flagged on VirusTotal, the other wasn't, so I wonder what's up with this. It seems to be a bit fishy. It wasn't detected by Win Defender though, so I wonder why Sir Percy did see this detection? Oh wait, he probably downloaded another version.

 

That's what I wonder about as well. It seems like Sophos is involved with the Windows Resilient Security Platform, can't you ask for more info? I mean, I can't visualize how protection tools would work without having to use a driver? When it comes to tamper protection, I guess Windows will take care of this, perhaps via app sandboxing.

Or perhaps I'm misunderstanding, and will security tools still use drivers, but without full kernel access? I guess for clues we have to look at macOS, where security tools already run in usermode, with the help of so called System Extensions. And Linux has got this system named eBPF, which is able to sandbox/isolate apps while still giving them access to the kernel. Sounds like Windows 12 would then need a complete redesign.

https://www.trio.so/blog/macos-system-extensions/
https://www.datadoghq.com/knowledge-center/ebpf/