Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,276
    Location:
    Ontario, Canada
    Re: Anyone tried out Hitman Pro?

    I wonder sometimes when HMP receives its updates from the vendors that are supplied in HMP. Is it up to the minute, hour, day, week or more than that?

    TH
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,276
    Location:
    Ontario, Canada
    Re: Anyone tried out Hitman Pro?

    Not a problem Buddy happy to help out!

    TH
     
  3. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Re: Anyone tried out Hitman Pro?

    I think it's pretty close to real-time, last time I asked.
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Re: Anyone tried out Hitman Pro?

    Thank you for posting the MBAM log. I took the time to look at it and before I start explaining the entries in that log, I want to express the fact that unlike MBAM, Hitman Pro 3 is a signature-less, behavioral-based scanner. If you try to clean up an infected system with other AV software first (and it removes some malware), it is possible that Hitman Pro may *not* detect and clean up any related (remaining) objects. The reason for this is that other AV solutions might have removed the malware ‘stinger’. Hitman Pro 3 is designed to search for malware ‘stingers’ and intelligently work from there to locate related objects like registry keys and values, files and folders (what we call traces). So if you want to use Hitman Pro 3 to clean up dormant (once malware-related) objects, you expect something that it (logically) may not do.

    Hitman Pro 3 is designed to locate and take out auto-starting and active malware (especially resilient trojans and rootkits) and as many related objects as possible. Looking at the MBAM log, Hitman seems to have succeeded in its foremost mission since the top of the log states:
    • Memory Processes Infected: 0
    • Memory Modules Infected: 0
    MBAM found no infections in memory. When you take a closer look at the log, all other so-called infected items are actually lifeless orphans, remnants or undesired settings. I will try to explain the remaining entries:

    {0b7fe966-c2dc-4af7-8a5f-e4141b92546e}
    The CLSID is no longer there. It is most likely a remnant of another piece of malware that was cleaned up by Norton. Not a security issue and it does not impact system stability or performance. We might add an orphan cleaner to Hitman Pro in the future to handle these keys but it is not high on our wanted list.

    Image File Execution Options
    These registry entries are somewhat evil. With this particular key one could start his own program instead of the process name mentioned in the key. Looking at the process names, these keys could prevent popular programs from starting and might run a malicious program instead. Since MBAM didn’t find any (except for Adware.Weemi, which is I think unrelated), these registry keys are harmless but undesired.

    HKEY_CURRENT_USER\SOFTWARE\AvScan
    Harmless remnant. Not a security issue and does not impact system stability or performance. Probably a remaining key from an infection earlier in time.

    SearchScopes
    In Internet Explorer you can set different search providers. But the domain mentioned in this key (search-gala.com) is not a threat. It is not listed as bad on any public DNS blacklists (which Hitman Pro automatically consults) and McAfee SiteAdvisor and Norton Safe Web both say it is safe. As mentioned before, Hitman is a behavioral analysis system and will use information available on the Internet to make a classification. There is no logical reason for Hitman to restore this setting. MBAM probably finds it bad because of a hardcoded signature (their automated analyzers probably stumbled upon this domain during malware analysis).

    Adware.Weemi
    This malware is similar to Adware.OneStep. Since I couldn’t easily locate the dropper of Weemi in our Scan Cloud, I looked for a OneStep sample and found one from May 2009. I infected one of our analysis systems with it and ran Hitman Pro 3.5. All malicious files were detected and removed, both the dropper and the infection, including traces in the registry. I noticed that the OneStep malware relies on a service and since it is related, I expect that Weemi uses one as well. A service was not mentioned in the MBAM log file – likely taken out by Hitman. Out of curiosity I ran MBAM before removing the OneStep infection and it did *not* detect one trace from the OneStep sample or the dropped and running infection during a full system scan.

    Anyway, without the dropper I decided to extract the mentioned Adware.Weemi files from our Scan Cloud for a closer look (we actually have these because Hitman Pro did find and identify the files on other computers). I saw that these files (exactly like the OneStep files) were signed (Microsoft Authenticode), issued by VeriSign to Weemi.com. Note that the Weeni.com domain has been registered since 2007 (paid for until 8/7/2010). It is not blacklisted as a bad domain and is even a safe site according to Norton Safe Web. But signed files have a significantly lower threatscore than unsigned files in Hitman Pro – the signed OneStep files were detected anyway because they were actually doing things or were about to (during boot or through the web browser). Looking back at the MBAM log and knowing that MBAM did not find any active or autostarting malware, I expect that this could be the reason why these particular Weeni files weren’t detected by Hitman Pro (the one in Application Data was taken out since it was probably active or autostarting).

    I don’t think the remaining Weeni files pose a threat but I think one would want them removed anyway. But perhaps the 5 AV partners in our cloud weren’t able to identify them at the time of the scan.

    Rogue.WindowsEnterpriseSuite
    Apparently another AV solution removed all PE files belonging to this rogue (since the screenshot of Hitman doesn't contain any objects related to the rogue's folder mentioned in the MBAM log). Only a sqlite database file remained, which is a non-malicious data file. If Hitman Pro were to take out this rogue, it could have removed the folder and its contents when (at the time of removal) it was debated on security-related websites - our dynamic Gossip Rating system is responsible for triggering the removal of complete folders and their contents when it’s highly likely to belong to scareware (note that besides the Gossip Rating, one of the PE files inside the folder must be identified as malicious as well). But since the folder is still there and not empty, I suspect that either at scan time the malicious program had a low Gossip Rating (program not heavily debated) or some files were removed by another AV solution before Hitman. The current Gossip Rating for ‘Windows Enterprise Suite’ is 17, which is high enough to warrant removal of the complete structure. But whatever the case, the mentioned file and folder are nothing but a harmless nuisance and something for people with Rupophobia ;)

    CCleaner
    Due to the nature of the behavioral scan, it is possible that by using CCleaner to clean up e.g. the Internet Explorer cache, Hitman might not be able to determine if a particular file came from the Internet (and make an assessment for the domain and URL). But in the event where origin information could not be determined, the internal threatscore would be high enough anyway for Scan Cloud identification. But remember that, depending on details found on the scanned computer and real-time changing information in our cloud, on public blacklists and increasing debates on security forums, Hitman Pro results could vary. Hitman Pro is an intelligent system based on association mining using live but always changing information.


    Anyway, I don’t think MBAM found anything so serious on the system that it shouldn’t be used on the Internet. The question you might want to ask yourself is not what other AV solutions are able to find but whether or not the threat is neutralized and everything works again as it should. So we will add something for the Image File Execution Option entries since they could prevent running these processes. It will be in the upcoming build 79 of Hitman Pro 3.5. We are currently busy adding support to handle the TDL3 Alureon rootkit – which is actually finished but we are just checking if all other features are still working as they should since we redeveloped our disk scanning technology and rewrote parts of our malware removal engine.

    Update: Oops, my bad. Removal of Image File Execution Option is already in Hitman Pro 3.5 since build 58. But it works only if the malware that is activated through it was still on the system. Thanks Erik.
     
    Last edited: Nov 19, 2009
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Re: Anyone tried out Hitman Pro?

    Our central systems (Scan Cloud) have a real-time connection with the Prevx databases (which is cloud based as well). NOD32 and G Data update hourly and Avira and a-squared are updated every four hours in our Scan Cloud.
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,276
    Location:
    Ontario, Canada
    Re: Anyone tried out Hitman Pro?

    Thanks Mark for the info!

    TH
     
  7. sc302

    sc302 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    Re: Anyone tried out Hitman Pro?

    Interesting stance on your product.

    This is how I interpreted it, please correct me if I am wrong: Hitman still sees files associated with the malware still on the computer but you (the programmers) really don't care because you (the programmers) think it is dormant and nothing else should call these files. The user can safely browse the internet because nothing has been detected in memory. What I (the technician) did prior to running Hitman removed enough of the malware to cause Hitman not to remove everything.

    Is that pretty much your take on it?

    So in your eyes, run hitman prior to running anything else and see what happens?

    This software was really designed with the novice user in mind. Nice idea, bad implementation (read this as room for growth). I really like the idea of one utility using multiple databases and scanners to scan a system (basically what most of us techs do anyway). I really don't like that it really doesn't do a thorough cleaning. It would be great if it could delete your temp files, the folders within content.ie5 under each user, the prefetch folder in windows, verify the hidden files within system32, windows, drivers, the individual user profiles, all users, common files. Check dates of last modified vs commonly last modified files, disable the system restore, and if you can and it isn't too much of a bother check the company signature of dll's and exe's and anything that does not have a company associated with it verify off of a known database.
    Ultimately I would like 1 utility to take the place of 5. Is that hard to do? I want a fast and thorough scanner (I will take thorough over fast), not what hitman currently is.
     
    Last edited: Nov 19, 2009
  8. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
    Possible False Positive

    I just updated Faststone Image Viewer to 4.0. I did a scan with Hitman and it is finding it 'malicious'.
    I did NOT remove it as I had Faststone 3.9 for months and Hitman did not find any problems.
    Could this new version 4.0 be a false-positive?
    Perhaps anyone from Hitman that is reading this could check it out.
    Thank you.
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Re: Possible False Positive

    What files are exactly identified as malware? I just installed Faststone Image Viewer 4.0 and the current Hitman Pro version doesn't target any of the files as malware. If you expand the item in the list, what is the name of the infection? Perhaps you have a polymorphic virus on your system like Virut.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Re: Anyone tried out Hitman Pro?

    1. There is just 1 threat left that Hitman Pro failed to see (Adware.Weemi).
    2. There are some registry entries and 2 data files that usually can only be removed based on its name.

    It is not that the programmers don't care. A regular AV company has large research teams with 50-100 employees that build signatures or definitions, just because they need to keep up with the 30.000+ new malicious files that appear on the Internet every day. And knowing that creating a signature for a particular threat sometimes takes a day or two, and that some of today’s rootkits are extremely sophisticated, we are all taken by the nose when you read the detection rates of popular AV solutions in AV laboratory tests. So to keep up or even stay ahead, new approaches are needed. We are a very small company (actually we are just three guys) and designed Hitman Pro 3 to be signature-less. We invented a Behavioral *Scan* to detect known (and foremost unknown) threats. To complement our scanner we developed a Scan Cloud which contains multiple technologies including 7 AV scanners from 5 AV partners, to classify or even name the potential threats.

    AV tests focus on recognition of static samples under laboratory conditions. But everybody here knows that once your machine is infected, undoing this infection is not an easy task for AV software once it becomes aware of it - something no one seems to be talking about, but the existence of perhaps millions of threads started by people asking for help on security forums is a nice indication of the real world. We do not create any detection (nor removal) signatures but developed an intelligent removal engine instead. But it is only capable of relating registry objects and data files when the threat is still on the system. So if you first run lots of tools you basically remove forensic information that Hitman Pro needs in order to build its case against the registry objects and data files.

    Hitman Pro *does* check all those locations but it just does not vacuum those locations. But we do plan to add a vacuum option to cleanup orphan registry entries and folders that contain temporary files. Note that emptying the prefetch folder doesn't improve system performance, stability or security - gaining something positive from this is a myth.

    You must have read our documentation as this is *exactly* what Hitman Pro does.

    We do our best to improve our product. Currently it is quick, very easy to use and it is very thorough as long as Hitman Pro can build its case against related registry and data files.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Re: Anyone tried out Hitman Pro?

    Image File Execution Option entries are already analyzed as of build 58 :D

    But as the entries in the MBAM log point to files that don't exist, Hitman Pro cannot build a case against those entries and so they are not removed by Hitman Pro.

    MBAM reports on 752 registry keys. Most people just read numbers. As long as Product X reports more entries than Product Y, these people have more trust in Product X o_O

    I think we cannot do without a crap cleaner.
     
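    Added example (not Hitman Pro's code and not from either developer): a PowerShell check, run from an elevated prompt on Windows, that enumerates the Image File Execution Options entries discussed in the two developer posts above and reports each Debugger redirection together with whether its target still exists. An entry whose target is gone is the kind of orphan the MBAM log listed and that, as described, cannot be tied back to a still-present threat; the registry path and the Debugger value name are standard Windows locations, and the Wow6432Node branch is included as an assumption for 64-bit systems.

    ```powershell
    # Added example: list Image File Execution Options (IFEO) Debugger entries
    # and classify each as present-target or orphan (target file missing).
    # Assumes Windows, PowerShell 3+, and read access to HKLM.
    $ifeoPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    function Resolve-DebuggerTarget {
        # Extract the executable from a Debugger value such as
        #   "C:\Tools\dbg.exe" -arg   or   ntsd -d
        # and return its resolved path, or $null when it cannot be found.
        param([string]$Debugger)
        $trimmed = $Debugger.Trim()
        if ($trimmed.StartsWith('"')) {
            $end = $trimmed.IndexOf('"', 1)
            if ($end -lt 0) { $end = $trimmed.Length }      # unterminated quote
            $exe = $trimmed.Substring(1, $end - 1)
        } else {
            $exe = ($trimmed -split '\s+')[0]
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
        # A bare name (e.g. ntsd) is looked up on PATH, as the loader would.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { return $cmd.Source }
        return $null
    }

    function Get-IfeoDebuggerReport {
        $report = foreach ($root in $ifeoPaths) {
            foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
                $dbg = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
                if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
                $target = Resolve-DebuggerTarget -Debugger $dbg
                if ($target) {
                    # A present target is not automatically malicious: some
                    # developer tools register a debugger here. Review it.
                    $status = 'target present: review'
                } else {
                    $status = 'orphan: target missing'
                }
                [pscustomobject]@{
                    Process  = $key.PSChildName   # the image name being redirected
                    Hive     = $root
                    Debugger = $dbg
                    Target   = $target
                    Status   = $status
                }
            }
        }
        return $report
    }

    Get-IfeoDebuggerReport | Sort-Object Status, Process | Format-Table -AutoSize
    ```

    Entries reported as orphans can be removed by hand or with a registry cleaner; entries with a present target deserve a look at who signed that file before deciding.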
  12. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
    Re: Possible False Positive


    I wrote FastStone and got this response: Thanks a lot for your report. It is a false positive. We use
    NSIS(trusted and widely used by many software vendors) to create the
    setup file and sometimes it causes false warnings like this. We have
    just rebuilt the setup file using different options. Hopefully this
    issue has been resolved.

    I did another scan with Hitman and it went through with NO warning.
    KOR-
     
  13. sc302

    sc302 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    Re: Anyone tried out Hitman Pro?

    I didn't read the documentation because I have little faith of anything actually doing this, as after all scans have been completed I go in to the folders that I have listed and manually verify files, first sorting by company then once the files have been sorted by company I start looking at file names and extensions of files that have no company associated to them. Then once I am done with that I sort by date, looking for either skewed dates and recent dates.

    How does your software detect and remove timebombs and/or the unknown, none are really successful with this.

    So I gather before you run any other utility it is best to run yours, then see if the other utilities pick up anything worthwhile including my final manual scan.

    Anyone have any good screen capture software that hitman won't detect as a threat? I want to make a video of my next pc cleansing to post (or at least to ftp).
     
  14. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Re: Anyone tried out Hitman Pro?

    I suggest you try this one:

    http://camstudio.org/
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Re: Anyone tried out Hitman Pro?

    Which capture software does Hitman Pro detect as a threat? In an earlier post you also reported on a false positive.

    Do you have Early Warning Scoring (EWS) enabled?

    When EWS is enabled, Hitman Pro lists files that range from little to medium suspicious (read: mostly non-malware). You use this mode only when you don't have an internet connection or when you suspect there is still some malware active on your computer. EWS is for experts only as the user must filter the results. For this reason EWS is off by default.
     
  16. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Re: Anyone tried out Hitman Pro?

    The previous user said Hitman found the following as malicious, which is a popular image viewer/basic editor.

    http://www.faststone.org/

    More specifically - Faststone Image Viewer:
    http://www.faststone.org/FSViewerDownload.htm

    I use this software, without Hitman finding it as malicious, but I'm using an older version (3.6).
     
  17. sc302

    sc302 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    Re: Anyone tried out Hitman Pro?

    Never turned it on. But I should be receiving the infected one soon, so I will be able to do a slight interview with the client to find out what is going on with the pc and be able to post up what is wrong with it before I even start out. I am anxious to see if hitman actually works and will have video proving one way or the other. If it is infected, fine; if not, I will take an image of a good pc and get it royally infected, but that may not happen this weekend if I have to get a pc infected (no av or antimalware software loaded, going out to different crack sites and torrent sites, maybe even download some infected torrents; this will take a little bit of time to accomplish, which I don't have a lot of this weekend).
     
  18. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Re: Anyone tried out Hitman Pro?

    Hi,

    hmm, I don't know whether this app is so good.
    It has some problems, described on their homepage with mention of an upcoming version 2.5..

    But there is no update since over one year, even on the blog.

    That's strange.

    regards,

    iNsuRRecTiON
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Re: Anyone tried out Hitman Pro?

    What's with the desktop shortcut icon in Win 7? I delete it, later on run a scan on a file using the context menu option and the desktop shortcut icon appears again. Also, to run HMP I have to allow it with the UAC prompt as well as turn off SRP. I've made an unrestricted rule with SRP for Program/Files HitmanPro35.exe and for the re-appearing desktop shortcut but SRP still blocks running of HMP. The only way it will run is to disable SRP.
     
  20. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    69
    Re: Anyone tried out Hitman Pro?

    Try FastStone Capture.
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Re: Anyone tried out Hitman Pro?

    The last freeware version was 5.3, available here. I run it without Hitman detection problems.
     
  22. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Re: Anyone tried out Hitman Pro?

    Adding to this, I've uninstalled this for now because something's not right. To do a right click scan, I have to disable AppGuard, SRP, System Protect, and allow the UAC prompt only to have it dump another HMP shortcut to the desktop.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Re: Anyone tried out Hitman Pro?

    Hi Greg. This is a bug in build 78.

    See this post for a workaround.
     
  24. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Re: Anyone tried out Hitman Pro?

    Thanks!
     
  25. sc302

    sc302 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    Re: Anyone tried out Hitman Pro?

    As far as my test pc goes:
    Issue - Can't get out to any internet sites or ftp

    Fix - run winsock fix

    Issue resolved.....no need to run other utilities to clean up, only to verify. Going to run hitman anyway, but I do not see a reason for any in depth scanning for now or video. Will have to royally infect a test pc.
     