HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. erikloman

    erikloman Developer

    Last edited: Jun 9, 2017
  2. erikloman

    erikloman Developer

    HitmanPro.Alert 3.7 Build 708 Community Technology Preview 2 (CTP2)

    Surprise... Due to overwhelming feedback on the Private CTP1 build we decided to make the CTP2 release a Public Beta!

    In order to keep the BETA and CTP feedback separated from the Support and Discussion thread we created this new thread dedicated to discuss BETA and CTP builds. Otherwise people might think reported issues in the BETA and CTP builds are also in the stable releases.

    We need your feedback to make sure the new HitmanPro.Alert mitigations run alongside other security products.

    New Features in version 3.7
    • Real-time Anti-Malware
      Works with the HitmanPro cloud.

    • Credential Theft Protection
      Preventing theft of authentication passwords and hash information from memory, registry and disk. Prevents Mimikatz-style attacks.

    • Local Privilege Guard
      Prevents exploits of the operating system kernel. Prevents an attacker from using the privilege information of another process.

    • Code Cave mitigation
      Stops backdoors in trusted code.

    • Sticky Keys mitigation
      Prevents misuse of the Microsoft sticky key feature. Usually used by attackers to gain persistence.

    • Asynchronous Procedure Call (APC) mitigation
      Stops code injection via APC (e.g. DoublePulsar and AtomBombing attacks).

    • Application Verifier mitigation
      Prevents misuse of the Application Verifier feature of Windows (e.g. the DoubleAgent attack).

    • Malicious Process Migration
      Detects remote reflective DLL injection used to move laterally between processes.

    Changelog (compared to CTP1)
    • Added DoublePulsar detection to APC mitigation
    • Added Compatibility with QEMU/KVM hypervisor
    • Improved Anti-Malware component
    • Improved CodeCave mitigation
    • Improved Local Privilege Guard mitigation
    • Improved Asynchronous Procedure Call (APC) mitigation
    • Improved DLL injection respects Trustlets
    • Improved CryptoGuard 4.9
    • Improved Installer
    • Fixed CodeCave false positives
    • Fixed PrivGuard false positives
    • Fixed APCViolation false positives
    • Fixed BSOD installing Alert in QEMU/KVM
    • Fixed BSOD caused in minifilter (introduced since 701)
    • Fixed iTunes compatibility
    • Fixed Compatibility with Steam Apps
    • Fixed typo in German translation Offene Browser
    Notes
    • Do NOT run this build on production environments. This is BETA software.
    • This build has Microsoft co-signed drivers.
    • This build triggers PrivGuard false positives when running Sandboxie sandboxed processes. We are looking into this and aiming to get this fixed as soon as possible.
    Download
    http://test.hitmanpro.com/hmpalert3b708.exe

    Make sure to report the Technical Details of a potential false positive.
    If you hit a compatibility issue, make sure you mention which version of Windows you are running and what security products you have installed.

    Happy testing and let us know how this build runs on your computer in this brand new thread :thumb:
     
    Last edited: May 30, 2017
  3. plat1098

    plat1098 Registered Member

    --deleted CTP1 comments per request.--

    Re-edit: No BadUSB so far. No impacts on startup/restart so far. BadUSB and Keystroke Encryption work well so far.

    When trying the anti-malware, this mitigation came up at 99% complete and is reproducible:

    [screenshot attached: mitcredguard.PNG]
     
    Last edited: May 30, 2017
  4. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Got a crash when running a scan with HitmanPro from HitmanPro.Alert:

    [screenshot attached: hitmanpro.JPG]
     
  5. erikloman

    erikloman Developer

    I thought that was fixed in this build. Guess not :ouch:

    We plan on rolling another update later this week with several minor fixes. A fix for this will definitely go in.
     
  6. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Great, for now no other issues to report :thumb:
     
  7. puff-m-d

    puff-m-d Registered Member

    Hello @erikloman,

    All of the issues that I experienced and discussed with you in PM with CTP1 seem to be fixed now, except for the Credential Theft Protection (CredGuard) alert when running a HitmanPro scan (also reported by others).
    I will be watching over several reboots to see how it goes but so far great improvements over CTP1...
     
  8. Peter2150

    Peter2150 Global Moderator

    Testing against real malware is where this build shines. A new feature, a red fly-out when malware has been detected. Cool.
     
  9. mood

    mood Registered Member

    Yes, this is a good new feature.

    Will there be an updated build of HitmanPro, or are you doing the fix within HMP.A? :doubt:
     
  10. Hiltihome

    Hiltihome Registered Member

    I uninstalled CTP1, prior to installing CTP2,
    but CTP2 remembered the alert count.

    How to reset alert count?
     
  11. puff-m-d

    puff-m-d Registered Member

    Hello @Hiltihome,

    Open the "Windows Event Viewer" > "Windows Logs" > "Application" - under "Actions" > "Clear Log"
    HTH...
     
  12. Hiltihome

    Hiltihome Registered Member

    @puff-m-d:
    [struck through:] that does not work for CTP.
    I deleted hmpalert.xml, but after reboot the alert count is back.

    Edit: deleting all events cleared the counter, but that's not elegant.
    THX


    (WIN7-64, bitdefender-free-2016, fresh install, 3 weeks back)
     
    Last edited: May 30, 2017
  13. puff-m-d

    puff-m-d Registered Member

    Hello @Hiltihome,

    HMP.A stores its alerts in the Windows Application Logs and allows you to view them via a snap-in (Custom View) by clicking on either "Number of alerts" or "Last alert" in the HMP.A GUI. I am fairly sure that it is pulling the counts from there also hence when you clear the application logs the counter resets to zero. As far as I know, that is the only way to reset the counter...
     
  14. _CyberGhosT_

    _CyberGhosT_ Registered Member

    No issues out of CTP2 so far, running well and using an acceptable level of resources :thumb:
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I did a fresh install of HMPA 3.6.7 build 602 (no upgrade, and HMPA has never been installed on this image) on Windows 10 X64 Professional. I'm also using Eset Internet Security 10, and AppGuard. Immediately after installation I noticed that the Bad USB Protection was disabled. I enabled it, but after rebooting it was disabled again.

    I made HMPA a power app in AppGuard which gives it the right to do much more than other applications, but I had the following blocked events below in my AppGuard Activity Report. I suspect this is related to HMPA's new mitigation for EternalBlue, and Double Pulsar. What do you think Erik/Mark? Do you think this activity is related to HMPA alert's added protection for EternalBlue, and Double Pulsar? I have never had AppGuard block this activity before in my years of using AG. I had the Task Manager open, and I was using msconfig when these blocked events occurred in AppGuard.

    05/30/17 18:20:54 Prevented <MSCONFIG MFC APPLICATION> from writing to <\registry\machine\bcd00000000>.

    05/30/17 18:20:59 Prevented <Task Manager> from reading memory of <Local Security Authority Process>.

    05/30/17 18:22:28 Prevented <pid: 6644> from writing to <\registry\machine\bcd00000000>.

    05/30/17 18:23:01 Prevented <pid: 4384> from reading memory of <Local Security Authority Process>.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I just noticed I'm not receiving the fly-out that notifies me that Firefox is being protected like I used to. It does however still inform me I'm protected if I place my cursor on the border of the browser UI. I'm using Windows 10 X64 Professional.
     
  17. Circuit

    Circuit Registered Member

    [two screenshots attached: 2017-05-30 16_10_49-.png and 2017-05-30 16_17_15-FarCry®4 (Not Responding).png] With CTP2 I get this (SBIE) and this (FarCry4).

    Should be moved to beta thread.
     
    Last edited: May 30, 2017
  18. bberkey1

    bberkey1 Registered Member

    No problems thus far. Resource usage is respectable. Ran two scans, both of which were quick, but I was testing Process Hacker and it detected it as a Trojan:


    Properties
    Name processhacker-3.0.639-setup.exe
    Location C:\Users\Poopshoot\Downloads
    Size 5.2 MB
    Time 10.3 days ago (2017-05-20 09:36:56)
    Entropy 8.0
    Product Process Hacker Setup
    Publisher Process Hacker
    Description Process Hacker Setup
    Version 3.0.5166.639
    LanguageID 9
    SHA-256 B66E3046BB4F00A3A48256AC6580B59A71D81CB0018DCE66A7766F56B6AAC7C5

    Detection Names
    Kaspersky not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen


    I'm guessing it's just a false positive, but thought I'd throw it out there.
     
  19. ronald739

    ronald739 Registered Member

    CTP2 running well on Win10X64 CU.

    I noticed this happening and realized I had to change the "Safety Notification" from "once per login session" to "At application start". Not sure if this is your issue.

    Regards.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Thanks! That was it. I looked for a setting controlling the flyout, but did not have any luck finding it.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I'm using Process Hacker 2.39.124 on Windows 10 X64, and I have not experienced any detections. It says I'm using the latest stable build. I noticed it says you are using version 3.0.639. What is that, a beta version? Where did you get it from? Are you sure it's legit?
     
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Yes, it's legit.

    https://wj32.org/processhacker/nightly.php
     
  23. mood

    mood Registered Member

    The problem with Sandboxie will be fixed soon:
     
  24. subhrobhandari

    subhrobhandari Registered Member

    Updated here, MPC-BE still doesn't work. Appears for only one second, then auto-closes. Set the action mode to "Audit only" but still the same results.

    The following installers don't work; I get Lockdown for all of them.

    Mitigation Lockdown

    Platform 6.1.7601/x64 v708 06_2a
    PID 1424
    Application D:\Unchecked\SubtitleEdit.exe
    Description Subtitle Edit Setup 3.5.3

    Filename C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp
    Created By D:\Unchecked\SubtitleEdit.exe

    Command line:
    "C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp" /SL5="$40792,5532970,141824,D:\Unchecked\SubtitleEdit.exe"

    Process Trace
    1 D:\Unchecked\SubtitleEdit.exe [1424]
    2 C:\Windows\explorer.exe [2812]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [820]
    C:\Windows\system32\svchost.exe -k DcomLaunch
    4 C:\Windows\System32\services.exe [704]

    Thumbprint
    81365dfe79e039f471a8ba1b59e119cd896c2af09c1c6130b63c5ae1e2e33d93

    Mitigation Lockdown

    Platform 6.1.7601/x64 v708 06_2a
    PID 5080
    Application D:\Unchecked\peazip-6.4.1.WIN64.exe
    Description PeaZip Setup 6.4.1

    Filename C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp
    Created By D:\Unchecked\peazip-6.4.1.WIN64.exe

    Command line:
    "C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp" /SL5="$20770,7039495,149504,D:\Unchecked\peazip-6.4.1.WIN64.exe"

    Process Trace
    1 D:\Unchecked\peazip-6.4.1.WIN64.exe [5080]
    2 C:\Windows\explorer.exe [2812]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [820]
    C:\Windows\system32\svchost.exe -k DcomLaunch
    4 C:\Windows\System32\services.exe [704]

    Thumbprint
    d5dab80444204b1f8aa9c7c96373f0e052ac432ea238ffff14932a83c6e9581b

    Mitigation Lockdown

    Platform 6.1.7601/x64 v708 06_2a
    PID 3620
    Application D:\Unchecked\pdfshaper_cfree_7.3.exe
    Description PDF Shaper Free Installation 7.3

    Filename C:\Users\Subhro\AppData\Local\Temp\is-013FE.tmp\pdfshaper_cfree_7.3.tmp
    Created By D:\Unchecked\pdfshaper_cfree_7.3.exe

    Command line:
    "C:\Users\Subhro\AppData\Local\Temp\is-013FE.tmp\pdfshaper_cfree_7.3.tmp" /SL5="$407EA,7289112,189952,D:\Unchecked\pdfshaper_cfree_7.3.exe"

    Process Trace
    1 D:\Unchecked\pdfshaper_cfree_7.3.exe [3620]
    2 C:\Windows\explorer.exe [2812]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [820]
    C:\Windows\system32\svchost.exe -k DcomLaunch
    4 C:\Windows\System32\services.exe [704]

    Thumbprint
    f0286d38b6246fab11b7d752626220ae0cf89c3ca96f618a9ab579fd8946b69f

    Mitigation Lockdown

    Platform 6.1.7601/x64 v708 06_2a
    PID 4040
    Application D:\Unchecked\ImageMagick.exe
    Description ImageMagick 7.0.5 Q16 (64-bit) Setup 7.0.5

    Filename C:\Users\Subhro\AppData\Local\Temp\is-4LR57.tmp\ImageMagick.tmp
    Created By D:\Unchecked\ImageMagick.exe

    Command line:
    "C:\Users\Subhro\AppData\Local\Temp\is-4LR57.tmp\ImageMagick.tmp" /SL5="$607E0,24577323,121344,D:\Unchecked\ImageMagick.exe"

    Process Trace
    1 D:\Unchecked\ImageMagick.exe [4040]
    2 C:\Windows\explorer.exe [2812]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [820]
    C:\Windows\system32\svchost.exe -k DcomLaunch
    4 C:\Windows\System32\services.exe [704]

    Thumbprint
    2bc4c2245a5e135c98bee2c2fb79653ea33ade85f81bd4bb158590ca543712aa
     
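    The four Lockdown reports above all have the same shape, and when you are triaging a batch of them before reporting false positives it helps to pull the fields out mechanically. The following is an added example written for this thread, not HitmanPro.Alert's own tooling: it parses the "Mitigation" report text as HMP.A prints it, using two of the reports copied verbatim from the post as input, and flags the pattern they share. The observation that the `is-XXXXX.tmp` temp folder together with the `/SL5=` switch is the signature of an Inno Setup-built installer launching its extracted second stage is the editor's, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Input: two of the "Mitigation Lockdown" reports quoted in the post above,
# copied verbatim from the thread with blank lines removed. The other two
# reports in the post have exactly the same layout.
SAMPLE_REPORTS = r"""
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 1424
Application D:\Unchecked\SubtitleEdit.exe
Description Subtitle Edit Setup 3.5.3
Filename C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp
Created By D:\Unchecked\SubtitleEdit.exe
Command line:
"C:\Users\Subhro\AppData\Local\Temp\is-79927.tmp\SubtitleEdit.tmp" /SL5="$40792,5532970,141824,D:\Unchecked\SubtitleEdit.exe"
Process Trace
1 D:\Unchecked\SubtitleEdit.exe [1424]
2 C:\Windows\explorer.exe [2812]
C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820]
C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint
81365dfe79e039f471a8ba1b59e119cd896c2af09c1c6130b63c5ae1e2e33d93
Mitigation Lockdown
Platform 6.1.7601/x64 v708 06_2a
PID 5080
Application D:\Unchecked\peazip-6.4.1.WIN64.exe
Description PeaZip Setup 6.4.1
Filename C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp
Created By D:\Unchecked\peazip-6.4.1.WIN64.exe
Command line:
"C:\Users\Subhro\AppData\Local\Temp\is-NODLQ.tmp\peazip-6.4.1.WIN64.tmp" /SL5="$20770,7039495,149504,D:\Unchecked\peazip-6.4.1.WIN64.exe"
Process Trace
1 D:\Unchecked\peazip-6.4.1.WIN64.exe [5080]
2 C:\Windows\explorer.exe [2812]
C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
3 C:\Windows\System32\svchost.exe [820]
C:\Windows\system32\svchost.exe -k DcomLaunch
4 C:\Windows\System32\services.exe [704]
Thumbprint
d5dab80444204b1f8aa9c7c96373f0e052ac432ea238ffff14932a83c6e9581b
"""

# "Key value" lines that appear in every report.
KEY_VALUE = re.compile(r"^(Platform|PID|Application|Description|Filename|Created By)\s+(.*)$")
# Process Trace entries look like "2 C:\Windows\explorer.exe [2812]"; the
# indented command-line continuation lines below them carry no "[pid]".
TRACE_LINE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")
# Inno Setup extracts its second stage to %TEMP%\is-XXXXX.tmp\ (editor's note).
INNO_TEMP = re.compile(r"\\Temp\\is-[0-9A-Z]+\.tmp\\", re.IGNORECASE)


@dataclass
class Report:
    mitigation: str
    fields: dict = field(default_factory=dict)
    command_line: str = ""
    trace: list = field(default_factory=list)   # (depth, image path, pid)
    thumbprint: str = ""


def parse_reports(text):
    """Split concatenated HMP.A mitigation reports into Report objects."""
    reports, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Mitigation "):          # start of a new report
            current = Report(mitigation=line.split(" ", 1)[1])
            reports.append(current)
            section = None
            continue
        if current is None:
            continue
        if line in ("Command line:", "Process Trace", "Thumbprint"):
            section = line                          # header of a multi-line section
            continue
        if section == "Command line:":
            current.command_line, section = line, None
        elif section == "Thumbprint":
            current.thumbprint, section = line.lower(), None
        elif section == "Process Trace":
            m = TRACE_LINE.match(line)
            if m:                                   # skip command-line continuation lines
                current.trace.append((int(m.group(1)), m.group(2), int(m.group(3))))
        else:
            m = KEY_VALUE.match(line)
            if m:
                current.fields[m.group(1)] = m.group(2)
    return reports


def looks_like_inno_setup_stage(report):
    """Blocked file lives in an is-XXXXX.tmp folder and was launched with /SL5=."""
    return bool(INNO_TEMP.search(report.fields.get("Filename", ""))) and "/SL5=" in report.command_line


def summarize(text):
    """Reduce each report to the handful of facts needed for a false-positive triage."""
    out = []
    for r in parse_reports(text):
        out.append({
            "mitigation": r.mitigation,
            "pid": int(r.fields["PID"]),
            "application": r.fields["Application"],
            # Created By == Application: the installer spawned its own child.
            "spawned_by_installer": r.fields.get("Created By") == r.fields.get("Application"),
            "inno_setup_stage": looks_like_inno_setup_stage(r),
            # Ancestors of the installer itself (entry 1), by image name only.
            "parent_chain": [image.rsplit("\\", 1)[-1] for _, image, _ in r.trace[1:]],
            "thumbprint": r.thumbprint,
        })
    return out


def share_parent_chain(summaries):
    """True when every report was launched through the same ancestor chain."""
    return len({tuple(s["parent_chain"]) for s in summaries}) == 1


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORTS)
    for row in rows:
        print(row)
    print("same launch chain:", share_parent_chain(rows))
```

    Run against all four reports in the post, every one comes back as an Inno Setup second stage spawned by a user-launched installer under explorer.exe, which is the kind of consistent signal worth including when reporting the Lockdown alerts as false positives.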
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    With CTP2 it no longer reacts to the HMP scan, very good.
    Thanks Mark & Erik