HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    I've updated the download link so it is now served from our HTTPS site. Thanks! :thumb:
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,330
    Location:
    Outer space
    So far so good with 779 RC on Win7 x64.

    Nice, I already wondered why it was still served over HTTP even though the normal version on both surfright.nl and hitmanpro.com is served over HTTPS.
     
  3. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    HMP.A just auto updated to build 779.
    No issues so far.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,009
    Location:
    USA
    Manually updated from 777 to 779; everything working just fine :thumb:
     
  5. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    926
    779 does not install over 777: “Failed to install program. Error 0”.
     
  6. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    197
    Automatic update on this version. So far everything is alright. Windows 10 Pro 64-bit, version 1809, build 17763.437
     
  7. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    22
    Location:
    Nederlands
    No problems. Automatic update to build 779, on Windows 10 Pro (64-bit) 1809
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,886
    Location:
    Under a bushel ...
    +1

    Btw I've forgotten, on my v1803 machine it is still build 775 ('No update available') ... how do I automatically get betas / RCs again? Besides manually downloading, I mean ...
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,140
    Location:
    the Netherlands
    Stable builds (like the current build 775) are not automatically updated to beta/RC versions. Stable builds are only automatically updated when a new build is released as stable.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just upgraded my win 7 box to 779. Smooth as silk.

    Thanks Mark and guys

    Update. Just installed on a VM machine running Win 10 Pro X64 build 1809. Running very smooth.
     
    Last edited: Apr 18, 2019
  11. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    300
    Location:
    Netherlands
    W7x64, installed build 779 over build 775, no issues whatsoever!
     
  12. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Manually upgraded to build 779 from 775 yesterday. No problems or issues.
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    HitmanPro.Alert 3.8.0 Build 839 Community Technology Preview 1

    We've been working on new mitigations and several new features for HitmanPro.Alert. We already introduced a novel mitigation called Heap Heap Protect with build 77x, but today we are releasing the first preview of our other new technologies.
    With attackers getting increasingly more successful at compromising networks via Remote Desktop (RDP) - to extort money with ransomware, set up a supply chain attack, etc. - we've developed a mitigation that revokes a user's ability to introduce and run new code - even if you are an administrator. Of course, as an administrator you may occasionally want to unlock your session (e.g. for a user-mode application update), and to do so you can supply the 2FA token file that you generated previously from the console session. You can also put this 2FA token file on a USB flash drive connected to your local machine and connect it as a resource drive to the remote session.
    With CryptoGuard v5 we're introducing a completely new anti-ransomware engine. Not that the existing CryptoGuard is not good enough, but we wanted to really monitor every file on the system to detect ransomware manipulation. In addition, we wanted the engine to get some teeth as well, so we added retaliation that terminates processes that attack your files.
    To top it off we added visualization of the trace data collected by HitmanPro.Alert since it was installed on your machine. This is an EDR-style interface (Endpoint Detection and Response) that can help you investigate an attack. We have had this technology in HitmanPro.Alert since 2015 and we leverage it not only for attack detection but now for visualization as well.
    And of course, unlike any other solution out there, HitmanPro.Alert is still less than 5 megabytes (MB)! :D

    New Features
    • RDP Guard to lock down Remote Desktop (RDP) sessions.
      • Blocks access to new binaries that are introduced in RDP sessions.
      • Strips administrator privileges from processes.
      • Allows generating a 2-factor token file to unlock an RDP session.
    • CryptoGuard v5
      • Complete redesign and rewrite of the award winning and world's first anti-ransomware module (est. 2013) to also monitor unknown file types, increase performance and reduce I/O overhead.
    • New user interface panels
      • Event List panel to view the alerts (finally replaces the standard Windows Event Viewer).
      • Event Process Tree panel to provide graphical representation of an attack.
      • Protected Volumes list panel to view the volumes and network shares that are protected by CryptoGuard.
    Added
    • CryptoGuard can run in either v4 or the new v5 mode.
    • CryptoGuard v5 block modes: Terminate, Isolate and Audit.
      • Terminate: terminates and isolates the ransomware process (new default)
      • Isolate: detects and isolates the ransomware by revoking write access (old default)
      • Audit: detects ransomware, but takes no action on it (new)
    • View Protected Volumes monitored by CryptoGuard
    • RDP Guard includes a new shell extension that shows an overlay icon on binaries that have been introduced in an RDP session. The extension also helps with unlocking the RDP session via a token file located on a drive shared with the RDP session.
    • Process Tree view with timeline to graphically animate how an attack took place. Includes clickable objects, dropped files per process, time between processes, exit state, hyperlinked SHA-256 hashes that open the report on VirusTotal, etc.
    • Anti-Malware now relies on a new network manager module to detect when the internet connection is lost or restored.
    • Excalibur.db is regularly truncated (to prevent the file from becoming too large on high-activity machines).
    • Alert Events are now also stored in excalibur.db, the local event trace database.
    • Ability to suppress previous alerts via the new Event List interface panel.
    Improved
    • Inner workings of the keystroke encryption engine.
    • Keystroke encryption engine now correctly handles the Windows 10 Emoji Picker (shortcut Win + . ).
    • Service is now hardened against an unsolicited stop command.
    • Alert processes are now hardened by enabling several Windows 10 mitigations.
    Fixed
    • Fixed restoring a Windows restore point.
    • Alt-Tab window could get stuck when the foreground process had keystroke encryption active.
    Removed
    • Credential Theft Protection no longer shields the SAM database on the disk (CredGuard SAM). Too many legitimate applications access the SAM database.
    Notes
    • Do NOT install this on a machine to which you only have access over Remote Desktop, as it will lock you out from admin access; you need hands on keyboard to generate the 2FA token.
    • Do NOT return from this 8xx CTP to version 7xx stable without first removing c:\programdata\hitmanpro.alert\excalibur.db
    Screenshots
    [Screenshot] Figure 1: Advanced interface

    [Screenshot] Figure 2: Remote Desktop Lockdown (RDP Guard)

    [Screenshot] Figure 3: Attack visualization via Event List > Actions > View Process Tree

    [Screenshot] Figure 4: Visualization helps to gain insight into what e.g. a temporary malicious PowerShell process has been doing. Here it downloaded a ransomware from a remote web site and started it, causing our CryptoGuard to step in.

    [Screenshot] Figure 5: Protected Volumes is an overview of all the locations protected by CryptoGuard against crypto-ransomware

    Download
    https://dl.surfright.nl/hmpalert3b839.exe

    We still need to work on a few things, like texts on the Event List details panel, but we're also looking for your input. Thank you! Happy Easter! :thumb:
     
    Last edited: Apr 21, 2019
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,886
    Location:
    Under a bushel ...
    Imaged and manually updated from 3.7.9 Build 779, no problems. Win 10 x64 Pro v1809 17763.437.

    CryptoGuard Experimental v5.

    If I click on 'Last Event (1 alerts)' (Advanced interface), Event List panel opens (no content) with spinning blue circle, then disappears. HmP.A does not crash.
    I often previously had snap-in loading problems with Event Viewer also though ... could be related?
     
    Last edited: Apr 21, 2019
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    840
    No problems upgrading/updating build 839 CTP1 (using CryptoGuard Experimental v5).

    A request: an option to copy the info (select text and right-click) from the Event list.

    Win10 1809 build 17763.437 x64/Norton Security v22.17.0.183
     
    Last edited: Apr 21, 2019
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    840
    No problems with the Event list panel here.
     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    840
    Wrong/old date 'Laatste melding'. Most recent one is from last week.

    [Screenshot]
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Updated to 380. Looks good so far. Win 7 Pro x64. Will test on a VM for Win 10 later.

    I like the fact CryptoGuard protects all the drives. Well done.
     
  19. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,850
    Location:
    Canada
    No problems updating to build 839 CTP1. Windows 10 x64. Using CryptoGuard Experimental v5

    Thank you, well done:)
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I spoke too soon on CryptoGuard. I image to my other internal drives, and the impact on image time was huge. If you image once weekly it won't matter, but for corporate users it will be bad. I am staying with v4 CryptoGuard as I don't really need the protection, as I use Pumpernickel.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mark

    The anti malware module needs an exclusion feature. I have to keep it off without that.
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
    Can you put some statistics in on how much delay and/or MB/s performance drop you are experiencing, and if possible steps to reproduce?
     
    Last edited: Apr 21, 2019
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
    You can do that now:
    - Open the Event list and click on the alert -> Suppress Alert.

    This should stop the AM module from blocking further execution of the flagged file.
    It seems you have to reboot to get this fixed; I guess we can improve that by releasing the file lock after suppression.

    You can also mitigate this by switching AM on/off, which saves a reboot.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
    Does that stick over a reboot?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Worked nicely. Thanks.
     