Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.
I've updated the download link so it is now served from our HTTPS site. Thanks!
So far so good with 779 RC on Win7 x64.
Nice, I already wondered why it was still served over HTTP even though the normal version on both surfright.nl and hitmanpro.com is served over HTTPS.
HMP.A just auto updated to build 779.
No issues so far.
Manually updated from 777 to 779; everything working just fine
779 does not install over 777: “Failed to install program. Error 0”.
Automatic update on this version. So far everything is all right. Windows 10 Pro 64-bit version 1809 build 17763.437
No problems. Automatic update to build 779, on Windows 10 Pro (64-bit) 1809
Btw I've forgotten, on my v1803 machine it is still build 775 ('No update available') ... how do I automatically get betas / RCs again? Besides manually downloading I mean ...
Stable builds (like the current build 775) are not automatically updated to beta/RC versions. Stable builds are only automatically updated when a new build is released as stable.
Just upgraded my win 7 box to 779. Smooth as silk.
Thanks Mark and guys
Update. Just installed on a VM machine running Win 10 Pro X64 build 1809. Running very smooth.
W7x64, installed build 779 over build 775, no issues whatsoever!
Manually upgraded to build 779 from 775 yesterday. No problems or issues.
HitmanPro.Alert 3.8.0 Build 839 Community Technology Preview 1
We've been working on new mitigations and several new features for HitmanPro.Alert. We already introduced a novel mitigation called Heap Heap Protect with build 77x, but today we are releasing the first preview of our other new technologies.
With attackers getting increasingly more successful at compromising networks via Remote Desktop (RDP) - to extort money with ransomware, set up a supply chain attack, etc. - we've developed a mitigation that revokes a user's ability to introduce and run new code - even if you are an administrator. Of course, as an administrator you may occasionally want to unlock your session (e.g. for a user-mode application update) and to do so you can supply the 2FA token file that you generated previously from the console session. You can also put this 2FA token file on a USB flash drive connected to your local machine and connect it as a resource drive to the remote session.
With CryptoGuard v5 we're introducing a completely new anti-ransomware engine. Not that the existing CryptoGuard is not good enough, but we wanted to really monitor every file on the system to detect ransomware manipulation. In addition, we wanted the engine to get some teeth as well, so we added retaliation that terminates processes that attack your files.
To top it off we added visualization of the trace data collected by HitmanPro.Alert since it was installed on your machine. This is an EDR style interface (Endpoint Detection and Response) that can help you investigate an attack. We have this technology in HitmanPro.Alert since 2015 and we leverage it not only for attack detection but now for visualization as well.
And of course, unlike any other solution out there, HitmanPro.Alert is still less than 5 megabytes (MB)!
RDP Guard to lockdown Remote Desktop (RDP) sessions.
Blocks access to new binaries that are introduced in RDP sessions.
Strips processes from administrator privileges.
Allows generating a two-factor token file to unlock an RDP session.
Complete redesign and rewrite of the award winning and world's first anti-ransomware module (est. 2013) to also monitor unknown file types, increase performance and reduce I/O overhead.
New user interface panels
Event List panel to view the alerts (finally replaces the standard Windows Event Viewer).
Event Process Tree panel to provide graphical representation of an attack.
Protected Volumes list panel to view the volumes and network shares that are protected by CryptoGuard.
CryptoGuard can run in either v4 or the new v5 mode.
CryptoGuard v5 block modes: Terminate, Isolate and Audit.
Terminate: terminates and isolates the ransomware process (new default)
Isolate: detects and isolates the ransomware by revoking write access (old default)
Audit: detects ransomware, but takes no action on it (new)
View Protected Volumes monitored by CryptoGuard
RDP Guard includes a new shell extension that shows an overlay icon on binaries that have been introduced in an RDP session. The extension also helps with unlocking the RDP session via a token file located on a drive shared with the RDP session.
Process Tree view with timeline to graphically animate how an attack took place. Includes clickable objects, dropped files per process, time between processes, exit state, hyperlinked SHA-256 hashes that open report on VirusTotal, etc.
Anti-Malware now relies on a new network manager module to detect when internet connection is lost or restored.
Excalibur.db is regularly truncated (to prevent the file from becoming too large on high-activity machines).
Alert Events are now also stored in excalibur.db, the local event trace database.
Ability to suppress previous alerts via the new Event List interface panel.
Inner workings of the keystroke encryption engine.
Keystroke encryption engine now correctly handles the Windows 10 Emoji Picker (shortcut Win + . ).
Service is now hardened against an unsolicited stop command.
Alert processes are now hardened by enabling several Windows 10 mitigations.
Fixed restoring a Windows restore point.
Alt-Tab window could get stuck when the foreground process had keystroke encryption active.
Credential Theft Protection no longer shields the SAM database on the disk (CredGuard SAM). Too many legitimate applications access the SAM database.
Do NOT install this on a machine to which you only have access over Remote Desktop, as it will lock you out from admin access; you need hands on keyboard to generate the 2FA token.
Do NOT return from this 8xx CTP to version 7xx stable without first removing c:\programdata\hitmanpro.alert\excalibur.db
Figure 1: Advanced interface
Figure 2: Remote Desktop Lockdown (RDP Guard)
Figure 3: Attack visualization via Event List > Actions > View Process Tree
Figure 4: Visualization helps to gain insight into what e.g. a temporary malicious PowerShell process has been doing. Here it downloaded ransomware from a remote web site and started it, causing our CryptoGuard to step in.
Figure 5: Protected Volumes is an overview of all the locations protected by CryptoGuard against crypto-ransomware
We still need to work on a few things, like texts on the Event List details panel, but we're also looking for your input. Thank you! Happy Easter!
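The post describes three CryptoGuard v5 block modes (Terminate, Isolate, Audit) and the set of protected volumes the engine watches, but not how detection itself works. The following is an added illustration, not HitmanPro.Alert code and not the product's detection logic: a small, constructed event processor that flags a process once it has overwritten several files on protected volumes with high-entropy data (the threshold, the entropy cut-off and the sample events are all assumptions made for the example) and then applies the response each mode calls for, so that the difference between the three modes is visible on the same input.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# The three block modes named in the release notes.
MODES = ("Terminate", "Isolate", "Audit")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, encrypted output near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    pid: int
    image: str
    path: str
    data: bytes  # constructed sample of the bytes written over the file


@dataclass
class Verdict:
    detected: bool
    action: str          # what the engine did about the process
    write_allowed: bool  # whether this particular write still goes through


class MiniCryptoGuard:
    # Assumed heuristic for the example: N high-entropy overwrites by one
    # process on a protected volume count as a ransomware pattern.
    HIGH_ENTROPY = 7.0
    THRESHOLD = 3

    def __init__(self, mode: str, protected_volumes: List[str]):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.protected = tuple(v.upper() for v in protected_volumes)
        self.suspicious_writes: Dict[int, int] = defaultdict(int)
        self.revoked: Set[int] = set()     # write access taken away (Isolate/Terminate)
        self.terminated: Set[int] = set()  # process killed (Terminate only)

    def _on_protected_volume(self, path: str) -> bool:
        return path.upper().startswith(self.protected)

    def handle(self, ev: WriteEvent) -> Verdict:
        if not self._on_protected_volume(ev.path):
            return Verdict(False, "none", True)          # outside the protected set
        if ev.pid in self.revoked:
            return Verdict(True, "already-isolated", False)
        if shannon_entropy(ev.data) >= self.HIGH_ENTROPY:
            self.suspicious_writes[ev.pid] += 1
        if self.suspicious_writes[ev.pid] < self.THRESHOLD:
            return Verdict(False, "none", True)
        # Detection fired; the response depends on the configured mode.
        if self.mode == "Audit":
            return Verdict(True, "audit-log", True)      # record only, no enforcement
        self.revoked.add(ev.pid)                         # Isolate: revoke write access
        if self.mode == "Terminate":
            self.terminated.add(ev.pid)                  # Terminate: also kill the process
            return Verdict(True, "terminate+isolate", False)
        return Verdict(True, "isolate", False)


def run_scenario(mode: str) -> dict:
    """Replay one constructed event stream through the engine in the given mode."""
    guard = MiniCryptoGuard(mode, [r"C:\Users", r"\\fileserver\share"])
    plain = b"Quarterly report draft, see attached figures.\n" * 8
    scrambled = bytes(range(256)) * 4                    # uniform bytes, entropy exactly 8.0
    events = [WriteEvent(1001, "notepad.exe", r"C:\Users\alice\notes.txt", plain)]
    events += [WriteEvent(4242, "evil.exe", rf"C:\Users\alice\doc{i}.docx", scrambled)
               for i in range(5)]
    events.append(WriteEvent(4242, "evil.exe", r"\\fileserver\share\budget.xlsx", scrambled))
    events.append(WriteEvent(7, "backup.exe", r"D:\images\disk.img", scrambled))  # not protected
    blocked, detected = 0, set()
    for ev in events:
        verdict = guard.handle(ev)
        if verdict.detected:
            detected.add(ev.pid)
        if not verdict.write_allowed:
            blocked += 1
    return {"mode": mode, "detected_pids": detected,
            "blocked_writes": blocked, "terminated": set(guard.terminated)}


if __name__ == "__main__":
    for m in MODES:
        print(run_scenario(m))
```

On the same stream, Terminate and Isolate both stop the third scrambled overwrite and every one after it, while Audit detects the same process but lets all writes through, which is why the post lists it as the mode that "takes no action"; the plain-text editor and the high-entropy write to the unprotected D: volume are never flagged.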
Imaged and manually updated from 3.7.9 Build 779, no problems. Win 10 x64 Pro v1809 17763.437.
CryptoGuard Experimental v5.
If I click on 'Last Event (1 alerts)' (Advanced interface), Event List panel opens (no content) with spinning blue circle, then disappears. HmP.A does not crash.
I often previously had snap-in loading problems with Event Viewer also though ... could be related?
No problems upgrading/updating build 839 CTP1 (using CryptoGuard Experimental v5).
A request: an option to copy the info (select text and right-click) from the Event list.
Win10 1809 build 17763.437 x64/Norton Security v18.104.22.168
No problems with the Event list panel here.
Wrong/old date 'Laatste melding'. Most recent one is from last week.
Updated to 380. Looks good so far. Win 7 Pro x64. Will test on VM for Win 10 later
I like the fact Cryptoguard protects all the drives. Well done
No problems updating to build 839 CTP1. Windows 10 x64. Using CryptoGuard Experimental v5
Thank you, well done
I spoke too soon on CryptoGuard. I image to my other internal drives, and the impact on image time was huge. If you image once weekly it won't matter, but for corporate users it will be bad. I am staying with v4 CryptoGuard as I don't really need the protection as I use Pumpernickel
The anti malware module needs an exclusion feature. I have to keep it off without that.
Can you put some statistics in how much delay and/or MBs performance drop you are experiencing, and if possible steps to reproduce?
You can do that now:
- Open Event list and click on the alert -> Suppress Alert.
This should stop the AM module from blocking further execution of the flagged file.
Seems you have to reboot to get this fixed, guess we can improve that by releasing the file lock after suppression.
You can also mitigate by switching AM off/on, which saves a reboot.
Does that stick over a reboot?
Worked nicely. Thanks.