HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    170
    Which one (F#, C++, C#, Visual Basic, XML)?

    Are you still developing the 3.7 series or will the next be the 3.8?
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,687
    Location:
    Under a bushel ...
    Win 10 Pro x64 v1903 b18362.356.

    BSOD on reboot. But so far, fine after subsequent reboot. :thumb:

    WhoCrashed report below. Can't say that it's due to HmP.A ... test machine with other security softs installed, mostly disabled.
    Code:
    On Fri 2019/09/27 6:08:41 AM GMT your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\Minidump\092719-6171-01.dmp
    This was probably caused by the following module: ntoskrnl.exe (nt+0x1C10A0)
    Bugcheck code: 0x3B (0xC0000005, 0xFFFFF8066E24826C, 0xFFFFF30A524C2960, 0x0)
    Error: SYSTEM_SERVICE_EXCEPTION
    file path: C:\WINDOWS\system32\ntoskrnl.exe
    product: Microsoft® Windows® Operating System
    company: Microsoft Corporation
    description: NT Kernel & System
    Bug check description: This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
    This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
    The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
    
    I use Macrium Reflect and have been running with CryptoGuard v4.
    Due to @Peter2150's :thumb: on v5, will give it a whirl.
     
    Last edited: Sep 27, 2019
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,189
    Location:
    Among the gum trees
    Paul, does that machine have BlackFog Privacy 4.x on it? There is a known bug causing BSODs with it.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,687
    Location:
    Under a bushel ...
    Yes, it does @Krusty.

    I should have made the connection because I saw that BFP post :rolleyes: though I hadn't experienced it before v4.0.1.

    That explains it then, thanks :thumb:.
     
    Last edited: Sep 27, 2019
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,189
    Location:
    Among the gum trees
    No worries. I emailed Darren to try and send a dump but even compressed it was far too large to attach. He set me up with an account at account.box.com. He posted in the other thread that it was related to Secure Boot, but my machine (that had the BSOD) does not have Secure Boot.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,189
    Location:
    Among the gum trees
    No problem to report here so far, Mark. :thumb:
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    803
    No more alerts with Ccleaner portable 5.61 and build 849 CTP2 (CryptoGuard v5).
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    538
    Location:
    Hengelo
    We're now actively developing for 3.8 and will backport important improvements back into 3.7 until 3.8 becomes GA.
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    170
    Thanks for the reply, I look forward to the developments.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,260
    Location:
    Outer space
    CTP2 running fine so far :thumb:
     
  11. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    170
    Location:
    Canada
    Updated from CTP1 to CTP2 with no issues to report. Event log is clean.

    Oh, and thanks Mark for the detailed description and the PowerPoint slide. From what I can tell, item #23 under App-level should protect against this recently described Nodersok malware.
     
    Last edited: Sep 27, 2019
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,687
    Location:
    Under a bushel ...
    No Reflect imaging slowdown detected with CryptoGuard v5.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    Wow, this stuff looks very cool, it's sort of like an EDR! :thumb:

    BTW, perhaps you can also respond to some of my other questions. What I have never understood is why the "Keystroke Encryption" module doesn't work globally on almost all apps?

    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-63#post-2850861
     
  14. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    Running smooth here, W10 build 1903.

    All the minor issues I had with the previous version seem to have disappeared (y).
     
  15. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    16
    Location:
    Nederlands
    Windows 10 Pro version 1903

    HitmanPro.Alert version 3.8.0 build 849, CTP2

    No problems after updating HitmanPro.Alert.
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    538
    Location:
    Hengelo
    Asynchronous Procedure Calls
    This is a system-level mitigation. It shields all processes.
    Prevents code injection via Asynchronous Procedure Call (APC) from kernel and user-mode.
    It is effective against DoublePulsar (used by e.g. EternalBlue, EternalRomance) and AtomBombing attack techniques used by the Dridex malware. It is also effective against BlueKeep.

    Hollow Process Mitigation
    This is a system-level mitigation. It shields all processes.
    • Prevents abuse of a (trusted) process to act as a container for hostile code
    • Prevents manipulation of the Process Environment Block (PEB)
    • Prevents hijacking of the main thread (MTH)
    It is effective against Process Hollowing, Process Doppelgänging, Transacted Hollowing and similar attack techniques. But it also intercepts malware packers used by e.g. Emotet, Trickbot.

    Keystroke Encryption proactively scrambles keystrokes against keyloggers (we don't use encryption, you can't reverse it, we just feed keyloggers rubbish). It is an app-level mitigation and is only enabled on applications that are Browsers (category). In addition, we also shield password managers (Other category). We don't scramble the keystrokes in e.g. Microsoft Office apps. You could change this by removing e.g. Microsoft Word from the Office category and adding it again under the Other category, which offers Keystroke Encryption. It was a design choice to enable it only on specific applications where users need to enter passwords.

    Hope this helps!
    Mark
     
  17. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    24
    Location:
    europe
    @markloman
    In which category would it be appropriate to place Discord?! Browser or Other?!

    br.
     
  18. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    300
    Location:
    Netherlands
    W7-x64 Prof. Installed 3.8.0 CTP2 over 3.7.10 build 379. So far no issues whatsoever!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    Thanks for the info! :thumb:

    About APC code injection, I forgot that this protects against attacks like DoublePulsar. But why not add protection against more code injection techniques, since most apps don't often make use of it? Of course security software like AVs needs to be whitelisted.

    About protection against Process Hollowing, thanks for confirming that it protects EVERY process, so I'm guessing you guys look at whether processes are launched in suspended state.

    About Keystroke Encryption, the thing is, tools like KeyScrambler and SpyShelter protect just about all important apps system wide. Perhaps you should simply copy the list from KeyScrambler, that would give users peace of mind. I mean, why not protect MS Office out of the box, I don't see any reason not to.

    https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process
    https://www.qfxsoftware.com/ks-windows/applications.htm
     
  20. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    24
    Location:
    europe
    Hi,

    For info: I had 1 false alert with v3.8 build 849 CTP2, "Risk Reduction CryptoGuard" about my AppData\Local\Discord\app-0.0.305\Discord.exe.
    I had placed Discord in the category "Other" in terms of exploit mitigation, btw.

    br.
     
    Last edited: Oct 12, 2019
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    538
    Location:
    Hengelo
    HitmanPro.Alert 3.7.11 Build 791 Release Candidate

    Changelog (compared to build 789)
    • Improved CryptoGuard 4 anti-ransomware module.
    Download
    https://dl.surfright.nl/hmpalert3b791.exe

    Please let us know how this version runs on your computer :thumb: We aim to update our entire community (excluding users running the newer 8xx technology previews) to this new version later this week.
     
    Last edited: Oct 14, 2019
  22. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    160
    When I tried to install Build 791, the currently installed build (789) opened instead of the installer. I had to remove build 789 first, reboot, and then build 791 installed without a problem. It is running fine.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,687
    Location:
    Under a bushel ...
    I'd rather wait for the official update on my 'prod' machine, running 8xx on my test machine.
     
  24. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    170
    The update was done fine, now there is no problem. I did not check my BADUSB problem.
     
  25. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    764
    Location:
    USA
    I got a pop-up notice on my release version of HMPA build 789 that a new version was ready to be installed. This in-application notice appeared only 24 hours after this post from Mark went up, and I haven't seen any feedback on the RC yet. Looks a bit premature to me.

    Was this intentional?
     