HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    Have been testing ctp4 and only problem found is that with active vaccination enabled I cannot run my 3rd party file manager (xplorer²); it just closes immediately. Works OK if set to passive. Win 8.1 x64 and 64-bit version of xplorer².
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To answer your first question, only the developers know. There may or may not be another CT build, and they've stated there will be a RC build so I don't know that even they know.

    As to your 2nd question. I got a lot of those dumb emails stating they have a confirmation of an airline flight, I am not taking. They attach a zip file that purports to be a scan of your ticket. I tested one in a virtual machine. Extracting it from the zip file if you have file extensions turn off it looks like a doc file. Except it is an exe file. When I executed it, HMPA immeditately warned of a threat and shut it down.

    So I'd have to say it does pretty well
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am using win7 x64 and also same file manager. Works fine. I've even protected it with HMPA
     
  4. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    Odd, I tried protecting it as well but did not help, might be 8.1 specific. I'll wait for the next version and try it out again.
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Try installing xplorer2 in C:\Program Files\. That will work.
     
  6. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    I currently have a portable install outside of C:\Program Files so that will be the problem then. Is this going to be a potential issue with any portable app, even when it goes GA? Thanks
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Depends. If you put the portable app in "C:\Program Files\" it should work. If not, could you share the portable version of xplorer2 that is not working? I'd like to take a look at it. Could be that the portable app doesn't like to be debugged by HMPA.
     
  8. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    I'll test this out when I get a chance to re-install. The portable version is no different to the install version, I just unzip the setup file (that can be downloaded from zabkat.com) rather than install it. If it is a problem I can just as easily install correctly so don't worry, Peter2150 said above that it works fine for him.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah mine is installed in c:\Program files

    P
     
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,271
    Location:
    UK
    Anybody got dchanger working with active vaccination?
     
  11. Eric Nemchik

    Eric Nemchik Registered Member

    Joined:
    Oct 3, 2014
    Posts:
    3
    Is there a list available of all of the EventIDs that HitmanPro.Alert would put in the Event Log and what each of those correspond to?
    I read somewhere that events would be put into the log with ID 301 but I see an event 300 and I'm wondering what all of them mean.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    Yes good point, but I wouldn't be surprised if compatibility between MBAE/HMPA/EMET will always be a problem (no matter who is causing it) because they all use advanced exploit mitigations.

    But anyway, HMPA does offer more bang for the bucks, when it comes to features (+ cloud AV), the question is also who performs the best when it comes to blocking exploits.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    Got a CryptoGuard FP during an installation of a game on Steam. XCOM: Enemy Unknown. What's worse is I can't try and reinstall the game for whatever reason. Here is the message:
     

    Attached Files:

  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,643
    Location:
    USA
    I think it was CTP3 I was testing.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,643
    Location:
    USA
    Did they ever add a scroll bar to the settings? I was not able to access half the settings on my laptop since I do not have a scroll wheel on my Laptop. Also could someone point me to the link for CTP4?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,643
    Location:
    USA
    I just found CTP4 build 92. Is this the latest build?
     
  17. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi Cutting_Edgetech
    Yes that the latest Beta released build. :thumb:

    Take Care
    TheQuest :cool:
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,643
    Location:
    USA
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    Got the alert again while playing the game this time (I had disabled CryptoGuard to allow the game to install). Don't know why readme files are triggering CryptoGuard.
     

    Attached Files:

  20. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,477
    Is this going to be a pre-req (installling apps to C:\Program Files\) to have HMPA work correctly?

    I hope not.
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Active Vaccination by HitmanPro.Alert offers rather powerful protection. Because nowadays, nearly 90% of modern malware employs anti-reverse-engineering (Anti-RE) techniques to prevent detection:
    Modern-malware.png

    Typically, the more complex the Anti-RE techniques implemented, the longer it will take for a malware analyst to properly analyze a piece of malware and determine how to combat it. By refusing to run inside a malware analyst’s automated sandbox or honeypot, modern malware will effectively complicate the development and publication of virus signatures, as malware analysts need to manually analyze these samples.

    There are 4 categories and Active Vaccination addresses two of them, as they are technically possible to thwart without marking legitimate software as a threat:
    Anti-RE.png

    Active Vaccination by HMPA causes the malware to simply self-terminate as it wants to conceal its hostile intentions - the malware will not cause any harm to your computer or data. Next to its many memory and code mitigations, this is another unique way how HMPA stops the majority of attacks and malware without using virus signatures.

    So if legitimate software refuses to run, it's the software's choice. If you have legitimate programs that refuse to run, simply install them in the location the software vendor intended it to be installed in, or disable Active Vaccination.
     
    Last edited: Oct 17, 2014
  22. Last edited by a moderator: Oct 17, 2014
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    We've stopped making our point about the PCSL test but apparently it's still not obviously clear that the test was a marketing stunt by the company that paid for it. Even though PCSL updated the test results stating that our product was not out of development, the unedited document is of course for download on the website of the company who paid for it.

    But let's make clear again what a Community Technology Preview (CTP) is. A CTP is called a CTP because the software is not finished, a prototype still under development. To date we have released 4 previews and with each preview we fix bugs and introduce new features and functionality, requesting input from the community regarding compatibility, user-friendliness, functionality, etc.
    We keep our preview builds close, we do not offer it to the general public from our website. This prevents non-tech-savvy people from running into problems that they cannot fix themselves, simply because the software is not finished, not feature complete and not fully tested. Hence the reason that we state: "This preview is NOT to be used in production environments". For CTP3, after PCSL reviewed our CTP2, we added a "not for review" phrase to the user interface even though we think that was already obvious.

    If you follow the development of HMPA and read the release notes you can see that with CTP3 and CTP4 we introduced e.g. Java Network Lockdown and general Application Lockdown. Since half of the PCSL-test involved Java exploits, this affected our CTP2 prototype software. We were still working on network lockdown which wasn't ready for CTP2 so it was pushed back for CTP3.
    If you look closely to the test data you'd see that the paying customer provided a special non-public future build for the PCSL test, which had special Java features that wasn't in the (at that time) public final product everyone was running for months. You could say the test parameters were pre-arranged in a particular direction. If PCSL would e.g. have tested the general available version, the product from the paying customer would have failed many Java tests as well (we redid all the tests, we know).
    In addition to that, no one has noticed that there was no false positive test conducted. It was conducted using only Internet Explorer as browser and, what'd you know, most of the tests involved Java ActiveX components, an IE-only feature. If a product would simply block all Java ActiveX applications to run, making legitimate use impossible as well, is that good or bad? Sure looks good in exploit tests. Also note that EMET 4.1 was tested instead of EMET 5.0, which has ASR which helps mitigate Java attacks. But since Microsoft officially ended support of Windows XP last April, it's no longer included in the list of supported Windows versions for EMET, even though it works fine if the user installs .NET.

    If you follow the development of HMPA you can read (in the release notes) that we introduced Active Virtual Machine Simulation (Anti-VM) with CTP4. Since PCSL has been doing tests with our CTP2 in a Virtual Machine, the used payloads were obviously not (made) VM-aware.
    In addition to that, our unique hardware-assisted control-flow integrity (to stop ROP attacks) was put out-of-operation simply because the tests were done in Virtual Machine. A Virtual Machine is not a reflection of the real-world, where 99% of all machines are not virtual. Our CFI technology requires a real machine as it programs the processor hardware for branch-analysis and this is technically not possible from within a virtual machine (as mentioned in our Exploit Test Tool Manual). This caused our software to fall back on stack-based analyses and development of this part was at the time of the test, in CTP2, still under development.
    Just so you know why it's still not ready for review, between CTP4 and the upcoming Release Candidate we have fixed bugs and improved many features, including Network Lockdown, Application Lockdown and Active Virtual Machine Simulation.

    The following Blackhat paper, covering millions of samples, underlies the mentioned statistic regarding anti-reverse-engineering: https://www.wilderssecurity.com/threads/prevalent-characteristics-in-modern-malware-slides.366998/
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    I think you're mixing up two things. "Active Vaccination" does not have anything to do with blocking exploits. And what Mark Loman probably means with the graphics, is that if malware employs Anti-RE techniques, 80% of them use the Anti-VM method.
     
  25. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Correct, HMPA does a whole lot more than just anti-exploit. This recent Threatpost is perhaps interesting as well: http://threatpost.com/recognizing-evasive-behaviors-seen-as-key-to-detecting-advanced-malware/108888

    BTW, some exploit kits try to stay away from virtual machines as well: http://malware.dontneedcoffee.com/2014/09/astrum-ek.html
    screenshot_2014-09-07_012.png
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.