HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Send it to me via PM.
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3 Build 120 Release Candidate

    During development we planned and released four versions of HitmanPro.Alert 3 as open beta to a limited group, a security software enthusiast community. With each of these Community Technology Preview (CTP) builds we introduced new features for directed and focused testing of the planned features.

    CTP1, released in July 2014, was our first development release of HitmanPro.Alert 3 wherein we introduced our hardware-assisted exploit mitigations. A few weeks later, with CTP2, we added the ability for users to add and protect custom applications through an easy-to-use Running Applications interface. In CTP3 we enabled our network inspection driver and delivered Network Lockdown for Java applications, while we also expanded support to all Intel® Core™ i3, i5 and i7 processors for our hardware-assisted exploit protection. With the fourth and last Community Technology Preview (CTP4), released in September 2014, we introduced Application Lockdown, Virtual Machine Simulation (part of Active Vaccination) and a second (default) Simplified User Interface. In addition we applied Network Lockdown not only to Java but also Office applications, while we improved compatibility with applications reported by the security community.

    Release Candidate
    This Release Candidate introduces BadUSB Protection, Import Address Table Filtering (IAF) (part of Control-Flow Integrity), Heap Spray Pre-Allocation (part of Dynamic Heap Spray), default Keystroke Encryption for password manager applications and several improvements to CryptoGuard and Application Lockdown. The program is now feature complete and comes with 10 built-in languages. Depending on feedback, though, minor things might still change before the General Availability release.


    Release notes

    • Added BadUSB Protection, which warns users when they connect a USB device with keyboard functionality. USB devices can potentially contain hostile firmware to infect the computer with malware, or open it for remote attackers. New connected USB keyboards are blocked until the user recognizes and allows them.
      Background information on BadUSB: http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
    • Added Import Address Table Filtering (IAF) to the Control-Flow Integrity module. This new exploit mitigation feature hides IAT function addresses (e.g. VirtualProtect) and validates that both IAT function caller and IAT table belong to the same module. This effectively helps prevent attackers from bypassing Windows security features like ASLR.
    • Added ability to unblock objects blocked by CryptoGuard. It allows users to view and unblock processes or remote computers that were attacking local photos, documents, or other data.
    • Added automatic exploit protection and Keystroke Encryption for password manager applications, including KeePass, 1Password, Password Safe and Enpass.
      Background: http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-masterpasswords/
    • Added Heap Spray Pre-Allocation to the Dynamic Heap Spray module. Whereas the Dynamic Heap Spray mitigation handles the larger heap spray attack, the Heap Spray Pre-Allocation mitigation pre-allocates commonly used memory addresses, like 0x0c0c0c0c, to stop less-creative attackers from spraying it with hostile code.
    • Added DEP (Data Execution Prevention) alerts when attackers try to execute code in memory areas marked for read/write only.
    • Added 9 languages: Portuguese (Brazil), Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Russian and Spanish.
    • Improved Application Lockdown to block attacks that abuse Microsoft PowerShell or macros in Office documents.
    • Improved Webcam Notifier, which now practically supports every webcam (not only cameras that rely on usbvideo.sys). HitmanPro.Alert will warn the user and block the video stream until the user allows it.
    • Improved the CryptoGuard detection logic to handle crypto-ransomware that renames the attacked data, like CTB-Locker.
    • Improved protection of the 32-bit Internet Explorer browser on 64-bit Windows.
    • Improved detection of running (interactive) applications so more software can be manually added to Exploit Mitigations.
    • Improved the safety notification border around protected applications. It will now reveal which modules are active when the user clicks on the HitmanPro.Alert icon in the lower right corner of the border. In addition, when the border is visible and the user types in e.g. the web browser, the encrypted keystrokes are shown in real-time.
    • Improved the security of Alert’s modules in applications to prevent skilled attackers from disarming protection.
    • Improved network performance on Windows 8 (WFP driver).
    • Improved HTTP filtering (TDI and WFP drivers).
    • Improved the “Attack Intercepted” dialog, which now automatically resizes depending on the alert contents.
    • Improved high-DPI display support.
    • Improved compatibility with Microsoft EMET 5.1.
    • Improved upgrade from HitmanPro.Alert version 2 to version 3.
    Exploit Test Tool:
    • Added the ability to detonate exploit tests in other applications like Internet Explorer, so it’s now even easier to check the PC’s security posture (i.e. verify capabilities of all installed security software combined).
    • Added ROP – CALL preceded VirtualProtect() test, which can only be blocked by HitmanPro.Alert when performed on physical hardware (i.e. not in a virtual environment).
    • Added DEP, IAT Filtering, and two Lockdown tests.
    • Improved ROP and Heap Spray tests in the Exploit Test Tools so they no longer trigger incorrect security features of Microsoft EMET.
    Remarks and known issues
    • HitmanPro.Alert 3 is not compatible with Sandboxie on Windows Vista.
    • Agnitum Outpost Firewall on 64-bit versions of Windows is currently incompatible with HitmanPro.Alert 3.
    Download
    http://test.hitmanpro.com/hmpalert3rc.zip

    Please let me know how this version runs on your computer :thumb:
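The release notes describe CryptoGuard as blocking crypto-ransomware at the file system level and now also catching families that rename the files they attack (CTB-Locker). The following is an added illustration of that kind of per-process heuristic, not HitmanPro.Alert's own code: the event format `(pid, op, path, data, new_path)`, the entropy limit, the file-count threshold and the sample event stream are all constructed for the example.

```python
import math
import os
from collections import defaultdict

# Added illustration of a CryptoGuard-style heuristic; event format, thresholds and samples are constructed.
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}   # user data worth guarding

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, natural-language text typically sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RansomwareHeuristic:
    """Flags a pid that rewrites several guarded files with high-entropy content or renames them off their document extension."""
    def __init__(self, threshold=3, entropy_limit=7.0):
        self.threshold, self.entropy_limit = threshold, entropy_limit
        self.attacked = defaultdict(set)   # pid -> set of document paths it has attacked

    def observe(self, pid, op, path, data=b"", new_path=None) -> bool:
        ext = os.path.splitext(path)[1].lower()
        if ext in DOC_EXTS:
            if op == "write" and shannon_entropy(data) > self.entropy_limit:
                self.attacked[pid].add(path)           # document overwritten with ciphertext-like bytes
            elif op == "rename" and new_path and os.path.splitext(new_path)[1].lower() not in DOC_EXTS:
                self.attacked[pid].add(path)           # CTB-Locker pattern: document renamed away
        return len(self.attacked[pid]) >= self.threshold

def flagged_pids(events) -> set:
    """Run the heuristic over an event stream; returns the pids that crossed the threshold."""
    h, hits = RansomwareHeuristic(), set()
    for ev in events:
        if h.observe(*ev):
            hits.add(ev[0])
    return hits

# Constructed sample stream: pid 1001 mimics file-encrypting ransomware, pid 2002 is a plain-text editor.
CIPHERTEXT = bytes(range(256)) * 16          # uniform byte distribution, entropy exactly 8.0
PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 100
SAMPLE_EVENTS = [
    (1001, "write",  "C:/Users/alice/Documents/report.docx", CIPHERTEXT),
    (1001, "rename", "C:/Users/alice/Documents/thesis.pdf", b"", "C:/Users/alice/Documents/thesis.pdf.encrypted"),
    (2002, "write",  "C:/Users/alice/Documents/notes.txt", PLAINTEXT),
    (1001, "write",  "C:/Users/alice/Pictures/holiday.jpg", CIPHERTEXT),
    (2002, "write",  "C:/Users/alice/Documents/todo.txt", PLAINTEXT),
]
```

`flagged_pids(SAMPLE_EVENTS)` returns `{1001}`; the editor process never trips the heuristic because its writes stay low-entropy and keep their extensions.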
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    Installed build 120 over build 116. No problems. Date in Dutch (maandag 1 december 2014) doesn't change into another language.
     


  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That's intentional and conforms to how Windows works. On English Windows you can choose Dutch date and time. HitmanPro follows that setting.

    By the way, it is already December 4th. The screenshot shows December 1st. You should adjust your clock ;)
     
    Last edited: Dec 4, 2014
  5. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,031
    Location:
    USA
    Is HMPA 3 compatible with all versions of Windows?
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    Last alert: maandag 1 december 2014. Clock is ok ;)
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    YES. XP-10TP. Both 32-bit and 64-bit (except 64-bit XP).
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Doh. Indeed.
     
  9. Fardooste

    Fardooste Registered Member

    Joined:
    Nov 24, 2014
    Posts:
    6
    I see I can disable everything except CryptoGuard. Is there a way to install this via command line to do just that for servers? Also, does this block CryptoWall 2.0?
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I do not recommend running Alert 3 on servers. There will be a special version for servers.

    This version blocks Cryptolocker, CryptoDefense, CryptoWall 1 and 2, TorrentLocker and CTB-Locker and variants.

    It prevents local and remote (shared files) crypto-ransomware attacks at the file system level.
     
    Last edited: Dec 4, 2014
  11. guest

    guest Guest

    Very nice Erik. :)

    I will have a look at it.
     
  12. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,031
    Location:
    USA
    What's the approximate release date of the final version?
     
  13. JohnMiller

    JohnMiller Registered Member

    Joined:
    Nov 6, 2014
    Posts:
    47
    @erikloman I am probably doing something horribly wrong, but I cannot get text typed into Google Chrome or Word to actually show up as scrambled. I tried both exploit test tools and yes, it is enabled in the panel.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You are using the Exploit Tester? Do you see the orange encryption indicator in the bottom of Chrome? Are you running inside Sandboxie?
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    When it's done ;)
    Only fixes and tweaks until release.
     
  16. guest

    guest Guest

    Erik, could you explain what KdbGuard is?
     
  17. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,284
    Location:
    Surrey, England.
    I am also getting scrambled text when typing, but on an earlier build, only seen while using Pale Moon (so far), and it has just started happening. IE11 seems ok, and I had to log in here with IE.
    No way to disable HMPA to check, and re-enable? Will update to build .120 and check also. Thanks.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is the keystroke encryption.
     
  19. JohnMiller

    JohnMiller Registered Member

    Joined:
    Nov 6, 2014
    Posts:
    47
    Yes, I was using the exploit tester. I have a green window around Chrome and when I click the little icon bottom right it shows Safe Browsing, Exploit Mitigation and Keystroke Encryption. Not using Sandboxie.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    And in the exploit tester you see the plain characters typed in Chrome? (No scrambling in the tester).
     
  21. JohnMiller

    JohnMiller Registered Member

    Joined:
    Nov 6, 2014
    Posts:
    47
    Correct
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Reboot the computer and try again. Looking forward to hearing from you.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Congrats on the new release, I will wait on the final version. It does look very exciting. :)
     
  24. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    805
    Location:
    India
    Updated to RC from CTP4. Rebooted and got a blue screen saying something like "..your system recovered from crash..sorry...and error "SERVICE_EXCEPTION"...hmpalert.sys"
    It collected some data and rebooted properly after 2 minutes..
    And I could see the relevant entry in Event Viewer. Attached for your reference..

    System: 8.1 64 bit, ESS 8

    Also, after reboot, I am seeing my trial license as expired and none of the mitigations enabled. Before the upgrade, I remember having 8 days of trial..
     


  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Would love to receive that MEMORY.DMP in the screenshot.
     