Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Send it to me via PM.
HitmanPro.Alert 3 Build 120 Release Candidate
During development we planned and released four versions of HitmanPro.Alert 3 as open beta to a limited group, a security software enthusiast community. With each of these Community Technology Preview (CTP) builds we introduced new features for directed and focused testing of the planned features.
CTP1, released in July 2014, was our first development release of HitmanPro.Alert 3 wherein we introduced our hardware-assisted exploit mitigations. A few weeks later, with CTP2, we added the ability for users to add and protect custom applications through an easy-to-use Running Applications interface. In CTP3 we enabled our network inspection driver and delivered Network Lockdown for Java applications, while we also expanded support to all Intel® Core™ i3, i5 and i7 processors for our hardware-assisted exploit protection. With the fourth and last Community Technology Preview (CTP4), released in September 2014, we introduced Application Lockdown, Virtual Machine Simulation (part of Active Vaccination) and a second (default) Simplified User Interface. In addition we applied Network Lockdown not only to Java but also Office applications, while we improved compatibility with applications reported by the security community.
This Release Candidate introduces BadUSB Protection, Import Address Table Filtering (IAF) (part of Control-Flow Integrity), Heap Spray Pre-Allocation (part of Dynamic Heap Spray), default Keystroke Encryption for password manager applications and several improvements to CryptoGuard and Application Lockdown. The program is now feature complete and comes with 10 built-in languages. Though, depending on feedback, minor things might still change before the General Availability release.
Added BadUSB Protection, which warns users when they connect a USB device with keyboard functionality. USB devices can potentially contain hostile firmware to infect the computer with malware, or open it for remote attackers. New connected USB keyboards are blocked until the user recognizes and allows them.
Background information on BadUSB: http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
Added Import Address Table Filtering (IAF) to the Control-Flow Integrity module. This new exploit mitigation feature hides IAT function addresses (e.g. VirtualProtect) and validates that both IAT function caller and IAT table belong to the same module. This effectively helps prevent attackers from bypassing Windows security features like ASLR.
Added ability to unblock objects blocked by CryptoGuard. It allows users to view and unblock processes or remote computers that were attacking local photos, documents, or other data.
Added automatic exploit protection and Keystroke Encryption for password manager applications, including KeePass, 1Password, Password Safe and Enpass.
Added Heap Spray Pre-Allocation to the Dynamic Heap Spray module. Whereas the Dynamic Heap Spray mitigation handles the larger heap spray attack, the Heap Spray PreAllocation mitigation pre-allocates commonly used memory addresses, like 0x0c0c0c0c, to stop less-creative attackers from spraying it with hostile code.
Added DEP (Data Execution Prevention) alerts when attackers try to execute code in memory areas marked for read/write only.
Added 9 languages: Portuguese (Brazil), Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Russian and Spanish.
Improved Application Lockdown to block attacks that abuse Microsoft PowerShell or macros in Office documents.
Improved Webcam Notifier, which now practically supports every webcam (not only camera’s that rely on usbvideo.sys). HitmanPro.Alert will warn the user and block the video stream until the user allows it.
Improved the CryptoGuard detection logic to handle crypto-ransomware that rename the attacked data, like CTB-Locker.
Improved protection of the 32-bit Internet Explorer browser on 64-bit Windows.
Improved detection of running (interactive) applications so more software can be manually added Exploit Mitigations.
Improved the safety notification border around protected applications. It will now reveal which modules are active when the user clicks on the HitmanPro.Alert icon in the lower right corner of the border. In addition, when the border is visible and the user types in e.g. the web browser, the encrypted keystrokes are shown in real-time.
Improved the security of Alert’s modules in applications to prevent skilled attackers from disarming protection.
Improved network performance on Windows 8 (WFP driver).
Improved HTTP filtering (TDI and WFP drivers).
Improved the “Attack Intercepted” dialog, which now automatically resizes depending on the alert contents.
Improved high-DPI display support.
Improved compatibility with Microsoft EMET 5.1.
Improved upgrade from HitmanPro.Alert version 2 to version 3.
Exploit Test Tool:
Added the ability to detonate exploit tests in other applications like Internet Explorer, so it’s now even easier to check the pc’s security posture (i.e. verify capabilities of all installed security software combined).
Added ROP – CALL preceded VirtualProtect() test, which can only be blocked by HitmanPro.Alert when performed on physical hardware (i.e. not in a virtual environment).
Added DEP, IAT Filtering, and two Lockdown tests.
Improved ROP and Heap Spray tests in the Exploit Test Tools so they no longer trigger incorrect security features of Microsoft EMET.
Remarks and known issues
HitmanPro.Alert 3 is not compatible with Sandboxie on Windows Vista.
Agnitum Outpost Firewall on 64-bit versions of Windows is currently incompatible with HitmanPro.Alert 3.
Please let me know how this version runs on your computer
Installed build 120 over build 116. No problems. Date in Dutch (maandag 1 december 2014) doesnt change into another language.
Thats intentional and conform how Windows works. On English Windows you can choose Dutch date and time. HitmanPro follows that setting.
By the way, it is already December 4th. The screenshot shows December 1st. You should adjust your clock
Is HMPA 3 compatible with all versions of Windows?
Last alert: maandag 1 december 2014. Clock is ok
YES. XP-10TP. Both 32-bit and 64-bit (except 64-bit XP).
I see I can disable everything except cryptoguard. Is there a way to install this via command line to do just that for servers? also, does this block cryptowall 2.0?
I do not recommend running Alert 3 on servers. There will be a special version for servers.
This version blocks Cryptolocker, CryptoDefense, CryptoWall 1 and 2, TorrentLocker and CTB-locker and variants.
It prevents local and remote (shared files) crypto-ransomware attacks at the file system level.
Very nice Erik.
I will have a look at it.
What's the approximate release date of the final version?
@erikloman I am probably doing something horribly wrong but, I cannot get text typed into google chrome or word actuallt to show up as scrambled. I tried both exploit test tools and yes it is enabled in the panel.
You are using the Exploit Tester? Do you see the orange encryption indicator in the bottom of Chrome? Are you running inside Sandboxie?
When its done
Only fixes and tweaks until release.
Erik, could you explain what KdbGuard is?
I am getting scrambled text typed also, but on earlier build, only seen while using Pale Moon (so far), and has just started happening. IE11 seems ok, and had to log-in here with IE.
No way to disable HMPA to check, and re-enable? Will update to build .120 and check also. Thanks.
That is the keystroke encryption.
Yes I was using the exploit tester, I have a green window around chrome and when i click then little icon bottom right it shows Safe Browsing, Exploit Mitigation and Keystroke Encryption. Not using sandboxie.
And in the exploit tester you see the plain characters typed in Chrome? (No scrambling in the tester).
Reboot computer and try again. Looking forward to hear from you.
Congrats on the new release, I will wait on the final version. It does look very exciting.
Updated to RC from CTP4. Rebooted and got a blue screen saying sth like "..your system recovered from crash..sorry...and error "SERVICE_EXCEPTION"...hmpalert.sys"
It collected some data and rebooted in properly after 2 minutes..
And i could see relevant entry in event viewer. Attached for your referance..
System: 8.1 64 bit, ESS 8
Also, after reboot, i am seeing as my trial license expired and none of the mitigation's enabled. Before upgrade, i remember having 8 days of trial..
Would love to receive that MEMORY.DMP in the screenshot.
Separate names with a comma.