HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,429
    Erik,
    I sent you an AppCrash Dump a few days ago. I can resend if it ended up in your spam folder and got deleted.
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It was indeed in my spam folder. I dug it out and will analyze it. Upon first inspection, it crashes in a third party component :cautious:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    I know that you guys are busy, but I still don't have an answer to this question, why be so vague about the "Network Lockdown" feature?
     
    Last edited: Jan 13, 2015
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, you may just have to be patient. They are a business trying to get a product out. Are you using HMPA, if so great, but if not, don't expect them to put a priority on answering your questions.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    Not the point, all other questions have been answered quite clearly, only when it comes to this, it's still quite vague. I want to know what type of behavior it's looking for, that's all. And it shouldn't matter if you have the product installed or not, as I have said numerous of times before.
     
  6. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Have some patience. I think we all should honor that Erik and Marc are very open: they answer many questions, offer technical details and so on. That's great.
    So if they just don't have time or just are not willing to answer one question (intellectual property?): accept it.

    Competitors of HitmanProAlert don't give any technical details and only vaque explanations. So we should be happy about the clear details we get here.
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,579
    Location:
    South Wales, UK
    Completely agree...kudos for saying so. :thumb:
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    I just installed HitmanPro.Alert for the first time. Running Win8.1 Pro x64 and Fx 35. I found that every time I tried running Fx for the first time, I'd get the HitmanPro.Alert banner, then ... no Fx window. Attempting to run Fx a second time gave me the Fx window.

    It was easy to tell what was happening: HitmanPro.Alert was letting Fx run but was hiding the window. I found that even after closing all visible Fx windows, there was a hidden Fx window remaining, and obviously firefox.exe was running in the background. I had to use NirSoft WinLister to show the window, which was in essence the only way to cleanly close Fx.

    If this is by design, it's horrible. If not, it's a pretty bad bug.

    No, I have no other Fx problems, nor do I have a system littered with a ton of crapware. I am not one of these people that runs 473 HIPS and 38 firewalls, 27 AVs and 337 AMs.
     
  9. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    779
    I can confirm I am not getting CAPI2 errors here.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We will try to reproduce. The problem is not by design. Apps should open immediately. Firefox 35 came out a few hours ago, maybe it is related. Not sure. Please keep posting your findings.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    Hi Erik,

    When Firefox doesn't open for me yet shows it is running in Task Manager I don't get the fly-out at all.

    I don't know if that helps or not, but...

    Cheers,
    Krusty

    PS - I haven't seen it with FF35 in the couple of hours I've had it installed.
     
  12. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    972
    No problems Firefox 35 and build 131 (W7 64 bits/NIS 2014).
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    You're making too much a big deal about it, if the HMPA developers don't want to give any details, they can just say it, and it's fine with me. But the reason why I asked, is because it's unclear to me what type of protection it exactly gives.

    Mark Loman already explained to me that it might block certain MS Office exploits from connecting to their C&C server (phoning home). But what if anti-exploit is turned off (HMPA Free), will it still sort of work like an outbound firewall? I don't understand why this has not been explained, it's a simple and legitimate question.
     
  14. guest

    guest Guest

    Well, the only thing that prevents executables from being dropped and executed through an embedded macro seems to be the application lockdown feature (It's quite solid), but a PoC using URLDownloadToFileA() would still be able to download a file that is being hosted on my internal network. So I didn't notice anything of the Network Lockdown feature.

    But I do agree with you that some features might need some additional explanation or fine tuning. Just a short list:
    Dynamic heap spray detection (Even with spraying almost a GB of heap objects using two different ActionScript sprays, it would not trigger. The pre-allocation of certain heap pages still works great.)
    IAF filtering (Sort of EAF+ light I suppose ?)
    Hardware assisted CFI (PoC bypass in VM also worked on a Sandy Bridge machine (I still don't know how and why))
    Null Page (Afaik null dereferences are not exploitable in browsers (Correct me if I'm wrong))

    Although I still think that HMPA is a great product. Based on testing it offers roughly the same protection as EMET when you look at the Exploit Mitigations, but it adds Application Lockdown (works quite well), CryptoGuard, Active vaccination, etc (haven't tested those features) and you get it combined with HMP.

    And for me the biggest advantage of HMPA 3 over EMET 5.1 is the difference in slow down. EMET 5.1 always seemed to add an enormous slowdown to Internet Explorer, while I couldn't notice any slowdown caused by HMPA.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The crypto guard works quite well. I have a program, that does exactly what a cryptolocker would do(I didn't even realize it) and HMPA shut it down. Now I have to turn it off when I use that program.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert enforces both Application Lockdown and Network Lockdown at kernel level. The Network Lockdown triggers in specific cases and we are still fine-tuning it.

    The Dynamic Heap Spray module keeps track of all memory allocations and progressively scans the allocations. I would love to see what kind of objects you are spraying. Maybe you can refer to an existing exploit so that we can fine-tune the progressive scan of the Dynamic Heap Spray module.

    IAF enforces that the import table of a module is only used by that specific module. So if an attacker would snoop an IAT function address from that module and it uses it, it violates the enforcement and an alert is shown.

    If your PoC works, then please responsibly disclose it so that we can address and protect our users.

    I do not see why browsers would not be vulnerable to null pointer dereferencing vulnerabilities.

    Check out this article where it mentions: "We have confirmed that this vulnerability can be exploited from within several client-side applications’ sandboxes, including Google Chrome and Adobe Reader, and from Internet Explorer’s protected mode".

    Hope this helps.
     
    Last edited: Jan 15, 2015
  17. What I understood from a malware reverse engineer I know (this was when I was asking about the impact on switching off protections of EMET 5.0 due to initial compatibility issues of EMET pre-release):

    1. For a null page violation the attacker has to run code on kernel level, so a normally a privilege violation has to proceed this intrusion
    2. Protecting null-page just cuts of the easy way to execute attacker controlled code

    When an exploit manages to escape from Low IL sandbox and User space Medium IL, there are bigger fish in the ocean to worry about. He explained to me it was a mitigation simular to as removing the current's user rights to change user autoruns through setting an ACL. It just cuts of a direct route, there are other (indirect) ways to survive re-boot which are much worst.

    So Regenpijp has a point assuming all works well, but EMET protecting it, raises the bar, so why would HPMA not follow this practice? As proven in the exploit testing thead, there are a lot of white-hat researchers and hackers capable of obfuscating javascript, but few of the criminal exploit-kit users are capable adopting these ready-to-use intrusions (available in exploit kits).
     
  18. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    Can I confirm the status of these products as the SurfRight website is not clear. The only mention of Alert V3 is a year old news item that reads as if it is a new release and V2.6.5 is only referenced in the downloads section (not the products section). Do I assume V2.6.5. is a supported released product and V3 is still in an open-ended beta?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Correct. Alert 3 is in Release Candidate state and only available via this thread here on Wilders.
     
    Last edited: Jan 15, 2015
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
    Does hardware assisted CFI work in a VM given that the CPU is virtualized?
     
  21. guest

    guest Guest

    No, not all features of Intel CPU's are being virtualized (Not the fault of HMPA). But you'll still have all the other defenses like Stackpivot, Stack exec, Caller and Application Lockdown.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hardware CFI does not work in a VM.

    This is written in the Alert Exploit-Test manual (Chapter 2.5 on Page 8 in the PDF in the ZIP).

    Also the user interface shows whether hardware CFI is supported:

    HardwareCFI.png

    Hope this helps.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
    Thanks for confirming. By the way I see you're running build 136 which has a little different UI (or at least I can't figure out how to get to that display where hardware assist is mentioned in build 131). Are you going to make 136 generally available?
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The indicator is available since the CTP-series. If you do not see it, you do not have hardware assistance (either running in VM or using a not supported CPU).

    We are planning a release for tomorrow. No new features this time. Just several fixes, tweaks, stability and performance improvements.
     
  25. guest

    guest Guest

    BTW, is it possible to move a 1 PC license to another PC?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.