HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Yes, running without any problems here.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Interesting, didn't know that, but I can understand it on one hand, it is kind of a killer feature.
     
    Last edited: Feb 18, 2015
  3. Victek

    Victek Registered Member

    At this point we don't know that CryptoGuard has been made a premium feature. The last thing Erik said is that it would remain free in v3. It may be a bug in the RC builds causing the issue with the unlicensed installs. Hopefully he will speak to this.
     
    Last edited: Feb 22, 2015
  4. AlertBetaTester

    AlertBetaTester Registered Member

    Thanks Mark, Here's the Antivirus configuration (paid versions, not free trials):

    HitmanPro 3.7.9 - Build 238 (64-bit)
    Norton Security with Backup (2015)
    Webroot SecureAnywhere (2015)
    Malwarebytes Anti-Malware (Premium, v2.04.1028)

    I am running everything directly (no Sandboxie), with Windows 7 x64 SP1 (with all Windows patches/updates installed). This CPU is an Intel Core i7 CPU 920 @ 2.67 GHz. HMPA is using the Intel CPU for ROP mitigation. FYI, there is some sort of accelerator software built into the paid version of PowerDVD 14 Ultra (that is not included in the 30-day trial version) and is required if no built in hardware accelerator is equipped with your PC. I noted this, when first installing the trial version on a laptop equipped with a hardware accelerator, and then later the full paid version required on my Intel Core i7 CPU 920 tower, which is where I am running this configuration with HMPA RC 153.

    Hope this helps. Best Regards.
     
  5. Krusty

    Krusty Registered Member

    I just wanted to clarify, CryptoPrevent is a different program. HMP.A has CryptoGuard. ;)

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    http://www.surfright.nl/en/cryptoguard
     
  6. erikloman

    erikloman Developer

    HitmanPro.Alert 3 Build 155 Release Candidate

    Changelog
    • IMPROVED: CryptoGuard now blocks more variants of CryptoWall 3.
    • IMPROVED: An alert can now be shown on the winlogon desktop when a new keyboard is connected.
    • IMPROVED: BadUSB mitigation.
    • FIXED: CryptoGuard false positive on .NET 3.5 installation (TiWorker) on some systems.
    • FIXED: Compatibility issue with some 3rd party security products causing protected applications to sporadically deadlock on startup.
    • FIXED: Outlook failed to connect to some mail servers on specific configurations.
    • FIXED: Crash in hmpalert service.
    Download
    http://test.hitmanpro.com/hmpalert3b155.exe

    Please let me know how this version runs on your computer.
     
  7. Krusty

    Krusty Registered Member

    Running just fine here. :)
     
  8. L10090

    L10090 Registered Member

    Using W7-Pro_x64 with HitmanPro.alert build 155 and HitmanPro 238:

    1. MediaPlayerClassic-x64-1.7.8, protected with template 'Media', is stopped by hpalert 155 showing a 'NullPage' mitigation error on opening of every .mp4 and/or .wmv file!
    Unchecking the memory mitigation 'NullPage' makes MPC-x64 1.7.8 run again.

    2. Application Soft Organizer 3.51, protected with template 'Other' runs into a 'ROP' mitigation error at the opening of the application.
    Unchecking the ROP mitigation makes Soft Organizer 3.51 run again.

    Point 1. and 2. are valid too for build 143, 151, 152 and 153

    Scanning with HitmanPro 238 does not show anything.
    Question: Are these 'false positives'?


    MPC_HC-x64_hpa.b155.jpg MPC-HC_1.7.8 latest.jpg SoftOrganizer 3.51_hpa.b155.jpg
     
    Last edited: Feb 18, 2015
  9. XIII

    XIII Registered Member

    Running fine.
     
  10. Cactus5

    Cactus5 Registered Member

    Build 155 running well here with no issues.
     
  11. J_L

    J_L Registered Member

    Build 143 is still the last version without CryptoGuard and Process Protection licensed.
     
  12. Dragon1952

    Dragon1952 Registered Member

    My HMPA RC 143 says that my trial license will expire in 4 days. That could be it for Crypto Protection.
     
  13. Adric

    Adric Registered Member

    Erik,
    I have another CrashDump for v153 after coming out of suspend. Do you want me to send it your way?
     
  14. Rasheed187

    Rasheed187 Registered Member

    I've installed it, and I don't want to speak too soon, but I haven't got any error messages yet. But I do wonder how HMPA manages to protect sandboxed processes without the need to add the "OpenPipePath=\Device\NamedPipe\hmpalert" line to Sandboxie? Is that line really needed for protection purposes, or only to make the "fly-out" appear correctly?

    But anyway, I will let you know if it will continue to play nicely with SBIE, and if not, no big deal because I'm planning to mostly protect apps that are running outside the sandbox. I hope you will add tool-tips support soon, and "keystroke encryption" should have its own section where you can add apps to the list.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Correct, same over here, with the difference that MPC crashes even when "NullPage" is disabled. This app also crashes with MBAE.
     
  16. Rasheed187

    Rasheed187 Registered Member

    I'm getting to see weird behavior from both HMPA 155 and Sandboxie 4.15.12, which version of SBIE are you guys using? So far I've seen SBIE giving error messages when launching WPS writer. I've also seen that Maxthon v3 and Vivaldi partially escape the sandbox, by refusing to run with "untrusted" integrity and also don't run in the NT AUTHORITY\ANONYMOUS LOGON user account.

    And when launching Vivaldi, HMPA tells me that it's watching for intruders (in Dutch weirdly enough), while Vivaldi is not even protected. Same goes for WPS Writer and Maxthon, they are both not protected. This is really bad stuff, seems like SBIE and HMPA are not compatible on my system. So I will uninstall HMPA once again, to see if these issues disappear.
     
  17. zakazak

    zakazak Registered Member

    Had the same problem, however, only with MadVR! Maybe try EVR or Haali (just for testing purposes)?
     
  18. erikloman

    erikloman Developer

    Yes please! Thanks.
     
  19. erikloman

    erikloman Developer

    The line is needed otherwise there are no protections by Alert.
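
    An added example, not part of the original posts and not SurfRight or Sandboxie code: a small audit that reports which sandboxes in a Sandboxie.ini carry the `OpenPipePath` line discussed above. The sample file is constructed; the `program.exe,` value prefix for per-program settings and the inheritance from `[GlobalSettings]` are assumptions about Sandboxie's ini conventions.

```python
import re

PIPE = r"\Device\NamedPipe\hmpalert"  # value quoted in the thread

# Constructed Sandboxie.ini content for illustration (not from a real system).
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
OpenPipePath=\Device\NamedPipe\hmpalert
[Browsers]
Enabled=y
OpenPipePath=firefox.exe,\Device\NamedPipe\hmpalert
[Testing]
Enabled=y
[UserSettings_0123ABCD]
Placeholder=1
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; keys may repeat within a section."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip().lower()))
    return sections

def coverage(settings, pipe):
    """'all' = pipe open for every program, 'partial' = only for named programs."""
    values = [v for k, v in settings if k == "openpipepath"]
    if pipe in values:
        return "all"
    return "partial" if any(v.endswith("," + pipe) for v in values) else "missing"

def pipe_status(text, pipe=PIPE):
    """Map each sandbox section to 'all', 'partial' or 'missing'."""
    pipe = pipe.lower()
    sections = parse_ini(text)
    # Assumption: entries in [GlobalSettings] apply to every sandbox.
    inherited = coverage(sections.get("GlobalSettings", []), pipe)
    rank = ("missing", "partial", "all")
    return {
        name: max(coverage(settings, pipe), inherited, key=rank.index)
        for name, settings in sections.items()
        if name != "GlobalSettings" and not name.startswith("UserSettings_")
    }
```

    A sandbox reported as `missing` or `partial` is one where, per the developer's answer above, some or all sandboxed programs would run without Alert's protections.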
     
  20. deugniet

    deugniet Registered Member

    No problems updating build 155 (W7 64 bits).
     
  21. deugniet

    deugniet Registered Member

    No problems with Sandboxie beta 4.15.12, Firefox 35.0.1, IE11 and build 155 (W7 64 bits). Soon release of Sandboxie 4.16.
     
  22. markloman

    markloman Developer

    Yes, the rumors are true. We have decided to make CryptoGuard and Process Protection a trial > paid feature. But the reason behind this shift is not only because we want a return on our product development investment. Let me explain it a little bit.

    Over the last years you can see the shifts that attackers are taking to get money from their victims. They went from:

    1. Rogueware or Fake Anti-Virus software that scare people with fake infections so people buy this fake product.
    2. Police-themed ransomware that lock down your pc or browser, showing an indictment and a fine to scare and make people feel guilty about downloading pirated music, software or illegal pornography.
    3. Police-themed ransomware with a switched on webcam stream of you, sometimes next to real pictures of child pornography to induce fear and prevent malware victims from bringing the computer to a repair shop.
    4. Crypto-ransomware, like CryptoLocker, CryptoWall and CTB-Locker, that are encrypting your documents, photos and other data on your local disk, network drives and USB (flash) drives. The encryption is irreversible without the key.

    So for victims the stakes have seriously gone up.

    Everybody runs anti-spam, anti-phishing and anti-virus software and still people get hit by these attackers. For signature and heuristic signature based solutions, identifying these early-life malware is difficult, especially in the first hours or days of the infection.
    Know that it takes a lot more time for attackers to change the behavior of their malware than to beat a virus signature. Also know that CryptoLocker, CryptoWall and CTB-Locker all have slightly different technical approaches to attack your data (copy/read, encrypt and rename/overwrite your data). Our protection covers every approach but we do keep an eye out for new behaviors. Because even though our technology does not rely on signatures, the underlying engine needs maintenance as well, which involves a bit more work than e.g. creating a virus signature for a single sample.

    So CryptoGuard is developed to universally detect and stop crypto-ransomware behavior. Not only does it stop malicious processes from attacking your files, it also prevents attackers from abusing legitimate processes to attack your valuable data (as can be seen in our demonstration video). Today’s variants often employ a hollow process to hide themselves in-memory inside trusted processes (CTB-Locker abuses C:\Windows\explorer.exe and CryptoWall 3 abuses C:\Windows\System32\svchost.exe). So in a way, the attacks take place in the name of Microsoft.

    99% of the victims of these attacks are *not* tech savvy people or security software enthusiasts like you. They expect us to stop and get rid of this malware, which is (as mentioned) also capable of transitioning from one process to another. But only our on-demand Anti-Malware has comprehensive malware removal capabilities - Alert does not. Especially for infections like these we made our two HitmanPro programs work together. Alert offers strategic (historic and real-time) threat information to our HitmanPro scanner to point out the threat for remediation – we need to attack the object that initiated and controls the attack, not the legitimate abused file.
    Since our on-demand HitmanPro removal engine already requires a license, it would frustrate and be bad service to our end-users to just keep the threat on the machine and make him or her search for another solution in the hope that one can get rid of it.

    Of course, you guys (who we provided with free annual licenses) have the time and the skills to go and hunt for an alternative remediation tool, but the majority of our customers do not. Fraud caused by banking Trojans is still largely reimbursed by banks, but loss of data is never compensated. By law, doctors have a responsibility towards their patients because patients are at a disadvantage as they do not have the knowledge, experience or skills to treat their condition. We want to give victims of crypto-ransomware the best possible care, including the solution to the problem. This is also the reason why we offer our two products for the price of just one – we identify the attack, we can also clean it for you.

    Some of you will be disappointed or disagree. We still love you guys but you are not like our mainstream customers. We hope you understand this transition.

    Update: For your convenience I created a version comparison that shows which features are free and which are trial > paid:
    HMPA-version-comparison.png
     
    Last edited: Feb 19, 2015
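
    An added illustration, not part of the original post and not CryptoGuard's implementation: a behaviour-based check over constructed file events that covers the overwrite, copy-and-rename and copy-and-delete patterns named above, and flags the process by what it does to files rather than by its image path. Using Shannon entropy as the "looks encrypted" test, the thresholds, and all event data are assumptions made for this example.

```python
import hashlib, math
from collections import Counter, defaultdict

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def noise(seed, size=4096):
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = b""
    while len(out) < size:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out

TEXT = b"Quarterly report: revenue, costs, notes.\n" * 100  # low-entropy document
EXPLORER, WORD = r"C:\Windows\explorer.exe", r"C:\Office\winword.exe"

# Constructed file events: (pid, image, op, path, payload or rename target)
EVENTS = [
    (400, EXPLORER, "read", "a.docx", TEXT), (400, EXPLORER, "write", "a.docx", noise(b"a")),
    (400, EXPLORER, "read", "b.xlsx", TEXT), (400, EXPLORER, "write", "b.tmp", noise(b"b")),
    (400, EXPLORER, "rename", "b.tmp", "b.xlsx"),
    (400, EXPLORER, "read", "c.pdf", TEXT), (400, EXPLORER, "write", "c.pdf.enc", noise(b"c")),
    (400, EXPLORER, "delete", "c.pdf", None),
    (812, WORD, "read", "d.docx", TEXT), (812, WORD, "write", "d.docx", TEXT + b"edit"),
]

def flag_processes(events, min_entropy=7.5, threshold=3):
    """Return {pid: image} for processes that replaced >= threshold readable files
    with high-entropy data, whatever the image path claims to be."""
    plain, staged, hit = defaultdict(set), defaultdict(set), defaultdict(set)
    images = {}
    for pid, image, op, path, arg in events:
        images[pid] = image
        if op == "read" and entropy(arg) < min_entropy:
            plain[pid].add(path)       # process has seen this file as plaintext
        elif op == "write" and entropy(arg) >= min_entropy:
            # overwrite in place counts at once; a new file is only staged
            (hit if path in plain[pid] else staged)[pid].add(path)
        elif op == "rename" and path in staged[pid] and arg in plain[pid]:
            hit[pid].add(arg)          # staged ciphertext replaces the original
        elif op == "delete" and path in plain[pid] and staged[pid]:
            hit[pid].add(path)         # original removed after ciphertext was staged
    return {pid: images[pid] for pid, files in hit.items() if len(files) >= threshold}
```

    On the constructed events only PID 400 is flagged, even though its image is explorer.exe, while the word processor saving an edited document is not.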
  23. J_L

    J_L Registered Member

    OK, thanks for making it clear! I still look forward to what each new version brings.
     
  24. L10090

    L10090 Registered Member

    Thank you for this clear and fully acceptable explanation.
     
  25. Krusty

    Krusty Registered Member

    @markloman,

    Thanks for the clarification. I can see your point too.

    If I need to buy a licence once mine expires, so be it. I think they are great products and you guys deserve the support. I've just checked the prices and for 3 PCs, a 3 year subscription is under $100 AU, so that's less than $30 AU a year - Not too bad!

    I hope the licensing issue with reinstalling the Operating System can get sorted soon as that is something I tend to do way too often.

    Cheers!
     