HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Stop teasing us! :D Give us the real deal! :argh:

    I'm happy with AppGuard along with Hitman Pro and HitmanPro.Alert and have been for a long time now. I recently renewed A LOT of licenses due to the recent update releases. Hitman Pro was on a hiatus for a while, but now it's being very actively developed again!
     
  2. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    I want to use Hitman Pro.Alert Will it work fine with my setup? DefenseWall + Shadow Defender + Hitman Pro.

    Best Wishes,
    Amit
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,552
    Location:
    Outer space
    Interesting screenshot :D

    I have used v1 of Alert with Defensewall together, no problems. Though it probably doesn't check DW's built-in banking browser, but perhaps Erik can say more about it.
     
  5. DX2

    DX2 Guest

    Trying this out, very very light. Along side of AppGuard and 360
     
  6. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    So it will work fine even in FF sandboxed by DW? Alert is great for when banking right? Is it better to use it in normal FF sandboxed by DW or DW's built in banking browser?

    Best Wishes,
    Amit
     
  7. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
    Just curious regarding the upcoming anti-exploit, will hmpalert take action before, or after EMET? Does it terminate the browser or trace and remove the exploit code?
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    I've installed it. Working fine with DW. Does it mitigate and protect against MITM or MITB? How is it made compatible with other security suites or AVs when most offer both MITM and MITB protection?

    Best Wishes,
    Amit
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert shows an Alert when it found a MITB. Existing security suites mostly do not warn when there is a zero-day Zeus, Citadel, Tinba, Cridex, Sinowal/Mebroot/Torpig stealing information from the browser. I know this for a fact because HitmanPro removes these from computers despite presence of AVs.

    Since the launch past wednesday we've received several calls from users which got warnings from Alert but their AV failed to detect malware. After running dozens of tools, no tool found the presence of a zero-day 64-bit Sinowal (I found it manually). It already sat on their systems for 10 days! when they decided to try Alert.

    You are right that AVs do MITB, but they are almost all signature based. Alert is forensic based and warns the user instantly. No signatures needed.

    About MITM, I can't comment on features that have not released yet ;)
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Any anti-exploit tool should terminate (or suspend) the thread that is using a pivoted stack or executing a ROP chain. This because the thread first got owned via a vulnerability (a component like Java or Adobe reader crashed in the process) and is now executing malicious payload; keeping the thread alive is downright dangerous. Also the process memory is very likely heap-sprayed with exploit code (browser has eaten most of your memory) to get around DEP and ASLR. Keeping the process or thread alive does not make sense as your process and its threads got totally owned.

    Are you aware of tools rolling up threads that are executing exploits, keeping browsers alive?
     
  11. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    Oh I see. Thanks. And I'm glad MITM feature is on the way.:D:thumb:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    A quick question, will this tool only alert you if the system has already been infected, or can it also prevent the hijack in the first place, sort of like a HIPS?

    And is it different from tools like for example G Data BankGuard and Trusteer Rapport? ;)
     
    Last edited: Jul 7, 2013
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ erikloman

    Tried installing again from the link in your Sig. Saw a black flyout 1st followed by a green of the same size. Then my comp INSTANTLY rebooted ! It didn't install ?

    No log, but i found one from last week when i tried.

    View attachment alertexe.log
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Today I noticed a second fly-out when starting Chrome. It has happened once before. So it seems like it happens intermittently and randomly.

    Nothing bad happened though after that. I could browse the web as usual.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,303
    Location:
    the Netherlands
    @ erikloman,

    I didn't try the HitmanPro.Alert beta, but since Wednesday July 3rd, I use HitmanPro.Alert 2.0.8.

    Saturday July 6th, I noticed some odd behavior with HitmanPro.Alert, but only once, up to now:

    At some time, the computer idle, with no browser open, or with IE9 with multiple tabs open (I can't recall, unfortunately), the system went into hybrid sleep mode, as it was supposed to.
    Some time later, I woke up the computer from hybrid sleep, and subsequently HitmanPro.Alert behaved oddly:

    - HitmanPro.Alert's green flyout did not only appear with opening the browser,
    - but also with about half or one third of all (multiple) new browser tabs that I opened,
    - even after I closed the browser, opened it again and tried again.
    - Also, each flyout was a double flyout,
    - and clicking the flyout did not open the HitmanPro.Alert Settings window.
    - A Windows reboot fixed all of that strange behavior.

    I haven't been able to reproduce this issue,
    not with waking up the computer after it went into hybrid sleep with no browser open,
    nor with waking up the computer after it went into hybrid sleep with IE9 with multiple tabs open.
    Perhaps sleep mode had nothing to do with the issue.

    Nevertheless, I guess it may be useful to report my findings.

    Finally,
    some probably relevant system information:

    Windows Vista SP2 x86
    IE9
    G Data IS 2014
    SpywareBlaster 5.0
    EMET 4.0 with all EMET mitigations for iexplore.exe and also "Deep Hooks" enabled in EMET\ Apps\ Application Configuration.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,552
    Location:
    Outer space
    Yes, it works with browsers set as Untrusted(sandboxed) by DW, I'm not familiar with how DW's built-in banking browser actually works, so I can't say if Alert+FF Untrusted is better than DW's banking browser. Perhaps Surfright can add protection for DW's browser in Alert, but it is probably more work than with a normal browser and the market share is very little, so I doubt they will to that.
     
  17. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
    There was certain misunderstanding: I didn't doubt the necessity of killing the process (e.g. EMET does exactly this), my questions were
    (1) Does this cause undesired interference if both EMET and the upcoming hmpalert try to take action at the same time?
    (2) In addition to termination, will hmpalert be able to find the file containing the exploit and remove it?

    Thank you.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Oh I indeed misunderstood. We agree on the termination :)

    1) I think the tool that gets called first, the tool that hooked into critical functions last, is going to handle the exploit first.

    2) hmpalert monitors process injections system wide. It is able to pinpoint the source of injection (across process boundaries). In terms of exploits, they are mostly not files but downloaded content living in memory (perhaps also in a cache file). I'd say maybe on your question.
     
  19. DickP

    DickP Registered Member

    Joined:
    May 27, 2011
    Posts:
    12
    1) Did you mean that hmpalert and EMET might be competing for killing a process, and the result (who gets it first) can vary from case to case? So would you test out hmpalert's compatibility with EMET? The scenario sounds similar to two AV trying to remove the same file?

    2) Besides in-memory exploit, isn't it rather common nowadays that malicious PDF files contain exploit code, which can enable remote execution? In that case, hmpalert can pinpoint which PDF is responsible and remove it?

    Since you told us that the monitoring is not limited to browsers, is it safe to say that hmpalert will be a general-purpose anti-exploit tool (which would be wonderful)?

    Thanks!
     
  20. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Hi Erik, Any chance of getting this to work with Comodo Dragon? (Chromium based)
     
  21. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,838
    +1 on that
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 2.0.9 Build 34 Released

    Changelog
    • ADDED: Support for Avant Browser, Baidu Spark Browser, Comodo Dragon, SRWare Iron and Yandex Browser.
    • FIXED: Compatibility with Kaspersky Antivirus 2013
    • FIXED: Compatibility with Sandboxie 3.76
    • IMPROVED: Browser detection algorithm
    Existing users are automatically updated within the next 24 hours.

    Download
    http://dl.surfright.nl/hmpalert.exe
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    New user here....on Comodo Dragon...:)
    I will post news about it on Comodo forum....
     
  24. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    Ah thanks.

    Okay I'm confused here. Are you saying Hitman Pro.Alert protects my browser? I thought it alert about MITB and uses Hitman Pro to remove the threat.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,552
    Location:
    Outer space
    Sorry, I used wrong wording, it is indeed not protection as in blocking, perhaps inspection is a better word.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.