HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I think he meant Windows 10. But no worries, I can reproduce the issue with Virtual Box. We're investigating it tomorrow. Thanks!
     
  2. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Is Caller Check mitigation dependent upon any HMP.A settings ?

    My impression is that it is hardware-dependent instead.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't use virtual box, I was refering to the WIn 10 insider build
     
  4. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    yea, that's the same issue w/vbox I reported last week sometime. build 351 (of hmp.alert) still works. i'm on a non-preview version of win10.
     
  5. snerd

    snerd Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    127
    Location:
    Arkansas USA
    Sorry, I disappeared. I view inside Firefox browser. Windows 10.
     
  6. hjlbx

    hjlbx Guest

    @Peter2150

    What exactly is the purpose of C:\Windows\CryptoGuard ... ? ... LOL.
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Apparently, Virtual Box does not play nice with lots of common software: https://forums.virtualbox.org/search.php?keywords=ldrloaddll
    I am contemplating if we should make a work around or just wait for Oracle to fix their stuff.
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    m0unds was suggesting that build 351 works and the later ones do not, I think I did have 351 on that laptop before updating to test the latest
    I put that ldrloaddll reference in my post after finding all those comments in the virtualbox forums to make it easier to hunt down

    It depends if the workaround is a lot of effort and if you expect that VirtualBox might change any time soon to eliminate the incompatibility
    If you choose not to workaround for now it is probably worth flagging the incompatibility (or potential incompatibility) during install
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    No worries, we haven't thrown in the towel yet ;) stay tuned!
     
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    'That is the rollback folder; if you get hit by ransomware then you lost max. 3 files.' [Source]
    ?
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Actually, the C:\Windows\CryptoGuard folder contains temporary previous versions of files (documents, photos, etc.) that are about to be changed on the disk. When your files are attacked (en masse encrypted) by crypto-ransomware, CryptoGuard will rollback the previous versions from the CryptoGuard folder so you never loose any files. You do not loose max. 3 files, you should not loose any at all.
     
    Last edited: Feb 16, 2016
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    hi, *loman:
    what about this improvement?
    Can you share some more informations?

    Txs a lot!
     
    Last edited: Feb 16, 2016
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    ok :)
     
  14. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I've often wondered about how this works if I you're running a light virtualisation solution like Shadow Defender protecting the system partition and had data encrypted by Ransomeware on another non-virtualised partition.

    In a scenario where you had an exception to C:\Windows\CryptoGuard in Shadow Defender to allow pre-encryption copies of the files to be stored to the 'real' system partition when the attack took place and rebooted to clear the infection (also likely wiping any logs or journaling employed by HMPA) could you just move the pre-encrypted copy files out of C:\Windows\CryptoGuard or does HMPA have to do that work? If the latter how does it know to do that if the logs/journaling are deleted by dropping out of the virtualised session?

    Thanks
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I have 3 internal drives. If I think there is any risk at all, when I shadow with shadow defender I just shadow all three drives. Works great. There are also some other ways of protecting stuff on other drives from Ransomware. Of course the real solution is to not let it on the system at all.
     
  16. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Thanks! Yeah, I agree but I also use SD on my daughters laptop and she shares and updates lots of docs so committing each one is not really an option for her so it is largely just the system partition that is shadowed. I also have AppGuard in there so anything infecting her is unlikely but there are always 'shoot in foot' moments for everyone, especially for her with the amount of sharing of files with her cohort who may be less security conscious, so just wondered how such a scenario would be recovered using HMPA.
     
  17. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    yep, vbox has always been a flaky mess. this is the first time I've personally run into a software conflict with it though. I usually just avoid anything that conflicts as I have to use vbox for work.
     
  18. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Is Caller Check mitigation dependent upon any HMP.A settings ?

    My impression is that it is hardware-dependent instead.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CallerCheck is part of CFI.

    There are 2 implementations, hardware-assisted and a software based implementation (like EMET).

    Both are always used. If hardware is unsupported the software based implementation remains.
     
  20. hjlbx

    hjlbx Guest

    Thanks @erikloman.
     
  21. hjlbx

    hjlbx Guest

    @erikloman

    I have ransomware samples that are blocked by CallerCheck.

    Is that one of the typical mitigations for ransomeware ?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Ah that specific check falls under Process Protection. It is also called CallerCheck because some malware step on our trap as malware makes assumptions that hmpalert breaks, hence CallerCheck.

    It is not specific to ransomware but malware in general.
     
  23. hjlbx

    hjlbx Guest

    @erikloman - you da best !
     
  24. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Have there been any reported conflicts between HMP.A and SpyShelter products ?

    More specifically, has the HMP.A keystroke encryption been reported as clashing with SpyShelter's anti-logger ?
     
  25. e23

    e23 Guest

    On Windows 7 64 bit HMP.Alert reenables IPv6.
    I have the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents set to 0xff.
    As soon as hmpalert.exe starts the value is reset to 0x00.
    Running HMP.A version 3.1.7.357
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.