HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.


  1. As video of Cruel Sister shows (even current) HPMAlert does not protect against file deletions, so Cryptoguard probably only monitors 'en masse' files overwrites. Newer variants of ransomware also encrypt the filename. So Cryptoguard would probably not notice the change since the original file is saved under a different name and original file is deleted.

    Are you still running V2.6 while you have V3.x or are you only asking (and are using your licenses, hence the explicit request to NOT suggest upgrade to latest)?
     
    Last edited by a moderator: Mar 23, 2016
  2. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    58
    Simply because it has a small footprint and version 3.x.x won't install on one of my legacy XP computers. Run it together with MBAE 1.08.1.1189 (also small footprint) without conflict. As long as HMPA 2.6.5.77 adds a layer of security I'll keep it.
     
  3. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    58
    Upgraded against a charge, yes. But, as I said, I already have a 2 years v3.x license for 3 PCs and my query relates to the usefulness of 2.6.5.77 regardless.
     
  4. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    58
    Thanks for the 1st paragraph sum-up. Have to read that again to get the full meaning...

    As for the 2nd para, to reiterate, because it has a small footprint and version 3.x.x won't install on one of my old XP computers. As long as HMPA 2.6.5.77 adds a layer of security I'll keep it (together with MBAE 1.08.1.1189).
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    FWIW ~ little test > Paranoid Fish report w Active vaccination.
    http://betanews.com/2016/03/23/malware-detect-sandbox/
    * Pafish (Paranoid fish) *

    Some anti(debugger/VM/sandbox) tricks
    used by malware for the general public.
    [-] Debuggers detection
    [*] Using IsDebuggerPresent() ... OK

    [-] CPU information based detections
    [*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
    [*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM ex
    it ... OK
    [*] Checking hypervisor bit in cpuid feature bits ... OK
    [*] Checking cpuid hypervisor vendor for known VM vendors ... OK

    [-] Generic sandbox detection
    [*] Using mouse activity ... traced!
    [*] Checking username ... OK
    [*] Checking file path ... OK
    [*] Checking common sample names in drives root ... OK
    [*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
    [*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
    [*] Checking if Sleep() is patched using GetTickCount() ... OK
    [*] Checking if NumberOfProcessors is < 2 via raw access ... OK
    [*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
    [*] Checking if pysical memory is < 1Gb ... OK
    [*] Checking operating system uptime using GetTickCount() ... OK
    [*] Checking if operating system IsNativeVhdBoot() ... OK

    [-] Hooks detection
    [*] Checking function ShellExecuteExW method 1 ... OK
    [*] Checking function CreateProcessA method 1 ... OK

    [-] Sandboxie detection
    [*] Using GetModuleHandle(sbiedll.dll) ... OK

    [-] Wine detection
    [*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
    [*] Reg key (HKCU\SOFTWARE\Wine) ... OK

    [-] VirtualBox detection
    [*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... traced!
    [*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
    [*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
    [*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
    [*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
    [*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
    [*] Additional system files ... OK
    [*] Looking for a MAC address starting with 08:00:27 ... OK
    [*] Looking for pseudo devices ... OK
    [*] Looking for VBoxTray windows ... OK
    [*] Looking for VBox network share ... OK
    [*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
    [*] Looking for VBox devices using WMI ... OK

    [-] VMware detection
    [*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... traced!
    [*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
    [*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
    [*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:5
    0:56 ... OK
    [*] Looking for network adapter name ... OK
    [*] Looking for pseudo devices ... OK
    [*] Looking for VMware serial number ... OK

    [-] Qemu detection
    [*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK

    [-] Bochs detection
    [*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
    [*] cpuid AMD wrong value for processor name ... OK
    [*] cpuid Intel wrong value for processor name ... OK

    [-] Cuckoo detection
    [*] Looking in the TLS for the hooks information structure ... OK
    YMMV
     
    Last edited: Mar 23, 2016
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,131
    Location:
    USA
    Fair enough :) I would just suggest that you make sure you've got protection against the newer crypto-ransomware threats.
     
  7. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    I am seeing a minor problem with the latest (beta) versions of HMPA (stock settings) where flash is crashing on certain web pages. Using Chrome 64-bit on Win10 and am seeing it consistently on the BBC website (specifically the 'live' linked pages for sports/news etc.). Don't know if people outside the UK can recreate it as the BBC pages will be different. Uninstalling HMPA fixes it.
     
  8. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    pay attention surfing on BBC.com since it is on of the most striked website according to this report.

    So my question is simple:
    real attack?
     
  9. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    207
    Possibly though I've seen it for over a week.
     
  10. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Well strangely enough SurfRight support asked me to remove my Netgear switch (which has no router function) between my TP-Link router and my computer and promptly marked my problem as solved. I replied back that (as expected) the problem still remains. And even if it were to solve the problem, then I still find it strange that SurfRight sees this as a solution to simply remove a piece of hardware that's essential for my home network and never gave me any problems. o_O
     
    Last edited: Mar 23, 2016
  11. Anguel

    Anguel Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    75
    I also got some strange answers from support regarding my VirtualBox problem, they did not seem to understand what I was talking about and just sent me "some reply" not really related to the actual problem.
    Besides that, HMPA 3.1.9 build 361 seems to work fine with VirtualBox now, I use it together with KIS 2016.

    BTW: After Symantec's blacklisting of hitmanpro.com few weeks ago, now Avira's browser plugin also seems to block that link:
    http://test.hitmanpro.com/hmpalert3b361.exe
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    I have no such switch, so that is not a solution. Perhaps they can't see the cause, or in their view the problem is limited and not worthy of attention.
    In my case, accessing the router works - it is just very slow.
     
  13. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    I got another response from SurfRight support, this time from another person. His answer was a lot more logical. They are researching the problem and are aware of the issue. He further replied that the problem seems limited to only TP-Link routers and that a possible fix will be provided in an upcoming version. And even though this isn't a direct solution, I'm confident they will fix it. Let's hope sooner rather than later! :thumb:

    I've had several experiences like that with other support helpdesks, I wonder why sometimes this seems more a rule then an exception to give nonsense answers.
     
    Last edited: Mar 24, 2016
  14. When HPMA 3 gives problems, I would replace HPMA 2 with Secure Folders (against ransomware) and keep MBAE free (against exploits).
     
  15. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,054
    Location:
    Baden Germany
    Does HMP.A protect against new TESLACRYPT4.0, that does not change file name, nor file extension?
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,131
    Location:
    USA
    Interesting read here:

    http://www.bleepingcomputer.com/new...d-with-bug-fixes-and-stops-adding-extensions/

    This one uses RSA4096 (because apparently RSA2048 wasn't strong enough :blink: )

    Here's some interesting data about what it would take to break RSA2048:

    https://www.digicert.com/TimeTravel/math.htm

    Excerpt:

    "In putting together our video, we estimated the age of the Universe to be 13,751,783,021 years or a little over 13.75 billion years*, therefore if you tried to break a DigiCert 2048-bit SSL certificate using a standard modern desktop computer, and you started at the beginning of time, you would have expended 13 billion years of processing by the time you got back to today, and you would still have to repeat that entire process 468,481 times one after the other into our far far distant future before there was a good probability of breaking the certificate. In fact the Universe itself would grow dark before you even got close."
     
    Last edited: Mar 25, 2016
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,054
    Location:
    Baden Germany
  18. hjlbx

    hjlbx Guest

  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it does.

    image.png

    Also the samples we tested also trigger HollowProcess first.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No. CryptoGuard does not block this.

    You can recover from PETYA though. Our brief research shows that only MBR and NTFS are touched, so with an undelete tool you can recover.

    Ofcourse we are not waiting for the next one to hit ;)
     
  21. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I smell innovation here. I hope I'm right. :D
     
  22. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    58
    Thanks. You mean Secure Folders by SubiSoft? Locking/encrypting folders sounds like added overhead and, besides, a company that doesn't state where it's located is not for me. You have to follow the country code (+91) to find out. Maybe MBARW (once ready) will be folded into MBAE...
     
  23. SPRINTMAN

    SPRINTMAN Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    53
    Location:
    Canberra, ACT, Australia
    Would HMPA offer me anything additional to MBAM/MBAE and NS? CryptoPrevent running in std mode as well. I have HMP standalone scanner already.
    Tks in anticipation...
     
  24. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    You will get features apart from anti-ransomware and anti-exploit. There are features in HMP.A that may not be present in your current security configuration.
    http://www.hitmanpro.com/alert
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    No, he doesn't mean the Subisoft product, but another soft which has been abandoned unfortunately, though it does its job admirably.
    I suspect you wouldn't want that, but if you do it is still available but I would have to search for the link.
    Also, MB have intimated that MBARW will be incorporated into MBAM. Don't know if MBAE will be also.
    :oops:, this is OT.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.