HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert is not an anti-virus solution and our CryptoGuard technology protects against crypto-ransomware (hence it's called CryptoGuard). If the machine is hit with other extortion malware (generally called ransomware), the current version of CryptoGuard in HMPA does not offer protection.
    The Hitler ransomware that was discovered is a development build. It is expected that the final production version will encrypt your data. That one will be stopped by CryptoGuard. That said, Hitler is currently not a real-world threat.

    Also remember, in most tests and videos (e.g. from GrujaRS) it's often only the ransomware itself that is under scrutiny. In the real-world, ransomware arrives on the machine through a dropper, exploit or Microsoft Word document with malicious macro attached to a spam e-mail. HitmanPro.Alert's Exploit Mitigations, Application Lockdown and Process Protection are pretty effective against these delivery methods. And in case of crypto-ransomware, which is by far the most prevalent ransomware, these are stopped by CryptoGuard without using signatures; meaning CryptoGuard also protects patient zero.
     
    Last edited: Aug 10, 2016
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,100
    Location:
    USA
    Are you using the "Disc Eraser" feature? This looks like a secure delete option that overwrites the file space after deletion to make the files unrecoverable. If so, HMPA's CryptoGuard is detecting this as an encryption process and killing it. The answer is to temporarily disable CryptoGuard when you are doing secure file deletion.

    http://www.wisecleaner.com/wisecare365/help/en/disk_eraser.html
     
  3. Frankthetank

    Frankthetank Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    3
    Location:
    Germany
    Thanks for your reply.
    Do you mean "Secure Deletion" on Menu -> Settings -> Cleaner? It's currently activated. I will try to clean without Secure Deletion activated.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,100
    Location:
    USA
    That sounds like the correct feature; if you don't need it turn it off. That should stop the HMPA intercept. Let us know :)
     
  5. plat1098

    plat1098 Guest

    "Most," "often," and "usually" are quite satisfactory from the standpoint of effectiveness. Thank you for the detailed and forthright explanations. I have to fill in the gaps with another security gadget, though. Is Bouncer an effective complement to HMP-A? Guess there's homework to do. :mad:
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    I assume HMPA doesn't need to hook ALL processes. But via API hooking it can detect the memory modification of browsers and certain system processes, which is needed to detect banking trojans and ransomware. MBAE doesn't perform system wide hooking because it only protects specific processes against exploits.

    It's very simple, HMPA can't and doesn't claim to protect against ALL malware. For example, SpyShelter will fail to protect against ransomware, even though it has a file/folder protection feature. But developers can say that SS is more geared to blocking spyware and keyloggers.
     
  7. Frankthetank

    Frankthetank Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    3
    Location:
    Germany
    Yep. You're right. By disabling the Secure Deletion, HMP.Alert won't block it anymore.
    Thanks for the advice.
     
  8. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I'm having a problem with my license. I've reinstalled my system a number of times in the past few months because of issues with Win10, and now when I try to add my license to HMPA it says that it's been activated already. Thing is, I did uninstall it every time I ended up reinstalling my OS. I hope I can get this sorted.
     
  9. Even admin/high processes have no access to protected processes (as posted by Alex Ionescu protected process memory can't be tampered with), so it does not matter anyway.
     
  10. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Baana
    Newbie question. If I receive the screen notification that HitmanPro.Alert has stopped Cerber2 (for example)... What is next for me? Will HitmanPro.Alert scan and clean up my system by removing (or quarantining) the offending executables (etc), or do I turn to other tools?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    Please not this stuff again. MemProtect is NOT better in stopping exploits than HMPA at all. It probably simply blocks the payload from running just like Bouncer, but only if the payload is file based. If the payload is memory based, then you will still need tools like HMPA and MBAE.

    So no, it's not better at all. Perhaps Mark and Erik Loman can take MemProtect for a test-drive to solve this mystery once and for all. I mean "protected process" simply means that other tools can not inject code into it, but that's not the same as blocking the exploit from running.
     
  12. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    OK, I understood, but please don't tell me "it's not a bug, it's a feature"... It was rather obvious that user profile data is quite a common target of malware, e.g. exploits or ransomware... So, knowing that CryptoGuard is a part of HMPA, we can expect that the locations most often exposed are covered by the security app... no matter whether it is a proof of concept or real-life malware, and no matter where it comes from.
    I know... we aren't able... and developers too... to predict all possible files/folders that can be the target of ransom, or the possible actions of malware, but we should sometimes learn from history and from competitors' solutions, and extract the best things from good practice. It's not a good solution to tell users "buy another security product".
     
  13. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    163
    Please pardon if the question has been asked, but... Are we waiting for a fix for the problem with HMP.A CryptoGuard blocking DasHost.exe? A scan detects no problem. Is this an HMP.A issue that needs fixing, or are we waiting for Microsoft to fix it?
     
  14. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    123
    Location:
    Australia
    @Telos

    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-164#post-2460905

    Regards.
     
  15. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,494
    Latest HMPA 3.5.546 (trial expired) causes a system hang on my W7-32bit system when creating and formatting a VHD. Everything up to formatting is fine. Once the quick format starts, the only alternative is the power switch. Uninstalled HMPA and everything is fine. From the Disk Management console, follow these steps:

    1. Select Action drop-down > Create VHD. Follow the prompts that appear.
    Location: ?:\anyname.vhd
    Virtual hard disk size: 15GB
    Use fixed size.
    If the VHD options are greyed out, click in the blank space where your volumes are listed and it should become selectable.
    2. Right-click your new disk and then click Initialize Disk. Click OK.
    3. Right-click the new volume and then click New Simple Volume (or select a different volume type, if available). Follow the prompts that appear.
     
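    The same create / initialize / format sequence can be scripted with diskpart so the repro is repeatable and the hang can be pinned to the format step; this is an added example written for this thread, not something posted by Adric or shipped with HMPA. The path V:\hmpa-repro.vhd, the drive letter V and the label are assumed placeholders.

    ```powershell
    # Scripted repro of the Disk Management steps above (added example, assumed paths).
    # diskpart's vdisk commands exist on Windows 7 and later; run from an elevated prompt.
    $vhdPath = 'C:\hmpa-repro.vhd'      # placeholder, any local NTFS path works
    $sizeMB  = 15 * 1024                # 15 GB fixed-size disk, as in the original steps

    # Step 1: create a fixed-size VHD. Step 2: attaching it presents a raw disk that
    # diskpart initializes (MBR by default) when the first partition is created.
    # Step 3: a single primary partition with a quick NTFS format is the point where
    # the system hang was reported, so it is kept as the last command.
    $script = @"
    create vdisk file="$vhdPath" maximum=$sizeMB type=fixed
    attach vdisk
    create partition primary
    format fs=ntfs quick label="HMPA-REPRO"
    assign letter=V
    "@

    $scriptFile = Join-Path $env:TEMP 'hmpa-vhd-repro.txt'
    Set-Content -Path $scriptFile -Value $script -Encoding ASCII

    # Log before the format step so a hang leaves a marker on disk of how far it got.
    Write-Host "Running diskpart script from $scriptFile ..."
    diskpart /s $scriptFile
    Write-Host "diskpart exit code: $LASTEXITCODE"
    ```

    Re-run with CryptoGuard disabled, then enabled, to confirm whether the format step is what triggers the hang.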
  16. I said it stops all the exploits of the HMPA test tool (link), so it beats me how you know these things without trying the software.

    That is exactly what Microsoft's protected processes feature establishes: no one can inject code into it.

    No, it stops in-memory access, as explained here (link) with the explanation from Microsoft (link). You are confusing Bouncer (file execution based) with MemProtect (memory based execution).
     
    Last edited by a moderator: Aug 11, 2016
  17. plat1098

    plat1098 Guest

    This information is very helpful to me. Thank you. :)
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    Well I am at a loss now on the keyboard encryption issue, problem has still not come back since reinstalling 3.5, so for now will shut up about it. :)

    PC has been up for 2 hours 20 minutes since reboot and typing still encrypted.
     
  19. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Does it really stop the exploits, or only the execution of calc.exe?
     
  20. hjlbx

    hjlbx Guest

    I think this question should be answered by Florian (Excubits) and not Erik or Mark.

    This is a running debate that needs to be definitively put to rest by the MemProtect developer.

    @WildByDesign - you in on this ? Any way you can present this to Florian ?
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Absolutely, yes. I can follow up on this. I don't think that we should be cross-posting into this HMPA thread though and taking away from any HMPA-related support in this thread, out of respect for the Loman brothers.
     
  22. hjlbx

    hjlbx Guest

    That's what I'm thinking... lest we get our posts chopped from this subforum.

    Move it back to the Bouncer thread where this debate started and should be decisively and definitively finished.

    30 minute task for Florian...
     
  23. When you read what is blocked with protected processes, it does not have access to the memory, so it should stop the exploit; read the Microsoft documentation.

    Do you have Windows 8 or above? Add protection column to the view of process explorer and try to kill a protected process or protected process light with any process hacker tool: won't work.

    You simply don't have access to its memory. That is why I stated that MemProtect has similar exploit protection to HMPA, and probably stronger, because it is inside the kernel and does not have to inject/hook into every process like HMPA (which is a very creative way of circumventing kernel modification limitations, but can't be as strong as kernel based mitigations).
     
    Last edited by a moderator: Aug 11, 2016
  24. Agree, I won't answer anything on protected processes anymore, unless it is in the Bouncer thread.

    Agree, but remember HMPA is free for Wilders Security members, so both are free. The advantage of HMPA is that it has a GUI and support is offered on this forum. On top of that, HMPA also offers ransomware and keylogger protection. Best quality of all: it is a Dutch software solution :thumb:
     
    Last edited by a moderator: Aug 11, 2016
  25. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    213
    How do I get in on this?
     