HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    http://www.cs.ucr.edu/~nael/pubs/micro16.pdf - Branch buffer shortcoming in Intel CPUs allows hackers to reliably install malware on systems by bypassing ASLR.

    A New Problem for you guys to solve!
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,630
    Location:
    DC Metro Area
    Thank You Peter2150 and mood :)
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.5.4 Build 567 BETA

    Changelog (compared to 562)
    • Improved CryptoGuard mitigation handling secure delete tools
    • Improved WipeGuard mitigation
    • Improved compatibility with Trusteer Rapport
    • Added hardware-assisted support for Intel Goldmont and Intel Kaby Lake
    • Added workaround for BSOD when Hyper-V is enabled on Windows 10 Redstone 1
    • Fixed BSOD when removed USB flash drive
    • Fixed BadUSB not disabling/enabling on certain computers
    • Fixed disabling Network Lockdown now further disables network filtering
    • Fixed compatibility issue with Zarafa
    • Fixed Windows XP support
    • Various minor issues solved
    Notes
    This build does not work on Windows 10 AU with SecureBoot enabled as the drivers in this build are not yet counter-signed by Microsoft.

    Download
    http://test.hitmanpro.com/hmpalert3b567.exe

    Please let me know how this version runs on your computer :thumb:
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I think they got inspired by our WipeGuard solution :)

    It is redundant. WipeGuard attaches closer to the hardware though.
     
    Last edited: Oct 20, 2016
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,630
    Location:
    DC Metro Area
    All Win 10 AU or only Win 10 AU that was installed rather than upgraded?
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    All fresh installed Windows 10. So if you upgraded from Windows 7 or 8 to Windows 10, you can use the above build.
     
  7. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    Such a shame, as I'm curious whether it works any better with Uplay and 3DMark. (As both of them are not working normally with HitmanPro.Alert running in the background.)
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,325
    Location:
    the Netherlands
    All well on my Windows 7 x64.
    If any issue might show later, I will report, of course.
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    The paper is not about abusing a flaw in Intel CPUs to 'reliably install malware', but about bypassing ASLR. All exploit attacks of the last few years, incl. those in commodity exploit kits, are already capable of bypassing ASLR. This specific attack on ASLR alone is abusing a flaw in Intel hardware so the attacker can guesstimate, through trial and error, addresses to abuse critical functions.

    Important to mention: this specific attack cannot be performed using e.g. JavaScript. It cannot be done from remote without employing other existing exploit techniques. In order to abuse this flaw, the attacker must already be able to run code on the machine.

    So before an exploit can eventually run the payload (install malware), the attacker must employ other exploit techniques too, to bypass e.g. DEP (Data Execution Prevention). He or she can do this with Return-Oriented Programming (ROP) and we e.g. have our hardware-assisted Control-Flow Integrity (CFI) against that.

    In other words (of the game Quake), this attack on ASLR is cool but is like killing a bee with a Big Fragging Gun (BFG), while less dramatic conventional methods work too and are easier.
     
    Last edited: Oct 20, 2016
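    As an added illustration of the hardware-assisted CFI idea Mark refers to (this is not HitmanPro.Alert's code, and its actual checks are not described on this page): a "call-preceded" check over recorded return targets, a heuristic from the ROP-detection literature. The code bytes are a constructed sample, and prefix and SIB corner cases of x86-64 CALL encodings are simplified.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Is there a CALL of exactly `need` bytes starting at code[off]?  Recognises
 * E8 rel32 and the FF /2 indirect forms, with an optional REX prefix. */
static bool call_of_length(const uint8_t *code, size_t off, size_t need) {
    size_t i = off, n = need;
    if (code[i] >= 0x40 && code[i] <= 0x4F) { i++; n--; }  /* REX prefix */
    if (code[i] == 0xE8) return n == 5;                     /* CALL rel32 */
    if (code[i] != 0xFF || n < 2) return false;
    uint8_t modrm = code[i + 1];
    if (((modrm >> 3) & 7) != 2) return false;              /* reg field /2 */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return n == 2;                            /* CALL r64 */
    size_t len = 2 + (rm == 4 ? 1 : 0);                     /* SIB byte */
    if (mod == 1) len += 1;                                 /* disp8 */
    else if (mod == 2 || rm == 5) len += 4;                 /* disp32 / RIP-rel */
    return n == len;
}

/* Call-preceded check: could the bytes before ret_off be a CALL? */
bool is_call_preceded(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off >= len) return false;
    for (size_t l = 2; l <= 8 && l <= ret_off; l++)
        if (call_of_length(code, ret_off - l, l)) return true;
    return false;
}

/* Count recorded return targets (e.g. from the LBR) that no CALL could have
 * produced; a run of such targets is the signature of a ROP chain. */
size_t count_unverified_returns(const uint8_t *code, size_t len,
                                const size_t *rets, size_t n) {
    size_t bad = 0;
    for (size_t k = 0; k < n; k++)
        if (!is_call_preceded(code, len, rets[k])) bad++;
    return bad;
}

/* Constructed sample code bytes, not taken from any real binary. */
const uint8_t SAMPLE_CODE[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,  /*  0: call rel32                    */
    0x48, 0x89, 0xC8,              /*  5: mov rax, rcx  (call-preceded) */
    0xFF, 0xD0,                    /*  8: call rax                      */
    0x5F, 0xC3,                    /* 10: pop rdi; ret  (call-preceded) */
    0x48, 0x31, 0xC0,              /* 12: xor rax, rax  (gadget)        */
    0x5E, 0xC3,                    /* 15: pop rsi; ret  (gadget)        */
    0x41, 0xFF, 0x55, 0x08,        /* 17: call [r13+8]                  */
    0x90,                          /* 21: nop           (call-preceded) */
};
```

    A legitimate return lands right after a CALL, so a return target with no CALL immediately before it is one a ROP chain had to fabricate; on its own this heuristic is known to be incomplete, which is why real mitigations combine it with further checks.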
  10. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64: installed hmpa build 567 Beta over build 565.
    No issues (yet) running HitmanPro build 280 with HitmanPro.Alert build 567 Beta.
    All my W7-x64 systems are running licensed. However my trial license on my test W10 AU laptop (upgraded from W7-x64) is expired so no W10 testing.
     
    Last edited: Oct 20, 2016
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    So far so good here.
     
  12. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    How does one whitelist a W10 UWP game, because the executable (for example, forza_x64_release_final.exe) in c:\program files\windowsapps\etc. appears to be encrypted or not a valid EXE?
     
  13. guest

    guest Guest

    Updated to build 567, no issues so far.
     
  14. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,028
    No problems upgrading to build 567 beta. Did a secure wipe of 350+ files with CCleaner 5.23 and no CryptoGuard issue.
     
  15. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    No issues with 567 Beta upgrade. Everything as normal.
     
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,028
    Despite HmP.A 567 beta (Improved CryptoGuard mitigation handling secure delete tools), there is still a CryptoGuard issue with CCleaner64.exe 5.23 (secure wiping of JPGs).

    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation CryptoGuard

    Platform 10.0.14393/x64 v567 06_17*
    PID 5152
    Application C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe
    Description CCleaner 5.23

    Filename C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe

    C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0161.JPG
    C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0160.JPG
    C:\$Recycle.Bin\S-1-5-21-1139147123-4150390050-2674437762-1000\$RREWAP0\IMG_0159.JPG


    Process Trace
    1 C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner64.exe [5152]
    "C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe" /uac
    2 C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe [6308]
    "C:\Users\****\Desktop\Nieuwe map\ccsetup523\CCleaner.exe" /uac

    Win10 1607 build 14393.321 x64/Norton Security v22.8.0.50
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,813
    This build should fix some problems mentioned in this thread.
    "BSOD after Removal of USB disk" / "Hyper-V" / ...
    But Win10 users (who don't want to disable "Secure Boot") may have to wait for a newer beta, because it's not counter-signed by MS.
    Edit 2: Only fresh installations of Windows 10 are affected. Systems upgraded from an earlier OS to Windows 10 are not affected.
    Edit: after reading "(compared to 562)" I see that some entries in the changelog were already mentioned in previous changelogs :cautious:
    So I removed already mentioned entries (but I'm not 100% sure, don't count on my user-customized changelog):
     
    Last edited: Oct 21, 2016
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    only if you have done a new [clean] installation

    "OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change".

    SecureBoot ON + system upgraded from an earlier OS (7, ..., 10TH2) to Windows 10, version 1607
    nothing to worry about (OS signing enforcement OFF)

    SecureBoot ON + new OS installation → OS signing enforcement ON → wait for proper counter-signed driver...
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Build 567 is looking good here on Win 7x64

    Pete
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,813
    Oh, I forgot that :oops:
    ----
    With the previous build sometimes the keystroke encryption indicator was not "animated" (Encrypting ...), but I'll keep an eye on that if it happens again.
    ----
    The latest beta (b567) is running fine.
    No problems with secure-deleting files with CCleaner or some other tools, and no problems after removal of USB-/Flash-drives.
     
  21. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Baana
    Why is it that whenever I manually stop the HMP.A service, my internet connection is temporarily disrupted?

    Is this intentional?
     
  22. cantoris

    cantoris Registered Member

    Joined:
    Apr 3, 2005
    Posts:
    9
    Bitdefender emailed today to say they fixed the problem that occurs with SQL Installing/Patching in the presence of HMP.A. I've confirmed it is indeed fixed after updating Bitdefender. :-D
     
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    "Perform malware scan after installation" fails in HMPA.
    Even after installing HMP first and then installing HMPA 3.5.4 build 567 BETA and clicking on "scan computer", it shows failed.
    Earlier versions of HMPA did however work when clicking on scan computer, so something has changed.
     
  24. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    Firewall rules are allowed for all HMPA connections AFAIK.
     
  25. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,498
    Build 567 BSODs on XP. Clean HMPA install. Launched Firefox browser -> BSOD.
    Reboot XP -> BSOD right after boot. PAGE_FAULT_IN_NONPAGED_AREA 0x10000050
    I sent you the dump Erik. Deleted HMPA files from XP via Win7 and XP boots fine.
     
    Last edited: Oct 22, 2016