HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. akhsj

    akhsj Registered Member

    I hope HMPA/BDTS resolve this issue, so I can remove the current temporary explorer exception. Explorer has a dll plug-in architecture and appears to be the primary user desktop process. I am not comfortable with a permanent exception for this reason. I also don't think BitDefender can be allow-listed in this case, since it may be an interaction with the BitDefender DLLs and HMPA DLLs within the Explorer process. I don't know enough about the respective architectures to be sure.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Yes, but you would think that if HMPA doesn't monitor Bitdefender at all, this kind of stuff can be prevented. Or perhaps it's actually Bitdefender's behavior blocker who monitors HMPA, that's another option.

    BTW Ronny, you never replied to my question about whether HMPA can block TrickBot from spying on the browser.

    https://www.cisecurity.org/insights...verage-hat-trick-a-malware-with-multiple-hats
     
  3. JEAM

    JEAM Registered Member

    FWIW, I'm on BitDefender Total Security version 26.0.33.139 on a Windows 7 Home x64 machine and I haven't experienced the black screen. But I did notice that BD is not running -- their icon in the Notification Area shows up, but it's grayed out, and when hovering the mouse pointer over it I am informed that "Bitdefender Services are not responding."

    Not sure if renaming HMPALERT.DLL and restarting EXPLORER.EXE will help in this case, but I'll give it a shot when I get the chance.

    UPDATE: Followed the instructions and this is what happened:
    • The PC loaded as far as the Welcome screen with a spinning circle, but would go no further. (This had not happened on the previous reboot or two -- unrelated to this issue -- after BD had stopped running.) A further reboot led to a screen offering to enter Safe Mode or start Windows normally. I chose to start normally.
    • This time Windows 7 did launch completely. However, the BD icon is still grayed out, with the same notice as reported above. So the suggested workaround seems to have made no improvement in this case.
     
    Last edited: Mar 4, 2023
  4. akhsj

    akhsj Registered Member

    The latest BitDefender Total Security update, build 26.0.34.145 appears to have resolved my issues regarding the earlier conflict with HMPA and blank desktop on user login. I rebooted with all the HMPA exploit protection settings at default, and post-reboot was able to login without any issue to a normal desktop. All applications are also working with default HMPA exploit protection settings. No HMPA exclusions were required.

    Bitdefender Total Security, Build 26.0.34.145, HitmanPro.Alert, Version 3.8.22 build 947
     
  5. JEAM

    JEAM Registered Member

    I had to manually uninstall BD, as it was no longer updating on its own. Clicking on Reinstall from the uninstallation wizard did the trick. Everything's good again.
     
  6. JEAM

    JEAM Registered Member

    https://www.safetydetectives.com/best-antivirus/hitmanpro/

    Despite the writer's claim to have "researched and tested hundreds of cybersecurity products," he doesn't seem to understand the nature and purpose of HMP.A. He criticizes the program for not catching viruses; for lacking a firewall, parental controls, and a password manager; and for not blocking phishing websites. These are features of a cybersecurity (AV) suite, whereas HMP.A sits squarely within the "anti-exploit" category and is not intended to provide any of those functions (that's what the full-fledged Sophos suite is for). He also says that HMP.A "is supposed to detect any malware file before you download or run it on your system," but if I understand how the program works, it's designed to block malware when the malware tries to do something, not before it runs and certainly not before it's downloaded.

    IMHO the most serious criticism in the review is the claim that the keystroke encryption function doesn't work.

    Thoughts/comments/reactions, especially about HMP.A's keystroke encryption?
     
  7. Baldrick

    Baldrick Registered Member

    Spot on...not sure who this reviewer is but he is completely clueless about how HPA works...so best to avoid his ramblings.

    As for the keystroke encryption...my only comments would be that sometimes it works 'too well'...and in fact it can be a bit glitchy...but otherwise does a sterling job.
     
  8. JEAM

    JEAM Registered Member

    I agree with everything you said! :thumb:
     
  9. plat

    plat Registered Member

    Wow, I don't use Alert any more but even I had to shake my head. Since when should this "need" a vpn? That's for your antivirus or your stand-alone apps. There were other mis-steps in that article but no need to nit-pick. I used it alone for a while w/VoodooShield and no AV but strictly speaking, isn't Alert a security layer? Hmmm.

    Thanks for posting that interesting read.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Well, now I'm confused, do you also get HitmanPro when you install HMPA? Because according to the reviewer, HMPA does scan for malware? And it's true that HMPA is not an AV, that's what he perhaps misunderstood. HMPA is basically an exploit and behavior blocker.
     
  11. JEAM

    JEAM Registered Member

    Yes, HMP.A does include HMP: https://www.hitmanpro.com/en-us/alert

     
  12. Rasheed187

    Rasheed187 Registered Member

    OK, so then the reviewer wasn't completely wrong if he saw that certain of his malware samples were able to infect the system? Perhaps SurfRight should explain a bit better what exactly HMPA is meant for and that it's not the same as HitmanPro.
     
  13. JEAM

    JEAM Registered Member

    My understanding of it is that HMP is an on-demand scanner, while HMP.A offers real-time protection.

    Hopefully @RonnyT or someone else from Sophos/SurfRight will step in to provide more information.

    I rely more on HMP.A's real-time protection than on the on-demand aspect; when I do a manual scan, it only ever seems to find cookies. But that could be simply a function of my main AV's effectiveness. :)

    OTOH, a number of times the real-time protection feature has intercepted an attack of one kind or another.
     
  14. Baldrick

    Baldrick Registered Member

    Well, perhaps they should but I do not think that I have come across any other reviewer who has made this very amateurish mistake...it smacks of incompetence which is worrying when he is putting his views out there in this fashion. :thumbd:
     
  15. 3x0gR13N

    3x0gR13N Registered Member

    Does HMP.A protect against token/cookies exfiltration from locally executed malware? The attack basically allows for malware to exfiltrate the browser token from a logged in website, so that the attacker doesn't need to obtain passwords/2FA at all.
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Not sure about that particular exploit, but in general HMP.A mitigations should identify an exploit and prevent malware from executing its payload. In other words the malware should be shut down prior to taking action to exfiltrate anything.

    So in context, perhaps the proper question would be to ask if that specific malware has an exploit mechanism that is detected by HMP.A. The available mitigations and risk hardening functions are quite broad and include most known exploit patterns. It is a behavior blocker.

    The downside of making assumptions like this is that this product is not subjected to regular public performance analysis such as is typical with AV suites. So objective performance metrics are rather opaque with this one. I run it alongside my AV program for an extra security layer.
     
    Last edited: Mar 31, 2023
  17. Rasheed187

    Rasheed187 Registered Member

    Yes, it should block this. But it would be nice if this could be demonstrated by Sophos in a video.

    HMPA is designed to block certain malicious actions of malware that is already running on the system. So it's not only designed to block exploits.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Well, this is indeed a bit confusing, so I don't blame the reviewer. Because AFAIK, HMPA doesn't have any realtime AV scanner, so probably that's why the malware that was tested was never spotted.
     
  19. Rasheed187

    Rasheed187 Registered Member

  20. Tinstaafl

    Tinstaafl Registered Member

    Correct, HMPA doesn't detect file-based "static" malware (dormant). So you could have a folder full of them be totally undetected by HMPA.

    And as you stated previously, "HMPA is designed to block certain malicious actions of malware that is already running on the system".
     
  21. Rasheed187

    Rasheed187 Registered Member

    I decided to read the review again and I think I know where the confusion is coming from. According to HMPA's anti-malware component, which is in fact HitmanPro, you get realtime protection against malware. So this should be cleared up, is this some kind of realtime cloud based scanner, or can it only perform on demand scanning?

    I have never used HMP, but I assumed it was an on-demand scanner similar to Malwarebytes Free, so without a realtime scanner. So I'm sorry to say, but SurfRight/Sophos is mostly to blame for this "unfair" review. HMPA should not be marketed as a full-blown AV, but more as a behavior blocker, with on-demand scanning provided by HMP. Also, the reviewer made a good point about HMPA not having a firewall; a tool that's focused on anti-spying should offer this.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Basically, malware that is delivered via exploits should be blocked from running at all. Malware that is somehow already running on the system, should be blocked from encrypting files, keylogging of browsers, code injection and browser password/cookie stealing. Not to forget that it should alert about browsers that are infected by banking trojans.

    So that's basically the job of HMPA, it's not meant to detect malware downloaded by the user themselves. HMP should detect this, but not in realtime if I'm correct; this should really be cleared up by Ronny. About the keystroke encryption, it only works on browsers and not on almost ALL other apps, as KeyScrambler and SpyShelter do offer. I'm not sure why it failed in the reviewer's test.
     

  23. Tinstaafl

    Tinstaafl Registered Member

    I believe that is the generally intended workflow of HMPA + HMP.

    Step 1, HMPA "alerts" and stops the execution of a malware based on a detection of "suspicious behavior" based on the HMPA exploit mitigations and/or risk reduction hardening modules. Step 2, run the HMP scanner to detect and remove the malware files.

    IMO, this all takes place if the original malware gets past your primary AV. Anyone not running an AV is taking a risk. HMPA will likely only prevent damage by malware that you downloaded as it tries to execute.
     
  24. Rasheed187

    Rasheed187 Registered Member

    No, this is not completely what I meant.

    It depends on how malware is delivered whether HMPA will block malware from running at all. If it's downloaded by the user, it won't block the malware from running. If it's downloaded automatically via exploit, then it will block it from running.

    The risk reduction features are only of use when malware has bypassed a realtime AV like Win Defender. In this case, HMPA will block suspicious behaviors from malware that is already running in memory. You can then indeed use HMP to clean the malware.
     
  25. Tinstaafl

    Tinstaafl Registered Member

    Do you have a source for this statement?

    I always assumed that if any malware actually runs, HMPA should catch it in the act. But just downloading and storing a malware file in its inactive form would not be enough to trigger HMPA.
     