HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Not sure how effective it is, but HMPA does indeed perform realtime scanning on execution.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I guess it depends on what we mean by "realtime scanner." In the case of HMPA, I've understood it as that HMPA monitors the processes that are running on a system and then (hopefully) intercepts suspicious processes as they're starting. An AV suite might scan malware files as they're downloaded into the user's PC, but HMPA is designed to stop them from actually doing harm, instead of blocking the download.
     
  3. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    That sounds correct. HMPA does not use malware signatures to examine files like an AV program does, but rather watches for malicious processes that attempt to execute. So user downloads are not monitored.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What do you mean, that it acts similar to a realtime AV?

    No, if malware downloaded by the user is executed, then HMPA won't block the malware from running, instead it will try to block the malware from performing certain suspicious activities. While an AV will actually try to block the malware from running at all.

    Yes exactly, see above. If we're talking about a realtime scanner, then we're talking about AVs. HMPA is not an AV, but an exploit and behavior blocker. But the question remains why in HMPA's GUI there is a reference to realtime scanning, because HMP doesn't do this either, AFAIK. So no wonder the reviewer was confused. I also wonder where Ronny and Mark Loman are? They should clear things up.
     
  5. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    That distinction is not entirely clear. If the malware isn't able to perform "certain suspicious activities", that is functionally equivalent to blocking it from running its intended code. True, an AV should block it from the start, assuming it's not a zero-day and that there is an available AV signature for the malware. If not, you would hope that HMPA stops any "suspicious activities". That would most likely prevent any damage from occurring.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No offence, but I don't see what's so hard to understand. It's very simple, an AV's goal is to block malware from executing, so it doesn't even get a chance to perform suspicious activity. HMPA can also block malware from executing, but only if it's loaded by some exploit.

    If the user downloads malware manually and an AV fails to detect it, then HMPA comes into action. This is what's called behavior blocking. In other words, HMPA is NOT a realtime scanner, it's a behavior (and exploit) blocker. And HMP can be used to clean malware from disk or memory. SpyShelter and OSArmor are also behavior blockers, but some of HMPA's risk reduction features are quite unique, not found in other tools.
     
  7. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Never mind ... :rolleyes:
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now you're making it sound like I'm the one who doesn't understand it LOL. I get your point, but it's simply not the way you should look at it, that's what I'm saying. There is a difference between a realtime scanner and a behavior blocker, keep this in mind.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    It depends on what you mean with similar to a realtime AV.
    It scans files when they execute.
    Most AVs also scan files on read/write, so if you download a file it will get scanned, or if you open a folder which is full of malware it gets scanned. But HMPA doesn't do that. It also doesn't have a local signature database.

    As you said it's even in the GUI, so I don't know where you get the idea that it doesn't.
    It's also in the release notes for build 723 here: https://www.hitmanpro.com/en-us/whats-new/hitmanpro.alert
    A simple search in this thread shows an explanation by Ronny in the first paragraph:
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-647#post-2954249
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    BTW, for anyone interested, the coupon code MEGA-DEAL is still working for a 20% discount.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    HMPA - Anti-Malware
    https://hitmanpro.zendesk.com/hc/en-us/articles/4405871468305-HMPA-Anti-Malware
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Is this the info you wanted

    https://hitmanpro.zendesk.com/hc/en-us/articles/4411166494097-HMPA-Risk-Reduction
     
  13. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    The first sentence in that Zendesk article is enlightening: "The anti-malware module runs a cloud scan on the executable that is about to be started on your machine, if the cloud scanner verdict is malicious the attempt will be blocked".

    I do recall when this Anti-Malware feature was added to HMPA, but it seems like there was never much discussion of what exactly it is, and how it works, beyond the switch to enable/disable the feature.

    Unlike when Hitman Pro is running a scan, there is no UI for HMPA Anti-Malware. Does it cloud scan every executable, every time they run? I had noticed HMPA occasionally making a network connection to a remote server, but other than that, the activity is not very visible to the user.
     
  14. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I also think that HitmanPro.Alert has a different function than a complete antivirus program. It complements and strengthens malware protection.
    However, it did raise one issue that I haven't seen examined anywhere: whether there is a conflict between HitmanPro.Alert and the main antivirus protection in case of a malware attack. Just because they run side by side smoothly, without any problems, without any issues, in malware-free times, does not prove that they will properly fend off malware without any conflict with the main virus checker in the event of a malware attack. The problem is that if the main anti-virus detects the malware attack, they try to block the same memory area. This can cause problems, resulting in a system crash. I wonder if anyone has investigated this and with what results? Several very good virus protections can also protect against some attacks like HMPA does, and in such cases there can be collisions.
     
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I think this issue may have been discussed (hundreds of pages ago?), but was once an issue with HMPA & Malwarebytes running together. In that case, one or the other has to yield, or stand down. I believe the HMPA devs solved that one.

    Maybe this could also be an issue with any other anti-malware program with an aggressive behavior blocking module. But I would assume that if your AV catches the malware first, based on signature detection, the threat would likely be quarantined before HMPA ever sees it in action. But IMO, that doesn't rule out a zero-day with no known signature causing a ****storm between multiple installed real-time protection modules.
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Yes, for Chromium-based browsers we specifically created CookieGuard; as soon as non-browsers start to request the cookies and decryption from the browser, Alert will intercept and block.
    We see that for example where YouTube Downloader (YTD) is used and gets terminated for that same reason; though it's probably not a "stealer" in that sense, we leave the decision to whitelist with the user.
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HMP is a so-called '2nd opinion' scanner, so it has nothing to do with prevention; it will only come in (and was designed) to scan your system and see what your main AV missed and/or had left.
    So in no case can you compare HMP with an AV/Internet security suite, as it doesn't do prevention. On top of that we scan for 3rd party tracking cookies, and use a forensic approach in deciding what to scan (it doesn't do full scans either).
    On top of that there is the remnant scan: where traditional AVs have a tendency to only clean up the main malicious files, our remnants system was specifically designed to clean up the rest of that mess, be it malicious or PUP/PUA.

    HMPA is real-time Anti-Exploit and Anti-Ransomware protection, with an added cloud AV (known-bad hash lookups on execution, which is in no case a full-fledged AV suite) designed to run next to other security suites, which carry e.g. spam filters, URL filters, and push VPN services from the looks of it nowadays. Executing a ROP attack, or starting any unknown binary with a Hollow Process 'trick', is not something they seem to focus on. We have a load of those techniques covered.
    Add to that the Lockdown features that protect your Office things from introducing malicious stuff to the machine, e.g. Word macros or OneNote exploitation etc.; this is also something traditional suites are having issues blocking, as they lack granular whitelisting. That's where we come in, and on top of that our Anti-Ransomware module blocks and rolls back cryptographic file attacks.

    No product can offer 100% security and we're not claiming that either, so there might be new tricks or corner cases that we've not seen in the wild before.
    The real differentiator there is 'how fast can a vendor respond and roll out a generic prevention mitigation', not talking about pushing a signature detection, as that is the "traditional AV" way of doing things.
    Our product aims to protect against tricks and abuse, and does not decide if that was a 'legit' vendor doing some shady trick (think anti-cheat, license protection) or if it was malware; it gets detected and terminated.
    To mitigate breaking things we have very narrowed-down whitelisting capabilities in this case, and we can allow certain things without blowing a huge hole in the protection.

    More info can be found here:
    https://hitmanpro.zendesk.com/hc/en-us/categories/4405871255953-HitmanPro-Alert-Product-Info
     
    Last edited: Apr 11, 2023
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Ah, the "it depends". Well, it depends: if the malware is known bad to the cloud services then it will be blocked on execution.
    So let's say it's not known by hash (either new, or polymorphic); then this is where "depends" comes in. Let's say you did not download it via a protected application under HMPA (else Lockdown would be in play).

    You copy it from a local network drive, or USB stick, for the sake of keeping it as simple as possible.
    Now if that code is executed, it won't be blocked by the AV module as there is no known bad verdict for it. As long as it doesn't "exploit" tricks (read: doesn't trigger any of our Risk Reduction features),
    then it will be allowed to run. As soon as it starts doing weird tricks, e.g. Code Cave, Syscall, loading a (malicious) stager in memory, e.g. Cobalt Strike, then we kick in and terminate.

    So it is entirely possible to deliberately infect your machine with "neatly written" malware; what should not be possible is that this could be introduced to the machine by e.g. phishing attacks on production applications, e.g. via email/browser, Office macros etc.
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    True, this is the main reason "adding more security software to your machine makes it more secure" is not true; in fact it might make it worse, as described above.
    See, every security software that wants to inspect something has to get that info from somewhere, so let's say it's a hook: they hook an interesting API and get the info, but the other application also hooks that same function.
    Now they both have to make sure that they hand over the contents of the code from one to another, via their trampoline, so if that chain breaks strange things can happen.

    We aim to be as compatible as possible, but there are no guarantees, and code changes on both ends (ours and the vendors' which we try to stay compatible with), so occasionally you can run into something like what happened with Bitdefender lately.
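The hook chain RonnyT describes, shown as an added illustration (this is not HitmanPro or any vendor's code). Plain C function pointers stand in for the patched API slot, and the two hypothetical products A and B each keep a trampoline, the pointer that was in the slot when they installed. The scenarios show the chain working, then breaking when A restores its saved pointer while B is chained on top of it (B silently stops seeing calls), and the check that avoids that: only restore if you are still at the head of the chain.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "interesting API" that two security products both hook.
 * Here it is a C function reached through a pointer; real products patch
 * a prologue or an import table, but the chaining problem is the same. */
typedef int (*open_fn)(const char *path);

static int open_original(const char *path) {
    return (int)strlen(path);           /* stand-in for the real work */
}

/* The single slot both products overwrite. */
static open_fn open_entry = open_original;

/* Product A and product B each keep a trampoline: whatever was in the
 * slot when they installed, which they must call on to keep the chain. */
static open_fn trampoline_a = NULL;
static open_fn trampoline_b = NULL;
static int seen_by_a = 0;
static int seen_by_b = 0;

static int hook_a(const char *path) { seen_by_a++; return trampoline_a(path); }
static int hook_b(const char *path) { seen_by_b++; return trampoline_b(path); }

static void install(open_fn hook, open_fn *trampoline) {
    *trampoline = open_entry;           /* remember who was there before us */
    open_entry = hook;
}

/* Naive unhook: "restore what I saved". Correct only if nobody hooked
 * after us; otherwise it drops everyone chained on top of us. */
static void unhook_naive(open_fn *trampoline) {
    open_entry = *trampoline;
}

/* Careful unhook: restore only if we are still the head of the chain.
 * Returns 1 if restored, 0 if refused because someone is on top of us. */
static int unhook_safe(open_fn self, open_fn *trampoline) {
    if (open_entry != self) return 0;
    open_entry = *trampoline;
    return 1;
}

static void reset(void) {
    open_entry = open_original;
    trampoline_a = trampoline_b = NULL;
    seen_by_a = seen_by_b = 0;
}

/* Scenario 1: both install, chain intact: B -> A -> original.
 * Returns how many hooks observed the call (2). */
int hooks_that_saw_call_intact(void) {
    reset();
    install(hook_a, &trampoline_a);
    install(hook_b, &trampoline_b);
    open_entry("C:\\constructed\\sample.exe");   /* constructed path */
    return seen_by_a + seen_by_b;
}

/* Scenario 2: A unhooks naively while B sits on top. The slot now points
 * straight at the original, so B never sees the call although it still
 * believes it is inspecting. Returns 0. */
int hooks_that_saw_call_after_naive_unhook(void) {
    reset();
    install(hook_a, &trampoline_a);
    install(hook_b, &trampoline_b);
    unhook_naive(&trampoline_a);
    open_entry("C:\\constructed\\sample.exe");
    return seen_by_a + seen_by_b;
}

/* Scenario 3: A uses the safe unhook. It refuses because B is on top, so
 * B -> A -> original stays whole and both still see the call. Returns 1. */
int safe_unhook_refused_and_chain_intact(void) {
    reset();
    install(hook_a, &trampoline_a);
    install(hook_b, &trampoline_b);
    int restored = unhook_safe(hook_a, &trampoline_a);
    open_entry("C:\\constructed\\sample.exe");
    return restored == 0 && seen_by_a + seen_by_b == 2;
}
```

Scenario 2 is the quiet failure: no crash, just a product that has stopped seeing events. The noisier case RonnyT alludes to is the same chain after A's module has been unloaded while B's trampoline still points into it; the next call then jumps into freed code, which is where the "strange things" and crashes come from.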
     
  20. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Excellent rundown! :thumb:

    The reviewer of HMP.A writing here (which prompted the current discussion) would do well to absorb and understand the information you just gave.
     
  21. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Thanks for the reply. Is Firefox more immune to these types of attacks, or is implementing protection for it more challenging?
     
  22. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    203
  23. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so HMPA also offers a cloud based AV that has nothing to do with HMP's on demand scanning features. Cool, but is it then true that this cloud AV simply isn't good enough, because this is what's often stated in reviews. Is this cloud AV developed by Sophos itself, or is it using VirusTotal or what? Are there any protection statistics that we can find about this? Because the thing is, if the cloud AV is average, it might make HMPA look bad and take away from its other cool features like risk reduction.

    To be honest, I never really paid attention to the anti-malware part so that's why I probably didn't notice that realtime scanning was already added back in 2017, so my bad. To me HMPA is all about the risk reduction features.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, I don't think that Total Cookie Protection will stop malware from stealing cookies, it's actually meant to protect against tracking and fingerprinting, pretty cool feature from Firefox.

    BTW, to clarify what I meant. It's true that certain malware that is already allowed to run will probably be terminated by HMPA's risk reduction features, which indeed defeats the malware. The problem is that if this malware uses certain tricks that HMPA doesn't monitor, you're still toast. So the best case scenario is to block malware from running at all, which is the job of an AV. So HMPA should always be used in conjunction with an AV, especially if HMPA's cloud scanner is probably not that advanced.
     