HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    OK cool, but I came across this article where Sophos recommends not to use the built-in browser password manager, but if HMPA (and Sophos Intercept X) can block malware from stealing cookies, shouldn't it be able to also block malware from stealing browser passwords?

    https://news.sophos.com/en-us/2024/...stealing-credentials-stored-in-google-chrome/
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    From on-machine malware that would be possible to defend against; if websites use tricks to trap users into submitting/leaking stuff from their pw manager, then in that case it's not something HMPA can prevent.

    e.g. tricks like this, which are not unique to Bitwarden; there are a bunch of similar tricks:
    https://www.bleepingcomputer.com/ne...an-let-hackers-steal-passwords-using-iframes/
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    Yes exactly, there isn't much that can't be done if a website somehow exploits the auto-fill feature, but this can affect other password managers too, and besides they aren't always bug-free, see link.

    But the point that I'm trying to make is that instead of warning people not to use the built-in password managers of browsers, it would make more sense to add "out of the box" protection against datastealers. Because all these datastealers do is look for certain files on disk, they aren't actually that advanced. So why not add this feature to HMPA?

    https://cybernews.com/security/proton-pass-security-flaw/
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    BTW, you forgot to respond to the other thread. I wonder why this malware wasn't able to terminate Sophos Intercept X; does it have some kind of advanced tamper protection?

    https://www.wilderssecurity.com/thr...new-malware-to-kill-security-software.454839/

    And perhaps you can also respond to JEAM:

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-679#post-3204113
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    I assume it's a false positive unless this image tried to exploit this CopyTransViewer app.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    BTW, I have some other question but this time about exploits.

    Is it enough to get remote code execution in order to load a cookiestealer, as seen with the Chrome exploit on iOS, or do they also need to escape the sandbox? I also don't know whether this is a true in-memory exploit. And I assume this type of exploit would work the same on macOS and Windows.

    And about the Chrome exploit on Windows, do you think that HMPA/Intercept X would be able to block this exploit from installing the FudModule rootkit? I mean this is very scary stuff; it reminds me of when I joined this forum, because I was worried about advanced browser exploits that could load malware that completely bypassed AVs.

    https://www.bleepingcomputer.com/ne...s-chrome-exploits-created-by-spyware-vendors/
    https://www.bleepingcomputer.com/ne...rs-exploit-chrome-zero-day-to-deploy-rootkit/
     
  8. MtrXUser

    MtrXUser Registered Member

    Joined:
    Feb 15, 2017
    Posts:
    7
    Location:
    here
    Well, I wrote an email to the HMPA support team (02.09.2024), but till now no answer/reply from them. Maybe Ronny you can help me?:

    "Hi support team,

    today your HMPA said there is an update and it will be installed after reboot, but after reboot it didn't install at all.
    so I downloaded it and installed it myself, but then it showed only the 30-day trial version, so I tried to activate it with my key
    "XXXXX-XXXXX-XXXXX-XXXXX"
    but then a message popped up, saying maximum activation reached, and I couldn't activate my key because of this. Need help

    best regards"
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    It does trigger the ROP but seems to be an FP; you can use suppress alert on this one.
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Without full reproduction this is difficult to answer correctly. They do mention the 3CX, for example, which we did block with one of our regular modules.
    This reads like there is privilege escalation, which could possibly also trigger; on the other hand, you have to keep in mind that these kinds of exploits are expensive and they are not going to burn them on users they don't expect to target.
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Done
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Thanks @RonnyT! :thumb:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    OK thanks, but surely you guys can at least investigate this stuff? I mean, I assume in order to exploit the browser they first need to be using a certain exploitation technique, which I assume HMPA monitors? And the 3CX hack was not related to some exploit; it was simply a trojanized app.

    And yes, I know these types of advanced exploits are normally used in targeted attacks, but from a technical point of view it's quite interesting. But I wonder, once such an exploit successfully escapes the browser's sandbox, is there anything that can be done to block this FudModule rootkit, or is it game over?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    Also, you once again didn't respond to my other posts. Perhaps you simply don't know why malware wasn't able to terminate Intercept X? And what about my suggestion to make HMPA protect data that is often targeted by infostealers? Would this be too complex? In my view, it shouldn't be difficult to protect stuff like browser passwords and crypto wallets.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    BTW, I never really understood how advanced CryptoGuard was. So from what I understand it basically monitors all file system activity, and only when it spots something that seems to be encryption does it come into action, while rolling back the original files? Also, I didn't really understand everything about this remote ransomware stuff: how can files be encrypted on some PC when the ransomware isn't even running on the endpoint?

    https://news.sophos.com/en-us/2023/...protection-against-remote-ransomware-attacks/
     
  16. remoteguy

    remoteguy Registered Member

    Joined:
    Oct 28, 2024
    Posts:
    1
    Location:
    EU
    Seems like we got false-positive? With Windows updates:

     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
  18. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    399
    Location:
    Finland
    @Rasheed187
    For remote ransomware, check this link
    I'm using Sophos Home Premium on some of my Sophos Home managed PCs. However, they made a... bad mistake for Sophos Home users.
    For home users Sophos pulls component updates (hmpa.alert mainly) 2-3 times a year.
    I was curious what the latest version of hmpa.alert was... for home users. It was... 2 years old. Reported it back to Sophos; it took 2 weeks for them to react.
    So, Sophos Home users had used a 2 years old (2022) hmpa.alert (CryptoGuard) component...
    Funny thing was that it took 2 weeks to pull "an update" for Home users. No good, no good at all.

    For Sophos Home users, CryptoGuard reserves 3 GB of storage space for rolling back a possible ransomware attack.

    Protection-wise, I do like the Home version a lot. The hmpa.alert component is very effective, the remote ransomware method is very good and the MITRE ATT&CK® framework is a real plus. Very good web filter, without installing a "browser component".
    What I do not like:
    - MBR protection should be improved, a lot
    - Process Ghosting protection
    - API unhooking methods
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    Thanks for the link, but I'm afraid it's still not clearly explained. If ransomware is not running on the local device, then I assume this device is being controlled by the infected server? So how would you spot this activity? I wonder where Ronny is; I asked him a whole lot of questions almost 3 months ago, but no response.
     
  20. lyldz

    lyldz Registered Member

    Joined:
    Jun 4, 2016
    Posts:
    20
    Location:
    turkey
    Really, for the first time in a long time I read someone who wrote about the shortcomings for home version users. So the product does not progress at all and still does not give me confidence.


    Thank you very much for your correct and accurate writings.
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    I'm here :)
    We're inspecting file manipulation on the attacked machine and will block the remote IP once it has triggered the CG.
    I'm pretty sure you can imagine I can't tell exactly how this works, as that would give the attackers way too much ammo to tamper with it.
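
The two mechanisms discussed in this part of the thread (the question in post 15 about CryptoGuard watching file system activity and rolling back originals, and the answer above that remote ransomware is caught by inspecting file manipulation on the attacked machine and then blocking the remote IP) can be sketched as a small behavioural model. This is an added illustration, not Sophos or HitmanPro.Alert code, and the real CryptoGuard heuristics are not public; the event format, the `pid:`/`ip:` source labels, the entropy threshold and all file contents below are constructed for the example.

```python
"""Toy model of behaviour-based ransomware detection with rollback.

Added illustration, not Sophos/HitmanPro.Alert code: the real CryptoGuard
logic is not public. Sources, paths and file contents here are constructed.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file write as a file system filter might report it.

    source is "pid:<n>" for a local process, or "ip:<addr>" for a write that
    arrives over a remote session (the remote-ransomware case, where no local
    process is doing the encrypting).
    """
    source: str
    path: str
    old_data: bytes   # content before the write (what the guard snapshots)
    new_data: bytes   # content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_encryption(ev: WriteEvent, high: float = 7.0) -> bool:
    """Low-entropy content replaced by high-entropy content is the tell."""
    return shannon_entropy(ev.new_data) >= high and shannon_entropy(ev.old_data) < high


class CryptoGuardModel:
    """Watches writes; acts only after `trigger` encryption-like writes from one source."""

    def __init__(self, trigger: int = 3):
        self.trigger = trigger
        self.suspicious = defaultdict(list)   # source -> suspicious WriteEvents
        self.snapshots = {}                   # path -> content before first write seen
        self.blocked_ips = set()
        self.terminated_pids = set()
        self.restored = {}                    # path -> content rolled back

    def observe(self, ev: WriteEvent):
        # Keep the first version of each file so it can be rolled back later.
        self.snapshots.setdefault(ev.path, ev.old_data)
        if not looks_like_encryption(ev):
            return None
        self.suspicious[ev.source].append(ev)
        if len(self.suspicious[ev.source]) >= self.trigger:
            return self.respond(ev.source)
        return None

    def respond(self, source: str) -> str:
        kind, ident = source.split(":", 1)
        if kind == "ip":
            self.blocked_ips.add(ident)           # remote attacker: cut the session
        else:
            self.terminated_pids.add(int(ident))  # local attacker: stop the process
        for ev in self.suspicious[source]:        # roll back what it touched
            self.restored[ev.path] = self.snapshots[ev.path]
        return source


def fake_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


PLAINTEXT = b"Invoice 2024-Q3: amount due 1,250.00 EUR. Please pay within 30 days.\n" * 16


def run_demo() -> CryptoGuardModel:
    """Constructed activity: a benign local edit, a local backup tool writing one
    compressed archive (high entropy, but only one file), and a remote host
    (constructed address) encrypting three documents on a share."""
    guard = CryptoGuardModel(trigger=3)
    events = [
        WriteEvent("pid:1001", "C:/Users/alice/notes.txt", PLAINTEXT, PLAINTEXT + b"Updated.\n"),
        WriteEvent("pid:4242", "D:/backup/2024-10.zip", b"", fake_ciphertext("zip")),
    ]
    for n in range(1, 4):
        path = f"//FS01/finance/invoice{n}.docx"
        events.append(WriteEvent("ip:10.0.0.5", path, PLAINTEXT, fake_ciphertext(path)))
    for ev in events:
        guard.observe(ev)
    return guard


if __name__ == "__main__":
    g = run_demo()
    print("blocked IPs:", g.blocked_ips, "terminated PIDs:", g.terminated_pids)
    print("rolled back:", sorted(g.restored))
```

Two design points carry over to the real products, whatever their internal heuristics: the guard acts only after several encryption-like writes from the same source, so a backup tool writing a single compressed archive is not terminated, and it snapshots content before it decides anything, which is what makes rollback possible. For a remote source there is no local process to stop, so the only handle is the session's IP, which is why the answer above talks about blocking the remote IP rather than killing a process.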
     
  22. Craven

    Craven Registered Member

    Joined:
    Sep 7, 2020
    Posts:
    6
    Location:
    Germany
    I have just installed HMP Alert and immediately tested it with the tool hmpalert64-test. It works perfectly, except for the two Firefox browsers, Firefox itself and the Mullvad browser. These start without HMPA intervening during any kind of “attack”. Is this a known problem or do I have to go troubleshooting? :D
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Are you on Windows 10 or 11?
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    Good to see you, and yes of course I understand you can't tell everything, but I'm trying to understand the basics. But in other words, HMPA/Intercept X is able to spot malicious file system behavior on the attacked machine, even if there is no local process doing the encrypting? Something like that I assume? So I guess the encrypting is being performed by remote desktop software?

    And what about my idea to beef up security in HMPA, so that it can block infostealers from stealing browser cookies and passwords? Normally speaking, if untrusted processes can't get access to the browser profile folder, they won't be able to steal this stuff, right? Or are infostealers a bit more advanced?
     
  25. Craven

    Craven Registered Member

    Joined:
    Sep 7, 2020
    Posts:
    6
    Location:
    Germany
    Hi Ronny, it happens on both my desktop PC with Windows 10 and on my notebook with Windows 11.
     