HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    BTW, I totally forgot to congratulate you guys on the takeover of SecureWorks. You're not going to believe it, but months ago I wanted to give you guys a tip about this, when I read that Dell was planning to sell it. Are there any new technologies that can be ported to Sophos Intercept X, I mean from SecureWorks?

    https://www.sophos.com/en-us/press/...reworks-accelerate-cybersecurity-services-and
     
    Last edited: Dec 8, 2024
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    Yes, I was talking about on-machine malware. But I wanted to ask you what you think about Chrome's new feature: do you think this is enough to block infostealers? And is it an option to integrate such a feature into HMPA?

    https://www.bleepingcomputer.com/ne...ms-to-stop-hackers-from-using-stolen-cookies/
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Seems to work here, but beware that the first thing this old tool triggers is a HeapHeap alert; you have to whitelist/suppress that specific alert before the test will trigger the correct modules.
    Make sure to expand the alerts and check whether you have HeapHeap or, e.g., StackPivot-type interceptions.
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    We're looking into this to see if we can come up with something that monitors more widely than only Chrome cookies, but most of them we noticed trigger CookieGuard before exfiltration, so that's a start.
    Also some people are trying to bypass that new Chrome protection which is also on our radar.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    If "something" can reach files over smb/cifs on a share and they have write permissions there is nothing on the server stopping you from tampering with the contents of a file (unless we keep an eye out).
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    For testers and daredevils I have just released a new RC ;)
    Wishing you all a very Merry Christmas and a Happy New Year!
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    Yes, that's what I meant, if something could be done to block those bypasses of Chrome's built-in protection. But again, I believe HMPA should have built-in protection against infostealers that try to steal data from a lot of popular apps, not just browsers.

    https://www.bleepingcomputer.com/ne...re-bypasses-google-chromes-cookie-encryption/

    OK, I see. But I still can't picture this; I assumed they needed to use some type of remote desktop tool, but apparently this isn't even necessary. But if HMPA protects the server itself, this would already be enough to block remote ransomware, no? Because apparently you guys are talking about a scenario where the server has been hacked.
     
    Last edited: Dec 21, 2024
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    BTW, what I meant is that if you block the first stage of the exploit chain, then perhaps it can't even trigger the privilege escalation in Windows? Or doesn't HMPA have a chance when Windows privilege exploits are being used?

    I think it's stuff that you guys need to be testing. I'm now talking about the Chrome zero day exploit that installed the FudModule rootkit. I also wonder if it's possible to detect this FudModule rootkit via HMPA.

    And about my other question, whether it's enough to do any damage with remote code execution without escaping the browser's sandbox, it's actually explained in this article, and the answer is yes.

    So if a tool like HMPA could prevent this, this would be a major selling point, why not use this in marketing? Of course you guys still need to test these exploits, I'm sure Sophos has got ways to get access to these exploits.

    https://www.bleepingcomputer.com/ne...-defi-game-to-exploit-google-chrome-zero-day/
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    No, this is used in business networks by attackers: they take an unprotected machine, map a drive, run the encryption on that unprotected machine and save the files back to the share.
    So the file server never sees any malicious process running, only changed files coming in.
     
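The pattern Ronny describes, seen from the server's side: the share only ever receives modified files, there is no malicious process on the server to inspect. The following is an added example, not HitmanPro.Alert or Sophos code, that shows one crude server-side heuristic for exactly that situation. It assumes a hypothetical audit feed of SMB write events (the `WriteEvent` fields, the client addresses and the file contents are all constructed) and flags a client that overwrites many distinct files with ciphertext-like content inside a short window. A single high-entropy write, such as a backup archive being uploaded, is deliberately not enough to trigger it.

```python
"""Added example (not HitmanPro.Alert / Sophos code): flag the write pattern
of 'remote ransomware' as it appears from the file server side."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file write arriving over SMB, as a hypothetical audit feed would report it."""
    ts: float       # seconds since the start of the capture
    client: str     # remote client that owns the SMB session
    path: str       # share-relative path of the file being overwritten
    data: bytes     # (a sample of) the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 means encrypted or compressed, plain text is typically 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_remote_encryption(events, entropy_threshold=7.0,
                             window=60.0, min_files=5):
    """Return {client: [paths]} for every client that, within `window` seconds,
    overwrote at least `min_files` distinct files with high-entropy content."""
    recent = defaultdict(deque)   # client -> deque of (ts, path) for high-entropy writes
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) < entropy_threshold:
            continue                      # ordinary content, not interesting here
        q = recent[ev.client]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:
            q.popleft()                   # slide the window forward
        distinct = {p for _, p in q}
        if len(distinct) >= min_files:
            flagged[ev.client] = sorted(distinct)
    return flagged


def _pseudo_random(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, h = b"", seed.encode()
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample feed: ordinary edits from 10.0.0.5, one archive upload from
# 10.0.0.7, and a burst of encrypted overwrites from the unprotected 10.0.0.99.
SAMPLE_EVENTS = [
    WriteEvent(0.0, "10.0.0.5", "finance/q1.xlsx", b"Quarterly report, revenue up 4%. " * 8),
    WriteEvent(12.0, "10.0.0.5", "finance/notes.txt", b"meeting notes " * 40),
    WriteEvent(50.0, "10.0.0.7", "backups/archive.zip", _pseudo_random("zip", 1024)),
] + [
    WriteEvent(100.0 + i, "10.0.0.99", f"hr/file{i}.docx.locked", _pseudo_random(f"file{i}", 1024))
    for i in range(8)
]

if __name__ == "__main__":
    for client, paths in detect_remote_encryption(SAMPLE_EVENTS).items():
        print(f"{client}: {len(paths)} encrypted-looking overwrites, e.g. {paths[0]}")
```

Only 10.0.0.99 is reported: the archive from 10.0.0.7 is high-entropy but a single file, and the text edits from 10.0.0.5 never pass the entropy threshold. Real server-side protection looks at far more than entropy and counts, but the example shows why the server is not blind just because no process runs there.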
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    OK, so with unprotected machine you mean a PC or server? And why would this machine be unprotected, I mean HMPA/Intercept X runs on all endpoints right?

    But anyway, what do you think about my conclusion about the way exploits work? So if hackers exploit Chrome in stage 1, can they already steal cookies and passwords, without actually having to load malware from disk? So I assume this malware runs purely in-memory, and I assume HMPA could stop this?
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Keystroke Encryption no longer working in Norton Private Browser

    Norton 360 has recently undergone an overhaul to a new and not-improved version that uses the Avast engine. As a result, I can no longer type anything in the Norton Private Browser, as anything I type there now shows up scrambled.

    I'm reporting this so that the HMP.A team can look into it. I would rather not turn off Keystroke Encryption, as I can't pick and choose which applications to disable it in.
     
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Tx, I'll see if we can reproduce and mitigate
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Thanks! :thumb:

    A few more data points, in case they're useful: Just for clarity, disabling Keystroke Encryption did eliminate the letter scrambling. Also, the Norton Private Browser is on version 131.0.27624.87, while HMP.A is at 3.8.26, build 983.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    BTW Ronny, I really think you guys should implement out of the box protection against infostealers that manage to run on the system. Why not make a list of popular apps that are targeted by infostealers and protect their folders from being accessed? I say this, because I have been reading about the latest crypto hacks, see third link.

    Also, I wondered what you think about UpSight Security: are they really on to something, or is it mostly hype? They claim to use LLMs (AI) in order to block malware attacks that others might miss, apparently. I remember that Cylance also claimed that AI was the future like 10 years ago, but we all know how that ended.

    https://upsight.ai/product
    https://upsight.ai/technology
    https://www.wilderssecurity.com/thr...ew-macos-malware-against-crypto-firms.455657/
     
    Last edited: Jan 11, 2025
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    BTW, another thing that I forgot to ask, we all know that Windows has built-in exploit protection, but similar to the Windows Defender GUI, it's very unhandy to use. This alone makes HMPA and MBAE worthwhile.

    But isn't it true that HMPA offers even more exploit mitigations? Where can I find this information? I think this should be made clearer on the HMPA website, because it's a major selling point. In the past you did have these types of comparisons.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands
    BTW, did you see this article? It describes a few methods that infostealers use to bypass Chrome's "cookie protection" feature. It would be nice if HMPA monitored this stuff.

    https://www.elastic.co/security-labs/katz-and-mouse-game
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,098
    Location:
    The Netherlands