HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Well, MBAE stops MBAE test also when you rename it :cool:
     
  2. What about owners of MBAE in the router license? Is alert also free for them?
     
  3. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    Me too having the same issue on windows 8.1 update 64 bit with Sandboxie V 4.13.1 (64bit). I think this might be specific to 64 bit system as everyone reported this issue is using a 64 bit OS. Also it only affects Firefox and palemoon in my observations (maybe specific to firefox based browsers)
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    That is incorrect. If you rename the mbae-test.exe it will not be protected or stopped by MBAE.

    But just for clarity, the option to manually add applications to HitmanPro.Alert's exploit mitigations is deliberately omitted in the Community Technical Preview. But all web browsers (incl. Maxtheon, Palemoon, Comodo Dragon, etc.) as well their plug-ins (incl. Adobe Flash and Java), and Office applications like Word are out-of-the-box protected. In addition we also added built-in support for our Exploit Test Tools (with 19 attacks) and the MBAE Test Tool (mbae-test.exe). Naturally, the anti-exploit technologies in HitmanPro.Alert can be applied to virtually any application.
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    I imagine you are talking about Sitecom Cloud Security, based on our UTM router technology? Sitecom is not our brand. It is a very different product and technology with separate licenses. Licenses for Sitecom Cloud Security will not work on HitmanPro or HitmanPro.Alert.
     
  6. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,131
    Does this mean that I can run/enable CTP1 with Firefox? (my main browser)
     
  7. Yes, I meant HitmanPro in sitecom routers.
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    Start is back and HMPA3 public preview seem to be incompatible.
    On my older PC, running WIN8.1-64-pro, I had only the mouse pointer on a black background.
    Taskmanger was accessible, but explorer.exe was not running and could not be started.

    After replacing Start is back, with Start8, everything was fine.

    Maybe just an individual issue, bur I wanted to point on it.
     
  9. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Congratulations, truly is a piece of brilliant work. Well done to all involved. :thumb:

    As for some feedback in my very limited testing so far, the PDF manual was well written and all the exploits in the test(64bit) ran successfully if followed correctly.

    My system W7 64, with Chrome,Office and Phantom PDF, (no Java or resident flash although i will install when through testing is done)

    • Unable to check box for scan for malware upon install (during install dialogue prompt)
    • Registered and recognized my existing license with HMP, thats nice
    • recognised all my apps, like office PDF etc
    • Show green border checkbox cannot be unchecked

    Something interesting with the keylogger test though for example;

    I opened chrome then clicked at the top where you type your search, i opened HMPAlert test 64 bit , then keylogger test, clicked back into chrome where you type your search. I proceeded to type but my keystrokes we also encrypted in chrome as well as the testing app. See following Pic

    Encryption.PNG



    Regards.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Thanks for reporting, much appreciated!
    I've investigated it myself but I cannot find any issue between StartIsBack and HitmanPro.Alert 3. What other security software do you have on your machine? Thanks!
     
  11. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Update:

    After a reboot and running the test tool again i am unable to reproduce the above, and all seems to work correctly.

    Could someone please explain to me the difference between "passive" and "active vaccination" ?

    regards
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Thanks for the list. Checkboxes without white text are not functional (greyed out). This means that, indeed, 'Scan for malware' on the install dialogue, 'Show border around applications' (Safety notification) and 'Running applications ...' (Exploit mitigations) are currently not available.
    From your screenshot I can see that keystroke decryption is not taking place at that particular moment, resulting in garbled text (attacker would capture the garbled text as well). You found a bug. If you type outside the browser the issue should automatically resolve. We're investigating it. Fortunately this bug does not happen often and has to do with some particular key combinations.
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Good question! The purpose of the vaccination feature is to make malware think it is running inside a virtualized environment. It deliberately makes sandbox-aware malware belief it entered an automated analysis system or the computer of a malware researcher, causing the malware to disable itself.
    • Passive vaccination adds static objects to the Windows configuration so that it looks like Windows is running in VMware or VirtualBox.
    • Active vaccination also adds the static objects but in addition actively makes unknown processes belief it is being monitored for reverse engineering.
    Hope this helps!
     
  14. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Perfect, thank you for responses.

    I will keep on fiddling with this software and ill keep you posted if i find any more issues.

    Regards.
     
  15. Tried it, here are some first hand comments
    - brings EMET+ to 64 bits (which is quite a feat, to realize this before Microsoft does)
    - efficient software package considering it contains a disassembler, injects code etc.
    - smartly adding some CPU related features (allthough a bit overmarketed in my opinion)

    For DIYBOB-nerds (do it yourself best of breed) like me who like freebies, a combo (EMET5 and MBAE free for Browser) is still a viable and cheap alternative on 32 bits OS-ses. On modern CPU's with 64 bits OS-ses the game is on HPMA vs MBAE (leaving AppGuard out of this discussion because it offers also other protection).

    With my limited testing it was a draw (exploitkit wise), HMPA offers some additional functionality over MBAE, HMPA markets more features against overflow conditions (smartly prooved by its own test), but MBAE has more layers (in case the actual overflow is missed, which theoretically helps to protect against future unknown bypasses). Interesting battle IMO, which also will depends on ironing out incompatibilities of HMPA release candidate.
     
    Last edited by a moderator: Jul 11, 2014
  16. Okay, should have added "and add that to guarded programs", but since HMPA will also offer this feature in final release, I will retract this ctritique/take my words back (probably correct Dunglish but incorrect English, but trust you understand what I intended to say).
     
  17. @markloman and @erikloman being a fellow Dutch, may I suggest a final touch?

    Hook 'create file' and 'url download to file/cache' in HMPA and invoke an automated scan for executable binaries with HitmanPro when it occurs in browsers and plug-ins. This will add a second layer and provide realtime HMP 'dropper' scanning.
     
    Last edited by a moderator: Jul 11, 2014
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I do not think you understand how important this feature is.

    Hardware-assisted CFI allows Alert 3 to query the CPU on which branches it took before reaching a checkpoint.
    This in contrast to EMET which can only traverse the stack to see what is going to happen next. Since the stack is under control of an attacker, you can serve EMET a fake stack, which obviously has consequences.

    To illustrate, Alert can block this attack just by analyzing the branches the CPU took:
    http://www.networkworld.com/article...-researcher-bypasses-all-emet-protection.html

    We've included a 'Jared DeMott' like exploit in our Exploit Test Tool to illustrate (ROP via Call). You'll see that EMET doesn't detect and Alert does.

    NOTE: MBAE currently does not mitigate ROP attacks at all.

    Hope this helps.
     
  19. The explanation helps, it overcomes the critism insiders/experts have on the ROP-protection of EMET (which some call a laugh), it is an important benefit over EMET ROP mitigations.

    Unless you think I am the only one with limited understanding of the impact, it might help to add the explanation above in chapter 2.5?
     
    Last edited by a moderator: Jul 11, 2014
  20. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    +1
    Would love to see this implemented. I have been looking for a way to automate scanning of downloads, considering i ( and guessing alot of others ) dont use realtime AV.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,116
    Location:
    USA
    Very nice upgrade from 2.X! :thumb: The only issue I've had is the Nexus toolbar/launcher crashes when Active Vaccination is enabled. Nexus will load if Alert is switched to Passive Vaccination. Hopefully legit apps can be whitelisted/excluded in the future (?)

    Ashampoo_Snap_2014.07.11_06h26m39s_001_.png
     
  22. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    We're fixing this in an upcoming release, no worries.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    It would be nice if SurfRight could also offer a third party exploit test, to proof how effective the new HitmanPro.Alert is. After all, MBAE is known to block all exploit kits. On the other hand, HMP.A v3 seems to be a lot more advanced at first sight. :)
     
    Last edited: Jul 12, 2014
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Congrats with the new HitmanPro.Alert! I will soon take it for a testdrive. :thumb:

    By the way, will it stop Sandboxie from running apps sandboxed, or will the exploit protection don´t work in sandboxed processes?
     
  25. guest

    guest Guest

    Excellent release I have be testing it and it works fine :) the perfect and user friendly replacement of EMET specially taking into account that the protection is much more extended.

    What would be the price of the paid version? yearly, lifetime?
    Do you plan to have versions with and without HP?
    I think it was confirm that you plan to include a tray icon...? when it will be ready? (if it's true)
     
    Last edited by a moderator: Jul 11, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.