Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Well, MBAE also stops the MBAE test when you rename it.
What about owners of MBAE in the router license? Is Alert also free for them?
I'm having the same issue too on Windows 8.1 Update 64-bit with Sandboxie V 4.13.1 (64-bit). I think this might be specific to 64-bit systems, as everyone who reported this issue is using a 64-bit OS. Also, it only affects Firefox and Pale Moon in my observations (maybe specific to Firefox-based browsers).
That is incorrect. If you rename the mbae-test.exe it will not be protected or stopped by MBAE.
But just for clarity, the option to manually add applications to HitmanPro.Alert's exploit mitigations is deliberately omitted in the Community Technical Preview. But all web browsers (incl. Maxthon, Pale Moon, Comodo Dragon, etc.) as well as their plug-ins (incl. Adobe Flash and Java), and Office applications like Word, are protected out of the box. In addition, we also added built-in support for our Exploit Test Tools (with 19 attacks) and the MBAE Test Tool (mbae-test.exe). Naturally, the anti-exploit technologies in HitmanPro.Alert can be applied to virtually any application.
I imagine you are talking about Sitecom Cloud Security, based on our UTM router technology? Sitecom is not our brand. It is a very different product and technology with separate licenses. Licenses for Sitecom Cloud Security will not work on HitmanPro or HitmanPro.Alert.
Does this mean that I can run/enable CTP1 with Firefox? (my main browser)
Yes, I meant HitmanPro in Sitecom routers.
StartIsBack and the HMPA3 public preview seem to be incompatible.
On my older PC, running WIN8.1-64-pro, I had only the mouse pointer on a black background.
Task Manager was accessible, but explorer.exe was not running and could not be started.
After replacing StartIsBack with Start8, everything was fine.
Maybe just an individual issue, but I wanted to point it out.
Congratulations, truly is a piece of brilliant work. Well done to all involved.
As for some feedback from my very limited testing so far, the PDF manual was well written and all the exploits in the test (64-bit) ran successfully if followed correctly.
My system: W7 64, with Chrome, Office and Phantom PDF (no Java or resident Flash, although I will install them when thorough testing is done).
Unable to check the box for "scan for malware" upon install (during the install dialogue prompt).
Registered and recognized my existing license with HMP, that's nice.
Recognised all my apps, like Office, PDF, etc.
"Show green border" checkbox cannot be unchecked.
Something interesting with the keylogger test though, for example:
I opened Chrome, then clicked at the top where you type your search. I opened the HMPAlert test (64-bit), then the keylogger test, and clicked back into Chrome where you type your search. I proceeded to type, but my keystrokes were also encrypted in Chrome as well as in the testing app. See the following pic.
Thanks for reporting, much appreciated!
I've investigated it myself but I cannot find any issue between StartIsBack and HitmanPro.Alert 3. What other security software do you have on your machine? Thanks!
After a reboot and running the test tool again, I am unable to reproduce the above, and all seems to work correctly.
Could someone please explain to me the difference between "passive" and "active vaccination" ?
Thanks for the list. Checkboxes without white text are not functional (greyed out). This means that, indeed, 'Scan for malware' on the install dialogue, 'Show border around applications' (Safety notification) and 'Running applications ...' (Exploit mitigations) are currently not available.
From your screenshot I can see that keystroke decryption is not taking place at that particular moment, resulting in garbled text (attacker would capture the garbled text as well). You found a bug. If you type outside the browser the issue should automatically resolve. We're investigating it. Fortunately this bug does not happen often and has to do with some particular key combinations.
Good question! The purpose of the vaccination feature is to make malware think it is running inside a virtualized environment. It deliberately makes sandbox-aware malware believe it entered an automated analysis system or the computer of a malware researcher, causing the malware to disable itself.
Passive vaccination adds static objects to the Windows configuration so that it looks like Windows is running in VMware or VirtualBox.
Active vaccination also adds the static objects, but in addition actively makes unknown processes believe they are being monitored for reverse engineering.
Hope this helps!
Perfect, thank you for responses.
I will keep on fiddling with this software and I'll keep you posted if I find any more issues.
Tried it, here are some first-hand comments:
- brings EMET+ to 64 bits (which is quite a feat, to realize this before Microsoft does)
- efficient software package, considering it contains a disassembler, injects code, etc.
- smartly adds some CPU-related features (although a bit overmarketed in my opinion)
For DIYBOB nerds (do it yourself best of breed) like me who like freebies, a combo (EMET5 and MBAE free for browsers) is still a viable and cheap alternative on 32-bit OSes. On modern CPUs with 64-bit OSes the game is on: HMPA vs MBAE (leaving AppGuard out of this discussion because it also offers other protection).
With my limited testing it was a draw (exploit kit wise). HMPA offers some additional functionality over MBAE; HMPA markets more features against overflow conditions (smartly proved by its own test), but MBAE has more layers (in case the actual overflow is missed, which theoretically helps to protect against future unknown bypasses). Interesting battle IMO, which will also depend on ironing out incompatibilities of the HMPA release candidate.
Okay, I should have added "and add that to guarded programs", but since HMPA will also offer this feature in the final release, I will retract this critique/take my words back (probably correct Dunglish but incorrect English, but I trust you understand what I intended to say).
@markloman and @erikloman, being a fellow Dutchman, may I suggest a final touch?
Hook 'create file' and 'URL download to file/cache' in HMPA and invoke an automated scan for executable binaries with HitmanPro when it occurs in browsers and plug-ins. This will add a second layer and provide real-time HMP 'dropper' scanning.
I do not think you understand how important this feature is.
Hardware-assisted CFI allows Alert 3 to query the CPU on which branches it took before reaching a checkpoint.
This is in contrast to EMET, which can only traverse the stack to see what is going to happen next. Since the stack is under the control of an attacker, you can serve EMET a fake stack, which obviously has consequences.
To illustrate, Alert can block this attack just by analyzing the branches the CPU took:
We've included a 'Jared DeMott'-like exploit in our Exploit Test Tool to illustrate (ROP via Call). You'll see that EMET doesn't detect it and Alert does.
NOTE: MBAE currently does not mitigate ROP attacks at all.
Hope this helps.
The explanation helps; it overcomes the criticism insiders/experts have of the ROP protection of EMET (which some call a laugh). It is an important benefit over EMET's ROP mitigations.
Unless you think I am the only one with limited understanding of the impact, it might help to add the explanation above in chapter 2.5?
Would love to see this implemented. I have been looking for a way to automate scanning of downloads, considering I (and I'm guessing a lot of others) don't use real-time AV.
Very nice upgrade from 2.X! The only issue I've had is the Nexus toolbar/launcher crashes when Active Vaccination is enabled. Nexus will load if Alert is switched to Passive Vaccination. Hopefully legit apps can be whitelisted/excluded in the future (?)
We're fixing this in an upcoming release, no worries.
It would be nice if SurfRight could also offer a third-party exploit test, to prove how effective the new HitmanPro.Alert is. After all, MBAE is known to block all exploit kits. On the other hand, HMP.A v3 seems to be a lot more advanced at first sight.
Congrats on the new HitmanPro.Alert! I will soon take it for a test drive.
By the way, will it stop Sandboxie from running apps sandboxed, or will the exploit protection not work in sandboxed processes?
Excellent release. I have been testing it and it works fine: the perfect and user-friendly replacement for EMET, especially taking into account that the protection is much more extensive.
What would be the price of the paid version? yearly, lifetime?
Do you plan to have versions with and without HP?
I think it was confirmed that you plan to include a tray icon...? When will it be ready? (if it's true)