HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What browser (+add ons) are you using?
    What version of Windows are you using?
    What AVs are installed?
    Are you using Sandboxie, MBAE or EMET?

    Thanks :thumb:
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,429
    I'll PM you. ;)
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,297
    1st a question? Does version 3 run on XP. I have an XP tablet I'd like to try it on.

    2nd. A live test. Results Excellent.

    I received one of those sucker emails, confirming a reservation I never made, with the ticket scan attached. Attachment is a zip file, which contains an executable. Sneaky part is when extracted it uses the Word icon, so if you had extensions hidden it looks like a doc file. Running it, EIS was first to catch it, so I disabled EIS. Ran it again, and Alert stopped it in its tracks. I let it scan and my screen ended up a bright red.

    WELL DONE.
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    HitmanPro.Alert version 3 supports Windows XP Service Pack 3, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 Technology Preview.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,297
    Thanks Mark. This is Tablet PC Pro on a Lenovo Thinkpad. I am sure it's SP3, so it should work. One way to find out. :)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    @ erikloman and markloman

    Can you tell a bit more about the "Network Lockdown" feature? :)

    EDIT: And what about an option to turn off protection via the tray-icon?
     
    Last edited: Oct 2, 2014
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    On Win XP SP2 it indeed didn't seem to work correctly, but may have also been caused by a conflict with my other HIPS.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    SP2 is not supported.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,885
    Location:
    Canada
    thank you
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,885
    Location:
    Canada
    it is fixed now :) I don't see the green border anymore
     
  11. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    @markloman @erikloman

    Regarding LibreOffice / OpenOffice exploit mitigations, shouldn't it suffice to watch only soffice.bin?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3 build 90 CTP4

    With each Community Technology Preview (CTP) of HitmanPro.Alert 3 we introduce new features for compatibility testing. CTP1 was our first development release of HitmanPro.Alert 3 wherein we introduced our hardware-assisted exploit mitigations. A few weeks later, with CTP2, we added the ability for users to add and protect custom applications through an easy-to-use Running Applications interface. In CTP3 we enabled our network inspection driver and delivered Network Lockdown for Java applications, while we also expanded support to all Intel Core i3, i5 and i7 processors for our hardware-assisted exploit protection.

    With this fourth and last Community Technology Preview (CTP4) we introduce Application Lockdown, Virtual Machine Simulation (part of Active Vaccination) and a second (default) Simplified User Interface. In addition we applied Network Lockdown not only to Java but also Office applications, while we improved compatibility with applications reported by the security community.

    As before, this preview is released here at Wilders Security Forum only.
    This preview is NOT to be used in production environments.


    Release Notes
    • Added Application Lockdown feature to Exploit Mitigations’ code mitigations, which enables safe use of protected applications while preventing high risk actions. If attackers successfully bypass sandbox, memory and other code mitigations, they still cannot introduce and run new executables, or manipulate the Windows Registry to run malicious code. For example, because Microsoft Word is designed to write documents, it can no longer be abused to abnormally download, create and run binaries – Alert blocks this inappropriate behavior, effectively stopping attackers from executing malicious payloads. Application Lockdown also affects attacks that abuse e.g. macros in Office documents to hoist in malware via phishing emails.
    • Added Virtual Machine Simulation to Active Vaccination. This new feature adds to our Debugger Simulation, and both are designed to make VM-aware malware believe it is attacking a virus research sandbox/honeypot, which causes it not to infect the machine and to self-terminate. Vaccination turns malware’s own defenses against itself.
    • Added Minimize button to the installer and main user interface.
    • Added Simplified User Interface, which is now the default interface. Users can use the new Settings menu, next to the new Minimize window button, to reveal the Advanced Interface. The simplified user interface also warns users when important features are disabled or when the computer needs to be scanned for malware.
    • Added Network Lockdown to Office applications, including PDF programs like Acrobat Reader. This helps to stop attackers from establishing a command-and-control connection. The Network Lockdown setting can be found by clicking on the orange Security tile.
    • Added registry protection to prevent illegal registry data. This feature is part of Vaccination and blocks e.g. the persistent Poweliks malware, which is diskless and lives in the registry.
    • Added automatic activation of the trial license so Exploit Mitigations, Vaccination and Hollow Process protections are automatically enabled after installation.
    • Improved performance of Control-Flow Integrity (CFI) technology, which blocks ROP attacks by analyzing on-chip branch-traces (inside Intel® processor hardware).
    • Improved Java (Network) Lockdown compatibility with legitimate applications like Cisco ADSM. Java (Network) Lockdown is now part of Network Lockdown.
    • Improved Keystroke Encryption which now offers dependable performance.
    • Improved detection of installed web browsers by the Software Radar.
    • Fixed a 32-bit stack traversal corner-case condition that affected Intuit QuickBooks.
    • Fixed a compatibility problem with Windows 8.0.
    • Fixed a compatibility issue with Microsoft Office 2007.
    • Fixed a problem with orphaned browser plugins, e.g. Silverlight (agcp.exe) when closing Netflix in the browser.
    • Fixed a compatibility issue with Steam games installed on non-default path.
    • Fixed a compatibility issue with AdwCleaner.
    • Added Anti-VM test to the Exploit Test Tool (32-bit). This test can be used to trigger the Active Vaccination feature of HitmanPro.Alert 3. The used technique is identical to how 99% of all VM-aware malware evade sandboxes.
    • Enabled the Updater. When there is a new version, the user interface will notify you.
    Known Issues
    • Webcam Notifier works with webcams that use the Windows usbvideo.sys driver. Webcams using vendor specific drivers are currently not supported.
    • The checkbox ‘Show border around applications’ under ‘Safety notification’ is currently checked and locked on purpose.
    • HitmanPro.Alert 3 is currently not compatible with Sandboxie on Windows Vista 32.
    • Sandboxie and Norton (Internet) Security can interfere with the drawing of the notification border around protected applications.
    • Agnitum Outpost Firewall on 64-bit versions of Windows is currently incompatible with HitmanPro.Alert 3.
    • The Export Address Table Access Filtering (EAF) module of Microsoft EMET 5.0 is currently incompatible with HitmanPro.Alert 3, but our Exploit Test Tool is compatible. Microsoft EMET 4.1 Update 1 is fully compatible with HitmanPro.Alert 3.
    • Malwarebytes Anti-Exploit is currently incompatible with HitmanPro.Alert 3, but our Exploit Test Tool is compatible.
    Download
    http://test.hitmanpro.com/hmpalert3ctp4.zip

    HitmanPro.Alert 3 supports Windows XP Service Pack 3, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 Technology Preview.

    Note: This preview is NOT to be used in production environments.

    Reporting issues
    Please report issues via PM or via email: erik@surfright.com.
    Please send me a PM if you need a product key for testing purposes.

    Looking forward to hearing from you how this build runs on your computer :thumb:
     
    Last edited: Oct 3, 2014
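The Application Lockdown policy described in the release notes above, as an added example that is not part of the original post or of HitmanPro.Alert itself: a small Python triage routine over constructed process, file and registry events that flags the actions Lockdown is designed to block (a document application spawning a new process, writing an executable to disk, or changing an autorun key). The application set, extension list, allowlist and sample events are assumptions for illustration, not the product's actual lists.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protected document viewers, by image name (assumed list for this example).
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
            "acrord32.exe", "soffice.bin"}
# Extensions treated as "new executables" (assumed, not an HMP.A list).
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll")
# Child processes a document app may legitimately start (example allowlist only).
ALLOWED_CHILDREN = {"splwow64.exe"}
# Autorun locations whose modification by a document app is treated as a violation.
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")

@dataclass
class Event:
    kind: str     # "process" (child started), "file" (file written), "registry"
    actor: str    # image path of the process performing the action
    target: str   # child image path, written file path, or registry value path

def image_name(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def violation(ev: Event) -> Optional[str]:
    """Return a reason if the event is an action Application Lockdown would block."""
    if image_name(ev.actor) not in DOC_APPS:
        return None                      # only document apps are constrained
    t = ev.target.lower()
    if ev.kind == "process" and image_name(t) not in ALLOWED_CHILDREN:
        return "document app spawned a new process"
    if ev.kind == "file" and t.endswith(EXEC_EXT):
        return "document app wrote an executable to disk"
    if ev.kind == "registry" and any(k in t for k in RUN_KEYS):
        return "document app modified an autorun registry key"
    return None

def triage(events: List[Event]) -> List[Tuple[Event, str]]:
    """Keep only the events that violate the lockdown policy, with the reason."""
    hits = []
    for ev in events:
        reason = violation(ev)
        if reason:
            hits.append((ev, reason))
    return hits

# Constructed sample telemetry (not real logs): a macro-style chain plus benign noise.
W = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE = [
    Event("process", W, r"C:\Windows\splwow64.exe"),                       # allowed helper
    Event("file", W, r"C:\Users\u\AppData\Local\Temp\inv0ice.exe"),         # dropped binary
    Event("process", W, r"C:\Users\u\AppData\Local\Temp\inv0ice.exe"),      # executed it
    Event("registry", r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),   # persistence
    Event("file", W, r"C:\Users\u\Documents\report.docx"),                  # normal save
    Event("process", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),  # not a doc app
]
```

Run `triage(SAMPLE)` to see the three flagged events; the benign print helper, the document save and the Explorer launch pass through.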
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,582
    Location:
    USA
    CTP4 is working OK for me on both Windows 7 x86 and Windows 7 x64. After uninstalling CTP3 and rebooting I installed CTP4 and scanned the systems. I would recommend an immediate reboot after installing CTP4 as both of my systems had "blue screen" crashes when I tried to use them after initially installing CTP4. However, after the reboot the systems are stable again. Regarding the UI, note that you have to click the "gear" and select "Advanced Interface" if you want to see the icons of protected programs, etc.

    @ Erik thanks for this latest update!
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thanks for your report. I will have a look at what is going on with the "blue screen" during the CTP3 -> CTP4 upgrade path. This should not happen as no files are being replaced during upgrade. They are only _scheduled_ to be replaced on reboot.
     
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    Uninstalled pre-CTP4, rebooted and installed CTP4 without a problem. Scan also ok (W7 64 bits).
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,429
    "Note: This preview is NOT to be used in production environments."

    This is my personal computer so, I am willing to take the risk. ;)

    edit: word added
     
    Last edited: Oct 3, 2014
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    Right after installation of CTP4 keystroke encryption doesn't work (both IE11 and FF 32.0.3, sandboxed and unsandboxed, W7 64 bits). After restarting the laptop keystroke encryption works fine. Good job. Very useful feature.
     
  18. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    930
    Just a nit, but the uninstaller for Alert does not leave a zero-footprint after uninstalling.
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HMPALERT
    
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,582
    Location:
    USA
    I just upgraded to build 90 and could not replicate the bluescreen, so maybe it was just a system specific anomaly? Build 90 is working fine.
     
  20. Eric Nemchik

    Eric Nemchik Registered Member

    Joined:
    Oct 3, 2014
    Posts:
    3
    I have a question about the feature on 2008r2 (or newer) where HMPA can deny access to network shares.
    If I am reading it right, this is how it works:
    Machine A) is 2008r2 and has c:\shares\ shared out, and DOES have HMPA installed
    Machine B) is XP and has \\server\shares\ mapped as S:\ drive, and DOES NOT have HMPA installed
    Machine B gets infected with Crypto and tries to affect files on its mapped drive S:\
    Machine A will see the attempted attack and restrict Machine B from accessing its shares while other machines (Machine C & D) can still access the shares.

    Is this how it works?
    If so, once I clean up Machine B how can I restore its ability to access Machine A?
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    How to reset the alerts to 0? 6 Alerts caused by using hmpalert64-test.exe.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,297
    Overall great here. Two little niglets.

    1. On IE11 (Win7x64) when I run sandboxed(SBIE), I get the green flyby showing protection and the GUI shows it, but the little protected at the top of the screen doesn't show up. Unsandboxed it does. This doesn't occur with Firefox

    2. Steam. I can protect steam and the train simulator runs fine, but if I run Sandboxed which I do, the train simulator fails. This wasn't a problem with the last beta. Also when
    Steam was protected there was no icon under the blue Mitigation box.

    Pete
     
    Last edited: Oct 3, 2014
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,297
    A minor feature request.

    Something triggers an alert and shuts down what was running. A scan is recommended. At this point, I would like the option of just scanning what triggered the alert, as opposed to the whole system.

    Pete
     
  24. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    930
    Total slow-down on my XP-SP3 and eventual BSOD trying to use the system. Even after reboot. System seems responsive as long as I do not launch a cmd-line file manager that I use. Normally it displays instantly. With Alert it takes seconds to display and after that, the problems start.

    Too bad there is no feature to temporarily disable HMPA without uninstalling. Is such a feature being planned?

     
    Last edited: Oct 3, 2014
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes, that's how it works!

    You can release Machine A by toggling cryptoguard off/on. In a following version you can selectively release a machine from a list.
     