HitManPro Alert vrs Malwarebytes Anti Exploit Premium

Discussion in 'other anti-malware software' started by bgoodman4, Apr 9, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
I don't think you can compare SS and AG with WAR. AG will still monitor digitally signed apps, and with SS you can also choose to only auto-allow "Microsoft signed" files, which is much safer than NOT monitoring digitally signed apps at all. If Erik Loman is correct, WAR will simply stop all unsigned software from running, without even looking at malicious behavior. I still can't believe this is true, because if it is, the name of the app feels a bit misleading.

    I don't think HMPA should become a white-listing tool, but it could for example add parent-child process control, so this means that the browser is only allowed to start the PDF reader for example.
     
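As an added illustration of the parent-child process control idea above (example code written for this page, not HMPA's or any vendor's implementation): a tiny policy that allows a child process only if its parent is permitted to start it, with an optional "auto-allow Microsoft signed" switch like the SS option mentioned. Process names, signer strings and the allowlist are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcessEvent:
    """One constructed process-creation event (hypothetical field names)."""
    parent: str
    child: str
    signer: Optional[str]  # publisher on the child's Authenticode signature, None if unsigned

# Constructed allowlist: which children each parent may launch.
# A parent that is absent here may launch nothing.
PARENT_CHILD_ALLOW = {
    "explorer.exe": {"chrome.exe", "winword.exe", "acrord32.exe"},
    "chrome.exe": {"acrord32.exe"},   # browser may open the PDF reader, nothing else
    "acrord32.exe": set(),            # the PDF reader should not spawn anything
    "winword.exe": set(),             # neither should Word
}

def decide(event: ProcessEvent, auto_allow_microsoft: bool = False) -> str:
    """Return 'allow' or 'block' for a process-creation event."""
    # Optional shortcut: trust anything Microsoft signed, as the SS option does.
    # Note that this lets a document reader spawn powershell.exe, which the
    # parent-child rule alone would block.
    if auto_allow_microsoft and event.signer == "Microsoft Windows":
        return "allow"
    allowed_children = PARENT_CHILD_ALLOW.get(event.parent)
    if allowed_children is None:
        return "block"  # unknown parent: default deny
    return "allow" if event.child in allowed_children else "block"

# Constructed sample events resembling a browser-delivered PDF and a macro document.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "chrome.exe", "Google LLC"),
    ProcessEvent("chrome.exe", "acrord32.exe", "Adobe Inc."),
    ProcessEvent("acrord32.exe", "powershell.exe", "Microsoft Windows"),
    ProcessEvent("winword.exe", "cmd.exe", None),
]

def evaluate(events, auto_allow_microsoft: bool = False):
    """Decide every event and return (parent, child, decision) tuples."""
    return [(e.parent, e.child, decide(e, auto_allow_microsoft)) for e in events]

if __name__ == "__main__":
    for parent, child, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {verdict}")
```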
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Sorry, I forgot to reply. But yes, with HMPA you should be safe, but don't forget to first test it, because it might sometimes conflict with other tools. About protection against ransomware, most of the time it's delivered via exploit, so HMPA should easily be able to block it.

    But if you might open it via mail attachment it gets trickier. There are certain ransomware variants that are a bit harder to detect with behavioral monitoring, so that's why you will sometimes see HMPA and MBARW fail. WinAntiRansom relies mostly on white-listing so it's sort of a reversed AV, it tries to allow only apps that are deemed safe, and to block everything else.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Don't mean to intrude here, but just need to clarify a few things:

1). Not being exactly mainstream, my channel (sadly) has quite a small home user following, but (happily) quite a large Developer following. It has led to changes for the better in products like Qihoo, Shade, SBIE among a few others. I'm not in any way attempting to be vindictive if I point out a deficiency in a product and think that's fairly well understood. This is typified by comments like (I hope Mark won't mind my quoting him from a PM, but it shows his professionalism and concern for their user base): **removed as per TOS
    https://www.wilderssecurity.com/help/terms

    2). As long as I don't code the malware used in my videos myself I do share them with the developers on request.

    3). "No need to test competitor's program while it is still beta"- Actually that's when there is the most need.

    4). I have absolutely NO affiliation with Ruiware (trust me- they couldn't afford me).

    5). "clever community cow girl"- Clever? Thank you! Cow girl?- a tad rude, don't you think?

    M
     
4. Sorry, I am from Holland. To me cow boys are manly guys driving cattle through terrains where urban people don't dare to go. Thought that would have some analogy to you testing software with live malware. In simplicity I thought that a cow girl was just the female version of this (positive) icon (go west young man ....). Apologies for using a term which obviously has a negative connotation.

    Regards Kees
     
5. Yes, but that is from the vendor's perspective, not the competitor's perspective and using it for marketing purposes. Loman brothers were really angry about that (ignoring the fact they published a comparison sheet on their website which compared their beta with other finished products), but they have a point IMO, that is why I mentioned it (using an unfinished beta and comparing it with a finished product and concluding the finished product is better, is as obvious as stating that water is wet).
     
  6. hjlbx

    hjlbx Guest

    Cow Girl = Malware Jane with gyrating HIPS. At least that is the way I imagine it...
     
7. People trust other consumers' experience more than tests commissioned by a vendor. The way vendors interact with people doing 'semi-professional' tests has an impact on how those reviewers word/phrase their findings. When a vendor does not react or talks the test relevance and results down, the reviewer is more likely to take an opposing position. When the vendor reacts by taking results seriously and updating or improving their software based on the reviewer's findings, the reviewer will take a milder position (simply because people like to be acknowledged for their work).

    So Brett Lowry has obviously taken the position to thank you for your work and include your efforts in making WAR a better product (like Florian of Excubits embraces the help of Wildbydesign). It was not my intention to accuse you of foul play or being sponsored by Ruiware. Since you felt the need to defend yourself, I again have to say "something gone wrong in translation"; in hindsight I regret using words like Macho Marketing Machine and Clever Cow Girl, lesson learned. I hope this post nuances things.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Made my day!:D:thumbd:
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I uninstalled MBAE & used HMPA for a while. Now I've gone back to MBAE. For me MBAE does pretty much the same job but is much lighter at doing it on my very old computer.

My 1st cousin Terry wrangled cattle on my uncle's ranch. She herded & branded cattle, & shot coyotes when she saw them. Dead accurate shot, even while riding. I watched her deliver a breech calf by reaching in there, grabbing the calf, & manipulating it out alive. She's retired now but there's plenty of real cowgirls like her working in Texas even now. No gyrating hips either.
     
    Last edited: Apr 16, 2016
  10. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Back to the original theme of the thread - Malwarebytes AE or Hitmanpro Alert? Seems to be a lot of other stuff in here.
     
  11. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    This discussion will never go further than comparing features as documented by Malwarebytes and Surfright. Almost no Wilders member is capable of testing exploit mitigations.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Another area of useful comparison is compatibility with other security software.
     
  13. guest

    guest Guest

    but we can compare False Positives :p
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
The reason is because the topic starter is mostly worried about ransomware. Both HMPA and MBAE are capable of blocking ransomware attacks by simply blocking the exploit from running. But if ransomware is started by the user itself, then you need additional protection. HMPA is obviously the better choice since it has a dedicated anti-ransom module. But HMPA is not foolproof, so combining it with a tool like WAR isn't a bad idea.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Have you tried running them together, and if so do they get along?
     
  16. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    199
Agree 100%.....that's what I do and use...
     
  17. MBAE https://www.malwarebytes.org/support/releasehistory/

HMPA http://www.surfright.nl/en/whatsnewalert/

    MBAE is clearly the one with the least FP's. HMPA is planning a cloud feature to deal with FP's without needing to update/reinstall (as with the latest 365 build to tackle an OFFICE false positive). The positive side of having many FP's is that it becomes a business issue for the corporate market and they have to deal with it. HMP has a cloud feature and Sophos probably has best practices to deal with FP's, so this feature could be up and running in the near future. Good example of a disadvantage becoming an advantage.
     
    Last edited by a moderator: Apr 19, 2016
  18. guest

    guest Guest

Cloud based rules will be a nice trick; especially when a security soft injects DLLs into another, it shouldn't flag the modified program as suspicious.
     
  19. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
Why none of these utils explain to people how to deal with Windows is still beyond me; disable script execution and most stuff would never work since you get a popup that it is not possible, which would lower the attack surface 100%. The rest is already known, and browsers are getting more and more security stuff too; it's a dying business, together with the fact that most if not all stuff needs administrative privileges.

    I really would pay for an AV / IS solution which guides the user to harden Windows instead of adding gimmicks which mostly are just a toggle for Windows-only related stuff, like blocking fonts from HMPA, which only changes stuff in the registry that can be done without needing to pay for this product first.

    They still haven't learned anything, just thinking to add new gimmicks to the engine, not changing the user's behavior; it's a false positive to think you are then automatically more secure. But that's what they want: not inform people and make money. - And then we get something like ransomware - BOOM!

    I'm not really sure if you can compare these tools, not even on FPs, because the next day you test, the reputation has already been updated or it gets a new gimmick with the next major update; that's what I've complained about with AV tests for years, it doesn't matter in the real world. By the time they tested it, it's mostly already in their cloud.

    Most, 90%, is simply the fault of the user. Why do you need to click on jpg.exe and allow it? ... Ask yourself what's wrong and then you've got your answer.
     
  20. guest

    guest Guest

You spot the thing: Security is a BIG business! Why would those vendors give users tools/advice to secure their OS for free when users would then ditch their paid security products!

    fear = money

    You can secure Windows with a few registry tweaks or Group Policies (like disallowing execution of unsigned processes); of course no vendor will ever tell you how to do it, why give for free what the user can pay for.

    In addition, you have the "beginner aspect": they don't know how to do it, so they will pay for a product to do it for them.
     
  21. @CHEFKOCH

Because those hardening settings lower functionality and need a lot of digging to implement, there will be a market for easy to apply exploit mitigation (and ransomware protection).

    You are right that exploits need access to scripting/execution engines facilitated by the OS (dotNet, Powerscript, Command) or the hosting application (Javascript, Pythonscript, VisualBasic Script in browser, pdf reader, etc). Powerscript and dos shell can still be disabled through gpedit or regedit, but Windows 10 makes it hard to disable dotNet. I have blocked access to mscoreei.dll through Software Policy (only for basic users), so when you know a more elegant way to mitigate dotNet on Windows 10, please post.

    Regards Kees
     
  22. hjlbx

    hjlbx Guest

    NET Framework is a pain. I disable (block execution of) a whole slew of parent processes via HIPS or SRP - dependent upon what I am testing at the time. I have found that I have no need of any of the NET Framework objects - except csc.exe for some Windows Control Panel access.

    It is a brute-force block tactic that might not work in a really sophisticated attack involving *.dlls.

    With the top 1 % of all malicious software - all protection bets are off. But there is one incontrovertible truth about "super-malware" - the likelihood that a typical user will ever encounter it is minuscule. Almost infinitesimally small. So I don't fret about such things...
     
  23. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I would say, start analyzing / reverse engineering the exploit mitigations in EMET, HMPA and MBAE and you'll notice that they do a bit more than tweaking the registry. ;)
    (With analyzing I don't mean running the HMPA Exploit Test Tool as mitigations can be implemented differently.)

    CryptoGuard or MBARW can offer protection against ransomware without requiring a complete lockdown.

Bypass resistance might be a somewhat more appropriate measure of comparison, as exploit mitigation software is already expected to block exploits from EKs and executables dropped by malicious VBA macros.
    Although that does require quite some manual auditing and for certain bypasses also a bit of reverse engineering. (Malwarebytes has a bug bounty program that also accepts MBAE bypasses, so coming up with bypasses is not just charity. ;))
     
24. @ropchain when you have time, have a look at MemProtect, really smart usage of the Win 8.1 and up Protected Processes feature
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
I guess he means that by blocking process execution you can block most exploits. But I'd rather use a specialized anti-exe or anti-exploit tool than lock down Windows completely. Most people also don't have the skills to do so, that's what he seems to forget.

    Yes I agree, the most important thing is to prevent malware from running on the system, and in general that's quite easy to achieve. Especially when you combine common sense with advanced security tools.
     