HitmanPro.Alert 3.7.x CTP BETA releases

[enaph]

Surprise... Due to overwhelming feedback on the Private CTP1 build we decided to make the CTP2 release a Public Beta!

In order to keep the BETA and CTP feedback separated from the Support and Discussion thread we created this new thread dedicated to discuss BETA and CTP builds. Otherwise people might think reported issues in the BETA and CTP builds are also in the stable releases.

We need your feedback to make sure the new HitmanPro.Alert mitigations run alongside other security products.

New Features in version 3.7

• Real-time Anti-Malware
  Works with the HitmanPro cloud.
  
  
• Credential Theft Protection
  Preventing theft of authentication passwords and hash information from memory, registry and disk. Prevents Mimikatz-style attacks.
  
  
• Local Privilege Guard
  Prevents exploits of the operating system kernel. Prevents an attacker from using the privilege information of another process.
  
  
• Code Cave mitigation
  Stops backdoors in trusted code.
  
  
• Sticky Keys mitigation
  Prevents misuse of the Microsoft sticky key feature. Usually used by attackers to gain persistence.
  
  
• Asynchronous Procedure Call (APC) mitigation
  Stops code injection via APC (ex. DoublePulsar and Atom Bombing attack).
  
  
• Application Verifier mitigation
  Prevents misuse of the Application Verifier feature of Windows (eg. Double Agent attack).
  
  
• Malicious Process Migration
  Detects remote reflective DLL injection used to move laterally between processes.

Changelog (compared to CTP1)

• Added DoublePulsar detection to APC mitigation
• Added Compatibility with QEMU/KVM hypervisor
• Improved Anti-Malware component
• Improved CodeCave mitigation
• Improved Local Privilege Guard mitigation
• Improved Asynchronous Procedure Call (APC) mitigation
• Improved DLL injection respects Trustlets
• Improved CryptoGuard 4.9
• Improved Installer
• Fixed CodeCave false positives
• Fixed PrivGuard false positives
• Fixed APCViolation false positives
• Fixed BSOD installing Alert in QEMU/KVM
• Fixed BSOD caused in minifilter (introduced since 701)
• Fixed iTunes compatibility
• Fixed Compatibility with Steam Apps
• Fixed typo in German translation Offene Browser

Notes

• Do NOT run this build on production environments. This is BETA software.
• This build has Microsoft co-signed drivers.
• This build triggers a PrivGuard false positives when running Sandboxie sandboxed processes. We are looking into this and aiming to get this fixed as soon as possible.

Download
http://test.hitmanpro.com/hmpalert3b708.exe

Make sure to report the Technical Details of a potential false positive.
If you hit a compatibility issue, make sure you mention which version of Windows you are running and what security products you have installed.

Happy testing and let us know how this build runs on your computer in this brand new thread :thumb:

 

[mekelek]

finally, nice.
is someone planning to test it on malware samples section?

 

[aragornnnn]

Tried a few samples and "Lightning ransomware" managed to sneak through HitmanPro's defences

 

[Malware Person]

nice! I will try it out

 

[enaph]

HitmanPro.Alert 3.7 Build 709 CTP3

This build addresses a few minor issues in CTP2.

Changelog (compared to 708 )

• Added Sandboxie compatility to Local Privilege Guard (PrivGuard)
• Fixed HitmanPro/Sophos Clean triggering Credential Theft Protection (CredGuard)
• Fixed driver did not properly keep track of injection and whitelisting
• Fixed driver did not properly stop when installing only the anti-ransomware component

Notes
This build uses Microsoft co-signed drivers.

Download
http://test.hitmanpro.com/hmpalert3b709.exe

 

[ravi prakash saini]

I hope they release the final version before I win a key in giveaways

 

[_CyberGhosT_]

I hope they release the final version before I win a key in giveaways

The current Giveaway is only for Hitman Pro and not the "Alert"
If you buy Hitman Pro Alert, the HMP scanner will activate with the same key,
I don't think the HMP scanner key will activate HMP.A though. I hope I said that clearly lol.
We can ask @Erik Loman and see what he says.

 

[_CyberGhosT_]

Has been a nightmare blocking everything, Instead of improving, is a vaginal crab.
Everything is detected as an exploit attack. And the worst of it, Is the error between Hp and hpa Scanner.
Can not work together, Due to a mismatch hook between the 2.

I have noticed this too, it was not reacting to a HMP scan, but for some reason it is again.


Is this what your seeing too ?
@Erik Loman
Windows 10 x64

 

[ravi prakash saini]

thanks for clearing the doubt,I have never used it so all hit man looks same to me

 

[erreale]

I have noticed this too, it was not reacting to a HMP scan, but for some reason it is again.
View attachment 154151

Is this what your seeing too ?
@Erik Loman
Windows 10 x64
View attachment 154152

Same here!

 

[_CyberGhosT_]

Same here!

The scanner still works, but it is annoying, they will fix it.
Thanks for posting that you have the issue too, what version of Win10 are you on ?
knowing that will help them sort it faster.

 

[_CyberGhosT_]

See, for me the scan does complete, even though HMP.A throws the block message:

 

[erreale]

The scanner still works, but it is annoying, they will fix it.
Thanks for posting that you have the issue too, what version of Windows 10 are you on ?
knowing that will help them sort it faster.

Windows 10 Creators Update 1703

 

[_CyberGhosT_]

He is so poorly adjusted, That even lock me diskpart, sfc scannow, dism
Windows disk tools, even defragmenters.
I did not want to offer it to any colleague or company for the same reason.

What version of Windows are you on ?
in your search bar type this and take a SS of the windows version: "winver.exe" without the quotes
see:

He will need more than just "1703"

 

[_CyberGhosT_]

I reported it over at the HMP.A beta thread and let him know that I tagged him here at MalwareTips, so he will visit when he gets the message.
If I remember correctly, Disabling CredGuard will solve this issue for now, till
they can resolve it altogether.
EDIT: I can confirm that disabling CredGuard will resolve it for now.

 

[_CyberGhosT_]

Thanks CYBERGHOST_t
So that's the error. I'm going to deactivate it immediately.
too i need to know about how to unbann the locks process detected as attacks.
I don't want to uninstall HMPA. because Is the only way for my processes to work again.

If I understand you correctly, you don't have to Unlock HMP just turn off CredGuard, seen here:
With the "white" box around it, and reboot, and you should be ok

 

[Tekkstepper]

CTP3 + East-Tec Eraser (newest version) dont like each other. I'm not sure if its enough info I post here. If you need more (logs or whatever), please tell me and I do my best to provide all you need.

C:\Program Files (x86)\east-tec Eraser\etEraser.exe

CryptoGuard

Mitigation CryptoGuard Platform 10.0.15063/x64 v709 06_4e PID 9624 Application C:\Program Files (x86)\east-tec Eraser\etEraser.exe Description east-tec Eraser 12.9.5 Filename C:\Program Files (x86)\east-tec Eraser\etEraser.exe C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-see-in-action-1-en[1].png C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-box[1].png C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-logo[1].png WBH 2e1f18161d0e13100e1e241a1f1a0e13100e1e24 Process Trace 1 C:\Program Files (x86)\east-tec Eraser\etEraser.exe [9624] 2 C:\Program Files (x86)\east-tec Eraser\etRiskMonitor.exe [9136] 3 C:\Windows\System32\svchost.exe [1408] c:\windows\system32\svchost.exe -k netsvcs -s Schedule 4 C:\Windows\System32\services.exe [928] 5 C:\Windows\System32\wininit.exe [808] wininit.exe Thumbprint b2833aef8187f8e4c40346dbf04bb0c36bed3bae8f75f44c169aeb793ffac6db

 

[XhenEd]

CTP3 + East-Tec Eraser (newest version) dont like each other. I'm not sure if its enough info I post here. If you need more (logs or whatever), please tell me and I do my best to provide all you need.

C:\Program Files (x86)\east-tec Eraser\etEraser.exe

CryptoGuard

Mitigation CryptoGuard Platform 10.0.15063/x64 v709 06_4e PID 9624 Application C:\Program Files (x86)\east-tec Eraser\etEraser.exe Description east-tec Eraser 12.9.5 Filename C:\Program Files (x86)\east-tec Eraser\etEraser.exe C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-see-in-action-1-en[1].png C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-box[1].png C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-logo[1].png WBH 2e1f18161d0e13100e1e241a1f1a0e13100e1e24 Process Trace 1 C:\Program Files (x86)\east-tec Eraser\etEraser.exe [9624] 2 C:\Program Files (x86)\east-tec Eraser\etRiskMonitor.exe [9136] 3 C:\Windows\System32\svchost.exe [1408] c:\windows\system32\svchost.exe -k netsvcs -s Schedule 4 C:\Windows\System32\services.exe [928] 5 C:\Windows\System32\wininit.exe [808] wininit.exe Thumbprint b2833aef8187f8e4c40346dbf04bb0c36bed3bae8f75f44c169aeb793ffac6db

That's expected. The dev would say that CryptoGuard is working as intended.

What is recommended with any "secure delete" software is to temporarily disable CryptoGuard when doing the secure deletion.

 

[Tekkstepper]

Okay, you are right. Makes sense that it detects the crypto task.

Maybe its interesting to somebody:

Zemana AntiLogger Privacy guard dont work...well you can activate it, but keyboard isnt working with both. I guess its because of key stroke encryption. Hitman+Zemana is encrypting key strokes.

And: I installed the newest Bitdefender (the giveaway for german IPs). When I start a scan wit Bitdefender, HitmanPro detects a harmful thread. I can provide more Info when I arrive at home.

cheers

 

[enaph]

HitmanPro.Alert 3.7 Build 710 CTP4

This build focuses on improvements on code injection and related fail-safe mechanisms. Additional UI elements for Anti-Malware exclusions are on our roadmap.

Changelog

• Added code injection fail-safe mechanisms
• Improved Anti-Malware performance (changed from on-access to on-execute)
• Improved APC Mitigation
• Improved path translation for thumbprints
• Fixed detection of Protected Processes and Trustlets
• Fixed Local Privilege Guard (PrivGuard) mitigation on Windows XP
• Fixed Windows XP support was broken since build 708

Notes
This build has Microsoft co-signed drivers.

Download
http://test.hitmanpro.com/hmpalert3b710.exe