Update HitmanPro.Alert 3.7.x CTP BETA releases

Discussion in 'HitmanPro (Sophos)' started by pablozi, May 30, 2017.

  1. pablozi

    pablozi Level 22
    Trusted

    Null Island
    Windows 10
    Default-Deny
    Official Website: www.hitmanpro.com
    Release Notes: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/#post-2680368
    Build version:
    Beta releases may be unstable and contain unreported bugs
    Surprise... Due to overwhelming feedback on the Private CTP1 build we decided to make the CTP2 release a Public Beta!

    In order to keep the BETA and CTP feedback separated from the Support and Discussion thread we created this new thread dedicated to discuss BETA and CTP builds. Otherwise people might think reported issues in the BETA and CTP builds are also in the stable releases.

    We need your feedback to make sure the new HitmanPro.Alert mitigations run alongside other security products.

    New Features in version 3.7
    • Real-time Anti-Malware
      Works with the HitmanPro cloud.

    • Credential Theft Protection
      Preventing theft of authentication passwords and hash information from memory, registry and disk. Prevents Mimikatz-style attacks.

    • Local Privilege Guard
      Prevents exploits of the operating system kernel. Prevents an attacker from using the privilege information of another process.

    • Code Cave mitigation
      Stops backdoors in trusted code.

    • Sticky Keys mitigation
      Prevents misuse of the Microsoft sticky key feature. Usually used by attackers to gain persistence.

    • Asynchronous Procedure Call (APC) mitigation
      Stops code injection via APC (e.g. DoublePulsar and the AtomBombing attack).

    • Application Verifier mitigation
      Prevents misuse of the Application Verifier feature of Windows (e.g. DoubleAgent attack).

    • Malicious Process Migration
      Detects remote reflective DLL injection used to move laterally between processes.

    Changelog (compared to CTP1)
    • Added DoublePulsar detection to APC mitigation
    • Added Compatibility with QEMU/KVM hypervisor
    • Improved Anti-Malware component
    • Improved CodeCave mitigation
    • Improved Local Privilege Guard mitigation
    • Improved Asynchronous Procedure Call (APC) mitigation
    • Improved DLL injection respects Trustlets
    • Improved CryptoGuard 4.9
    • Improved Installer
    • Fixed CodeCave false positives
    • Fixed PrivGuard false positives
    • Fixed APCViolation false positives
    • Fixed BSOD installing Alert in QEMU/KVM
    • Fixed BSOD caused in minifilter (introduced since 701)
    • Fixed iTunes compatibility
    • Fixed Compatibility with Steam Apps
    • Fixed typo in German translation Offene Browser
    Notes
    • Do NOT run this build on production environments. This is BETA software.
    • This build has Microsoft co-signed drivers.
    • This build triggers PrivGuard false positives when running Sandboxie sandboxed processes. We are looking into this and aiming to get this fixed as soon as possible.
    Download
    http://test.hitmanpro.com/hmpalert3b708.exe

    Make sure to report the Technical Details of a potential false positive.
    If you hit a compatibility issue, make sure you mention which version of Windows you are running and what security products you have installed.

    Happy testing and let us know how this build runs on your computer in this brand new thread :thumb:
     
  2. mekelek

    mekelek Level 21

    Hungary
    Windows 10
    Kaspersky
    finally, nice.
    is someone planning to test it on malware samples section?
     
  3. aragornnnn

    aragornnnn Level 11

    Warehouse Employee @ Nike ELC Belgium
    Belgium
    Windows 10
    Kaspersky
    Tried a few samples and "Lightning ransomware" managed to sneak through HitmanPro's defences :eek:
     
  4. Malware Person

    Malware Person Level 4

    United States
    Windows 10
    BitDefender
    nice! I will try it out
     
  5. pablozi

    pablozi Level 22
    Trusted

    Null Island
    Windows 10
    Default-Deny
    HitmanPro.Alert 3.7 Build 709 CTP3

    This build addresses a few minor issues in CTP2.

    Changelog (compared to 708)
    • Added Sandboxie compatibility to Local Privilege Guard (PrivGuard)
    • Fixed HitmanPro/Sophos Clean triggering Credential Theft Protection (CredGuard)
    • Fixed driver did not properly keep track of injection and whitelisting
    • Fixed driver did not properly stop when installing only the anti-ransomware component
    Notes
    This build uses Microsoft co-signed drivers.

    Download
    http://test.hitmanpro.com/hmpalert3b709.exe
     
  6. ravi prakash saini

    india
    Windows 10
    Kaspersky
    I hope they release the final version before I win a key in giveaways:p:p:p
     
  7. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    The current Giveaway is only for Hitman Pro and not the "Alert"
    If you buy Hitman Pro Alert, the HMP scanner will activate with the same key,
    I don't think the HMP scanner key will activate HMP.A though. I hope I said that clearly lol.
    We can ask @Erik Loman and see what he says.
     
  8. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    I have noticed this too, it was not reacting to a HMP scan, but for some reason it is again.
    HMP_Scan_Error.png

    Is this what you're seeing too?
    @Erik Loman
    Windows 10 x64
    Winver.png
     
  9. ravi prakash saini

    india
    Windows 10
    Kaspersky
    thanks for clearing the doubt, I have never used it so all Hitman looks the same to me
     
  10. erreale

    erreale Level 4

    Italy
    Windows 10
    Isolation
  11. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    The scanner still works, but it is annoying, they will fix it.
    Thanks for posting that you have the issue too, what version of Win10 are you on?
    Knowing that will help them sort it faster.
     
  12. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    See, for me the scan does complete, even though HMP.A throws the block message:
    HMP_SS2.png
     
  13. erreale

    erreale Level 4

    Italy
    Windows 10
    Isolation
    Windows 10 Creators Update 1703
     
  14. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    What version of Windows are you on?
    In your search bar type this and take a SS of the Windows version: "winver.exe" without the quotes
    see:
    Winver2.png
    He will need more than just "1703"
     
  15. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    #15 _CyberGhosT_, Jun 6, 2017
    Last edited: Jun 6, 2017
    I reported it over at the HMP.A beta thread and let him know that I tagged him here at MalwareTips, so he will visit when he gets the message.
    If I remember correctly, disabling CredGuard will solve this issue for now, till they can resolve it altogether.
    EDIT: I can confirm that disabling CredGuard will resolve it for now.
     
  16. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Retired
    Central US
    Linux Mint
    Default-Deny
    If I understand you correctly, you don't have to unlock HMP, just turn off CredGuard, seen here
    with the "white" box around it, and reboot, and you should be OK
    HMPA_SS2.png
     
  17. Tekkstepper

    Tekkstepper New Member

    Germany
    Windows 10
    Comodo
    CTP3 + East-Tec Eraser (newest version) don't like each other. I'm not sure if it's enough info I post here. If you need more (logs or whatever), please tell me and I'll do my best to provide all you need.

    C:\Program Files (x86)\east-tec Eraser\etEraser.exe

    CryptoGuard

    Mitigation CryptoGuard
    Platform 10.0.15063/x64 v709 06_4e
    PID 9624
    Application C:\Program Files (x86)\east-tec Eraser\etEraser.exe
    Description east-tec Eraser 12.9.5
    Filename C:\Program Files (x86)\east-tec Eraser\etEraser.exe
    C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-see-in-action-1-en[1].png
    C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-pro-box[1].png
    C:\Users\MyName MyFirstName\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARUTQZB4\heimdal-logo[1].png
    WBH 2e1f18161d0e13100e1e241a1f1a0e13100e1e24
    Process Trace
    1 C:\Program Files (x86)\east-tec Eraser\etEraser.exe [9624]
    2 C:\Program Files (x86)\east-tec Eraser\etRiskMonitor.exe [9136]
    3 C:\Windows\System32\svchost.exe [1408] c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    4 C:\Windows\System32\services.exe [928]
    5 C:\Windows\System32\wininit.exe [808] wininit.exe
    Thumbprint b2833aef8187f8e4c40346dbf04bb0c36bed3bae8f75f44c169aeb793ffac6db
     
  18. XhenEd

    XhenEd Level 27
    Content Creator Trusted

    Philippines
    Windows 10
    Default-Deny
    That's expected. The dev would say that CryptoGuard is working as intended.

    What is recommended with any "secure delete" software is to temporarily disable CryptoGuard when doing the secure deletion. :)
     
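As an added example (not code from this thread or from HitmanPro.Alert itself), here is a small Python triage helper for a pasted "Technical Details" report like the CryptoGuard one in post 17: it splits the run-together text back into fields and a process trace, and flags CryptoGuard events from a known secure-delete tool as likely false positives, which is the situation XhenEd describes above. The field labels are assumed from that single report, the sample input is constructed, and KNOWN_WIPERS is a hypothetical allowlist, not anything HMP.A ships.

```python
import re

# Field labels assumed from the single CryptoGuard report pasted in this thread.
LABELS = ["Mitigation", "Platform", "PID", "Application", "Description",
          "Filename", "WBH", "Process Trace", "Thumbprint"]
LABEL_RE = re.compile(r"\b(" + "|".join(LABELS) + r") ")
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")       # each path starts with a drive letter
TRACE_SPLIT = re.compile(r" (?=\d+ [A-Za-z]:\\)")  # entries look like "N C:\image [pid] cmdline"
TRACE_ENTRY = re.compile(r"^(\d+) (.*?) \[(\d+)\](?: (.*))?$")
# Hypothetical allowlist of secure-delete tools whose overwrite passes look like
# encryption to CryptoGuard (an assumption made for this example, not an HMP.A list).
KNOWN_WIPERS = {"eteraser.exe"}

def parse_report(text):
    """Split a run-together 'Technical Details' paste into its fields."""
    parts = LABEL_RE.split(" ".join(text.split()))      # normalise whitespace first
    fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    paths = PATH_SPLIT.split(fields.get("Filename", ""))
    trace = []
    for entry in TRACE_SPLIT.split(fields.get("Process Trace", "")):
        m = TRACE_ENTRY.match(entry)
        if m:
            trace.append({"image": m.group(2), "pid": int(m.group(3)),
                          "cmdline": m.group(4) or ""})
    return {"mitigation": fields.get("Mitigation"),
            "pid": int(fields["PID"]) if "PID" in fields else None,
            "application": fields.get("Application"),
            "affected_files": paths[1:],   # the first path repeats the executable itself
            "trace": trace}

def triage(report):
    """Known secure-delete tool rewriting files: likely false positive; else escalate."""
    if report["mitigation"] != "CryptoGuard":
        return "not a CryptoGuard event"
    exe = (report["application"] or "").rsplit("\\", 1)[-1].lower()
    if exe in KNOWN_WIPERS:
        return "likely false positive: known secure-delete tool"
    return "investigate: %d files rewritten by unknown process" % len(report["affected_files"])

# Constructed sample modelled on the report in post 17 (hash values replaced by zeros).
SAMPLE = (r"Mitigation CryptoGuard Platform 10.0.15063/x64 v709 06_4e PID 9624 "
          r"Application C:\Program Files (x86)\east-tec Eraser\etEraser.exe "
          r"Filename C:\Program Files (x86)\east-tec Eraser\etEraser.exe "
          r"C:\Users\Example User\AppData\Local\Temp\cache-one[1].png "
          r"C:\Users\Example User\AppData\Local\Temp\cache-two[1].png "
          r"Process Trace 1 C:\Program Files (x86)\east-tec Eraser\etEraser.exe [9624] "
          r"2 C:\Windows\System32\svchost.exe [1408] c:\windows\system32\svchost.exe -k netsvcs -s Schedule "
          r"3 C:\Windows\System32\wininit.exe [808] wininit.exe "
          r"Thumbprint 0000000000000000000000000000000000000000000000000000000000000000")
```

Running `triage(parse_report(SAMPLE))` returns the "likely false positive" verdict; a process not on the allowlist is escalated with the count of files it rewrote.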
  19. Tekkstepper

    Tekkstepper New Member

    Germany
    Windows 10
    Comodo
    Okay, you are right. Makes sense that it detects the crypto task.

    Maybe its interesting to somebody:

    Zemana AntiLogger Privacy guard doesn't work... well, you can activate it, but the keyboard isn't working with both. I guess it's because of keystroke encryption. Hitman+Zemana are both encrypting keystrokes.

    And: I installed the newest Bitdefender (the giveaway for German IPs). When I start a scan with Bitdefender, HitmanPro detects a harmful thread. I can provide more info when I arrive at home.

    cheers
     
  20. pablozi

    pablozi Level 22
    Trusted

    Null Island
    Windows 10
    Default-Deny
    HitmanPro.Alert 3.7 Build 710 CTP4

    This build focuses on improvements on code injection and related fail-safe mechanisms. Additional UI elements for Anti-Malware exclusions are on our roadmap.

    Changelog
    • Added code injection fail-safe mechanisms
    • Improved Anti-Malware performance (changed from on-access to on-execute)
    • Improved APC Mitigation
    • Improved path translation for thumbprints
    • Fixed detection of Protected Processes and Trustlets
    • Fixed Local Privilege Guard (PrivGuard) mitigation on Windows XP
    • Fixed Windows XP support was broken since build 708
    Notes
    This build has Microsoft co-signed drivers.

    Download
    http://test.hitmanpro.com/hmpalert3b710.exe
     