- Dec 29, 2012
HitmanPro.Alert version 3 introduces Exploit Mitigations, of which its hardware-assisted Control-Flow Integrity (CFI) technology is perhaps its most striking feature. CFI is a technique to prevent flow of control not intended by the original application, without requiring the source code or debug symbols of the protected application. With CFI, HitmanPro.Alert 3 effectively stops attackers that hijack control-flow to combine short pieces of benign code, already present in a system, for a malicious purpose; a so-called return-oriented programming (ROP) attack. This capability is achieved by programming and leveraging a hardware feature in modern Intel® Core™ processors to track code execution and assist in the detection of attacks in real-time – an industry-first method not found in any other security product.
Besides a performance advantage, employing hardware traced records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which is (especially in case of a ROP attack) in control of the attacker.
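To make the contrast concrete, here is an added example (not HitmanPro.Alert code, and not a description of its actual algorithm) of the kind of check a branch-record-based anti-ROP engine can run. It assumes the hardware feature the post alludes to is a CPU-maintained ring of recent taken branches, each recorded as (kind, from, to) in the style of Intel's Last Branch Record registers; that is an assumption, as are the two heuristics used: a `ret` must land on a call-preceded address, and a run of consecutive very short gadgets is suspicious. Instruction layout, addresses and trace records are constructed for the example. The point of the post is that these records come from the processor, whereas a stack-walking check reads return addresses from memory the attacker already controls.

```python
"""Toy branch-record ROP detector (added example, not the product's code).

Assumption: the CPU supplies a window of recent taken branches as
(kind, src, dst) tuples, LBR-style. Code is modelled as a list of
instructions with address, length and a coarse mnemonic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Insn:
    addr: int
    length: int
    mnemonic: str  # "call", "ret", "jmp" or "op" for anything else


@dataclass(frozen=True)
class Branch:
    kind: str  # branch type recorded by the hardware: "call", "ret" or "jmp"
    src: int   # address of the branch instruction
    dst: int   # address control was transferred to


def build_indexes(insns: List[Insn]) -> Tuple[Dict[int, Insn], Dict[int, Insn]]:
    """Index instructions by start address and by end address."""
    by_addr = {i.addr: i for i in insns}
    by_end = {i.addr + i.length: i for i in insns}
    return by_addr, by_end


def is_call_preceded(by_end: Dict[int, Insn], target: int) -> bool:
    """A legitimate return lands right after a call; a gadget address usually does not."""
    prev = by_end.get(target)
    return prev is not None and prev.mnemonic == "call"


def gadget_length(by_addr: Dict[int, Insn], start: int, branch_src: int, limit: int) -> int:
    """Count instructions executed sequentially from `start` up to and
    including the branch at `branch_src`. Returns limit+1 if the straight-line
    path is longer than `limit` or never reaches `branch_src`."""
    addr, count = start, 0
    while count <= limit:
        insn = by_addr.get(addr)
        if insn is None:
            return limit + 1
        count += 1
        if addr == branch_src:
            return count
        addr += insn.length
    return limit + 1


def analyze_branch_records(insns: List[Insn], records: List[Branch],
                           max_gadget_insns: int = 3, chain_threshold: int = 2) -> List[str]:
    """Return the policy violations found in one branch-record window."""
    by_addr, by_end = build_indexes(insns)
    violations: List[str] = []
    short_chain = 0   # consecutive returns separated by tiny code sequences
    prev_dst = None   # where the previous recorded branch landed
    for rec in records:
        if rec.kind == "ret":
            if not is_call_preceded(by_end, rec.dst):
                violations.append(f"ret at {rec.src:#x} to non-call-preceded {rec.dst:#x}")
            if prev_dst is not None and \
                    gadget_length(by_addr, prev_dst, rec.src, max_gadget_insns) <= max_gadget_insns:
                short_chain += 1
                if short_chain == chain_threshold:
                    violations.append(f"{short_chain} consecutive short gadgets ending at {rec.src:#x}")
            else:
                short_chain = 0
        else:
            short_chain = 0
        prev_dst = rec.dst
    return violations


# Constructed code layout: a caller, a small callee, and a region that
# happens to contain ret-terminated fragments usable as gadgets.
CODE = [
    Insn(0x1000, 5, "call"),  # call 0x2000
    Insn(0x1005, 3, "op"),    # call-preceded: legitimate return target
    Insn(0x1008, 1, "ret"),
    Insn(0x2000, 2, "op"),
    Insn(0x2002, 1, "ret"),
    Insn(0x3000, 2, "op"),
    Insn(0x3002, 1, "op"),    # mid-function address, not call-preceded
    Insn(0x3003, 1, "ret"),
    Insn(0x3004, 1, "op"),
    Insn(0x3005, 1, "ret"),
]

# Constructed traces: a normal call/return pair, and a chain of returns into
# non-call-preceded addresses with only one or two instructions per fragment.
NORMAL_TRACE = [Branch("call", 0x1000, 0x2000), Branch("ret", 0x2002, 0x1005)]
ROP_TRACE = [
    Branch("ret", 0x2002, 0x3002),
    Branch("ret", 0x3003, 0x3004),
    Branch("ret", 0x3005, 0x1005),
]

if __name__ == "__main__":
    print("normal:", analyze_branch_records(CODE, NORMAL_TRACE))
    print("rop:   ", analyze_branch_records(CODE, ROP_TRACE))
```

The normal trace produces no violations; the constructed ROP trace produces two call-preceded violations and one short-gadget-chain violation. A real engine would evaluate the window at a chokepoint (for example on entry to sensitive API calls) rather than on every branch, and would tune `max_gadget_insns` and `chain_threshold` against benign workloads, since short, legitimately call-preceded functions do occur.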
Cybercriminals and hackers are becoming increasingly more proficient in finding and attacking previously unknown vulnerabilities to bypass antivirus software as well as memory protections (DEP+ASLR) to silently infiltrate computers. Well known cases that led to the discovery of zero-day attacks, like Operation SnowMan[1], GreedyWonk[2] and Clandestine Fox[3] (all uncovered by security firm FireEye), show that attackers are adept in creating malware (shellcode) by borrowing instructions from legitimate applications running on the victim computer – a ROP attack. Antivirus software is not designed to block this as there are no malicious processes or files involved. HitmanPro.Alert version 3 is built to stop existing and future attacks whether they are conducted by exploit kits or (foreign) nation-state hackers, without requiring prior knowledge of attacks or abused vulnerabilities.
Besides Exploit Mitigations, HitmanPro.Alert 3 also offers Application Lockdown, which prevents abuse of logic-flaw vulnerabilities and stops macros in Office documents from hoisting in malware. It also protects business environments that are bound to run outdated software, including Java-based company applications.
HitmanPro.Alert 3 also offers Man-in-the-Browser Intruder Detection (Safe Browsing), Cryptolocker Protection (CryptoGuard), System Vaccination, Webcam Notifier, Keystroke Encryption, BadUSB Protection and our acclaimed HitmanPro on-demand forensics-based Anti-Malware. Together they aim to disrupt the Cyber Attack Life-Cycle:
DOWNLOAD
The file hmpalert.exe inside the ZIP archive installs the software and requires just 5 MB of free disk space. It runs on 32-bit and 64-bit versions of Windows XP SP3, Windows Vista, Windows 7, Windows 8 and Windows 8.1.
The ZIP archive also contains version 1.4 of our Exploit Test Tool which contains 27 tests to check a PC’s security posture or verify the correct working of HitmanPro.Alert. The exploit techniques performed by the Exploit Test Tool are not malicious and safe to use.
Source: Post #3199
- Install-and-Forget: Signature-less protection suitable for Home Users, Power Users and IT Professionals
- Exploit Mitigations (Anti-Exploit): Aims to stop attackers from exploiting software vulnerabilities
- Fine-grained Exploit Mitigation Settings: Allows experienced computer users to change individual mitigations, per application
- On-demand Malware Detection and Remediation: Integrated Anti-Malware scanner
- BadUSB Protection: Blocks malicious USB devices that pose as a keyboard
- Safe Browsing (Man-in-the-Browser Detection): Warns when malware manipulates the browser; behavior-based
- Active Vaccination: Makes sandbox-aware malware self-terminate
- CryptoGuard: Protects your data against CryptoLocker, CryptoWall, TorrentLocker, OphionLocker, CoinVault and variants; behavior-based
- Webcam Notifier: Blocks the webcam when it is (secretly) accessed
- Keystroke Encryption: Protects credentials against keyloggers in the browser
- Hollow Process Protection: Protects the main executable of a process against unmapping
- Network Lockdown: Helps to stop attacks that connect back to command-and-control
- Full 64-bit Support: Offers 64-bit applications the same protection as 32-bit applications
- Software Radar: Automatically protects new browsers, plug-ins, media and office applications
- Easy-to-Use High DPI User Interface: Suitable for Home Users, Power Users and IT Pros
- Advanced Exploit Reporting: Logs advanced technical data for forensic threat analysis
- Multilingual User Interface: English, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Brazilian Portuguese, Russian, Spanish
- Antivirus Compatible: Runs alongside third-party antivirus or internet security software
- SEHOP: Stops abuse of the structured exception handler
- Stack Pivot: Stops abuse of the stack pointer
- Stack Exec: Stops attacker's code on the stack
- Software Stack-based Anti-ROP: Stops return-oriented programming (ROP) attacks (part of Control-Flow Integrity)
- Hardware-assisted Branch-based Anti-ROP: Programs microprocessor to stop ROP attacks (part of Control-Flow Integrity)
- Import Address Table Filtering (IAF): Prevents attackers from snooping function addresses (part of Control-Flow Integrity)
- Caller Check: Stops processes called from attacker-controlled memory (part of Control-Flow Integrity)
- Load Library: Stops modules that load from insecure network paths
- Application Lockdown: Prevents abuse of logic flaws and stops attacks that bypass mitigations (incl. Office macros)
- Enforce DEP: Prevents abuse of buffer overflows
- Mandatory ASLR: Prevents predictable code locations
- Pseudo ASLR for Windows XP and Windows Server 2003: Prevents predictable code locations of modules on legacy Windows (part of Mandatory ASLR)
- Bottom Up ASLR: Improves code location randomization (ASLR)
- Null Page: Stops exploits that jump via page 0
- Heap Spray Pre-Allocation: Stops attacks that start via common memory addresses on the heap (part of Dynamic Heap Spray)
- Dynamic Heap Spray: Stops exploits that start via the heap; behavior-based