- Apr 13, 2013
- 3,224
HitmanPro Alert against Ransomware Encryptors
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Nov 25, 2015
- 51
Thanks for the test cruelsister. Wonder if you could add Trend Micro to this series? 
They've recently added anti-ransom which is supposed to block un-authenticated encryption..
They've recently added anti-ransom which is supposed to block un-authenticated encryption..
- Jan 27, 2015
- 61
Thank you for pointing out that HitmanPro.Alert protects against prevalent crypto ransomware like CryptoWall, CTB-Locker, TorrentLocker, TeslaCrypt, etc. without signatures!
Of course there are more ways to modify files (as you showed by your custom attack) but my guess is that you can use an undelete tool to revert the encrypted files.
HitmanPro.Alert focusses on crypto attacks that cannot be reverted with undelete software, like the cryptoware mentioned above.
In addition, Alert can also protect file shares. This means that when an crypto attack comes from a remote client, it will block encryption of the files on the file share.
That said, please share the custom crypto solution (erik@surfright.com) so that we can investigate and improve protection for our customers (Y)
Of course there are more ways to modify files (as you showed by your custom attack) but my guess is that you can use an undelete tool to revert the encrypted files.
HitmanPro.Alert focusses on crypto attacks that cannot be reverted with undelete software, like the cryptoware mentioned above.
In addition, Alert can also protect file shares. This means that when an crypto attack comes from a remote client, it will block encryption of the files on the file share.
That said, please share the custom crypto solution (erik@surfright.com) so that we can investigate and improve protection for our customers (Y)
Great Video! Waiting on review of WinPatrol - WinAntiRansom?
Topic: Ransomware Encryptors.
Out the following which work without any conflicts against
using other layers of security software? And best detection
and removal? In your opinion?
> CryptoPrevent plus's and minuses
> Hitman Pro Alert plus's and minuses
> WinPatrol - WinAntiRansom plus's and minuses
Question for Erik Loman,
Will Hitman Pro Alert work with Dr. Web Security Space? Or Kaspersky ?
Or can any one answer the above question? Any conflicts?
With Kaspersky, Sandboxie will NOT work!
Topic: Ransomware Encryptors.
Out the following which work without any conflicts against
using other layers of security software? And best detection
and removal? In your opinion?
> CryptoPrevent plus's and minuses
> Hitman Pro Alert plus's and minuses
> WinPatrol - WinAntiRansom plus's and minuses
Question for Erik Loman,
Will Hitman Pro Alert work with Dr. Web Security Space? Or Kaspersky ?
Or can any one answer the above question? Any conflicts?
With Kaspersky, Sandboxie will NOT work!
- Jan 27, 2015
- 61
HitmanPro.Alert also provides anti-exploit (with hardware assistance!). So no need to run with MBAE. We do not recommend running two anti-exploit solutions concurrently.
- Jan 27, 2015
- 61
I know that HMPA works with Kaspersky. Have not tested with DrWeb yet. Maybe a forum member can confirm.Great Video! Waiting on review of WinPatrol - WinAntiRansom?
Topic: Ransomware Encryptors.
Out the following which work without any conflicts against
using other layers of security software? And best detection
and removal? In your opinion?
> CryptoPrevent plus's and minuses
> Hitman Pro Alert plus's and minuses
> WinPatrol - WinAntiRansom plus's and minuses
Question for Erik Loman,
Will Hitman Pro Alert work with Dr. Web Security Space? Or Kaspersky ?
Or can any one answer the above question? Any conflicts?
With Kaspersky, Sandboxie will NOT work!
- Jun 12, 2014
- 314
I am somewhat growing wary of how we always see malware that is specifically coded against the product under review, though never something that is coded against Comodo. Doesn't even have to be custom tailored, though. Dridex - an actual threat delivered through weaponized documents and not something that just exists on the reviewers machine - signed by Symantec or Comodo probably won't be "virtualized" - if you want to call crashing at the start due to restriction level untrusted "virtualization" - because it's trusted by the cloud.
Of course we will also never see videos where Comodo is trying to sandbox The Witcher 3 or the Netflix windows store app; just some examples of programs absolutely nobody uses.
Of course we will also never see videos where Comodo is trying to sandbox The Witcher 3 or the Netflix windows store app; just some examples of programs absolutely nobody uses.
@cruelsister is just showing that ransomware protections are not 100% against all encryption methodologies\routines.
Target any security soft, and eventually, vulnerabilities will be discovered. That's just a fact of IT\security soft life.
Of course Comodo isn't 100 % bullet-proof; @cruelsister never stated such a thing.
Signed malware using a valid Trusted vendor certificate is most definitely a critical security issue. However, there are multiple ways in Comodo to prevent a digitally signed malware from compromising system. The downside is that these methods require advanced configuration\use of Comodo. So not so user friendly for beginner, but the point is that Comodo gives the advanced user the ability to prevent\quash such a thing.
It is rare, but I have tested malware that smashes Comodo.
Safe files unknown to Comodo is an annoyance... yes, it is when they are auto-sandboxed. However, they can be submitted to Comodo for white-listing. This is no different than submitting false positives to other security soft vendors.
Comodo is not a solution for any and all IT threats, but it is a very good, comprehensive base-line protection. This is the best that any user can expect from a single security soft with the current state of software technology...
Same applies to SurfRight's HitmanPro.Alert; it is very good base-line protection.
- Apr 13, 2013
- 3,224
The POC malware that I used wasn't at all directed against HMPA specifically, but against the method most commonly used to protect personal documents, photos, etc. I'll be releasing a CryptoPrevent trial this weekend to see if this is indeed the case (although I'm considering a video of my cat hacking up a hairball instead; it would after all be more popular) .
And hjlbx is correct regarding signed malware. This is a very real issue and is a great deal more complicated than it may seem. Unless a mistake is made high quality malware of this can go undetected for years- GlassRAT was only recently detected because some joker uploaded it to VT! Not that I want to darken anyone’s day, but this badboy was proof against all traditional AV’s and even real-time forensics let it pass. The current push in Security is malware modeling (artificial intelligence and machine learning) and this would prevent malicious activity (kinda-sorta, we think).
Fortunately most of the high quality malware has been targeted and shouldn’t intrude on the home user- unless something like GovRAT happens to have been infecting the Bank that you use.
And hjlbx is correct regarding signed malware. This is a very real issue and is a great deal more complicated than it may seem. Unless a mistake is made high quality malware of this can go undetected for years- GlassRAT was only recently detected because some joker uploaded it to VT! Not that I want to darken anyone’s day, but this badboy was proof against all traditional AV’s and even real-time forensics let it pass. The current push in Security is malware modeling (artificial intelligence and machine learning) and this would prevent malicious activity (kinda-sorta, we think).
Fortunately most of the high quality malware has been targeted and shouldn’t intrude on the home user- unless something like GovRAT happens to have been infecting the Bank that you use.
Last edited:
Nice vid @cruelsister, thank you for your work
What about Gen.4 of Cryptowall? Will I be protected by HMPA, too? I don't have any sample to try it out, also, my testing PC is not virtualized yet.
What about Gen.4 of Cryptowall? Will I be protected by HMPA, too? I don't have any sample to try it out, also, my testing PC is not virtualized yet.
- Apr 13, 2013
- 3,224
Cryptowall 4 (like CW3) just dies in a system protected by HMPA. I didn't see the point of using it as there was nothing at all to see.
Although the lay press would like you to believe otherwise, Cryptowall and its variants really aren't that nasty.
Although the lay press would like you to believe otherwise, Cryptowall and its variants really aren't that nasty.
Similar threads
