App Review HitmanPro Alert against Ransomware Encryptors


void011

Level 2
Verified
Nov 25, 2015
51
Thanks for the test cruelsister. Wonder if you could add Trend Micro to this series? :) They've recently added anti-ransom which is supposed to block unauthenticated encryption.

Erik Loman

From SurfRight
Verified
Developer
Jan 27, 2015
61
Thank you for pointing out that HitmanPro.Alert protects against prevalent crypto ransomware like CryptoWall, CTB-Locker, TorrentLocker, TeslaCrypt, etc. without signatures!

Of course there are more ways to modify files (as you showed by your custom attack) but my guess is that you can use an undelete tool to revert the encrypted files.

HitmanPro.Alert focusses on crypto attacks that cannot be reverted with undelete software, like the cryptoware mentioned above.

In addition, Alert can also protect file shares. This means that when a crypto attack comes from a remote client, it will block encryption of the files on the file share.

That said, please share the custom crypto solution (erik@surfright.com) so that we can investigate and improve protection for our customers (Y)

Moose

Level 22
Jun 14, 2011
2,271
Great Video! Waiting on review of WinPatrol - WinAntiRansom? :)

Topic: Ransomware Encryptors.

Of the following, which work without any conflicts when using other layers of security software? And which have the best detection and removal, in your opinion?

> CryptoPrevent pluses and minuses
> Hitman Pro Alert pluses and minuses
> WinPatrol - WinAntiRansom pluses and minuses


Question for Erik Loman,

Will Hitman Pro Alert work with Dr. Web Security Space? Or Kaspersky?
Or can anyone answer the above question? Any conflicts?

With Kaspersky, Sandboxie will NOT work!

Erik Loman

From SurfRight
Verified
Developer
Jan 27, 2015
61
> Great Video! Waiting on review of WinPatrol - WinAntiRansom? :)
>
> Topic: Ransomware Encryptors.
>
> Of the following, which work without any conflicts when using other layers of security software? And which have the best detection and removal, in your opinion?
>
> > CryptoPrevent pluses and minuses
> > Hitman Pro Alert pluses and minuses
> > WinPatrol - WinAntiRansom pluses and minuses
>
> Question for Erik Loman,
>
> Will Hitman Pro Alert work with Dr. Web Security Space? Or Kaspersky?
> Or can anyone answer the above question? Any conflicts?
>
> With Kaspersky, Sandboxie will NOT work!

I know that HMPA works with Kaspersky. Have not tested with DrWeb yet. Maybe a forum member can confirm.

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
I am somewhat growing wary of how we always see malware that is specifically coded against the product under review, though never something that is coded against Comodo. Doesn't even have to be custom tailored, though. Dridex - an actual threat delivered through weaponized documents and not something that just exists on the reviewer's machine - signed by Symantec or Comodo probably won't be "virtualized" - if you want to call crashing at the start due to restriction level untrusted "virtualization" - because it's trusted by the cloud.

Of course we will also never see videos where Comodo is trying to sandbox The Witcher 3 or the Netflix windows store app; just some examples of programs absolutely nobody uses.

hjlbx

> I am somewhat growing wary of how we always see malware that is specifically coded against the product under review, though never something that is coded against Comodo. Doesn't even have to be custom tailored, though. Dridex - an actual threat delivered through weaponized documents and not something that just exists on the reviewer's machine - signed by Symantec or Comodo probably won't be "virtualized" - if you want to call crashing at the start due to restriction level untrusted "virtualization" - because it's trusted by the cloud.
>
> Of course we will also never see videos where Comodo is trying to sandbox The Witcher 3 or the Netflix windows store app; just some examples of programs absolutely nobody uses.

@cruelsister is just showing that ransomware protections are not 100% against all encryption methodologies\routines.

Target any security soft, and eventually, vulnerabilities will be discovered. That's just a fact of IT\security soft life.

Of course Comodo isn't 100 % bullet-proof; @cruelsister never stated such a thing.

Signed malware using a valid Trusted vendor certificate is most definitely a critical security issue. However, there are multiple ways in Comodo to prevent digitally signed malware from compromising the system. The downside is that these methods require advanced configuration\use of Comodo. So not so user friendly for beginners, but the point is that Comodo gives the advanced user the ability to prevent\quash such a thing.

It is rare, but I have tested malware that smashes Comodo.

Safe files unknown to Comodo are an annoyance... yes, they are when they are auto-sandboxed. However, they can be submitted to Comodo for white-listing. This is no different than submitting false positives to other security soft vendors.

Comodo is not a solution for any and all IT threats, but it is a very good, comprehensive base-line protection. This is the best that any user can expect from a single security soft with the current state of software technology...

Same applies to SurfRight's HitmanPro.Alert; it is very good base-line protection.

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,151
The POC malware that I used wasn't at all directed against HMPA specifically, but against the method most commonly used to protect personal documents, photos, etc. I'll be releasing a CryptoPrevent trial this weekend to see if this is indeed the case (although I'm considering a video of my cat hacking up a hairball instead; it would after all be more popular).

And hjlbx is correct regarding signed malware. This is a very real issue and is a great deal more complicated than it may seem. Unless a mistake is made, high-quality malware of this kind can go undetected for years - GlassRAT was only recently detected because some joker uploaded it to VT! Not that I want to darken anyone's day, but this badboy was proof against all traditional AVs and even real-time forensics let it pass. The current push in Security is malware modeling (artificial intelligence and machine learning) and this would prevent malicious activity (kinda-sorta, we think).

Fortunately most of the high-quality malware has been targeted and shouldn't intrude on the home user, unless something like GovRAT happens to have been infecting the Bank that you use.

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Nice vid @cruelsister, thank you for your work :)

> Thank you for pointing out that HitmanPro.Alert protects against prevalent crypto ransomware like CryptoWall, CTB-Locker, TorrentLocker, TeslaCrypt, etc. without signatures!
>
> Of course there are more ways to modify files (as you showed by your custom attack) but my guess is that you can use an undelete tool to revert the encrypted files.
>
> HitmanPro.Alert focusses on crypto attacks that cannot be reverted with undelete software, like the cryptoware mentioned above.
>
> In addition, Alert can also protect file shares. This means that when a crypto attack comes from a remote client, it will block encryption of the files on the file share.
>
> That said, please share the custom crypto solution (erik@surfright.com) so that we can investigate and improve protection for our customers (Y)

What about Gen.4 of Cryptowall? Will I be protected by HMPA, too? I don't have any sample to try it out, also, my testing PC is not virtualized yet.

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,151
Cryptowall 4 (like CW3) just dies in a system protected by HMPA. I didn't see the point of using it as there was nothing at all to see.

Although the lay press would like you to believe otherwise, Cryptowall and its variants really aren't that nasty.

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
> Cryptowall 4 (like CW3) just dies in a system protected by HMPA. I didn't see the point of using it as there was nothing at all to see.
>
> Although the lay press would like you to believe otherwise, Cryptowall and its variants really aren't that nasty.

Thank you for the superfast reply and enlightening me :)