HitmanPro.Alert still being developed with new novel mitigations and a beta release soon

Gandalf_The_Grey

Good news over at Wilders:
No worries guys, we're still alive and kicking. We've been working on several projects and are planning to release a new BETA version of HitmanPro.Alert soon. It will contain several new protections as well as an updated CryptoGuard 5 engine. Stay tuned!
I have some information to share, about a protection that we've been working on over the last two years (and Wilders Security members have been enjoying it for that long too). It's about our Heap Heap Protect mitigation - called Dynamic Shellcode Protection in Sophos's flagship endpoint product Intercept X.
If you haven't read it yet and have 10 minutes, be sure to read my blog about it: Covert code faces a Heap of trouble in memory – Sophos News
Below is a relatively short primer on why it's actually pretty bold.

Heap Heap Protect is unique in the world. It basically puts a hard limit on any application to what memory they can allocate. It impacts every process on the box, even Windows’ own processes.

How does this work? Applications can ‘loan’ an extra memory region from the system for the purpose of running added code. But when the added code requests an additional ‘loan’ for the purpose of introducing and running even more code, we say NO.

The ‘freedom’ to use memory whenever an application sees fit has been a fundamental function of a computer since the invention of dynamic random-access memory in 1968. And thanks to segregation of data and code (enforced by the CPU hardware) we can now literally say NO MORE!

We initially crafted Heap Heap Protect to counter unknown supply-chain attacks like CCleaner APT. So, although it's completely signature-less, you may notice it is especially effective against remote access agents like Cobalt Strike and Meterpreter, as these are typically loaded into memory by a ‘loader’ or ‘stager’. Particularly in human-operated ransomware attacks, these agents are a mainstay.
To our surprise, when we tested the mitigation in the wild, it notably caught a lot of multi-packed malware too – including adware. This is because, before packed malware really works, the unpacker needs to allocate a region that can run the unpacked code. And multi-packed (layer over layer) malware will ‘loan’ such a region upon region – it unpacks like a matryoshka doll.

Perhaps the most interesting part of our protection is that our discovery is highly compatible with legitimate applications. Simply because regular applications are not loaded in a staged manner and they are not packed either.

If you want to know more, check out my blog. If you have, we'd like to hear your thoughts on this. Thanks!
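As an added illustration of the ‘loan upon loan’ rule described in the quoted post (example code written for this thread, not Sophos or SurfRight code): it models the executable regions a process obtains at runtime and refuses a further executable allocation that is requested from inside one of them. The event format, the EXEC_BIT flag and every address are assumptions.

```python
# Simplified model of the 'loan upon loan' rule from the post above; added
# example, not Sophos or SurfRight code. It remembers executable regions a
# process obtained at runtime and refuses a further executable allocation
# whose requester already runs inside one. All addresses are constructed.
from dataclasses import dataclass

EXEC_BIT = 0x10  # assumption: protection values with this bit set are executable

@dataclass
class AllocEvent:
    pid: int      # requesting process
    caller: int   # return address of the code asking for the region
    base: int     # start of the region the system handed out
    size: int
    protect: int  # requested page protection

def region_containing(regions, addr):
    """Return the (base, end) dynamic executable region holding addr, or None."""
    for base, end in regions:
        if base <= addr < end:
            return (base, end)
    return None

def process_event(states, ev):
    """Apply one event; return None if allowed, else a verdict string."""
    regions = states.setdefault(ev.pid, [])  # loaned exec regions per process
    if not ev.protect & EXEC_BIT:
        return None  # plain data allocations are never limited
    origin = region_containing(regions, ev.caller)
    if origin is not None:  # requester lives in a loaned region: refuse 2nd loan
        return f"pid {ev.pid}: exec alloc {ev.base:#x} from {origin[0]:#x} blocked"
    regions.append((ev.base, ev.base + ev.size))  # first loan is allowed
    return None

def run(events):
    """Process events in order and return the verdicts that fired."""
    states = {}
    return [v for v in (process_event(states, e) for e in events) if v]

# Constructed trace: pid 100's loader (in its image) loans stage A, stage A
# then loans stage B and a data buffer; pid 200 is a JIT loaning one region.
SAMPLE = [
    AllocEvent(100, 0x00401000, 0x00A00000, 0x10000, EXEC_BIT),
    AllocEvent(100, 0x00A00040, 0x00B00000, 0x20000, EXEC_BIT),
    AllocEvent(100, 0x00A00080, 0x00C00000, 0x1000, 0x04),
    AllocEvent(200, 0x7FF00010, 0x01000000, 0x10000, EXEC_BIT),
]
```

The model only looks at fresh allocations; a region made executable after the fact by a protection change would need the same check, which this model leaves out.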

SecureKongo

Hope they integrate the new version in Sophos Home soon. Somehow SUMo detects an outdated HitmanPro.Alert version in my updated version of Sophos Home Premium at the moment. Does anybody else face the problem or know what the cause is?

Gandalf_The_Grey

I saw that posted somewhere here on MT or on Wilders.
If I remember correctly, HitmanPro.Alert is the testing ground for Sophos Home Premium.
So it's always a version behind, on purpose, to be more stable.
 

Zartarra

I am currently testing HitmanPro.Alert. It seems to be a nice product. I tested the key encryption in several programs and that seems to work great. The exploit protection is easy to configure. I used a small batch of ransomware samples and it blocked nearly all of them. The AV-signatures on the other hand are not that strong.

One downside is the price. I find it very expensive. For 3 machines for 1 year I have to pay €50. You can use a coupon code that gives you a 20% discount, but it's still expensive. For that price you can buy a complete AV-solution. Even SHP is only €50 for 10 machines.
 

SecureKongo

Not sure if Sophos Home provides the same protection as HitmanPro.Alert in terms of ransomware protection, for example. I tested SHP on my VM with a ransomware sample shared by @struppigel on abuse.ch and it was missed by the anti-ransomware component. I sent the file to SophosLabs and got the response that Intercept X, which also uses CryptoGuard just like HitmanPro.Alert, would prevent the encryption. Sophos Home however didn't block the file, so I came to the conclusion that SHP doesn't have CryptoGuard or uses an outdated version. HMPA always gets the new updates first as far as I know, so maybe that's why it's quite expensive in relation to SHP. Maybe someone can check if HMPA would block the sample?

Sample: MalwareBazaar | Browse malware samples
 

Zartarra

I tested the sample. HMPA didn't block the sample :cry:.

I tested some other samples. I got a similar block screen as in SHP.

Still, the key protection works in all the programs I tested and the exploit protection is easy to set up (y).
 

SecureKongo

Thanks for testing! I wonder what component would have blocked the ransomware in Intercept X though. :unsure:
Also, I agree. The main strength of Sophos and HitmanPro.Alert is their anti-exploit capabilities.


Update regarding the patch notes:
Hello XXXX,

Thank you for contacting Sophos Home Support. My name is Conor. I can certainly advise you further on the availability of the release notes for version 4.0.1.

I regret to inform you that I do not have a file or link that I can share for the release notes at this time, although I can confirm that they should be available early next week, and we are planning for it to be posted on Monday. We will be announcing when the article is released on Twitter through @SophosHome as well if you wish to keep an eye out for this information.

If you have any other questions or concerns, please let me know. I hope you have a good day from here.
Regards,
Conor - Sophos Home Support
 