Update HitmanPro.Alert Updates

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
Changelog (compared to build 893):
  • Fixed a rare crash in BackgroundTaskHost.exe caused by our new CookieGuard mitigation (part of Credential Theft Protection)
  • Added support for more Chromium based web browsers to CookieGuard, including Brave, Opera, Vivaldi, Comodo Dragon, Edge Canary, Beta and Dev channel.
  • Improved compatibility with games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
Download:
https://dl.surfright.nl/hmpalert3b897.exe

Please let us know how this version runs on your machine. Thanks
:thumb:
(y)
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
a note on 897, should your browser throw a CookieGuard alert at startup it's probably on the wrong protection profile.
  • Check Exploit Mitigations to see if it's under something else then Browsers, and if so click and 'Remove mitigations'
  • Disable Credential Theft Protection
  • Start browser
  • Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers"
  • Enable Credential Theft Protection
  • Done
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.12 Build 899 Release Candidate
Changelog (compared to build 897)
  • Fixed another crash that could occur in BackgroundTaskHost caused by CookieGuard
  • Improved compatibility of Hollow Process mitigation with Rockstar games
Download
https://dl.surfright.nl/hmpalert3b899.exe

Let us know if how this version runs on your machine. Thanks (y)
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.12 Build 899 Released
Changelog (compared to build 891):
  • Added New Cobalt Strike single-stage mitigation. When Cobalt Strike Beacon temporary de-cloakes in memory to retrieve new commands from the adversary, HitmanPro.Alert will hold and inspect the decrypted memory area for the presence of Beacon.
    Note: In a normal multi-stage scenario, Cobalt Strike Beacon is already proactively blocked by our patented HeapHeapProtect mitigation. This new Cobalt Strike mitigation now also thwarts the single-stage scenario. And upon detection of Beacon it also extracts and reports the full Cobalt Strike C2 profile configuration from memory.
  • Added DNS stager detection, when – for example – Cobalt Strike Beacon communicates over DNS with command-and-control (C2).
  • Added SysCall mitigation to every process so it now also blocks the Heaven’s Gate defense evasion technique in malware. The Heaven's Gate technique allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment.
  • Added CookieGuard mitigation. It protects (MFA) session cookies and passwords stored in popular Chromium based web browsers, like Google Chrome and Microsoft Edge on Chromium.
  • Added an extra message box when an update is pending, and the user clicks on the associated flyout. The message informs the user that the machine must be restarted before the update is actually applied.
  • Fixed stack pivot exploit mitigation so it no longer triggers incorrectly on Internet Explorer loading a digital rights management (DRM) related library for streaming DRM protected content.
  • Fixed APC Violation mitigation so it now correctly identifies process injection from VMware.
  • Fixed Code Cave mitigation so it now plays nice with DRM code from gaming company Electronic Arts (EA).
  • Fixed Kernel32Trap mitigation so it no longer causes issues with certain code compiled with Visual Studio.
  • Improved CryptoGuard 5 anti-ransomware engine. For example, the note spray evaluator is more tolerant when installers drop the same text file across many folders.
  • Improved threat termination. It's now even more robust, especially when the threat runs with high privileges outside of user session(s).
  • Improved compatibility with certain games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP. This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b899.exe
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
Hi all,

Should you find your browser terminated by Alert -> Technical details -> CookieGuard please follow the steps below to solve this (browser is on the wrong protection profile).

1) Open HitmanPro.Alert
2) Set interface to advanced via gear icon top right
3) Check Exploit Mitigations to see if the browser is under an other protection profile then Browsers, and if so click on it and then select 'Remove mitigations'
4) Now navigate to the orange button -> Credential Theft Protection and set to disable
5) Start affected browser
6) Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers" next close this window with (x)
7) Go back to the orange button -> Credential Theft Protection and set to enable
:cool:
Done
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.13 Build 901 Released:
Changelog (compared to build 899):
  • Fixed more compatibility issues between process hollowing and certain games.
  • Fixed an issue with three CryptoGuard 5 Thumbprints that were not working in the previous build.
  • Fixed a potential security issue where specifically crafted malware on the machine could craft and manipulate a file structure to elevate privileges.
  • Improved compatibility of CookieGuard with browsers that are attached to the Office mitigation profile.
  • Temporarily disabled the fix that detects Cobalt Strike delivery over SMB. The fix appears to be incompatible with many game launchers that actually perform main thread hijacking.
  • Temporarily disabled system-wide Syscall mitigation as certain third-party security products, like Cylance, actually attempt to bypass API calls by directly jumping to kernel functions via a syscall.
  • Temporarily set CookieGuard's Remote Debugger Port detection to silent as it causes issues with some web developer machines.
We'll first upgrade 899 users, as they where affected by the above issues, if that is looking good we'll enable the automatic update for all users of HitmanPro.Alert.

Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP.
This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.
If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b901.exe
 

CyberDevil

Level 2
Apr 4, 2021
95
533
Perhaps someone can report a compatibility issue with HitmanPro. Alert and Trend Micro to Sophos support? When they are installed at the same time, key encryption does not work in a secure browser. I checked this twice in fresh VMs with Windows 10 20h2 and 21H1
Hitman and Trend.JPG


P.S. Okay, I won't be lazy :) I tried to write to them by email and made an account on wilderssecurity, but there i need the permission of the moderator for the post. =(
 
Last edited:

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.13 Build 903 Release Candidate

Changelog (compared to build 901)

  • Fixed the Software Radar that could cause it to not notice a just installed web browser, or adding it to the wrong mitigation template. This issue caused our new CookieGuard protection to generate false alarms.
  • Fixed an issue in the CryptoGuard anti-ransomware engine that could cause a BSOD on Windows 10 Insider Build 21390.
  • Improved support for Windows on ARM. We noticed that since build 895 we always shipped the ARM64 driver of that release. This has been corrected.
  • Improved Stack Pivot exploit mitigation to support adjacent stack range in certain situations.
  • Improved detection of Chromium-based web browser for CookieGuard.
  • Added checkbox to our new system-wide syscall mitigation. You can find in in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).
  • Added Thumbprint generation for remote-debugging-port CookieGuard detection.
Download
https://dl.surfright.nl/hmpalert3b903.exe

Please let us know how this version runs on your machine. Thanks!!!
:thumb:
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.13 Build 903 is now released:
Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP (Latest release supported is 891). This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to manually update now, use this link: https://dl.surfright.nl/hmpalert3b903.exe
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.14 Build 907 Release Candidate:
Changelog (compared to build 903):
  • Fixed a crash that could occur in Microsoft Office 365
  • Temporarily removed the system-level Syscall mitigation due to compatibility issues with some third-party security software. This new mitigation will return in an upcoming release.
Download
https://dl.surfright.nl/hmpalert3b907.exe

Please let us know how this version runs on your machine
:thumb:
(y)

Bonus: In case you want to see how our unique technologies worked against the REvil ransomware attack via Kaseya's VSA, I made a 7 minute video explaining our Heap Heap Protect (Dynamic Shellcode) and CryptoGuard. HitmanPro.Alert is at the core of Sophos Intercept X. You can watch it here:

 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.15 Build 911 Release Candidate
Changelog (compared tot build 907)
  • Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
  • Added extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
  • Fixed compatibility of Enforce DEP with Norton Security
  • Fixed small memory leak that occurred when switching CryptoGuard modes
  • Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
  • Improved CookieGuard, fixed some small issues
Download
https://dl.surfright.nl/hmpalert3b911.exe

Please let us know how this version runs on your machine
:thumb:
(y)
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.17 Build 915
Changelog (compared tot build 907):
Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
Added Extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
Fixed Compatibility of Enforce DEP with Norton Security
Fixed Small memory leak that occurred when switching CryptoGuard modes
Fixed Compatibility with Windows CET (Shadow Stack)
Fixed Benefits Info button now lands on the correct page
Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
Improved CookieGuard, fixed some small issues
Improved Compatibility with Visual Studio triggering alerts

Changed Re-enabled global Syscall mitigation. You can find in in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).

Download
https://dl.surfright.nl/hmpalert3b915.exe

We'll be auto-updating 911 users, and a subset of stable users also today.
Please let us know how this version runs on your machine
:thumb:
(y)
 

Kees1958

Level 4
Verified
Sep 5, 2021
177
967
Mark Loman is still working as Director of Engineering for Next-gen (signature-less security) at Sophos. Erik Loman stopped in 2020 as CTO HitmanPro responsible for integrating HMP into Sophos Intercept X.

I always thought that HMPAlert acted as the beta-test playing field on security forums, but HMP still exists as a separate product (which is remarkeable six years after the take over by Sophos) and according to Sophos quality engineer at Wilders it still has a fair share of users.

RonnyT said:
We'll be auto-updating 911 users, and a subset of stable users also today.
Please let us know how this version runs on your machine

I guess the 911 auto update users are probably beta testers
 
Last edited:

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.18 Build 921
Changelog (compared tot build 915):
Added cmdl32.exe as LOLBin on Lockdown
Fixed Small bug in Syscall mitigation
Fixed BSOD
Improved Cookieguard
Improved Game detection
Improved LockdownLoadImage whitlisting

Download
https://dl.surfright.nl/hmpalert3b921.exe

We'll be auto-updating 915 users, and a subset of stable users also today.
Please let us know how this version runs on your machine (y)
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,242
41,359
HitmanPro.Alert 3.8.19 Build 923
Changelog (compared tot build 921):
Improved Game detection
Improved LockdownLoadImage whitlisting

Download
https://dl.surfright.nl/hmpalert3b923.exe

We'll also be auto-updating 921 and 907 users.
Please let us know how this version runs on your machine (y)
 
Top