HitmanPro.Alert Updates

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Changelog (compared to build 893):
  • Fixed a rare crash in BackgroundTaskHost.exe caused by our new CookieGuard mitigation (part of Credential Theft Protection)
  • Added support for more Chromium based web browsers to CookieGuard, including Brave, Opera, Vivaldi, Comodo Dragon, Edge Canary, Beta and Dev channel.
  • Improved compatibility with games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
Download:
https://dl.surfright.nl/hmpalert3b897.exe

Please let us know how this version runs on your machine. Thanks
:thumb:
(y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
a note on 897, should your browser throw a CookieGuard alert at startup it's probably on the wrong protection profile.
  • Check Exploit Mitigations to see if it's under something else then Browsers, and if so click and 'Remove mitigations'
  • Disable Credential Theft Protection
  • Start browser
  • Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers"
  • Enable Credential Theft Protection
  • Done
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.12 Build 899 Release Candidate
Changelog (compared to build 897)
  • Fixed another crash that could occur in BackgroundTaskHost caused by CookieGuard
  • Improved compatibility of Hollow Process mitigation with Rockstar games
Download
https://dl.surfright.nl/hmpalert3b899.exe

Let us know if how this version runs on your machine. Thanks (y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.12 Build 899 Released
Changelog (compared to build 891):
  • Added New Cobalt Strike single-stage mitigation. When Cobalt Strike Beacon temporary de-cloakes in memory to retrieve new commands from the adversary, HitmanPro.Alert will hold and inspect the decrypted memory area for the presence of Beacon.
    Note: In a normal multi-stage scenario, Cobalt Strike Beacon is already proactively blocked by our patented HeapHeapProtect mitigation. This new Cobalt Strike mitigation now also thwarts the single-stage scenario. And upon detection of Beacon it also extracts and reports the full Cobalt Strike C2 profile configuration from memory.
  • Added DNS stager detection, when – for example – Cobalt Strike Beacon communicates over DNS with command-and-control (C2).
  • Added SysCall mitigation to every process so it now also blocks the Heaven’s Gate defense evasion technique in malware. The Heaven's Gate technique allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment.
  • Added CookieGuard mitigation. It protects (MFA) session cookies and passwords stored in popular Chromium based web browsers, like Google Chrome and Microsoft Edge on Chromium.
  • Added an extra message box when an update is pending, and the user clicks on the associated flyout. The message informs the user that the machine must be restarted before the update is actually applied.
  • Fixed stack pivot exploit mitigation so it no longer triggers incorrectly on Internet Explorer loading a digital rights management (DRM) related library for streaming DRM protected content.
  • Fixed APC Violation mitigation so it now correctly identifies process injection from VMware.
  • Fixed Code Cave mitigation so it now plays nice with DRM code from gaming company Electronic Arts (EA).
  • Fixed Kernel32Trap mitigation so it no longer causes issues with certain code compiled with Visual Studio.
  • Improved CryptoGuard 5 anti-ransomware engine. For example, the note spray evaluator is more tolerant when installers drop the same text file across many folders.
  • Improved threat termination. It's now even more robust, especially when the threat runs with high privileges outside of user session(s).
  • Improved compatibility with certain games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP. This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b899.exe
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Hi all,

Should you find your browser terminated by Alert -> Technical details -> CookieGuard please follow the steps below to solve this (browser is on the wrong protection profile).

1) Open HitmanPro.Alert
2) Set interface to advanced via gear icon top right
3) Check Exploit Mitigations to see if the browser is under an other protection profile then Browsers, and if so click on it and then select 'Remove mitigations'
4) Now navigate to the orange button -> Credential Theft Protection and set to disable
5) Start affected browser
6) Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers" next close this window with (x)
7) Go back to the orange button -> Credential Theft Protection and set to enable
:cool:
Done
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.13 Build 901 Released:
Changelog (compared to build 899):
  • Fixed more compatibility issues between process hollowing and certain games.
  • Fixed an issue with three CryptoGuard 5 Thumbprints that were not working in the previous build.
  • Fixed a potential security issue where specifically crafted malware on the machine could craft and manipulate a file structure to elevate privileges.
  • Improved compatibility of CookieGuard with browsers that are attached to the Office mitigation profile.
  • Temporarily disabled the fix that detects Cobalt Strike delivery over SMB. The fix appears to be incompatible with many game launchers that actually perform main thread hijacking.
  • Temporarily disabled system-wide Syscall mitigation as certain third-party security products, like Cylance, actually attempt to bypass API calls by directly jumping to kernel functions via a syscall.
  • Temporarily set CookieGuard's Remote Debugger Port detection to silent as it causes issues with some web developer machines.
We'll first upgrade 899 users, as they where affected by the above issues, if that is looking good we'll enable the automatic update for all users of HitmanPro.Alert.

Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP.
This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.
If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b901.exe
 

CyberDevil

Level 6
Verified
Well-known
Apr 4, 2021
252
Perhaps someone can report a compatibility issue with HitmanPro. Alert and Trend Micro to Sophos support? When they are installed at the same time, key encryption does not work in a secure browser. I checked this twice in fresh VMs with Windows 10 20h2 and 21H1
Hitman and Trend.JPG


P.S. Okay, I won't be lazy :) I tried to write to them by email and made an account on wilderssecurity, but there i need the permission of the moderator for the post. =(
 
Last edited:

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.13 Build 903 Release Candidate

Changelog (compared to build 901)

  • Fixed the Software Radar that could cause it to not notice a just installed web browser, or adding it to the wrong mitigation template. This issue caused our new CookieGuard protection to generate false alarms.
  • Fixed an issue in the CryptoGuard anti-ransomware engine that could cause a BSOD on Windows 10 Insider Build 21390.
  • Improved support for Windows on ARM. We noticed that since build 895 we always shipped the ARM64 driver of that release. This has been corrected.
  • Improved Stack Pivot exploit mitigation to support adjacent stack range in certain situations.
  • Improved detection of Chromium-based web browser for CookieGuard.
  • Added checkbox to our new system-wide syscall mitigation. You can find in in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).
  • Added Thumbprint generation for remote-debugging-port CookieGuard detection.
Download
https://dl.surfright.nl/hmpalert3b903.exe

Please let us know how this version runs on your machine. Thanks!!!
:thumb:
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.13 Build 903 is now released:
Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP (Latest release supported is 891). This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to manually update now, use this link: https://dl.surfright.nl/hmpalert3b903.exe
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.14 Build 907 Release Candidate:
Changelog (compared to build 903):
  • Fixed a crash that could occur in Microsoft Office 365
  • Temporarily removed the system-level Syscall mitigation due to compatibility issues with some third-party security software. This new mitigation will return in an upcoming release.
Download
https://dl.surfright.nl/hmpalert3b907.exe

Please let us know how this version runs on your machine
:thumb:
(y)

Bonus: In case you want to see how our unique technologies worked against the REvil ransomware attack via Kaseya's VSA, I made a 7 minute video explaining our Heap Heap Protect (Dynamic Shellcode) and CryptoGuard. HitmanPro.Alert is at the core of Sophos Intercept X. You can watch it here:


 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.15 Build 911 Release Candidate
Changelog (compared tot build 907)
  • Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
  • Added extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
  • Fixed compatibility of Enforce DEP with Norton Security
  • Fixed small memory leak that occurred when switching CryptoGuard modes
  • Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
  • Improved CookieGuard, fixed some small issues
Download
https://dl.surfright.nl/hmpalert3b911.exe

Please let us know how this version runs on your machine
:thumb:
(y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.17 Build 915
Changelog (compared tot build 907):
Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
Added Extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
Fixed Compatibility of Enforce DEP with Norton Security
Fixed Small memory leak that occurred when switching CryptoGuard modes
Fixed Compatibility with Windows CET (Shadow Stack)
Fixed Benefits Info button now lands on the correct page
Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
Improved CookieGuard, fixed some small issues
Improved Compatibility with Visual Studio triggering alerts

Changed Re-enabled global Syscall mitigation. You can find in in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).

Download
https://dl.surfright.nl/hmpalert3b915.exe

We'll be auto-updating 911 users, and a subset of stable users also today.
Please let us know how this version runs on your machine
:thumb:
(y)
 
F

ForgottenSeer 92963

Mark Loman is still working as Director of Engineering for Next-gen (signature-less security) at Sophos. Erik Loman stopped in 2020 as CTO HitmanPro responsible for integrating HMP into Sophos Intercept X.

I always thought that HMPAlert acted as the beta-test playing field on security forums, but HMP still exists as a separate product (which is remarkeable six years after the take over by Sophos) and according to Sophos quality engineer at Wilders it still has a fair share of users.

RonnyT said:
We'll be auto-updating 911 users, and a subset of stable users also today.
Please let us know how this version runs on your machine

I guess the 911 auto update users are probably beta testers
 
Last edited by a moderator:

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.18 Build 921
Changelog (compared tot build 915):
Added cmdl32.exe as LOLBin on Lockdown
Fixed Small bug in Syscall mitigation
Fixed BSOD
Improved Cookieguard
Improved Game detection
Improved LockdownLoadImage whitlisting

Download
https://dl.surfright.nl/hmpalert3b921.exe

We'll be auto-updating 915 users, and a subset of stable users also today.
Please let us know how this version runs on your machine (y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.19 Build 923
Changelog (compared tot build 921):
Improved Game detection
Improved LockdownLoadImage whitlisting

Download
https://dl.surfright.nl/hmpalert3b923.exe

We'll also be auto-updating 921 and 907 users.
Please let us know how this version runs on your machine (y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.20 Build 935 Release Candidate
Changelog (compared to build 923)
  • Added SendKeyGuard mitigation (part of Lockdown) to block macro-borne keystroke injection.
  • Added system-wide protection against defense evasion technique via direct system calls, or SysCall, on 64-bit applications
  • Added protection against cloning of LSASS process to Credential Theft Protection
  • Added new mitigation that block code injection via remote thread creation; RemoteThreadGuard. Currently in testing.
  • Added support for ReFS file system to CryptoGuard
  • Added NOTEPAD.EXE to Office template
  • Added GPT partition support to WipeGuard
  • Added NVMe support to WipeGuard
  • Added MITRE ATT&CK references to the CookieGuard, SysCall and RemoteThreadGuard mitigations
  • Added alerting to our protection of sticky key abuse (and other accessibility features)
  • Added EA Digital Illusions CE AB to game detection
  • Improved protection against direct system calls, or SysCall, on 32-bit applications
  • Improved handling of certificates on code-signed applications
  • Improved CookieGuard alert with information about the application certificate, if any, in the alert
  • Improved WipeGuard to protection the Volume Boot Record of all mounted partitions. Previously, only the boot partition was protected.
  • Improved WipeGuard to terminate the offending process. Previously, the offending action was only blocked.
  • Improved HollowProcess to protect against PEB manipulation in a remote process where PEB is writable
  • Improved Lockdown mitigation to isolate modules (DLLs) dropped in attacks via Office documents.
  • Improved the per app mitigation settings in the user interface. It now has room for extra checkboxes.
  • Change reboot fly-out reminder interval from 1h to 8h
  • Changed Dynamic Heap Spray detection; it is now disabled on 64-bit applications
  • Changed text for Benefits button to Help center
  • Changed Sophos Privacy Notice and Terms of Service
  • Fixed displaying icons of UWP applications
  • Fixed several user interface inconsistencies
  • Fixed false alarm by APCViolation on Avast 'aswhook' DLL
  • Fixed false alarm by CookieGuard if application starts from a RAM-drive
  • Fixed false alarm by HollowProcess on Visual Studio
  • Fixed issue with Lockdown inheritance when parent process is OpenWith.exe
  • Fixed issue when a user tries to install HitmanPro.Alert on machine where Sophos Home Premium is already installed
  • Fixed tray icon burning CPU cycles after install
  • Fixed unexpected removal of Forza Horizon 5 under UWP exclusions
  • Several other changes under the hood
Download
https://dl.surfright.nl/hmpalert3b935.exe

Please let us know how this build runs on your machine (y)
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.20 Build 937 Release Candidate 2
Changelog (compared to build 935)
  • Fixed crash in Spyware blaster caused by RemoteThreadGuard
  • Fixed crash in VirtualBox caused by Syscall64
  • Some small changes under the hood
Download
https://dl.surfright.nl/hmpalert3b937.exe

Please let us know how this build runs on your machine
:thumb:
(y)
*Beware some sites are leeching this build and posting it on their downloads pages as Stable release, so no 923 is still the Stable.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.20 Build 939 Release Candidate 3
Changelog (compared to build 937)
  • Fixed crash in VirtualBox caused by Syscall on Win11
  • Improved Syscall on certain applications e.g. WhatsApp / Mullvad VPN / Torbrowser
  • Improved RemoteThreadGuard
Download
https://dl.surfright.nl/hmpalert3b939.exe
*Auto-update enabled for 935 and higher.

Please let us know how this build runs on your machine
:thumb:
(y)
*Beware some sites are leeching this build and posting it on their downloads pages as Stable release, so no 923 is still the Stable.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
HitmanPro.Alert 3.8.21 Build 941 Release Candidate
Changelog (compared to 939)
  • Updated third-party libraries SQLite, ZLib, diStorm, json11, Lzma and Botan
  • Improved HeapHeapProtect to overrule a Thumbprint when a backdoor stager is detected
  • Improved CookieGuard so it now adds certificate validation information into the alert details
  • Improved SysCall mitigation with additional Thumbprints
  • Improved SysCall mitigation so it can a handle misaligned stack
  • Improved SysCall alert which now includes the full path of the object from which the syscall originated
  • Fixed a compatibility issue between our anti-ransomware CryptoGuard 5 and Artisan scrapping book software from Forever Storage
  • Fixed a BSOD occurring in WipeGuard when terminating an offending process
  • Fixed a false positive on BitLocker in our WipeGuard boot sector protection
Download
https://dl.surfright.nl/hmpalert3b941.exe

Please let us know how this version runs on your machine, thanks!
:thumb:
(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top