App Review HitManPro vs a Zero-Day Botnet

[cruelsister]

Haven't had time to do videos lately as I'm busy professionally (Just when I thought I was out, they pull me back in! Know what I mean, Comrade E?), but please accept this quickie...

 

[XhenEd]

Great video, cruelsister!

I guess HitmanPro.Alert would detect the botnet because of the mitigation against process hollowing, but not the scanner.

 

[Peter2150]

Great video, cruelsister!

I guess HitmanPro.Alert would detect the botnet because of the mitigation against process hollowing, but not the scanner.

It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.

 

[ForgottenSeer 55474]

Super video,thanks for sharing

 

[cutting_edgetech]

It would have been much more interesting if it would have been tested with HMPA instead of HMP.

 

[_CyberGhosT_]

It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.

Can we see this ? I agree

 

[Windows_Security]

Mwahh somewhere in between the point of view of Peter2150 and Cruel Sister.

HitmanPro was launched as an heuristics/forensics scanner using cloud blacklist data base. Svchost connects out all the time. So HitmanPro is simply not designed to catch a botnet using the credentials of a legit application, when this application (svchost) behaves like a botnet itself.So I am with Peter2150 on this video: it shows me that water is wet.

When you look at the Sophos website for HitmanPro it is the has emerged from heuristics/forensics to "advanced behavioral technology with deep scanning to find and eliminate zero-day, next-gen malware that has avoided detection." Using this marketing claim HitmanPro should detect the detection avoiding trick using the credentials of a legitimate process. So I am with Cruel Sister on this video: it shows me that the Sophos take over of Surfright injected a lot of hot air into HitmanPro's capabilites.

So for me a draw: what is your take on this?

 

[SHvFl]

A test it's a test and HMP failed. Now if their premium program which is HMPA would have stopped it that is another story. Personally i consider HMP almost useless and HMPA a premium program but buggy at times.

 

[Windows_Security]

A test is a test, but the intended use should be in the scope of the test.

A quarter mile drag test between 450 HP Chevrolet Camaro SS and 450 HP John Deer Scraper Tractor will have a certain outcome, contrary a two ton pull test between the same two contenders will have completely different outcome.

 

[Peter2150]

I ignore marketing hype. Hitman Pro can be accessed from alert and to me it is nothing more then a Secondary scanner. The latest beta of HMPA also now detects malware on the fly, and it is pretty good against it. That is what should be tested, beta verson 712.

Note it now has protection against credential theft, but that should be off if you use imaging programs live. It will cause them to fail.

 

[Windows Defender Shill]

QED, the language of mathematics and by extension purity.

Never change CS, never change.

 

[simmerskool]

It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.

I have used hmp.a but always seem to develop a hiccup, and uninstall it. So CS showed that hmp does not detect hallowed process, you suggest hmp.a would block in real time, ok, I believe you, but what other security apps are excellent at blocking or detecting hallowed processes?

 

[simmerskool]

A test it's a test and HMP failed. Now if their premium program which is HMPA would have stopped it that is another story. Personally i consider HMP almost useless and HMPA a premium program but buggy at times.

hmp.a buggy for me too. what security app blocks or detects this type of threat?

 

[cruelsister]

Hi Guys! A number of things should be explained:

1). Zemana AM is excellent at detecting hollowed processes, even when used as a second opinion scanner (also really good against Worms, whereas both MB and HMP are most certainly not).
2). I did not state it (not that it was needed), but in the video WF was active. But as WF has no intrinsic Outbound protection the malware blew right past it. A simple solution would have been just to have some Outbound protection in place like WFC or Tinywall. A Botnet, Keylogger, or info stealer that is prevented from connecting out is really nothing more than a piece of junk waiting for the AV to catch up to it and delete it.

That being said, I used HMP and not HMP.A for a couple of reasons- the first reason is a common theme of mine- that running a 2nd opinion scanner, getting a clean result and thus assuming that the system is without infection may not be correct. The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean). As it is not released in the Wild there is no way that I would allow it to be uploaded into any Cloud by anyone (my mama didn't make no stupid children). Also running it against traditional protection as it is an actual zero-day would be like beating a puppy.

 

[Windows_Security]

@cruelsister

Mhh, you reply feeds further speculation. Since I can't find a video of MB failing this botnet Sample (or ZAM blocking/finding this same sample), There must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to bot nets. A pity you don't mention "man and horse" as we say in Dutch.

 

[Azure]

@cruelsister

Mhh, you reply feeds further speculation. Since I can't find a video of MB failing this botnet Sample (or ZAM blocking/finding this same sample), There must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to bot nets. A pity you don't mention "man and horse" as we say in Dutch.

Well, CS mentioned both Malwarebytes and HMP aren't that good at detecting worms. You can see her worm video series for that. I don't recall Malwarebytes being tested against this botnet (not yet).

 

[cutting_edgetech]

The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean).

Unless SOPHOS also supported this claim then it's like bashing a product based on the ignorance of someone that has nothing to do with the product. Did any of the people making these claims work for SOPHOS? People will watch your video, and think HMP failed the test, when in fact it was the wrong product to test.

You mentioned Zemana AM being good at detecting process hollowing when used as a second opinion scanner, but you point out that HMP is not. Well, HMPA is the equivalent option to Zemana AM, and not HMP. What are the test results when using HMPA against process hollowing? Just because HMPA detects process hollowing in a different way does not mean it should fail the test.

EDITED 8/22/17 @ 2:59:
I think the best solution is to test your sample against HMP, and HMPA. Then you can prove those wrong that made the claim that HMP will detect this type of threat, while also being fair to SOPHOS since HMPA is the product designed to protect against this threat.

 

[Peter2150]

HMPA does indeed detect Process Hollowing. I've seen it with HMPA

 

[Anker_by]

Excellent video, I'm pretty sure Zemana AM could be detect this.