App Review HitManPro vs a Zero-Day Botnet


Peter2150

Level 7
Verified
Oct 24, 2015
280
Great video, cruelsister! :)

I guess HitmanPro.Alert would detect the botnet because of the mitigation against process hollowing, but not the scanner. :)


It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Mwahh somewhere in between the point of view of Peter2150 and Cruel Sister.

HitmanPro was launched as a heuristics/forensics scanner using a cloud blacklist database. Svchost connects out all the time. So HitmanPro is simply not designed to catch a botnet using the credentials of a legit application, when this application (svchost) behaves like a botnet itself. So I am with Peter2150 on this video: it shows me that water is wet.

When you look at the Sophos website for HitmanPro, it has emerged from heuristics/forensics to "advanced behavioral technology with deep scanning to find and eliminate zero-day, next-gen malware that has avoided detection." Using this marketing claim, HitmanPro should detect the detection-avoiding trick using the credentials of a legitimate process. So I am with Cruel Sister on this video: it shows me that the Sophos takeover of Surfright injected a lot of hot air into HitmanPro's capabilities.

So for me a draw: what is your take on this?
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
A test is a test, but the intended use should be in the scope of the test.

A quarter-mile drag test between a 450 HP Chevrolet Camaro SS and a 450 HP John Deere Scraper Tractor will have a certain outcome; on the contrary, a two-ton pull test between the same two contenders will have a completely different outcome.
 

Peter2150

Level 7
Verified
Oct 24, 2015
280
I ignore marketing hype. Hitman Pro can be accessed from Alert and to me it is nothing more than a secondary scanner. The latest beta of HMPA also now detects malware on the fly, and it is pretty good against it. That is what should be tested, beta version 712.

Note it now has protection against credential theft, but that should be off if you use imaging programs live. It will cause them to fail.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.

I have used hmp.a but always seem to develop a hiccup, and uninstall it. So CS showed that hmp does not detect hollowed processes; you suggest hmp.a would block in real time, ok, I believe you, but what other security apps are excellent at blocking or detecting hollowed processes?
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Hi Guys! A number of things should be explained:

1). Zemana AM is excellent at detecting hollowed processes, even when used as a second opinion scanner (also really good against Worms, whereas both MB and HMP are most certainly not).
2). I did not state it (not that it was needed), but in the video WF was active. But as WF has no intrinsic Outbound protection the malware blew right past it. A simple solution would have been just to have some Outbound protection in place like WFC or Tinywall. A Botnet, Keylogger, or info stealer that is prevented from connecting out is really nothing more than a piece of junk waiting for the AV to catch up to it and delete it.

That being said, I used HMP and not HMP.A for a couple of reasons- the first reason is a common theme of mine- that running a 2nd opinion scanner, getting a clean result and thus assuming that the system is without infection may not be correct. The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean). As it is not released in the Wild there is no way that I would allow it to be uploaded into any Cloud by anyone (my mama didn't make no stupid children). Also running it against traditional protection as it is an actual zero-day would be like beating a puppy.
 
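An added example, not code from the thread or from any of the products it discusses, of the kind of behavioural check the posters contrast with a blacklist scan: it flags a hollowed svchost from process lineage and memory shape, and treats outbound connections as evidence only once another indicator is present. The field names and the process snapshot are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Field names are assumptions modelling what a behavioural engine or EDR
# records per process; the snapshot at the bottom is constructed, not captured.
EXPECTED_PARENT = "services.exe"
SVCHOST_PATH = r"c:\windows\system32\svchost.exe"

@dataclass
class ProcSnapshot:
    pid: int
    image_path: str
    parent_name: str
    command_line: str
    # True while memory at the image base is still mapped from the file on disk
    # (MEM_IMAGE); hollowing unmaps or overwrites it with private memory.
    main_module_image_backed: bool
    remote_connections: List[str] = field(default_factory=list)

def hollowing_indicators(p: ProcSnapshot) -> List[str]:
    """Reasons this process looks hollowed; empty means no indicator.
    Lineage and memory shape are checked, never a hash of the payload, which
    is why a blacklist scanner can miss a zero-day that these checks catch."""
    reasons = []
    if p.image_path.lower() == SVCHOST_PATH:
        if p.parent_name.lower() != EXPECTED_PARENT:
            reasons.append(f"parent is {p.parent_name}, expected services.exe")
        if " -k " not in p.command_line.lower():
            reasons.append("started without a -k service group")
    if not p.main_module_image_backed:
        reasons.append("image base not backed by the file on disk")
    # svchost talks out all the time, so outbound traffic only counts as
    # evidence once another indicator is already present.
    if reasons and p.remote_connections:
        reasons.append("connects out to " + ", ".join(p.remote_connections))
    return reasons

def triage(snapshot: List[ProcSnapshot]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process that has at least one."""
    return {p.pid: r for p in snapshot if (r := hollowing_indicators(p))}

# Constructed snapshot: one healthy svchost and one hollowed copy of it.
SAMPLE = [
    ProcSnapshot(1084, r"C:\Windows\System32\svchost.exe", "services.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p", True,
                 ["203.0.113.10:443"]),
    ProcSnapshot(5120, r"C:\Windows\System32\svchost.exe", "explorer.exe",
                 r"C:\Windows\System32\svchost.exe", False,
                 ["203.0.113.77:8080"]),
]
```

Running `triage(SAMPLE)` reports only pid 5120, with four indicators; the healthy instance that also connects out is left alone, which is the distinction a pure cloud-blacklist scan cannot make.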

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@cruelsister

Mhh, your reply feeds further speculation. Since I can't find a video of MB failing this botnet sample (or ZAM blocking/finding this same sample), there must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to botnets. A pity you don't mention "man and horse" as we say in Dutch.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
@cruelsister

Mhh, your reply feeds further speculation. Since I can't find a video of MB failing this botnet sample (or ZAM blocking/finding this same sample), there must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to botnets. A pity you don't mention "man and horse" as we say in Dutch.
Well, CS mentioned both Malwarebytes and HMP aren't that good at detecting worms. You can see her worm video series for that. I don't recall Malwarebytes being tested against this botnet (not yet).
 

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean).
Unless SOPHOS also supported this claim then it's like bashing a product based on the ignorance of someone that has nothing to do with the product. Did any of the people making these claims work for SOPHOS? People will watch your video, and think HMP failed the test, when in fact it was the wrong product to test.

You mentioned Zemana AM being good at detecting process hollowing when used as a second opinion scanner, but you point out that HMP is not. Well, HMPA is the equivalent option to Zemana AM, and not HMP. What are the test results when using HMPA against process hollowing? Just because HMPA detects process hollowing in a different way does not mean it should fail the test.

EDITED 8/22/17 @ 2:59:
I think the best solution is to test your sample against HMP, and HMPA. Then you can prove those wrong that made the claim that HMP will detect this type of threat, while also being fair to SOPHOS since HMPA is the product designed to protect against this threat.
 
