Advice Request HMPA and "assisted by hardware"

shmu26

I sent HMPA an email titled: hardware assisted exploit protection

I asked them:
Is it recommended to enable Intel virtualization support in the BIOS settings, or does that not matter?

They answered:
Lisa - HitmanPro Support (Support)

Mar 8, 10:02 CET

Good day,

Thank you for contacting us.

That doesn't matter.
They are not related at this point.

Please let me know when you have any further questions.

Best regards,

Lisa
HitmanPro Support
 

XhenEd

Hardware-based protection is only for Control-Flow Integrity and IAT Filtering mitigations. It's supposed to be superior to software-based mitigations. It's claimed that some Intel chips (especially the Core series (i3, i5, i7)) have additional monitoring capability, that is, they can detect exploitation even when the exploit uses evasion techniques. And this capability is used by HitmanPro.Alert. :)
 

HarborFront

Do you know which Skylake/Kaby Lake Core i3/i5/i7 CPUs are supported by HMPA? Is there any list available on HMPA's website?

One thing I know... HMPA slows my system down slightly.
 

XhenEd

I think all of them are supported. I need to check first.

Edit: Yep, I think they're all supported. But I can't be totally sure. I just rely on the changelog that's posted. For example: HitmanPro.ALERT Support and Discussion Thread

Edit2: This is from Surfright-Sophos' documentation about Intercept X, HMP.A's counterpart in the business world. The exploit mitigations employed are the same.
"Branch-based ROP Mitigations (Hardware Augmented)

ROP attacks can be achieved by leveraging an unused hardware feature in mainstream Intel® processors (from 2008 and newer) to track code execution and augment the analysis and detection of advanced exploit attacks at run time. Employing read-only hardware-traced (branch) records has a significant security benefit over software stack-based approaches. The branch information that can be retrieved from these records not only identifies the target of the branch, but also the source. So it actually shows where the change in control-flow originated from. This specific information cannot be obtained with the same level of confidence using a stack-based solution.

Branch information in the hardware-traced records cannot be manipulated; there’s no way for it to be overwritten with controlled data by an attacker. Stack-based solutions (like Microsoft EMET and Palo Alto Networks Traps) rely on stack data, which is – especially in case of a ROP attack – under control of the attacker, who in turn can mislead the defender. In contrast, the hardware-traced data examined by Sophos Intercept X is more reliable and tamper resistant.

Sophos Intercept X will automatically employ Intel MSR hardware registers when it detects an Intel® Core™ i3, i5, or i7 processor (CPU). If the endpoint does not have a supported processor, Sophos Intercept X will automatically fall-back on software-only stack-based control-flow integrity checks."
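
As an added illustration of the documentation quoted above (not HitmanPro.Alert or Sophos code): a simplified Python model of auditing branch records that carry both source and target, with the CPU-based fallback the quote describes. The addresses, the brand-string pattern and the rule that a return must land directly after a call instruction are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BranchRecord:
    source: int  # address of the branch instruction itself
    target: int  # address execution continued at
    kind: str    # "call" or "ret"

# Constructed toy module: address of each CALL instruction -> its length.
CALL_SITES = {0x401000: 5, 0x401020: 5, 0x401050: 2}
# Assumed rule: a legitimate return lands directly after some CALL.
VALID_RETURN_TARGETS = {addr + size for addr, size in CALL_SITES.items()}

def select_backend(cpu_brand):
    """Model of the quoted fallback: hardware records on Core i3/i5/i7 only."""
    if re.search(r"Intel\(R\) Core\(TM\) i[357]-", cpu_brand):
        return "hardware-branch-records"
    return "software-stack-checks"

def audit(records):
    """Return (verdict, findings) for one window of branch records."""
    findings = [
        (rec.source, rec.target)  # the source shows where the diversion began
        for rec in records
        if rec.kind == "ret" and rec.target not in VALID_RETURN_TARGETS
    ]
    return ("block" if findings else "allow"), findings

# Constructed sample windows (not captured from real hardware).
BENIGN = [
    BranchRecord(0x401000, 0x402000, "call"),
    BranchRecord(0x402010, 0x401005, "ret"),
    BranchRecord(0x401020, 0x402100, "call"),
    BranchRecord(0x402130, 0x401025, "ret"),
]
SUSPICIOUS = [
    BranchRecord(0x401000, 0x402000, "call"),
    BranchRecord(0x402010, 0x403333, "ret"),  # lands mid-function
    BranchRecord(0x403335, 0x404444, "ret"),
]

if __name__ == "__main__":
    print(select_backend("Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz"))
    for name, window in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        verdict, findings = audit(window)
        print(name, verdict, [(hex(s), hex(t)) for s, t in findings])
```

Because each finding keeps the source address, the report names the instruction that diverted control flow, which is the property the quoted text says a stack-only view cannot provide with the same confidence.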
 

Wave

Virtualization won't need to be enabled to use HitmanPro.Alert because Surfright do not make use of real virtualization like other vendors do, such as Kaspersky and Comodo. Then again, they are not competitors of AVs anyway, and if they used virtualization then things would be very different in the product. I think it's good how it is now.
 