Advice Request HMPA and "assisted by hardware"

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I sent HMPA an email titled: hardware assisted exploit protection

I asked them:
Is it recommended to enable intel virtualization support, in the BIOS settings, or that doesn't matter?

They answered:
Lisa - HitmanPro Support (Support)

Mar 8, 10:02 CET

Good day,

Thank you for contacting us.

That doesn't matter.
They are not related at this point.

Please let me know when you have any further questions.

Best regards,

Lisa
HitmanPro Support
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Hardware-based protection is only for Control-Flow Integrity and IAT Filtering mitigations. It's supposed to be superior than software-based mitigations. It's claimed that some Intel chips (especially the Core series (i3, i5, i7)) have additional monitoring capability, that is, it can detect exploitation even when the exploit uses evasion techniques. And this capability is used by HitmanPro.Alert. :)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Hardware-based protection is only for Control-Flow Integrity and IAT Filtering mitigations. It's supposed to be superior than software-based mitigations. It's claimed that some Intel chips (especially the Core series (i3, i5, i7)) have additional monitoring capability, that is, it can detect exploitation even when the exploit uses evasion techniques. And this capability is used by HitmanPro.Alert. :)
Do you know which Sky Lake/Kaby Lake Core i3/i5/i7 CPUs are supported by HMPA? Is there any list available on HMPA's website?

One thing I know.....HMPA slows my system down slightly.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Do you know which Sky Lake/Kaby Lake Core i3/i5/i7 CPUs are supported by HMPA? Is there any list available on HMPA's website?

One thing I know.....HMPA slows my system down slightly.
I think all of them are supported. I need to check first.

Edit: Yep, I think they're all supported. But I can't be totally sure. I just rely on the changelog that's posted. For example: HitmanPro.ALERT Support and Discussion Thread

Edit2: This is from Surfright-Sophos' documentation about Intercept X, HMP.A's counterpart in the business world. The exploit mitigations employed are the same.
"Branch-based ROP Mitigations (Hardware
Augmented)

ROP attacks can be achieved by leveraging an unused hardware feature in mainstream Intel® processors (from 2008 and newer) to track code execution and augment the analysis and detection of advanced exploit attacks at run time. Employing read-only hardware-traced (branch) records has a significant security benefit over software stack-based approaches. The branch information that can be retrieved from these records not only identifies the target of the branch, but also the source. So it actually shows where the change in control-flow originated from. This specific information cannot be obtained with the same level of confidence using a stack-based solution.

Branch information in the hardware-traced records cannot be manipulated; there’s no way for it to be overwritten with controlled data by an attacker. Stack-based solutions (like Microsoft EMET and Palo Alto Networks Traps) rely on stack data, which is – especially in case of a ROP attack – under control of the attacker, who in turn can mislead the defender. In contrast, the hardware-traced data examined by Sophos Intercept X is more reliable and tamper resistant.

Sophos Intercept X will automatically employ Intel MSR hardware registers when it detects an Intel® Core™ i3, i5, or i7 processor (CPU). If the endpoint does not have a supported processor, Sophos Intercept X will automatically fall-back on software-only stack-based control-flow integrity checks."
 
Last edited:
W

Wave

I sent HMPA an email titled: hardware assisted exploit protection

I asked them:
Is it recommended to enable intel virtualization support, in the BIOS settings, or that doesn't matter?

They answered:
Lisa - HitmanPro Support (Support)

Mar 8, 10:02 CET

Good day,

Thank you for contacting us.

That doesn't matter.
They are not related at this point.

Please let me know when you have any further questions.

Best regards,

Lisa
HitmanPro Support
Virtualization won't need to be enabled to use HitmanPro.Alert because Surfright do not make use of real virtualization like other vendors do such as Kaspersky and Comodo. Then again, they are not competitors of AVs anyway, and if they used virtualization then things would be very different in the product, I think it's good how it is now.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top