I asked this question sometime ago. The reply was "Early Warning Score (EWS) is one of the advantages of HMP."
HitmanPro does not require antivirus engines or virus signatures to catch threats. Our product is technically very different compared to other solutions in the antivirus and antimalware industry.
At the core HitmanPro is based on a forensic behavioral scan and does not work with virus signatures. Actually, this means that HitmanPro does not look for verified malware at all. That may be a shocker but it makes perfect sense. We designed HitmanPro as a second opinion solution, to kill threats that your antivirus missed. In order to be able to do that it has to be fundamentally different, and as a result HitmanPro can also catch malware that no one knows about yet and where antivirus solutions have no signature for (the zero-day or early-life threats). Since most antivirus solutions rely on signatures (incl. most heuristic signatures), they are always lagging behind attackers. Antivirus solutions do not target what they haven’t seen before – they are in a cat-and-mouse game and this is a fundamental difference compared to HitmanPro.
With its forensics based core, HitmanPro basically works like a crime scene investigator or incident responder. It analyzes the programs on your computer and looks for unethical behaviors – including the behaviors that happened back in time, in the past when HitmanPro was not even on the computer. It tries to get answers to many questions, like (not a complete list):
When you ponder this list, you can understand that you should not run HitmanPro in safe mode, as it affects the ‘mining’ of behaviors; in safe mode, malware may not be active which affects the results. You could say that the more tricks malware has or tries to hide, the sooner it will be picked up. And HitmanPro can show you this data. Just double click on a detected item and you will get a list of some of the evidence it found, including registry and process objects, forensic cluster and a threat severity score. A knowledgeable person can also use this information to determine if a program belongs on the computer or not. Some examples:
- Is it a known legitimate and trusted program?
- When did it enter your system (date, time)?
- How did it enter your system?
- Did the program came from the internet? What address?
- Did the program came automatically on the computer at the same time the user was browsing the web (e.g. drive-by exploit attack)
- Can the user uninstall the program using the regular steps?
- Does it try to survive on your system?
- How does it run automatically when you start the computer? (there are many ways and tricks to look for)
- Is the program encrypted, perhaps to evade security researchers?
- Does it show version information and origin data?
- Is it signed with a crafted certificate to thwart antivirus solutions?
- What is it currently doing (is it active)?
- Does its process reveal where or if it’s on the disk?
- Is it communicating or listening for inbound connections?
- Can the user interact with the program (does it e.g. have a window with controls)?
- Is the program visible for the user, Windows processes and antivirus software?
- What other things happened at the same time when the program came on the computer?
- What is its relation to other programs and their behaviors?
- https://hitmanpro.wordpress.com/2013/02/21/nbc-com-hacked-serving-up-citadel-malware/
- https://hitmanpro.wordpress.com/2014/01/05/malware-served-via-yahoo-affected-millions/
HitmanPro also has several unique cloud components:
Crusader
- Our CAMHB technology (Cloud-Assisted Miniport Hook Bypass) provides new communication addresses for HitmanPro, so it can communicate directly with the lowest hard disk driver on your computer. This comes in handy when a rootkit is manipulating the Windows device stack to prevent the user and antivirus software from accessing the sectors where the malware lives. HitmanPro can compare the data on the raw sectors with information it gets back from the Windows API’s. HitmanPro has its own Direct Disk Access module, which also contains e.g. a NTFS disk parser, so it does not have to rely on functions offered by the system (which are often manipulated).
- Our Prestine cloud service returns safe clean versions of infected system files, when HitmanPro was unable to find a safe clean version locally. Because instead of trying to remove an infection, HitmanPro replaces it with a non-infected version downloaded from our server. Because attackers have unlimited ways to infect files, it is impossible to create a disinfection solution for each virus type. So HitmanPro does not need to know how a virus works in order to recover you from it.
- Our Gossip cloud service helps HitmanPro to target e.g. fake antivirus software. These types of malware (Fake AV) behave like legitimate software. These infections are often discussed on security forums way before antivirus solutions have a signature for them. Our Gossip technology leverages search engines to ‘hear’ what people are talking about in security forums.
- Our Excalibur remnant cloud service offers users with clean-up detections for cases where e.g. your antivirus software (only) removed the malicious program at an earlier point in time. Since the forensic scan relies on this malicious program to come up with evidence and a thorough removal recipe, the remnant scan offers a way to remove the remaining objects that the antivirus solution was not aware of. This technology is also particularly effective against potentially unwanted programs (PUPs) as well.
- Our Strider third opinion cloud service offers signature-based knowledge of threats that HitmanPro found on your computer and found before on other people’s computers. This can be helpful so users can know what kind of threat their computers were infected with. This also helps in case HitmanPro could not find enough evidence to flag a file as malware. This is apparently the service some people judge our solution for – the detection by Kaspersky and Bitdefender, which are our trusted signature partners.
After HitmanPro created the list of objects to attack, it engages its Crusader removal engine. This is another technology of ours that works with the evidence gathered during the forensic behavioral scan and, when needed, will also involve our CAMHB and Prestine technologies. Because depending on this information it takes different steps to ensure proper removal of the threats. It also deploys locks on the malicious objects so the active malware cannot re-infect the system during the removal process.
More is not better
I’d like to point out that introducing more engines does not simply improve malware detection or removal. It also increases the likelihood of false positives on legitimate programs. Since we do not use any Kaspersky and Bitdefender code in our client software, we do not benefit or inherit issues either.
Judging HitmanPro on the amount of engines sounds great, but Kaspersky and Bitdefender are not the ‘engines’ you should be talking about. E.g. if a sector or file is actively camouflaged by malware, it does not matter how many engines you have. You need the technology to be able to read the data in the first place. And removing malware is a totally different game. Doing it wrong can wreck a computer, making problems worse than the malware infection. Threat removal also has little to do with how many ‘engines’ a product has. These are some nice examples:
