HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,078
    Location:
    The Netherlands
    Ronny, can you respond to this post? I think somewhere in this thread you might have answered my first question, but I'm trying to visualize it. How do infostealers even work in the first place, do they steal data from disk only, or also from memory?

    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-89#post-3173762
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Do you have other 3rd party security software installed?
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Most of them are very noisy; they scan for config files that contain plain or reversible passwords etc. Mostly, even if they have collected the data, when they hit the Cookie-Guard the process is killed before the data is zipped up and exfiltrated.
    Cookie-Guard depends on illegal access to the credential store for supported browsers; otherwise they can't decrypt the stolen contents.
     
  4. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I rebooted into this about a couple of weeks ago and have not experienced any issues.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    :thumb: thanks for the feedback.
    We're cooking up the latest fixes and perhaps a new RC today...
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.25 Build 975 (RC4)

    Changelog (compared to 971)
    • Fixed C2 interceptor crashes/blocking of application loading
    Beware: this build is signed with a new code-signing certificate by Sophos LTD. This might cause some 3rd party vendors to have "trust" issues, as it's a rather fresh certificate.

    Download
    https://dl.surfright.nl/hmpalert3b975.exe

    Please let us know how this version runs on your machine :thumb:
    We'll enable auto-update for anyone running >947

    We're planning to promote this build to Stable if results are good in the coming week(s).
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    No problems upgrading build 975 RC4. Disabled XtuService.exe via Services.
     
    Last edited: Dec 9, 2023
  8. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    43
    Location:
    Nederlands
  9. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Wow, I'm not sure if I had good or bad timing with my post. Either way, I received the update notification yesterday for RC4 and rebooted into it at that time. No issues till now. I will reply again if any issues appear.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,392
    Location:
    Among the gum trees
    Why?

    Didn't this get fixed with this build?
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Don't think so; we can't reproduce this right now. If you have issues, please use Suppress Alert for now.
    Perhaps something similar will pop up later which might lead to a fix.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,392
    Location:
    Among the gum trees
    OK.

    Looks like you need an HP test machine.
     
  13. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    14
    Location:
    USA
    Hi Ronny,

    I can see that with ver. 975 I can launch "Luminar Neo" with no issues with C2 protection on - thanks for solving this.
    However, the other issue I had, the very partial UWP exclusion list (add exclusion, UWP applications), is still present: I can only see 5 apps out of tens of apps. Not a big issue, as I can open the app and add it from "running applications", but FYI...

    Thanks
     
  14. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    294
    Sorry for the delay. Yes, Malwarebytes. McAfee was installed but was removed with Revo.
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    Can you share the names of those applications and did you install them in the default location or have you tweaked anything on the Store location?
     
  16. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    14
    Location:
    USA
    This is what I see, and everything is default: I didn't change the store location and also installed apps through Winget (default sources: store + winget).
    But as I said, minor issue, as the alternative option (running apps) is also easy to use.
     
  17. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    14
    Location:
    USA
    Image didn't show, so here is a text capture:

    Your applications (5)

    UWP-APPS
    ms-resource:packageStoreName
    photos.dlc.mediaengine.exe

    Print Dialog 10
    printdialog.exe

    Settings IO
    systemsettings.exe

    WINDOWS.IMMERSIVECONTR...
    SystemSettings.exe

    WINDOWS.PRINTDIALOG 6.2.2...
    PrintDialog.exe
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    That's totally weird, low. Which version of Windows are you on? Please use the "winver" build number.
     
  19. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    14
    Location:
    USA
    Latest Win11 - Version 23H2 (OS Build 22631.2861)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,078
    Location:
    The Netherlands
    OK, but does HMPA only protect access to the credential store, or what? Doesn't it protect browser memory and the browser profile folder? Like I said, I'm trying to visualize it.

    https://attack.mitre.org/techniques/T1555/003/
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    This looks to be a Windows 11 "feature"; we'll look into it, thanks!
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    CookieGuard does the credential store; other mitigations are memory related; encrypted browser files are not monitored.
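To make the credential-store point from Ronny's two replies above (the infostealer description and the CookieGuard scope) concrete from a defender's side, here is an added example. It is not HitmanPro.Alert's code and does not describe CookieGuard's internals; it is a toy detection rule that flags any process other than a known browser reading the secret-bearing files of a Chromium profile ("Local State", "Login Data", "Cookies", "Web Data"). Assumptions: the Sysmon-like `pid=... image="..." access=... target="..."` log format is constructed for this example, the browser allow-list is hand-picked, and only file access is covered; the memory-related mitigations Ronny mentions are out of scope here.

```python
"""Toy rule: alert on non-browser access to a Chromium browser's credential
store files. Constructed illustration only; not HitmanPro.Alert code."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Files inside a Chromium "User Data" tree that hold DPAPI-protected secrets
# ("Login Data", "Cookies", "Web Data") or the master key needed to decrypt
# them ("Local State"). These file names are documented in Chromium itself.
CREDENTIAL_STORE_FILES = {"local state", "login data", "cookies", "web data"}

# Assumption: a small allow-list of browser image names. A real product would
# key on the signed publisher or a process thumbprint rather than the file
# name, since a file name is trivial to copy.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe"}

# Profile roots of the browsers covered here (lower-case, matched as substrings).
PROFILE_MARKERS = (
    "\\google\\chrome\\user data\\",
    "\\microsoft\\edge\\user data\\",
    "\\bravesoftware\\brave-browser\\user data\\",
    "\\vivaldi\\user data\\",
)


@dataclass(frozen=True)
class FileAccessEvent:
    pid: int
    image: str    # full path of the accessing process
    access: str   # "read" or "write"
    target: str   # full path of the file touched


# Constructed log format for this example (not a real Sysmon event layout).
EVENT_RE = re.compile(
    r'pid=(\d+)\s+image="([^"]+)"\s+access=(\w+)\s+target="([^"]+)"'
)


def parse_event(line: str) -> Optional[FileAccessEvent]:
    """Parse one log line; returns None for blank or non-matching lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    pid, image, access, target = m.groups()
    return FileAccessEvent(int(pid), image, access.lower(), target)


def is_credential_store_path(path: str) -> bool:
    """True when the path is a secret-bearing file under a known profile root."""
    lowered = path.lower()
    in_profile = any(marker in lowered for marker in PROFILE_MARKERS)
    return in_profile and PureWindowsPath(path).name.lower() in CREDENTIAL_STORE_FILES


def classify(event: FileAccessEvent) -> Optional[str]:
    """Alert string for a non-browser process touching the credential store,
    or None when the access is benign under this rule."""
    if not is_credential_store_path(event.target):
        return None
    image_name = PureWindowsPath(event.image).name.lower()
    if image_name in BROWSER_IMAGES:
        return None
    return (f"pid {event.pid} {image_name} {event.access} "
            f"{PureWindowsPath(event.target).name}")


def scan(lines: Iterable[str]) -> list[str]:
    """Run the rule over a log and collect every alert in order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            alert = classify(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


def offending_pids(lines: Iterable[str]) -> set[int]:
    """PIDs that tripped the rule: the unit a kill-the-process response acts on."""
    return {
        event.pid
        for event in map(parse_event, lines)
        if event is not None and classify(event) is not None
    }


# Constructed sample log: the browser itself, a stray helper in %TEMP%, a
# harmless Notepad read, and a script host reading Edge's cookie database.
SAMPLE_LOG = r"""
pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" access=read target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" access=write target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
pid=7788 image="C:\Users\alice\AppData\Local\Temp\update_helper.exe" access=read target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"
pid=7788 image="C:\Users\alice\AppData\Local\Temp\update_helper.exe" access=read target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
pid=9012 image="C:\Windows\System32\notepad.exe" access=read target="C:\Users\alice\Documents\notes.txt"
pid=5566 image="C:\Windows\System32\wscript.exe" access=read target="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
    print("offending pids:", sorted(offending_pids(SAMPLE_LOG.splitlines())))
```

Note the two design choices that mirror the thread: the rule triggers on the access itself, not on the encrypted file contents (which, as Ronny says, are not what is monitored), and the result is keyed by process so the response can be "kill the process" before anything is packaged up. The "Local State" read matters because that file carries the key without which "Login Data" and "Cookies" cannot be decrypted.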
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,078
    Location:
    The Netherlands
    OK, this is a bit confusing to me, to be honest. But I assume HMPA should protect against all or most info-stealers that need access to cookies and passwords in the browser profile. And I also assume that all Chromium-based browsers (Chrome, Vivaldi, Edge, Brave, Opera) make use of the credential store?
     
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    683
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.26 Build 979 RC1

    Changelog (compared to 977)
    • Fixed Intruder/Safe Browsing compatibility issue introduced by a recent Bitdefender update.
    • Improved HeapHeapProtect, improved handling in code and added more whitelisting options to alerts.
    • Improved SendKeysGuard, switched the main thumbprint to handle whitelisting more easily.
    • Improved HWBGuard (Silent).
    • Improved HollowProcess/HWBGuard, to prevent exception pointer abuse.
    Download
    https://dl.surfright.nl/hmpalert3b979.exe

    Please let us know how this version runs on your machine :thumb:
    For those that run into the XTUService issue, can you please remove the "Suppress Alert" on your setup and keep an eye out for whether anything has improved in that area?
     