HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,484
    Location:
    The Netherlands
    It's probably complaining about the "hmpalert.dll" file that gets loaded into almost every running process. In theory, HMPA shouldn't interfere with apps if they are not protected by exploit mitigations. Do you get to see this file injected into any Norton process?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,570
    Location:
    Among the gum trees
    Stop looking at Security History - problem solved! :p
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    While browsing randomly tonight, Norton stopped this (exploit?); HMPA didn't seem to stop it. I wonder if the two products are fighting? I was on a pretty well-known website, and a sidebar tried to open and this happened.
     
  4. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Norton stopped it at the network level (IPS), so HMPA couldn't block it in the first place because the exploit didn't even start.
     
  5. guest

    guest Guest

    No exploits have to be loaded if your configuration is up to date. AVs might be able to detect the general landing page of EKs that are used to load certain exploits based on the configuration of a PC.
     
  6. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Yes, fully agree with that. My point is that HitmanPro.Alert didn't warn about that particular exploit because it was stopped at the network level, so in these cases we can't see the kind of protection HMPA gives to the user.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is to be expected. When I tested HMPA (in a VM) I had to turn off EIS to give it a chance to work. HMPA may not necessarily be the place it is stopped. But if the others miss, it's there to cover you.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Makes sense. I stop countless exploits/threats on my gateway, never giving anything a chance to fire off. This was the rare case where something tried to inject into my browsing session and was stopped by Norton IPS. Norton has a fairly robust IPS, one of the reasons I like it. Since the threat was dealt with, it looks like it never got handed off to HMPA.
     
  9. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    467
    As it turns out, updating from the previous RC deleted my tester's key (or at least I believe this happened), as today, when playing with the settings, I noticed HMPA was not activated. Reinserting it activated it again.
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,575
    Location:
    .
  11. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,575
    Location:
    .
  13. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    That is correct.
    Scroll down a few pages to the 'superfish' topic (post from Eric Loman, the developer)
     
    Last edited: Feb 26, 2015
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,575
    Location:
    .
    Okay, I found #6389 ~ Thanks
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,983
    Location:
    Outer space
    Actually, the question was about HMP.Alert, not HMP. HMP removes Superfish, but it would be interesting to see if Alert could detect and warn or block these kinds of SSL hijacking techniques.
     
  17. guest

    guest Guest

    Something like Certificate Pinning in EMET 5 ?
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,983
    Location:
    Outer space
  19. 142395

    142395 Guest

    I think Zemana will detect it as long as it tries an unusual hook, installing a cert, or HTML injection.
    As to detect or block, I don't much care. Though surely blocking is basically better, it can cause more problems, and if I got an alert I won't go on until I'm convinced that it's an FP.
    Yes, you're right, and I brought up Zemana just as an example; sorry if it caused an A vs B thing. I just want to know how exactly HMPA's browser protection works, as I can't find much about it, contrary to the exploit mitigation. You said in past posts it does a passive scan, but what does passive mean?

    Also, I guess HMPA detects code injection and some API hooks often used by banking malware?
    You don't need to worry about it. It is due to Norton's self-protection, and it should warn against other programs as well, even including some OS processes. Basically they won't cause an actual problem.
    HMPA worked fine with my NIS2014.
     
  20. 142395

    142395 Guest

    Still, using HMPA makes a little sense regarding exploits (but remember, HMPA is not just anti-exploit). I admit Norton's IPS is one of the best, and combining it with a strong UTM eliminates most exploits, including known 0days, even before they arrive at your PC, but when it comes to unknown 0days, most likely they can't stop them, though there can be a little chance that their heuristics stop it (Kaspersky once blocked an unknown Flash exploit by a heuristic sig), and though Norton's UxP claims it can stop even unknown 0day exploits.
    Also, if the attack is highly obfuscated, i.e. leveraging Advanced Evasion Techniques, all IPS may (or may not) miss it. But bypassing HMPA requires a completely different technique, so it puts another obstacle in the way of a successful exploit.
    I don't think they do cert pinning. Probably they check installed root CAs against a DB and if an unusual one is detected, block it.
     
  21. guest

    guest Guest

    Advanced Evasion Techniques aren't really necessary in all cases; even custom-made code will likely be able to bypass quite a number of AV engines. If you look at 0days that have been used ITW, then very few of them used any obfuscation. And heuristics don't always catch everything either. But if you look at suspicious behaviour like dropping executables from RWX memory on the heap, then things get more interesting. Furthermore, the most challenging part of bypassing HMPA/MBAE seems to be the Application Lockdown feature. EMET, HMPA and MBAE all have roughly the same limitations with regard to Stack Pivot, Caller Check and Heap Spray pre-allocation, although there are small differences with regard to bypassing the three of them.
    1) The Caller Check mitigation in EMET is weaker than in HMPA/MBAE.
    2) EAF+ is a real killer. It will severely impact the use of an info leak (RW access to memory), and an info leak is sort of crucial when dealing with ASLR. I am not aware of any publicly documented way of bypassing EAF+ besides hard-coding offsets. If you can reduce the effect of info leaks that allow RW access to memory, then you've hit the jackpot (hint, hint).
     
  22. 142395

    142395 Guest

    Ofc having memory protection is better, but combining perimeter defense as layered security doesn't harm anything, as neither is perfect. NIPS can even block kernel exploits as long as a signature matches (at least AV vendors have signatures for them), and it shortens the vulnerable period until the official patch.

    Anyway, as always, much appreciate your detailed explanation. :)

    Sure, it seems an info leak as a measure to bypass ASLR is becoming popular recently (I think until recently leveraging non-ASLRed components was more common, right?), though it usually requires another vuln such as a buffer over-read, and I hope HMPA & EMET finally introduce EAF+. As to performance, if it was just an option and disabled for most apps I don't expect too much of a problem.
    I don't know much about EAF bypass techniques, but he claims EAF+ does not protect against the EAF bypass.
     
  23. guest

    guest Guest

    In the early days there were enough non-ASLR modules. For example:
    WinXP:
    No ASLR available

    Win 7:
    Java JRE 6 - EOL
    MS Office 2007/2010 HXDS.DLL (http://www.greyhathacker.net/?p=585) - patched more than a year ago by MS

    But nowadays you can't really rely on them anymore (Force ASLR).
    Flash Player is currently the most used way to bypass ASLR in exploit kits, and you don't always need two vulnerabilities. If you can write 1 byte to an arbitrary location in memory, then you have a high chance of being able to bypass ASLR.

    The technique that is primarily used to bypass ASLR has been documented by FireEye: https://www.fireeye.com/blog/threat...s-apocalypse-in-lately-zero-day-exploits.html. (CVE-2013-0634 and CVE-2013-3163 are the relevant parts)
    (NB: other techniques are also available and have also been presented at several conferences)

    About the EMET 5.0 review written by dabbad00:
    He used EMET 5.0 TP, and I noticed that EAF+ in the Technical Preview offers less protection than EAF+ in the final versions of EMET 5.0/5.1, although I haven't tested every part of the EAF and EAF+ mitigations (not worth spending time on).
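The non-ASLR modules named in the post above were usable as fixed-address building blocks because they were linked without the DYNAMIC_BASE bit in the PE optional header's DllCharacteristics, and Force ASLR only helps with images that still carry relocation data. As an added example (not part of this post, and not code from HitmanPro.Alert or EMET), here is a Python check a defender can run over an inventory of module images: it parses the DOS, COFF and optional headers, reports the ASLR/DEP opt-in bits, and lists which modules would load at a fixed address, distinguishing the ones Force ASLR could still rebase from the ones with relocations stripped. The PE headers fed to it are constructed inline and are not real binaries; the function names and the inventory are assumptions for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit image may use the full high-entropy address space
DYNAMIC_BASE    = 0x0040  # image opts in to ASLR (may be rebased at load time)
NX_COMPAT       = 0x0100  # image is DEP-compatible
# IMAGE_FILE_* bits in the COFF file header
RELOCS_STRIPPED = 0x0001  # base relocations removed: the image cannot be rebased at all
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse just enough of a PE image (DOS header, COFF header, optional header)
    to report whether it opts in to ASLR and DEP and whether it could be rebased."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "aslr_opt_in": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": pe32plus and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep_opt_in": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Force ASLR can rebase an image that lacks DYNAMIC_BASE only if its
        # relocation data is still present.
        "force_aslr_rebasable": not relocs_stripped,
    }


def non_randomized_modules(modules: dict) -> list:
    """Given {name: image bytes}, list (name, reason) for modules whose load
    address would not be randomized by default, so a defender can see which
    loaded DLLs still present a fixed address layout."""
    findings = []
    for name, image in modules.items():
        flags = pe_mitigation_flags(image)
        if flags["relocs_stripped"]:
            findings.append((name, "relocations stripped: cannot be rebased, even by Force ASLR"))
        elif not flags["aslr_opt_in"]:
            findings.append((name, "no DYNAMIC_BASE: randomized only under Force ASLR"))
    return findings


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False,
                    relocs_stripped: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, no sections or code) used as
    offline sample input; it is not a real binary and cannot be executed."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt_size = 112 if pe32plus else 96  # optional header without data directories
    coff_chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL
    if relocs_stripped:
        coff_chars |= RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed inventory standing in for the modules found in a browser process.
SAMPLE_MODULES = {
    "modern64.dll": build_sample_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT, pe32plus=True),
    "legacy_optout.dll": build_sample_pe(NX_COMPAT),           # linked without /DYNAMICBASE
    "stripped.dll": build_sample_pe(0, relocs_stripped=True),  # /FIXED image, no .reloc
}

if __name__ == "__main__":
    for name, reason in non_randomized_modules(SAMPLE_MODULES):
        print("%-18s %s" % (name, reason))
```

On a real system the same functions can be pointed at the files backing a process's loaded modules; the interesting output is the second category, since an image with relocations stripped stays at its preferred base no matter which mandatory-ASLR setting is enforced.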
     
  24. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Hi Erik,

    When opening wPrime (2.09) I get the following warning:

    http://i49.photobucket.com/albums/f296/maniac2003/HMPA%20-%20alert.jpg

    How do I prevent such warnings or is this a false positive?
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands