HitmanPro.Alert

[silversurfer]

HitmanPro.Alert — a Sophos product

HitmanPro.Alert cleans your computer of all traces and remnants of any malware—even those left behind by your previous security software. It then continuously keeps you protected, stopping any new threats from infecting your computer. The advanced real-time and behavioral technologies stop ransomware, block hacking attempts, prevent program exploits, and more. The next generation of malware has met its match.

New and increasingly sophisticated threats are being created every day. HitmanPro.Alert stops these brand-new, never–before-seen threats by proactively seeking out and analyzing suspicious behaviors and activities. It goes beyond old-school antivirus to deliver advanced, real-time protection against the latest hacking, ransomware, program exploits, webcam spying, and online banking risks.

Homepage: https://www.hitmanpro.com/en-us/alert.aspx

Download: https://www.hitmanpro.com/en-us/downloads.aspx

[jasonX]

HitmanPro.Alert version 3.7.9.771

Changelog (compared to build 759)

Added

• Dynamic Shellcode Mitigation aka Heap Heap Protect, which helps prevent threat actors from loading unsafe code into memory). This mitigation is still in silent detection mode.
  
• Improved Shellcode mitigation (system-wide) to detect backdoor stage/payload on the heap
  
• Improved Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with uncommon evasion technique
  
• Reduction of false-positives for DEP alerts in case of crashing applications
  
• New LoLBin to Application Lockdown
  
• OpenWith.exe to the Office Template to help mitigate the CVE-2018-8495 exploit attack
  

Improved

• CryptoGuard to block specific variants of the Dharma ransomware, that include a specific needless action to thwart behavior monitoring
  
• Dynamic Heap Spray Mitigation to allow certain memory block patterns
  
• Dynamic Heap Spray compatibility issue's with .NET applications
  
• Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with uncommon evasions technique
  
• CryptoGuard compatibility on Windows 10 19H1 (i.e. current Windows Insider preview builds)
  
• 64-bit call stack parsing (improves stability)
  
• Code Cave Mitigation, now showing SHA-256 of the process in the Alert Info
  

Fixed

• Compatibility issue with ESET Smart Security in combination with Google Chrome
  
• WipeGuard can now handle disks with other sector sizes than 512
  
• Rare BSOD in WipeGuard when it was running out of stack
  
• Process Protection user interface menu now correctly disables the features when no valid license is present
  
• Automatic update when running HitmanPro.Alert in Anti-Ransomware (CryptoGuard) only
  
• Issue when Anti-Malware is enabled/disabled; the service stopped responding/system became unstable
  
• Minor update problem in CryptoGuard UI when an attack had occured
  
• Issue with pipe communication between service and client when volume name is changed
  
• Hollow Process Mitigation false positive with VMware ThinApps
  
• Issue that caused Visual Studio's vswhere.exe not to start correctly
  
• IAT/IAF hardcoded whitelisting not working properly
  
• Stability issue when report files get corrupted
  

Removed

• Menu option to enable/disable SMB CryptoGuard protection (crypto-ransomware attack from remote machine); it is always enabled on supported systems, i.e. 64-bit Windows
  

HitmanPro.Alert Support and Discussion Thread HERE

[silversurfer]

HitmanPro.Alert 3.7.9 Build 773

Build 773 (2019-01-16)

• Changed name for "Dynamic Shellcode Mitigation" to "Heap Heap Protect"
  
• Improved Heap Heap Protect
  
• Improved CodeCave
  
• Fixed Trend Micro Intruder/Safe Browsing incompatibility
  

Source: https://www.hitmanpro.com/en-us/whatsnewalert.aspx

Download: https://dl.surfright.nl/hmpalert3.exe

[silversurfer]

HitmanPro.Alert 3.7.9 Build 775

Build 775 (2019-02-01)

• Improved Code injection, which will result in faster boot times on Windows 10. It also fixes a rare issue a few Windows 10 users had where the system did not finish boot correctly
  
• Improved Heap Heap Protect mitigation as it should now play more nicely with certain .NET applications
  
• Improved Hardware Assisted Control-Flow Integrity, our Last Branch Record CPU assisted ROP mitigation, to fix false positives we're seeing on some newer CPUs
  
• Improved Alert info regarding our real-time Anti-Malware and Code Cave mitigation
  
• Fixed Rare bug in CryptoGuard which sometimes forgot to make a backup of a file - which you could lose in the event of a ransomware attack
  

Soucre: https://www.hitmanpro.com/en-us/whatsnewalert.aspx

Download: https://dl.surfright.nl/hmpalert3.exe

[harlan4096]

HitmanPro.Alert 3.8.12 Build 899 Released

Changelog (compared to build 891):

• Added New Cobalt Strike single-stage mitigation. When Cobalt Strike Beacon temporary de-cloakes in memory to retrieve new commands from the adversary, HitmanPro.Alert will hold and inspect the decrypted memory area for the presence of Beacon.
  Note: In a normal multi-stage scenario, Cobalt Strike Beacon is already proactively blocked by our patented HeapHeapProtect mitigation. This new Cobalt Strike mitigation now also thwarts the single-stage scenario. And upon detection of Beacon it also extracts and reports the full Cobalt Strike C2 profile configuration from memory.
  
• Added DNS stager detection, when – for example – Cobalt Strike Beacon communicates over DNS with command-and-control (C2).
  
• Added SysCall mitigation to every process so it now also blocks the Heaven’s Gate defense evasion technique in malware. The Heaven's Gate technique allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment.
  
• Added CookieGuard mitigation. It protects (MFA) session cookies and passwords stored in popular Chromium based web browsers, like Google Chrome and Microsoft Edge on Chromium.
  
• Added an extra message box when an update is pending, and the user clicks on the associated flyout. The message informs the user that the machine must be restarted before the update is actually applied.
  
• Fixed stack pivot exploit mitigation so it no longer triggers incorrectly on Internet Explorer loading a digital rights management (DRM) related library for streaming DRM protected content.
  
• Fixed APC Violation mitigation so it now correctly identifies process injection from VMware.
  
• Fixed Code Cave mitigation so it now plays nice with DRM code from gaming company Electronic Arts (EA).
  
• Fixed Kernel32Trap mitigation so it no longer causes issues with certain code compiled with Visual Studio.
  
• Improved CryptoGuard 5 anti-ransomware engine. For example, the note spray evaluator is more tolerant when installers drop the same text file across many folders.
  
• Improved threat termination. It's now even more robust, especially when the threat runs with high privileges outside of user session(s).
  
• Improved compatibility with certain games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
  

Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP. This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b899.exe

[harlan4096]

HitmanPro.Alert 3.8.13 Build 901 Released:

Changelog (compared to build 899):

• Fixed more compatibility issues between process hollowing and certain games.
  
• Fixed an issue with three CryptoGuard 5 Thumbprints that were not working in the previous build.
  
• Fixed a potential security issue where specifically crafted malware on the machine could craft and manipulate a file structure to elevate privileges.
  
• Improved compatibility of CookieGuard with browsers that are attached to the Office mitigation profile.
  
• Temporarily disabled the fix that detects Cobalt Strike delivery over SMB. The fix appears to be incompatible with many game launchers that actually perform main thread hijacking.
  
• Temporarily disabled system-wide Syscall mitigation as certain third-party security products, like Cylance, actually attempt to bypass API calls by directly jumping to kernel functions via a syscall.
  
• Temporarily set CookieGuard's Remote Debugger Port detection to silent as it causes issues with some web developer machines.
  

We'll first upgrade 899 users, as they where affected by the above issues, if that is looking good we'll enable the automatic update for all users of HitmanPro.Alert.

Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP.

This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b901.exe

[harlan4096]

HitmanPro.Alert 3.8.13 Build 903 is now released:

Changelog (compared to build 901)

• Fixed the Software Radar that could cause it to not notice a just installed web browser, or adding it to the wrong mitigation template. This issue caused our new CookieGuard protection to generate false alarms.
  
• Fixed an issue in the CryptoGuard anti-ransomware engine that could cause a BSOD on Windows 10 Insider Build 21390.
  
• Improved support for Windows on ARM. We noticed that since build 895 we always shipped the ARM64 driver of that release. This has been corrected.
  
• Improved Stack Pivot exploit mitigation to support adjacent stack range in certain situations.
  
• Improved detection of Chromium-based web browser for CookieGuard.
  
• Added Thumbprint generation for remote-debugging-port CookieGuard detection.
  
• Added checkbox to our new system-wide syscall mitigation. You can find in in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).
  

Over the next days. all users of HitmanPro.Alert should get this new build through automatic update! Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP (Latest release supported is 891). This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.

If you want to manually update now, use this link: https://dl.surfright.nl/hmpalert3b903.exe

[harlan4096]

HitmanPro.Alert 3.8.19 Build 923

Changelog (compared tot build 921):

• Improved Game detection
  
• Improved LockdownLoadImage whitlisting
  

Download: https://dl.surfright.nl/hmpalert3b923.exe

We'll also be auto-updating 921 and 907 users.

[harlan4096]

HitmanPro.Alert 3.8.12 Build 943 Released

Changes (compared to build 923):

• Added system-wide protection against 'Hell's Gate' defense evasion via direct system calls, or SysCall, on 64-bit applications
  
• Added protection against cloning of LSASS process to Credential Theft Protection
  
• Added support for ReFS file system to CryptoGuard
  
• Added NOTEPAD.EXE to Office template
  
• Added GPT partition support to WipeGuard
  
• Added NVMe support to WipeGuard
  
• Added MITRE ATT&CK references to the CookieGuard, SysCall and RemoteThreadGuard mitigations
  
• Added alerting to our protection of sticky key abuse (and other accessibility features)
  
• Added EA Digital Illusions CE AB to game detection
  
• Improved protection against direct system calls, or SysCall, on 32-bit applications
  
• Improved handling of certificates on code-signed applications
  
• Improved CookieGuard alert with information about the application certificate, if any, in the alert
  
• Improved CookieGuard so it now adds certificate validation information into the alert details
  
• Improved WipeGuard to protection the Volume Boot Record of all mounted partitions. Previously, only the boot partition was protected.
  
• Improved WipeGuard to terminate the offending process. Previously, the offending action was only blocked.
  
• Improved HollowProcess to protect against PEB manipulation in a remote process where PEB is writable
  
• Improved Lockdown mitigation to isolate modules (DLLs) dropped in attacks via Office documents.
  
• Improved the per app mitigation settings in the user interface. It now has room for extra checkboxes.
  
• Change reboot fly-out reminder interval from 1h to 8h
  
• Changed Dynamic Heap Spray detection; it is now disabled on 64-bit applications
  
• Changed text for Benefits button to Help center
  
• Changed Sophos Privacy Notice and Terms of Service
  
• Fixed Keystroke Encryption and BadUSB Protection which caused a BSOD (APC_INDEX_MISMATCH) on Windows 11 with update KB5013943.
  
• Fixed issue that prevented restarting of some protected applications when using the 'restart' function from the ApplicationPanel (Running applications) when changing a setting.
  
• Fixed a compatibility issue between our anti-ransomware CryptoGuard 5 and Artisan scrapping book software from Forever Storage
  
• Fixed displaying icons of UWP applications
  
• Fixed several user interface inconsistencies
  
• Fixed false alarm by APCViolation on Avast 'aswhook' DLL
  
• Fixed false alarm by CookieGuard if application starts from a RAM-drive
  
• Fixed false alarm by HollowProcess on Visual Studio
  
• Fixed issue with Lockdown inheritance when parent process is OpenWith.exe
  
• Fixed issue when a user tries to install HitmanPro.Alert on machine where Sophos Home Premium is already installed
  
• Fixed tray icon burning CPU cycles after install
  
• Fixed unexpected removal of Forza Horizon 5 under UWP exclusions
  
• Updated third-party libraries
  
• Several other changes under the hood
  

Download: https://dl.surfright.nl/hmpalert3b943.exe

In the coming days we are automatically updating our users, starting with machines running build 941 tonight.

A big thank you to all participants who helped us test our beta builds! Awesome!

[harlan4096]

HitmanPro.Alert 3.8.21 Build 945 released

Changelog (compared to 943)

• Improved Syscall
  
• Improved WipeGuard
  
• Improved CryptoGuard5
  
• Improved HollowProcess
  
• Improved ROP detection on crashing processes
  
• Improved HeapHeapHooray also covers powershell_ise now
  
• Changed Lockdown Added MSDT.EXE as LOLBIN to proactively block Follina exploitation attempts
  
• Several other changes under the hood
  

Download
https://dl.surfright.nl/hmpalert3b945.exe
Auto-updater is enabled as of now.