Low Risk | Windows | hitmanpro.exe | EXECUTABLE
HitmanPro - Portable Anti-Malware Scanner [2026]
HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to detect threats. It is a legitimate security tool that could potentially be abused for reconnaissance.
Risk Summary
| Factor | Assessment |
|--------|------------|
| Detection Difficulty | Low |
| Abuse Potential | Low |
| Prevalence | Common |
| Risk Score | 20/100 |

HitmanPro is a legitimate second-opinion malware scanner that runs portably without installation.
Overview
What is hitmanpro.exe?
HitmanPro (formerly SurfRight) is a portable anti-malware scanner acquired by Sophos. It uses cloud-based behavioral detection and multiple scan engines to identify threats.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | HitmanPro.exe, HitmanPro_x64.exe |
| Developer | Sophos Ltd |
| Digital Signature | Sophos Limited |
| Typical Size | 10-15 MB |
| Type | Portable scanner |
Technical Details
| Property | Description |
|---|---|
| Process Type | User Application |
| Network Activity | Cloud-based scanning |
| Installation | None required (portable) |
| Scan Engines | Multiple cloud engines |
HitmanPro is commonly used as a "second opinion" scanner alongside primary antivirus solutions.
Normal Behavior
Legitimate Usage Patterns
HitmanPro.exe (GUI scanner)
HitmanPro_x64.exe (64-bit version)
hmpalert.exe (Real-time protection)
hmpsched.exe (Scheduler)
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | explorer.exe |
| User Context | Administrator (for full scanning) |
| Network Connections | Sophos cloud infrastructure |
| CPU Usage | High during scans |
| Disk Activity | High during scans |
Command-Line Options
| Parameter | Purpose |
|---|---|
| /scan | Run scan |
| /quick | Quick scan mode |
| /quiet | Silent mode |
| /log | Generate log file |
Common Locations
C:\Users\<user>\Downloads\HitmanPro.exe
C:\Users\<user>\Desktop\HitmanPro_x64.exe
C:\Program Files\HitmanPro\HitmanPro.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Renamed binary | Medium | HitmanPro with different filename |
| Command-line only usage | Low | Scripted scanning without GUI |
| Multiple quick scans | Low | Reconnaissance activity |
| Results exfiltration | Medium | Scan results sent externally |
Limited Abuse Potential
HitmanPro has limited abuse potential because:
- It is a detection tool, not an attack tool
- Requires valid license for full functionality
- Heavy cloud dependency limits offline abuse
- Well-signed binary with reputation
Potential Reconnaissance Use
| Activity | Purpose |
|---|---|
| Enumerate security software | Identify installed defenses |
| Check for malware presence | Assess target cleanliness |
| Identify vulnerable software | Find exploitation opportunities |
Abuse Techniques
Reconnaissance
Reconnaissance Scenario:
1. Attacker obtains HitmanPro (legitimate download)
2. Runs quick scan on compromised system
3. Reviews results to identify:
   - Installed security software
   - Existing malware (competition)
   - System vulnerabilities
4. Uses information for attack planning
Information Gathering
| Information | Attacker Use |
|---|---|
| Installed AV | Craft evasive payloads |
| Running processes | Identify security tools |
| Browser plugins | Target browser attacks |
| Startup items | Find persistence opportunities |
Limited Evasion
Why HitmanPro is rarely abused:
- Detection-focused, not execution
- Requires cloud connectivity
- Generates telemetry to Sophos
- Signed by reputable vendor
- No execution capabilities
Detection Guidance
Sysmon Configuration
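```xml
<!-- Place inside the <EventFiltering> element of the Sysmon configuration -->
<RuleGroup name="HitmanPro Monitoring" groupRelation="or">
  <!-- Log process creation when the image path contains "HitmanPro" -->
  <ProcessCreate onmatch="include">
    <Image condition="contains">HitmanPro</Image>
  </ProcessCreate>
  <!-- Log network connections made by the same images -->
  <NetworkConnect onmatch="include">
    <Image condition="contains">HitmanPro</Image>
  </NetworkConnect>
</RuleGroup>
```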
Sigma Rule
```yaml
title: HitmanPro Execution Detection
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|contains: 'HitmanPro'
  condition: selection
falsepositives:
  - Legitimate security scanning
  - IT security assessments
level: informational
```
KQL Query
```kusto
DeviceProcessEvents
| where FileName contains "HitmanPro"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          AccountName, InitiatingProcessFileName
```
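The red flags and expected characteristics from the tables above, applied to process-creation records; this is an added example, not part of the original page or of any Sophos tooling. The record shape (Host, Image, ParentImage, CommandLine, Product), the assumption that the version-info Product string contains "HitmanPro", and the quick-scan threshold of 3 are illustrative assumptions, and the sample events are constructed.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

KNOWN_NAMES = {"hitmanpro.exe", "hitmanpro_x64.exe"}  # file names from the page
EXPECTED_PARENT = "explorer.exe"                       # expected parent from the page
QUICK_SCAN_THRESHOLD = 3  # assumption: tune to the local baseline

def triage(events):
    """Map event index -> list of red flags for HitmanPro process events."""
    findings, quick_per_host = {}, Counter()
    for i, e in enumerate(events):
        name = basename(e["Image"]).lower()
        # Assumption: the version-info Product string survives a file rename.
        is_hmp = "hitmanpro" in e.get("Product", "").lower()
        if name not in KNOWN_NAMES and not is_hmp:
            continue  # unrelated process
        switches = {t.lower() for t in e["CommandLine"].split() if t.startswith("/")}
        flags = []
        if name not in KNOWN_NAMES:
            flags.append("renamed binary")
        if "/quiet" in switches:  # silent mode, no GUI
            flags.append("command-line only usage")
        if basename(e["ParentImage"]).lower() != EXPECTED_PARENT:
            flags.append("unexpected parent")
        if "/quick" in switches:
            quick_per_host[e["Host"]] += 1
            if quick_per_host[e["Host"]] >= QUICK_SCAN_THRESHOLD:
                flags.append("multiple quick scans")
        if flags:
            findings[i] = flags
    return findings

def rec(host, image, parent, cmd, product="HitmanPro"):  # builds one record
    return {"Host": host, "Image": image, "ParentImage": parent,
            "CommandLine": cmd, "Product": product}

EXPLORER = r"C:\Windows\explorer.exe"
HMP = r"C:\Program Files\HitmanPro\HitmanPro.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    rec("WS01", r"C:\Users\alice\Downloads\HitmanPro.exe", EXPLORER, "HitmanPro.exe"),
    rec("WS02", r"C:\Users\bob\AppData\Local\Temp\svc.exe",
        r"C:\Windows\System32\cmd.exe", "svc.exe /quick /quiet /log"),
    rec("WS03", HMP, EXPLORER, f'"{HMP}" /quick'),
    rec("WS03", HMP, EXPLORER, f'"{HMP}" /quick'),
    rec("WS03", HMP, EXPLORER, f'"{HMP}" /quick'),
    rec("WS04", r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe", "Notepad"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Scans launched by hmpsched.exe or an IT deployment tool will show a parent other than explorer.exe, so treat that flag as context for the assessment rather than a verdict.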
Remediation Steps
Policy Considerations
HitmanPro Policy:
- Generally a legitimate security tool
- May indicate security concern if user-initiated
- Review context of usage
- Check if IT-sanctioned
Investigation Approach
```powershell
# Find HitmanPro binaries on disk under user profiles
Get-ChildItem -Path C:\Users -Recurse -Filter "HitmanPro*.exe" -ErrorAction SilentlyContinue

# Check whether any scheduled task launches HitmanPro
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*HitmanPro*" }
```
Context Assessment
| Context | Response |
|---|---|
| IT-initiated | Normal security operation |
| User-initiated | May indicate suspected infection |
| Unknown source | Investigate who deployed it |
| Scheduled task | Verify legitimate scheduling |
Investigation Checklist
Usage Context
- Who initiated the HitmanPro scan?
- Is this part of standard security procedures?
- What prompted the scan?
- Are there indicators of compromise that led to this?
Results Analysis
- What did HitmanPro find?
- Were threats detected?
- What actions were taken on findings?
- Were results exported or shared?
Timeline Correlation
- What other activities occurred around this time?
- Is this correlated with suspicious behavior?
- Was system compromised before scan?
- What happened after scan completed?