Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)
In a Hurry?

Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behaviour on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here, and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some vendors may use this to their own advantage (“hype”).

Review Criteria

Discussion
DriveSentry also includes a community advisory for each alert, showing how many people have previously allowed or blocked the event. A similar function called Threatcast is now included with Comodo's CIS Internet Security suite. Whilst this format for sharing information is always welcome, community-based advisories should be viewed with a degree of caution. If an alert is presented for a new, safe program and nine out of the ten people who first saw it chose to “block”, then you will see a 90% advice to do the same and may be tempted to follow suit. The good thing is that with DriveSentry you can always change or remove the rule created later if you discover that something blocked is really OK to run.

There are considerable options for adding extra rules, but this facility is only for experienced users. The logging facility is excellent and provides an invaluable source of data for determining any changes you may wish to make to an application's access rights. Some programs bestow levels of system “invadability” upon themselves at install which they either don't need or, in some cases, shouldn't have! Only you can decide if this amount of adjustment and control is really necessary for your own circumstances. As with all rule settings, if you do make changes it's best to do them individually and then check that your system functions. One error can usually be tracked back and altered fairly easily, but several might take some finding!

DriveSentry's own literature describes it first as a “firewall” (for drives) and then as an “antivirus”, so it's little wonder that many of us end up a bit confused as to exactly what this program does! It's not altogether the manufacturer's fault, as it's becoming more difficult to classify the threats too, hence maybe the confusion. I've given DriveSentry our top pick award because not only does it do what it says on the box, but it does it in a way less likely to cause you problems than some of the alternatives.

Whilst it will automatically block and quarantine known malware, the other automated features are fully controllable, keeping you in the driving seat if that's the way you want it. The GUI is easy enough to navigate and the information presented is clear and concise. Resource consumption, in particular memory use, was an issue with previous versions, but this has now been fixed in this release. There is also a paid version of DriveSentry which offers automatic updates, and a portable version called “GoAnywhere” aimed at USB drives, but this too is paid. Updating the free version is a manual operation. The PDF available is not exactly what you might expect, containing just two pages similar to the web layout, but it does give some additional information.

DriveSentry Security Suite

Despite the reassurances in the FAQ above, it remains to be seen which direction the "free" version of this software will eventually take.
The thing that concerns me most, though, is that the level of program automation has been increased with the addition of “in-the-clouds black and white lists to automatically handle threats, significantly reducing user interaction”. This means it will now do more things without asking you! You may prefer to keep your feet on the ground instead of “in-the-clouds”. Maybe I'm being a little unfair, as this program continues to be hugely popular, but with forum posts highlighting a range of issues, some relating to the (supposed) automated removal of Windows system files, I can't help but think that increasing the automation still further was a bad choice. I've never questioned the value of behavioral based detectors in a balanced security line-up, but what I do doubt is the wisdom of giving them an increased automatic ability for process termination.

General feedback for the new version, though, appears to be very positive, and from personal contact with PC Tools I can confirm they are working hard on fixes for any remaining issues. Certainly browsing performance with this version shows a significant improvement. Time will tell if the major problems some have experienced with ThreatFire have finally been smoked out. Despite my reservations ThreatFire continues to be a top contender amongst the free behavioral detectors, but I am wary of recommending it for average users. Especially since the removal of the signature-based virus scanner, I believe DriveSentry to be a better option. Be aware that automatic updates are not provided with the free version if you elect to “opt out” of the ThreatFire Community. The paid version does offer this option plus other flexibility, permissions for commercial use and telephone support.

*Windows 2000 users please note that you need V4.1 of ThreatFire. See footnote 3 and other useful information, including the download link, on this page.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware-generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates. WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here: http://billpstudios.blogspot.com/
Softpedia review link (2007): http://www.softpedia.com/reviews/windows/WinPatrol-Review-62232.shtml

No less than ten real-time shields are provided for system protection, and each one can be enabled separately. An install mode is included for use when adding new software, and there's a separate cookie scanner. Other features include locked file removal, file analysis, browser restoration and even a system restore function. See the full details here. There are several scan options, including customized and context menu scanning. The updates are compressed to minimize bandwidth usage, and there's even free support via email and the forum. The spyware scanner is 64-bit compatible for both XP and Vista, but unfortunately the Real Time Shield is not. This is planned for the third quarter of 2009. Free for home and commercial use. How do they do it!?

Resource use and system impact will vary according to your component strength and what you ask Spyware Terminator to do. It is always likely to be on the moderate side, but unless you have a really old computer it's worth living with. Be advised that Spyware Terminator only loads a small installer program initially (632kb) and then connects to the Internet to download the other components you've ticked as options. There is a separate link for downloading an off-line installer if preferred.
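The snapshot-and-alert model described above for WinPatrol and the other HIPS programs, written out as an added example rather than code from any product on this page: it diffs two constructed snapshots of autostart entries, prompts once per change, and keeps each allow/block answer as a rule that can be revoked later, as the DriveSentry notes recommend. The registry locations and command lines are constructed sample data.

```python
"""Snapshot-and-diff change detector modelled on the approach described above.
Take a snapshot of autostart settings, compare a later one against it, raise one
alert per change for the user to allow or block, and remember each decision as a
rule that can be revoked later.  All locations and command lines are constructed
sample data; on a real Windows host they would come from the Run keys, services
and scheduled tasks."""
from typing import Callable, Dict, List, Optional, Tuple

Snapshot = Dict[str, str]                           # autostart location -> command line
Change = Tuple[str, Optional[str], Optional[str]]   # (location, old value, new value)

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PUBLIC = "\\Users\\Public\\"                        # world-writable profile directory

BASELINE: Snapshot = {                  # constructed: the system as first snapshotted
    RUN + r"\Antivirus": r"C:\Program Files\AV\av.exe /tray",
    RUN + r"\Updater": r"C:\Program Files\Vendor\update.exe",
    r"Tasks\NightlyBackup": r"C:\Tools\backup.exe --nightly",
}

LATER: Snapshot = {                     # constructed: the same host some days later
    RUN + r"\Antivirus": r"C:\Program Files\AV\av.exe /tray",
    RUN + r"\Updater": r"C:\Users\Public\update.exe",   # command line altered
    RUN + r"\Helper": r"C:\Users\Public\helper.exe",    # new autostart entry
    # the NightlyBackup task has disappeared
}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return every added, removed or altered entry as (location, old, new)."""
    changes: List[Change] = []
    for loc in sorted(set(baseline) | set(current)):
        old, new = baseline.get(loc), current.get(loc)
        if old != new:
            changes.append((loc, old, new))
    return changes


class RuleStore:
    """Remembered allow/block decisions, keyed by the exact change seen, so a
    rule allowing one command line does not cover a different later change."""

    def __init__(self) -> None:
        self._rules: Dict[Change, str] = {}

    def lookup(self, change: Change) -> Optional[str]:
        return self._rules.get(change)

    def remember(self, change: Change, decision: str) -> None:
        self._rules[change] = decision

    def revoke(self, change: Change) -> None:
        self._rules.pop(change, None)   # a rule created in haste can be undone


Decider = Callable[[Change], str]       # the user's answer to an alert: "allow" or "block"


def review_changes(baseline: Snapshot, current: Snapshot, rules: RuleStore,
                   ask_user: Decider) -> Tuple[Snapshot, List[Tuple[Change, str, bool]]]:
    """Alert on each change not covered by a rule, apply the decision and return
    (new accepted baseline, log of (change, decision, came_from_rule)).
    Allowed changes are folded into the baseline; blocked ones leave it untouched."""
    accepted = dict(baseline)
    log: List[Tuple[Change, str, bool]] = []
    for change in diff_snapshots(baseline, current):
        decision = rules.lookup(change)
        from_rule = decision is not None
        if decision is None:
            decision = ask_user(change)
            if decision not in ("allow", "block"):
                raise ValueError(f"unexpected decision {decision!r}")
            rules.remember(change, decision)
        loc, _, new = change
        if decision == "allow":
            if new is None:
                accepted.pop(loc, None)
            else:
                accepted[loc] = new
        log.append((change, decision, from_rule))
    return accepted, log


def block_public_paths(change: Change) -> str:
    """Stand-in for the user at the prompt: block anything launched from the
    Public profile, allow everything else (including removals)."""
    new = change[2]
    return "block" if new is not None and PUBLIC in new else "allow"
```

Running `review_changes(BASELINE, LATER, RuleStore(), block_public_paths)` reports three changes, blocks the two Public-profile entries and accepts the removed task; a second pass with the same `RuleStore` raises no prompts at all.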
Hi, I was wondering what would be the best HIPS for a 64-bit OS?
For a lightweight complement to your existing security software then WinPatrol is stable and able. I've run it extensively now without a single negative issue to report. The best possible solution in my opinion would be CIS (Comodo) but then you probably already have another firewall which you don't wish to change.
Are there any known conflicts between Winpatrol Plus and Microsoft Security Essentials?
Thanks
Scotty works and plays well with others.
I've been running both successfully under Windows 7 since early beta of both. While there may be some redundancy there are no problems.
There was a comment about WinPatrol still having a more classic user interface look. One of the reasons WinPatrol is so compact and quick is I didn't spend a lot of time on fancy graphics or transitions. The result of a simple interface is great performance and it provides support for many enabling devices like screen readers.
Thanks,
Bill
Thanks Bill. Now that's what I call support!
Thanks by the way Bill for contributing here. Much appreciated.
To change the theme a little and go back to WinPatrol, I have a comment or two about that software. It enjoys a very good reputation and has been around for a while but I have noticed a couple of things about WinPatrol that I do not like. For a short background, I have always been extremely unhappy (being diplomatic) with IE creating the index.dat files. With the "enhancement" to XP the alterations I had made to ME to drastically reduce these files would no longer work. So I began using another browser and basically buried Internet Explorer (only needed for sites that believe their existence depends on IE). The results: better security, easily removable items that point to where you have been on the internet and very little, if any, build-up of the "index.dat" files. (Again, these files have been one of my pet peeves).
If you use WinPatrol, it has a tendency to favor IE and will, all of a sudden, create a build-up of index.dat files for just about all your security software. As index.dat is one of the major contributors to my irritation level, I removed WinPatrol. Index.dat files are back to virtually nothing.
Reckon I got a little verbose on this one... sorry about that. Other than that, the program does a good job but needs to be altered to recognize the browser that is actually being used on the system. One would think that the authors would be aware of this issue but perhaps they are not concerned. The other option is that people consider things like index.dat files trivial. So be it, but I will not accept having any software creating files I do not want or need and then making it difficult for me to eliminate.
Have a good day (tomorrow).
Dazeydog,
I welcome you to send your comments to support@WinPatrol.com. To be honest I'm a little confused about your index.dat file comment. The only index.dat file I know of is related to IE cookies. This file should be reduced automatically by Windows depending on your settings for how often your cache is cleaned up. I recommend keeping your default Temporary Internet Folder size to a smaller number than the Windows default.
If you use other browsers you may be happy to hear WinPatrol 2010 now includes support for Firefox 3.x and even Chrome.
Bill
Thanks for your input dazeydog. As I have only just added WinPatrol to my review I am still learning about its capabilities myself. This plus I tend to use my Ubuntu partition more than Vista, which limits my exposure to the software. I've actually approached the author and asked him if he would like to contribute here or at least respond to your comments. Depending on the response I get I'll post the details here and maybe open up a thread in the forum for WinPatrol too.
Drive Sentry have just released V3.4.0.20 of their free desktop version. There are no new features but I'm informed that improvements have been made to existing components in several areas.
Users of the previous version please note that there are no time limited automatic updates as before. From V3.4 the free version requires updating manually.
I can't install Drive Sentry on W2K because the install throws up an error message right at the beginning:
"Drive Sentry requires the Filter Manager in order to operate. Please install the latest Service Pack for your operating sytem."
The install continues but I assume it is not 100%, so I terminate it.
I have W2K SP4 Rollup1 - which is the latest version of W2K. So it looks like DS doesn't work on W2K?
chris.p
Received confirmation from Drive Sentry today that V3.4 Desktop "should" still work on W2K assuming SP4 or above. I've asked for a bit more detail than this as "should" is something I don't understand. Either it does or it doesn't.
Thanks for the feedback on this. According to their website DS is still compatible with W2K but I'll mail their support for confirmation. I've not found them too responsive of late, in fact there doesn't seem to be very much activity at all.
MC, the latest version of Threatfire does not work on Windows 2000 (won't install). Old versions install OK.
Also, TF does not prevent rootkits creating a new .exe and writing it to the disk. If it doesn't do this, I'm not sure what use it is, since the only other useful facility it might contain would be to stop unknown apps dialling out - but your HIPS firewall does that (and much more effectively, in my ongoing live test, which involves trying to get rid of a damn pesky rootkit).
Threatfire - on W2K at any rate - doesn't stop unknown exe's being written onto the disk, and it hardly ever stops new processes dialling out. All these are caught by Avast and Online Armor, not TF.
chris.p
Thanks for the heads up about the version install on W2K. I tend to use Softpedia as my reference source for this and they still list it although PC Tools and Cnet (our own link) have removed it.
In truth I've no knowledge of how effective even the older versions of Threatfire might be on W2K because I've never used this system. Many users add Threatfire as an additional layer of security for its keylogging and buffer overflow prevention capabilities.
The real strengths of Threatfire though lie in its ability for custom rule creation, which unfortunately is beyond the abilities of most average users to configure and inadvisable for same to try. This tutorial though has been well written and includes a section for outbound protection.
http://www.wilderssecurity.com/showthread.php?t=253507
To be honest if I was using W2K and felt the need for this type of software I think I'd revert my attentions to the era from when it was written and use Cyberhawk instead, copies of which can still be found.
Threatfire 4.1 supports Win2K. See footnote 3:
http://www.threatfire.com/updates/
Steve
Thanks for this, SBW.
MC, maybe you could add this info to the TF details :
W2K users need to download the ThreatFire 4.1 version, the download link is at the foot of this page: www.threatfire.com/updates/
Personally though, I've deleted it and won't be reinstalling it. It never picked up one single disk write out of dozens that a rootkit I had was creating (additional .exe's), and that were stopped by Avast. It never picked up any of the added (malware-created) tasks in Task Scheduler, that WinPatrol stopped. It never picked up any dial-outs, which Online Armor stopped.
Therefore as far as I can see it is not much practical use. Perhaps this just applies to W2K. However it uses very little in the way of system resources :)
chris.p
Thanks Steve.
Hi all. Don't know whether anyone has tried IObit Security 360. I suppose it is a HIPS; running it now myself, seems to work okay. Any chance of giving it a test? Had trouble with Drive Sentry and Threatfire, thought I might give this a go...
Iobit 360 is an anti-malware product, not a HIPS. It is possible that it will be reviewed here now that the final version has been released, but this decision will be made by the editor of the category concerned.
DriveSentry put a BSOD on both my PC and my wife's; both run Comodo and Avira. There is a basic conflict: when I removed DriveSentry the PCs reverted to problem-free.
When I was trialing DriveSentry for the review my own machine (XP SP2) was also running Comodo and Avira without any problems. Without knowing a lot more details about your system and how you had your other security components configured it's not possible to second-guess what might have gone wrong.
Unfortunately these instances are very system specific and often here and in the forums we see similar posts relating to troublesome combinations which others are running quite happily. The (yawn) long awaited new version of DriveSentry is meant to be more imminent now than it was so maybe you might feel confident in re-visiting this software then?
I am surprised not to see ProcessGuard included in the review. It is by far one of the best HIPS I have ever used, if not the best. Can you please consider reviewing ProcessGuard?
The products reviewed here all have full featured protection. All of the important functions such as Rootkit protection, hooking, driver installation, registry and memory protection are all missing from the free version of ProcessGuard. It doesn't even block new or changed programs. You can achieve far more protection with other software.
I'm having two major issues with Dynamic Security Agent. I installed it a few days ago and after a couple days it was using over 200 megs of memory. If I restart it, it goes back down to about 18 or 20 megs, but then starts increasing fast. The other issue is that every time I restart DSA, it turns off my Windows firewall. Any ideas?
DSA is now discontinued as a standalone application and no longer supported. An updated version is now included with the Privatefirewall package. This excellent firewall used to be commercial but is now freeware.
http://www.privacyware.com/personal_firewall.html
Thanks for the info. I can't find many reviews of Privatefirewall. How do you think it compares to the ones listed on this site (Outpost, Comodo, Online Armor, and PC Tools)?
I have been testing it for a few days. It has an 'old' looking interface and is a bit buggy on an XP SP3 machine. It seems to get confused sometimes about what process is doing what and starts blocking the wrong things.
I will be uninstalling it shortly. Not up to par, IMHO.
It would be helpful to know which applications and processes you are referring to as the firewall doesn't block anything. It produces an alert to prompt an action, depending on how you have it set up.
Hi,
I watched a video on YouTube from mrizos. He reviews a lot of software. He said Geswall was pretty good in his opinion. I DL'd the freeware version.
Any reason the free version doesn't make the list? Is it a poor cousin to the Professional Edition?
Thanks.
Dogpile
Although GesWall can be considered a HIPS, it's not really a HIPS as in a behavioural blocker, it's more of a browser protection utility:
http://www.techsupportalert.com/best-free-browser-protection-utility.htm
As with all software groups we try to mix performance with ease of use. We also try to reduce the overall amount of items reviewed otherwise the whole thing can become more confusing than it already is, especially for security programs. Also, the following warning is posted on the Softpedia page for GeSWall
NOTE: Only for advanced users. Please be very careful. Your operating system may not start anymore!
On balance therefore I decided to leave it out. If your system knowledge is at a sufficiently high level to operate this software correctly then it would indeed be a good addition to your security setup.
Thanks for the quick reply. I removed it from my computer.
I tried DriveSentry on XP but it conflicts with Sandboxie, causing it to black out to DOS and switch off abruptly. I have since changed to Vista and decided that PREVX 3 free version is the best available as it effortlessly flags malware without any intrusive pop-up alerts for safe executables. This and the Nod 32 online scanner will find malware that everything else could miss, including Avira Antivir.
I was infected by what Nod 32 identified (b.exe, c.exe, d.exe) as a fake Trojan. I then scanned using Virus Total, and Nod32, PrevX and perhaps Trend and Norman also showed positive results. Malwarebytes, SuperAntispyware and A2 all proved useful in identifying and removing, but only Prevx was able to provide early detection of something that very few other products could prevent. All without having to check every executable message associated with HIPS.
I want to keep SandboxIE and therefore give up on DriveSentry. Therefore PREVX to me is a double blessing.
The free version of Prevx provides no protection, only the means to identify malware after it has infected your computer. You would then need considerable system knowledge or another third party application to undertake the removal process. As prevention is always better than cure you would be better to re-consider using a solution with real-time protection. That said, with Sandboxie used properly many would argue that you need nothing else at all.
In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something. In this respect Prevx is no better than the other top marques despite all the rhetoric and charts on their homepage. It's also no worse either. Overall the best two at the moment are Avira and a-squared. Next week it might be two different ones. Malware is evolving at such a fast pace these days it's almost impossible for the traditional software to keep up. This is one area where Prevx does score, but only in the paid version if you want real time protection. Prevx is also not a HIPS in the true sense so it was never designed to alert for executables like DriveSentry.
No reconsiderations. I am convinced by my own trials. Avira Antivir + Outpost + PrevX is all I need.
"In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something." Are you referring to VirusTotal?
Yes, Virus Total is perhaps the best example to demonstrate how one program might find something that another misses, or vice versa. It also serves to demonstrate those programs with a regular high incidence of false positives as enjoyed by a-squared recently.
But VirusTotal does not take into account the real-time protection offered by the programs. In particular with a program like Prevx, where the main protection lies in the real-time cloud database, so VirusTotal isn't a good tool to judge the effectiveness of Prevx (or many other software).
The comment was merely an illustration about how certain threats can be missed by one application and not another, and how the results could well be reversed with a new batch of malware. I accept the point about Prevx but the original comment was about the free version.
The free version of Prevx has full detection capabilities of its real-time protection. So the level of detection between the free and paid are the same.
I appreciate that the detection levels are the same. It was more the "protection" capabilities I was concerned with as the OP was comparing Prevx free with DriveSentry and Avira.
This is what I saw on their website which to me suggests that "protection" is only available with an upgrade to the commercial version.
"Should Prevx 3.0 detect infections missed by your existing security product(s) you can always upgrade to add malware removal and protection at any time or report the infection to your existing security"
Ah OK. I assumed the OP knew that Prevx only had detection.
Hey-Ho, I misread this too because I thought the OP was just referencing Avira and not actually using it together with the free Prevx. As it is the setup now is ideal. Sorry for the confusion folks!
I recently looked into using DSA and downloaded it on my system, which is Windows Vista Home Premium SP2. I've had issues installing it. I kept getting compatibility issues and I was redirected to the right version by Vista error reporting. Then to top it off I get Trojan win32/agentBypass.gen!G detected by Microsoft Security Essentials on file: C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe. So it was automatically detected and removed by MSE. So I decided to remove it and use Webroot's firewall, which has DSA built in, and I kept getting an error saying that it needs the DSA driver and wouldn't install. Interesting part: it needed that file mentioned above as infected. It's just one error after another. I was using Panda Cloud AV since it was released but I got a few worms and Trojan infections that got through and I had to reformat. As we all know that is a big pain in the ass... So far Microsoft Security Essentials is kicking Panda's ass. I've had no issues and it found 4 trojans that were actively messing up my computer. Just letting people know I think the download for DSA from their site is infected, since Microsoft is known not to have any false positives. It was also detected by the A-squared free scanner and I had to check on Virus Total to make sure, and it was a trojan. Not many scanners found it but there were a few. Don't remember exactly the number since I use MSE now; it won't let me check again, it's automatically removed. DSA seems to work fine without it though. I haven't had any issues so far but for some reason it's not registering as DSA, it's showing PrivateFirewall now as well lol...
detected by Microsoft Security Essentials on file:C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe.
As expected, now confirmed by Privacyware as a false positive.
Despite Privacyware being a Microsoft Gold Certified Partner, MS are obviously having problems adding all of their files into the database!
I'm sure this detection is a false positive as I've seen similar before. To be on the safe side though I've submitted it to Privacyware for their input and will post the reply when I get it.
I've got KIS and Drive Sentry.... do I need Drive Sentry? Are the two antiviruses conflicting in any way?
Should one add DSA?
At the moment I've got:
Drive Sentry
KIS
SAS Professional
Comodo Memory Firewall
As well as the WOT, Comodo Verification Engine, SpywareBlaster, etc.....
Any thoughts?
Personally speaking, if you're using KIS (Kaspersky Internet Security) I don't think you need anything else mentioned above since it's a full Internet Security Suite. You're taxing your system and not getting much added protection. Kaspersky is a good quality product and they have been up in the top 5 best (usually behind #1 ZoneAlarm) Internet security suites in the world. Drive Sentry is a stand-alone application; it can work with KIS without any issues but Drive Sentry recommends using it alone to prevent any compatibility issues. I'm not a big SAS fan, it always has issues on my computer, and Comodo as well, all of its products. I'd recommend WOT, and Spywareblaster is good as well. Passive protection.
So to recap, you could be alright in just using KIS alone, but if you don't want to, if you use Drive Sentry either alone or alongside KIS you're going to be OK. If you check the remove malware forum and see the review of Drive Sentry, it does offer great protection; he throws enough things at it and it got 100% on his test and is a great product. I found it a bit restrictive of my online games lol Combat Arms and Cross Fire. Spyware Blaster is good passive protection blocking known sites but the updates aren't that often. The other products aren't really needed, they will just tax your system; if you use just DriveSentry you will notice an improvement in speed and response of your system. I would use just KIS and Drive Sentry if I were you, in any pairing you choose, either run alongside or individually. If you want to help compatibility with running Drive Sentry with anything else, in the settings at the bottom remove automatic quarantine so you get a pop-up; that way it alerts you if KIS misses anything, Drive Sentry will catch it, that's for sure.
Hope that helps, sorry it's so long...