Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

Gone are the days when a virus was a virus and everything else was - well – different! Now known collectively as “Malware” these threats are constantly evolving and pose a serious challenge to security software. Signature based scanners give the most reliable detection results but these are limited by the frequency of their database updates. To compliment signature recognition software HIPS programs were developed which look for behavior on your PC which is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process which can occasionally lead to problems. See my article “HIPS Explained” which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy and any so called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. There is no such definition line possible for testing HIPS software and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”).

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

DriveSentry is a relative newcomer to security software but it is still my top pick. People who have already discovered this product will appreciate what a solid option it is. Released for the first time four years ago, DriveSentry adopts a novel and innovative approach to malware detection. It assumes (quite rightly) that in order to operate, any program on your computer needs disc access, and in particular it needs to be able to write data to your hard drive. Without this ability it cannot launch, control or change another process, replicate or use the Internet. This includes things sitting in your temporary folders and on your desktop as well as the installed applications in your program files. The key feature is that DriveSentry will only allow trusted programs to write to your protected areas. DriveSentry contains a white list of safe files which it will allow to run and also a black list of known malware which it will block. There are now 2.8 million files in the malware database. A new feature is powerful “honey pot” feeds which provide real time signature updates as soon as the virus is discovered (paid version only after 30 days). In addition to the real-time protection you can use DriveSentry to scan for malicious files including scripts, macros, Trojans, viruses and rootkits.

DriveSentry also includes a community advisory for each alert showing details of how many people have either allowed or blocked an event previously. A similar function called Threatcast is now included with Comodo's CIS Internet Security suite. Whilst this format for sharing information is always welcome, community based advisories should be viewed with a degree of caution. If an alert is presented for a new safe program and nine out of the ten people who first saw it chose to “block” then you will see a 90% advice to do the same and may be tempted to follow suit. The good thing is that with DriveSentry you can always change or remove the rule created later if you discover that something blocked is really OK to run.

There are considerable options for adding extra rules but this facility is only for experienced users. The logging facility is excellent and provides an invaluable source of data for determining any changes you may wish to make to an application's access rights. Some programs bestow levels of system “invadability” upon themselves at install which they either don't need, or in some cases, shouldn't have! Only you can decide if this amount of adjustment and control is really necessary for your own circumstances. As with all rule settings, if you do make changes it's best to do them individually and then check your system functions. One error can usually be tracked back and altered fairly easily but several might take some finding!

DriveSentry's own literature describes it first as being a “firewall” (for drives) and then an “antivirus” so it's little wonder that many of us end up a bit confused as to exactly what this program does! It's not altogether the manufacturers fault as it's becoming more difficult to classify the threats too, hence maybe the confusion.

I've given DriveSentry our top pick award because not only does it do what it says on the box but it does it in a way less likely to cause you problems than some of the alternatives. Whilst it will automatically block and quarantine known malware, the other automated features are fully controllable, keeping you in the DrivingSeat if that's the way you want it. The GUI is easy enough to navigate and the information presented is clear and concise. Resource consumption, in particular memory use, was an issue with previous versions but this has now been fixed in this release.

There is also a paid version of DriveSentry which offers automatic updates and a portable version called “GoAnywhere” aimed at USB drives, but this too is paid.

The free version “trickle” updates cease after 30 days but users can still download these manually by clicking the “Synchronize” button on the options page. If DS doesn't require an update it will tell you, otherwise it will go ahead and download the latest signatures.

The PDF available is not exactly what you might expect, containing just two pages similar to the web layout, but it does give some additional information.

DriveSentry Security Suite

In line with the trend already set by other vendors, DriveSentry have now released a "Security Suite" which combines the separate DriveSentry desktop and GoAnywhere programs.

This basically adds Drag & Drop AES 256bit data encryption and File Synchronisation/backup to the features list.  Users should be aware though that this package does not contain a network firewall as you might expect from the description so if you are not using the Windows firewall you will need to consider a third party application to perform this role.

Despite being in direct contact with the vendor I've found this to be one of the most confusing product juggling exercises to follow, and I'm not alone as visitors to the dedicated thread at Wilders will see.

This FAQ link now answers some of the questions raised since the suite was introduced.  

forum.drivesentry.com/viewtopic.php

I guess this would be the one on most people's minds.

Will you continue to support and offer updates to DriveSentry Desktop (paid & free version)?
"Yes, we have no plans to discontinue the free or paid version of DriveSentry Desktop. We are continuously researching and developing new premium features for our paid products/suites whilst offering simple next generation anti-virus protection for free".

Both the suite and desktop applications are evolving products and as such have suffered less of the stability issues reported by users of comparable software.   DriveSentry remains a solid choice for PC security and a real alternative to established protection methods, but do expect some bugs as the upgrades become implemented.

Despite the reassurances in the FAQ above it remains to be seen which direction the "free" version of this software will eventually take.

Dynamic Security Agent (DSA) is another option which has been gaining in popularity since it's release in 2006. The producers Privacyware are also responsible for the excellent Privatefirewall and the software is licensed to Webroot who include it in their own firewall and other desktop security products. DSA monitors a range of functions including;

- Attempts to access a protected registry area
- Attempts to access a protected object
- Attempts to initiate a foreign process
- Attempts to control a Windows service
- Attempts to create a DNS request
- Attempts to initiate outgoing TCP traffic

There is also an email and system anomaly analyzer.

The thing I like most about DSA is that it can stop a lot of things but it never deletes them so in case of error you can always return things to how they were before. There is a “learning period” for this software which is adjustable but best left at it's default settings to ensure maximum efficiency afterwards. If you decide to disable this be prepared for a blizzard of popups. A little extra care is needed to monitor your system activities until after the learning period has finished, but then DSA will warn you if an application deviates from it's normal pattern of resource and system use. The alerts are displayed in the usual popup format but can be configured to remain on screen until user input determines an action. With default settings the alert will “time out” after 30 seconds and block whatever process has been flagged. Privacyware refer to this as detecting “unacceptable deviations from typical use”. In so doing DSA provides protection against viruses, spyware, Trojans, worms, rootkits and hackers.

Because of it's ability to monitor incoming and outgoing Internet traffic it is also possible to use DSA to compliment your existing standard firewall application. Matousec even test this function in DSA. Whilst I wouldn't want to rely solely on DSA for firewall protection it will add another layer of security to your existing line-up. If left at default, the settings will automatically block anything trying to “phone home” should you not be at your computer when the attempt is initiated.

I've been unable to dig up any real conflict issues affecting DSA ,and Privacyware who have been highly cooperative assure me that support requests of any nature for DSA are rare. The PDF available is excellent and includes screen shots.

This is a pretty impressive line-up of abilities, resource usage is light, and the software deserves to be better known.

PC Tools ThreatFire continues to evolve but with the latest version 4.5 they've taken some bits away as well as adding new ones. Gone is the antivirus scanner and users must now find an alternative program to perform this function. A facility to download the PC Tools antivirus is provided from the ThreatFire GUI. The immediate effect of not having the virus scanning engine and signature database is to reduce the download size from some 22MB to just 7.5, but what about the rest of it? Well the old “Threat Detection” map remains which in terms of security provision is about as much use as a paper bag in a thunderstorm but the other features are solid enough. To detect malicious behavior, ThreatFire monitors every file operation, every process creation, every network communication (inbound and outbound) and every interaction with critical components of the operating system. They say rootkit detection has been improved to discover “deeply hidden threats” but I thought this was why rootkits were called rootkits in the first place (because they were deeply hidden!).

The thing that concerns me most though is that the level of program automation has been increased with the addition of “in-the-clouds black and white lists to automatically handle threats, significantly reducing user interaction”. This means it will now do more things without asking you! You may prefer to keep your feet on the ground instead of “in-the-clouds”. Maybe I'm being a little unfair as this program continues to be hugely popular but with forum posts highlighting a range of issues, some relating to the (supposed) automated removal of Windows system files I can't help but think that increasing the automation still further was a bad choice. I've never questioned the value of behavioral based detectors in a balanced security line-up but what I do doubt is the wisdom of giving them an increased automatic ability for process termination. General feedback for the new version though appears to be very positive and from personal contact with PC Tools I can confirm they are working hard on fixes for any remaining issues. Certainly browsing performance with this version shows a significant improvement. Time will tell if the major problems some have experienced with ThreatFire have finally been smoked out.

Despite my reservations ThreatFire continues to be a top contender amongst the free behavioral detectors, but I am wary of recommending it for average users. Especially since the removal of the signature based virus scanner, I believe DriveSentry to be a better option.

Be aware that automatic updates are not provided with the free version if you elect to “opt out” of the ThreatFire Community. The paid version does offer this option plus other flexibility, permissions for commercial use and telephone support.

Spyware Terminator seems to have been around for almost as long as I have and some might argue it's about as much use too! That said if you witnessed the decline of this software a couple of years ago you might now be surprised by its rejuvenated format. I'm not going to pretend that the spyware detection rates are that good because they're not, but the HIPS component is. Added to that is the option to integrate the ClamAV antivirus shield and Web Security Guard. An adware toolbar (Web Security Guard Toolbar) is included but you can un-check this at installation. There is a choice of two proficiency levels for the default install (basic and advanced) which then sets the rules and notification levels (number of popups) accordingly.

No less than ten real-time shields are provided for system protection and each one can be enabled separately. An install mode is included for use when adding new software and there's a separate cookie scanner. Other features include locked file removal, file analysis, browser restoration and even a system restore function. See the full details here. There are several scan options including customized and context menu scanning. The updates are compressed to minimize bandwidth usage, and there's even free support via email and the forum. The spyware scanner is 64-bit compatible for both XP and Vista but unfortunately the Real Time Shield is not. This is planned for the third quarter of 2009. Free for home and commercial use. How do they do it!?

Resource use and system impact will vary according to your component strength and what you ask Spyware Terminator to do. It is always likely to be on the moderate side but unless you have a really old computer it's worth living with.

Be advised that Spyware Terminator only loads a small installer program initially (632kb) and then connects to the Internet to download the other stuff you've ticked as options. There is a separate link for downloading an off-line installer if preferred.

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software but users in this category who prefer to combine small light applications to create a layered security solution should definitely check it out. Installation is not required, simply run the program from whichever directory you un-zip it to.** New features in V1.2.6.7 released 4th April, 2009 : Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts, Quarantining of Files and Directories **  There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

• Best Free Antivirus Software
• Best Free Firewall
• Best Free Adware/Spyware/Scumware Remover
• Best Free Trojan Scanner/Trojan Remover
• Internet Safety Raters and Site Scanners
• Gizmo's Guide to Securing Your PC
• How to Surf More Securely
• Best Free Browser Protection Utility
• Malware Removal Guide