Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)
In a Hurry?
Introduction
Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they can only recognise what is already in their database and so are limited by the frequency of their updates. To complement signature recognition, HIPS programs were developed which look for behaviour on your PC that is characteristic of malware activity. The user is then presented with an alert to either allow or block the event. Some programs automate this decision, which can occasionally lead to problems; see my article "HIPS Explained", which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score; AV Comparatives provides an admirable service here and the results are consistent and reliable. No such clear-cut test is possible for HIPS software, because what gets detected depends on how the malware behaves when it is run and on how the user answers the alerts, and my feeling is that some vendors may use this to their own advantage ("hype").

Review Criteria
Discussion
With signature-based scanners becoming less effective against new threats, programs like Threatfire have an increasing role to play in PC security. This has also been recognised by commercial vendors like F-Secure (DeepGuard) and Emsisoft (Mamutu), who have been using this technology for some time. Like these programs, Threatfire constantly monitors your system for behaviour typical of malware, such as capturing your keystrokes. When used together with a traditional real-time anti-virus and a good firewall, Threatfire provides the often missing link of behaviour-based detection. Threatfire also contains a highly effective system activity monitor which will display your autoruns in addition to other useful information. The other tab on the advanced settings, though, is only for truly experienced users with a high degree of Windows system knowledge: creating advanced rules with Threatfire can render your system unusable unless you know exactly what you are doing. In the hands of experienced users, though, this facility is a formidable tool. Be aware that automatic updates are not provided with the free version if you elect to "opt out" of the ThreatFire Community. The paid version does offer this option plus other flexibility, permissions for commercial use and telephone support. If your main anti-virus or firewall already includes similar behaviour-based technology, check the support forums for known conflicts before adding Threatfire; duplicating behaviour monitors on the same system is not always a good idea. *Windows 2000 users please note that you need V4.1 of Threatfire. See footnote 3 and other useful information including the download link on this page.
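To make the allow/block model above concrete, here is a toy behaviour-based HIPS. It is an added example written for this page, not code from Threatfire or any other product: it scores each process against a small rule set (autorun persistence, dropping an executable into Temp, installing a keyboard hook, writing into another process) and raises one alert per process once the score crosses a threshold. The event format, the rules, the weights and the sample event stream are all constructed assumptions.

```python
"""Toy behaviour-based HIPS: score each process against a small rule set and
raise an alert once it crosses a threshold. Added example, not ThreatFire's
(or any other product's) code; event fields, rules and weights are assumptions."""
from collections import defaultdict

# Constructed sample event stream, not real telemetry. "arg" carries the
# registry key, file path, hook type or target pid depending on the action.
SAMPLE_EVENTS = [
    {"pid": 100, "image": "explorer.exe", "action": "api_call",
     "api": "CreateProcess", "arg": "C:\\Tools\\editor.exe"},
    {"pid": 200, "image": "editor.exe", "action": "file_write",
     "arg": "C:\\Users\\me\\Documents\\notes.txt"},
    {"pid": 300, "image": "update.exe", "action": "file_write",
     "arg": "C:\\Users\\me\\AppData\\Local\\Temp\\svch0st.exe"},
    {"pid": 300, "image": "update.exe", "action": "reg_set",
     "arg": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st"},
    {"pid": 300, "image": "update.exe", "action": "api_call",
     "api": "SetWindowsHookEx", "arg": "WH_KEYBOARD_LL"},
    {"pid": 300, "image": "update.exe", "action": "api_call",
     "api": "WriteProcessMemory", "arg": "pid:100"},
    {"pid": 400, "image": "installer.exe", "action": "reg_set",
     "arg": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Installer"},
]


def _is_api(event, *names):
    return event["action"] == "api_call" and event.get("api") in names


# (rule name, weight, predicate). Weights are illustrative: a single hit such
# as an installer adding a Run key is normal, a cluster of hits is not.
RULES = [
    ("autorun_persistence", 2,
     lambda e: e["action"] == "reg_set" and "\\CurrentVersion\\Run\\" in e["arg"]),
    ("drops_exe_in_temp", 2,
     lambda e: e["action"] == "file_write" and "\\Temp\\" in e["arg"]
     and e["arg"].lower().endswith(".exe")),
    ("keyboard_hook", 3,
     lambda e: _is_api(e, "SetWindowsHookEx") and e["arg"].startswith("WH_KEYBOARD")),
    ("writes_other_process", 3,
     lambda e: _is_api(e, "WriteProcessMemory", "CreateRemoteThread")
     and e["arg"] != f"pid:{e['pid']}"),
]
ALERT_THRESHOLD = 5


def analyse(events, allowed=frozenset(), threshold=ALERT_THRESHOLD):
    """Return one alert per process that crosses the threshold.

    `allowed` holds image names the user has already answered "allow" for;
    this is how the allow/block prompt avoids nagging about the same program."""
    scores = defaultdict(int)
    matched = defaultdict(list)
    alerted = set()
    alerts = []
    for e in events:
        pid = e["pid"]
        for name, weight, pred in RULES:
            if pred(e):
                scores[pid] += weight
                matched[pid].append(name)
        # Alert at the moment the threshold is crossed, as a real-time HIPS
        # would, with the rules that fired up to that point.
        if (scores[pid] >= threshold and pid not in alerted
                and e["image"] not in allowed):
            alerted.add(pid)
            alerts.append({"pid": pid, "image": e["image"],
                           "score": scores[pid], "rules": list(matched[pid])})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"ALERT pid {alert['pid']} ({alert['image']}): "
              f"score {alert['score']}, rules {', '.join(alert['rules'])}")
```

The installer that only adds a Run key never reaches the threshold, while the process that drops an executable in Temp, adds a Run key and then installs a low-level keyboard hook does. Where you set the threshold and weights is exactly the trade-off the review describes: lower them and you catch more, but you also answer more alerts about legitimate software.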
WinPatrol has many advocates and has recently been upgraded for greater compatibility with Vista and Windows 7. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings (startup programs and browser add-ons, for example) and alerting you to any changes. This heuristic, change-detection approach makes WinPatrol more likely to catch new malware than a traditional signature-based scanner, which is heavily reliant on updates; the flip side is that it tells you something changed rather than what changed it, so you still have to judge each alert. WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you. The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here: http://billpstudios.blogspot.com/ Softpedia review link (2007): http://www.softpedia.com/reviews/windows/WinPatrol-Review-62232.shtml
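The snapshot-and-compare approach just described, as an added example that is not WinPatrol's code. It records each autorun location together with a hash of the file it points at, so that a binary swapped in place is reported even when the registry value itself never changed, and then diffs a later snapshot against the baseline. The locations, commands and file contents are constructed for the example.

```python
"""Snapshot-and-diff detection of autorun changes. Added example, not
WinPatrol's code; the entries and file contents are constructed."""
import hashlib

RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def fingerprint(command, file_bytes):
    """What we remember about one autorun entry: the command line and a hash
    of the executable it points at, so a replaced binary is caught even when
    the registry value itself is unchanged."""
    return {"command": command, "sha256": hashlib.sha256(file_bytes).hexdigest()}


def take_snapshot(entries):
    """entries: iterable of (location, command, file_bytes) tuples."""
    return {loc: fingerprint(cmd, data) for loc, cmd, data in entries}


def diff_snapshots(baseline, current):
    """Return the added, removed and changed autorun locations."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def format_alerts(changes):
    """One human-readable line per change, in the order a user would want them."""
    lines = []
    for kind in ("added", "removed", "changed"):
        for loc in changes[kind]:
            lines.append(f"{kind.upper():7} {loc}")
    return lines


# Constructed baseline taken at a known-good point in time.
BASELINE = take_snapshot([
    (f"HKLM\\{RUN}\\SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe", b"good-binary-v1"),
    (f"HKCU\\{RUN}\\OneDrive",
     "C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
     b"onedrive-v1"),
    ("Startup\\backup.lnk", "C:\\Tools\\backup.exe", b"backup-v1"),
])

# Constructed later snapshot: a new Run entry, a removed startup shortcut and a
# Run entry whose binary was swapped while the registry value stayed the same.
CURRENT = take_snapshot([
    (f"HKLM\\{RUN}\\SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe", b"trojanised-binary"),
    (f"HKCU\\{RUN}\\OneDrive",
     "C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
     b"onedrive-v1"),
    (f"HKCU\\{RUN}\\svch0st",
     "C:\\Users\\me\\AppData\\Local\\Temp\\svch0st.exe", b"dropped-payload"),
])

if __name__ == "__main__":
    for line in format_alerts(diff_snapshots(BASELINE, CURRENT)):
        print(line)
```

On a real system the snapshot would be built from the Run/RunOnce keys, the Startup folders and the browser add-on lists, and would be re-taken on a timer or on a registry-change notification; the comparison logic stays the same.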
Spyware Terminator provides no less than ten real-time shields for system protection, and each one can be enabled separately. An install mode is included for use when adding new software, and there's a separate cookie scanner. Other features include locked file removal, file analysis, browser restoration and even a system restore function. See the full details here. There are several scan options including customised and context-menu scanning. The updates are compressed to minimise bandwidth usage, and there's even free support via email and the forum. The spyware scanner is 64-bit compatible on XP, Vista and Windows 7, but unfortunately the Real Time Shield is not, despite being promised for the final quarter of 2009; on x64 systems you therefore get the scanner but not the HIPS protection. Resource use and system impact will vary according to your hardware and what you ask Spyware Terminator to do. It is always likely to be on the moderate side, but unless you have a really old computer it's worth living with. Be advised that Spyware Terminator only loads a small installer program initially (632 KB) and then connects to the Internet to download the other components you've ticked as options. There is a separate link for downloading an off-line installer if preferred.
On this page under Related Products and Links, the link labeled "Malware Removal Guide" is 404.
Thanks a lot - I've fixed it now.
Hi MidnightCowboy,
Thank you for your very informative article. I would be interested to know more about the performance of these HIPS applications (typical RAM usage, for example), so that users like me can take into consideration which application is suited to their hardware.
Once again many thanks,
In terms of resource use from low to high they rank: MJRW, WinPatrol, Threatfire and Spyware Terminator. ST is still some way ahead of the rest, so if resource use really is an issue this might be the one to avoid. Otherwise, the need for features should maybe be considered before the amount of memory used, unless you have a really low-powered machine. You also might want to consider changing a resource-hungry primary AV for one less demanding if you have such a beast installed. The latest V5 of Avast! is pretty good on my machine, using 25 MB and 7 MB respectively for the svc.exe and UI.exe. This might then enable you to put in a HIPS without having to worry about the extra resource use.
Many thanks for your prompt reply!
How does Spybot's TeaTimer system settings protection tool rate compared to these other programs? It has white/blacklists, etc. Is it good for HIPS?
This is the TeaTimer FAQ.
http://www.safer-networking.org/en/faq/33.html
Currently S&D seems to be in no man's land compared to some other spyware apps, although the program does contain some other useful tools. Unless you really love S&D for what it actually is, I wouldn't install it just for the TeaTimer function. Spyware Terminator would be more effective (on 32-bit systems anyway) because it does have a proper and well thought out HIPS; otherwise stick with whatever comes bundled with your firewall and/or WinPatrol. If you just feel the need for some extra registry protection then MJ Registry Watcher might be just the tool.
Reasonable choices for this forum. There are now many excellent free HIPS, but few are suitable for a big audience.
P.S. PEGuard seems promising...
PEGuard? Is this Zprotect we're talking about in which case I wasn't aware there was a free version?
My favorites in the past usually combined Avira and Sygate with either EQSecure, Realtime Defender or System Safety Monitor. You can do a lot of damage with these though which is why I only "supported" them in a very limited way via the forum for people with an interest in this type of stuff. They are all redundant beyond XPSP2 (although I think EQS is OK with SP3) so in effect they are dying a natural death as the world moves on to x64 and beyond. IMO currently D+ wants a lot of beating and now that the firewall is 100% stable for the majority of us I see little point in using anything else. Comodo isn't everyone's cup of tea though so naturally programs like Threatfire and Winpatrol add this extra layer if required.
There is some interest in it at Wilders.
http://www.softpedia.com/get/Antivirus/PE-GUARD.shtml
It is free.
Your idea of Defence+ being enough for classical HIPS fans seems justified.
Thanks for the link. There's another program of the same name which was confusing me!
Having now found the right thread at Wilders there seem to be quite a few conflicting reports and errors, including BSODs, considering the small usage numbers. I think I'll add this one to my "has potential" pile for the time being and wait for some further development.
Yes. It seems promising, but not yet fully recommendable.
If that is the case, then we can categorize the products according to different levels of proficiency. That way, users will be aware of the good choices that are available. Just a suggestion.
You will find many on my list. MC gave some ideas above as to why only a fraction of them are really important.
Thanks for the reply :).
You are welcome. Your idea of mentioning some extra possibilities is good.
MC, I think you could mention here something about Defence+ plus at least. (Eg. repeat above the comment you gave here.)
Thanks for the suggestion. The only issue I have with this at the moment is that in order to utilize D+ fully, the AV component from CIS also has to be installed even if the firewall is not. If on the other hand we view this as a firewall/HIPS combination then it's already covered in Rizar's excellent article. Spyware Terminator is the same in that the anti-spyware component (such as it is) comes bundled with the HIPS whether you want it or not. That said, this one is designed to work with other programs whereas CIS is not. In this vein, to install D+ and the Comodo AV without also including the firewall doesn't seem to make much sense, well not to me anyway :)
Those more familiar with HIPS might wonder why some programs are not included. Couldn't you explain this (eg. about Defence+, SSM) in the end of this article?
Yes, this is certainly an idea for enabling a more complete picture. Although the article has been updated recently it is still maybe due a re-write and this is one of the areas I'll add in to it next time.
What about the HIPS that is part of the Free Comodo Firewall (i.e. Defense Plus)?
D+ is excellent, some would say even the best as part of the CIS firewall. This review though concentrates on applications which can be used as separate programs alongside other software to form a layered defense. Unfortunately, in order to use D+ in this way (without the firewall) the AV component also needs installing and so rules it out.
There are other excellent alternatives which are no longer in development such as EQSecure (3.41), System Safety Monitor and Realtime Defender. These however are not simple programs to manage and understand, are only good up to XPSP2 and have no support so unsuitable for inclusion here.
Is Threatfire to be recommended above WinPatrol? What criteria can I use if no one wants to answer this directly?! Thank You
Threatfire is a more comprehensive solution but potentially capable of giving you more system problems than WinPatrol. The only real way to judge the benefits of either for your own use is to digest the relevant home page feature lists and then make a decision from there. The support forums are also a necessary source of reference. Although there are fewer issues now with Threatfire than there were with previous versions, it's still worth looking to see what is happening to other users. If anything you see there is something you would not wish to cope with yourself then maybe WinPatrol would be the best option.
I tried Threatfire again yesterday on XP SP-3 and the latest version had very little noticeable drag unlike earlier versions, so this time I kept it on all day. This morning when I started my PC, I got a popup that Windows turned off Services and Controller App and next another popup stating Internet Explorer Has Encountered a Problem and Has to Close. I knew the problem had to be with Threatfire, so I uninstalled it in safe mode and no more problems.
I have tried various versions of Threatfire (including the original Cyberhawk) and found it to be problematic in ALL its various guises. I think people should be very wary of installing HIPS-type programs since they almost always create more problems than the threats they supposedly protect against. My advice: practice safe computing thereby reducing the necessity for such programs.
This is very good advice and matches my own sentiments exactly.
Unfortunately it is not up to us to tell people what they should install so rather we try to advise responsibly on what is likely to happen. Undoubtedly Threatfire is better than it was but still the one most likely to cause system problems, and for some users this will involve seeking outside help to fix.
This is why I used to like DSA so much when it was still supported as a standalone program, and not just a part of Privatefirewall. Having just "allow" or "Block" is great when mistakes get made because it's a relatively easy process to return things to normal.
The above article places threatfire as top pick!
I believe the version of Threatfire is 4.7.0.11, not 4.9.11.23.
I believe this to be incorrect as both Softpedia and MajorGeeks report 4.9.11.23 as of 4th December. To be certain I've mailed PC Tools support.
I will agree with LordRahl here. I have seen this increasing trend of discrepancy of the download available on the download sites, and on the home page of the software. I have seen download sites hold a newer version of a software, but the version available at the main site of the software would still be an older version. In such cases I trust the site of the software, and not the download sites.
There could indeed be a number of reason for this but the only true answer is going to come from the vendor. To date I'm still waiting for their reply which considering it's Christmas week is not unusual.
My grateful thanks to those who spotted the different Threatfire file version numbers. PC Tools have now replied to my query and indeed there was an error with the file numbers sent to Softpedia, MajorGeeks and some others. The correct version as of 23.12.09 is 4.7.0.11 which has now been amended above.
Thanks for the feedback MC. I too had seen the version on MajorGeeks, but I had checked on the PC Tools site, and there it was the older version. I had been regularly checking the site for an updated version, but never happened.
As said before, I have been watching this trend of wrong information grow since some months, and with lots of software.
At the bottom of the page
http://www.threatfire.com/download/
This is probably the most reliable source.
I’ve just updated the review to the format you now see above.
I’ve hesitated for some time about which direction to go in but eventually decided to remove DriveSentry.
My thoughts are echoed in other places too as illustrated by this thread from our friends at Wilders.
http://www.wilderssecurity.com/showthread.php?s=d8a377715f9f5f48cc9780ab...
Ultimately I was also helped by recent developments with Threatfire, which is much improved from previous versions. I never doubted its detection capabilities, but its tendency to also munch some of your system drivers for breakfast was nothing I would recommend for average folk to endure.
Thankfully, these issues are now behind us and Threatfire can regain its top spot with pride.
I tried the new Threatfire version from Major Geeks and the noticeable drag on my older XP is reduced to the point that I can now keep it installed. Thanks for the heads up MC. Is there any problem with keeping the Community Monitoring on for auto-updates or is it security-wise to turn this function off and manual update?
I notice a drag with Threatfire on an older XP. What ever happened with DSA? I assumed a lot of users liked it.
Unfortunately DSA is no longer being developed or supported as a standalone program. It remains an integral part of the now freeware Privatefirewall, however, and is being improved further as we speak to achieve full x64 compatibility. I was a great fan of DSA myself, but unfortunately all of the freestanding HIPS applications are now dying out as vendors seek to incorporate everything into either a firewall or complete suite. This is hardly surprising when you consider the amount of alerts generated and work necessary to manage this type of program. EQSecure, System Safety Monitor and Realtime Defender are other examples of excellent products which have also ceased, although all will continue to work very happily on XP up to SP2.
Older versions of Threatfire had several issues which I wasn't happy with which is why it ended up being downgraded in my review here. The "drag" I can identify with myself from my own XP days, so much so that I used to use an old version of Cyberhawk instead. Threatfire has improved a lot lately though and I notice no system performance drop on x64 Windows 7 at all. As I say in my review this has maybe been influenced by Symantec's involvement and the use of Threatfire components within the PC Tools Internet Security suite. Whatever the reasons though, Threatfire is now a solid choice for zero day protection although users will still need to be mindful of possible conflicts if their main solution also contains similar technology. Duplicating behavior based software on the same system is not always a good idea.
What are your thoughts on users who use a good firewall with strong os/hips protection such as those on the top of matousecs tree? Is a seperate hips such as threatfire for eg still needed?
This is a difficult question to answer for everybody because it's largely dependent on your surfing habits. If you visit porn, social networking and file sharing sites then you need all the help you can get. In this respect complementary software such as Threatfire with behavioral recognition technology is almost a necessity. Otherwise I would say it isn't with the type of firewall you describe. Resource use is reasonable though at less than 10 MB, and on my Windows 7 x64 I notice none of the system slowdowns associated with previous versions.
Anyone not wanting to install too many programs anyway could always choose a firewall like Privatefirewall which has good similar technology included. Be aware though that the process monitor is not yet x64 compatible, although the other functions are. Full x64 compatibility is still being developed and won't be in service until around the first quarter of next year. Not only does Privatefirewall notify you about what things are doing, it will also warn you if they are doing it differently to the last time they ran in terms of CPU cycles, memory use etc. This type of anomaly detection is a good resource to have, and with Privatefirewall this extends to emails too. You do need to read their PDF guide first though before installing it to understand fully how to set up a suitable training period, otherwise it will end up annoying you with superfluous alerts and/or not work to its best potential.
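The "training period, then flag runs that differ from last time" idea in the reply above, written out as an added example. This is not Privatefirewall's code and says nothing about how that product actually models a process; the training length (five runs), the three-sigma rule, the spread floor and the sample CPU/memory figures are all assumptions chosen to illustrate the mechanism, including why a training period that is too short produces the superfluous alerts the reply warns about.

```python
"""Per-program resource baseline with a training period. Added example, not
Privatefirewall's code; training length, 3-sigma rule and figures are assumptions."""
import statistics
from collections import defaultdict


class ProcessBaseline:
    def __init__(self, training_runs=5, sigma=3.0, floor_ratio=0.05):
        self.training_runs = training_runs
        self.sigma = sigma
        self.floor_ratio = floor_ratio  # minimum spread as a fraction of the mean
        self.history = defaultdict(list)  # image -> [(cpu_ms, working_set_kb), ...]

    def observe(self, image, cpu_ms, working_set_kb):
        """Record one run of `image`.

        Returns None while the program is still being learned (too few runs),
        otherwise a list of (metric, value, baseline_mean) anomalies, empty
        when the run looks like the previous ones."""
        runs = self.history[image]
        if len(runs) < self.training_runs:
            runs.append((cpu_ms, working_set_kb))
            return None
        anomalies = []
        metrics = (("cpu_ms", cpu_ms), ("working_set_kb", working_set_kb))
        for idx, (metric, value) in enumerate(metrics):
            series = [r[idx] for r in runs]
            mean = statistics.fmean(series)
            # A floor stops a perfectly steady program producing a zero
            # standard deviation and then flagging every tiny fluctuation.
            spread = max(statistics.pstdev(series), self.floor_ratio * mean)
            if abs(value - mean) > self.sigma * spread:
                anomalies.append((metric, value, mean))
        if not anomalies:
            runs.append((cpu_ms, working_set_kb))  # only normal runs extend the baseline
        return anomalies


# Constructed sample: five ordinary runs of backup.exe, then a normal one and
# one that burns far more CPU than usual.
TRAINING = [(1200, 40000), (1250, 41000), (1180, 39500), (1300, 40500), (1220, 40200)]


def demo():
    baseline = ProcessBaseline()
    for cpu, mem in TRAINING:
        baseline.observe("backup.exe", cpu, mem)  # returns None while learning
    normal = baseline.observe("backup.exe", 1240, 40100)
    suspicious = baseline.observe("backup.exe", 9000, 40300)
    return normal, suspicious


if __name__ == "__main__":
    normal, suspicious = demo()
    print("normal run:", normal)
    for metric, value, mean in suspicious:
        print(f"ALERT backup.exe {metric}={value} vs baseline mean {mean:.0f}")
```

Two design points matter in practice. Only runs judged normal are added to the history, so a compromised run does not quietly become part of the baseline; and a program that has been observed fewer than `training_runs` times is never flagged, which is the trade-off behind the reply's advice to set the training period up properly before expecting sensible alerts.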
MC, would your previous comments about protection still be needed/valid if using a program such as Returnil or Sandboxie? Would that not eliminate the need for such "extra" protection or as you stated "all the help you can get?"
Also would you still recommend PrivateFirewall if browsing is done almost exclusively with Returnil or Sandboxie or would that be overkill?
Ultimately, it's what works best for you and what you feel most happy to manage. You say browsing would be done "almost" exclusively with these other programs, so that to me still implies a risk for which the use of Privatefirewall could prove beneficial. I for one have never been able to get on with Sandboxie so I'm not in the best position to comment, but I do know that it requires discipline to use effectively.
I installed the free version of Drive Sentry and liked it enough to pay the $15 for the full version. My problems started at that point. First of all I had to use a round about way to even purchase Drive Sentry. The pop up link you get after creating an account sent me to a local address on my computer.
I tried registering on their support forums and apparently a Board Admin is required to approve you even after the activation email. It's been 4 days and nothing.
I'm now getting run time errors and Drive Sentry shut downs. I can not find any support information besides the forum which I can not get to. The contact numbers are always closed.
I've wasted $15 before; it's not the end of the world. I would really think twice about installing Drive Sentry or even purchasing a product that has limited support.
I admit myself that I can't really understand the direction that this company is meant to be going in. Just when I'm ready to have a category re-think they come up with a burst of activity to keep me interested. This has happened twice now but I am definitely running out of patience.
On a personal note, if you care to register here and then send me a PM via the forum I'll take your situation up directly with the vendor. For obvious reasons they won't entertain a request about an anonymous post.
Does Winpatrol need any special tweaking for optimum performance/protection once installed?
WinPatrol is fine at its default settings. All security software is designed to install at an "optimum" level, i.e. one which the devs have determined to offer the best protection for the most people on the majority of average systems. Of course advanced settings are possible, but unless your knowledge of Windows (or in the case of firewalls, networking) is at a sufficiently high level then these are best left alone.
Could someone please tell me if I can use DriveSentry with my existing AVG 9 and a firewall? I remember reading (here?) a while back that if you had DriveSentry you had to turn off any existing installed AV or firewall program -- or is that only if you have a firewall with a HIPS component enabled...? Thanks.
I don't have any personal knowledge of compatibility with AVG because I've never used it. You can always try installing DriveSentry because it will warn you if AVG is not compatible and you can then abort the process. In this case you could try WinPatrol instead which is widely regarded.
I think I'll try the little "watch dog" with my avira and PC tools firewall plus. Sure is a lot of good feed back on WinPatrol.