Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)


Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here, and the results are always consistent and reliable. No such clear-cut measurement is possible for HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).

Review Criteria

My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component set-up on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use, and the software reviewed may react quite differently from one PC to another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint-hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!


WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to revisit an old favorite of many users, which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.


MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system but also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop, though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.

The program now also includes process launch monitoring, folder and file hooking, emailing of alerts, and quarantining of files and directories.

There is an active thread for this software at the Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666. The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
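The snapshot-and-poll approach that both WinPatrol (snapshot your settings, alert on changes) and MJ Registry Watcher (poll every 30 seconds, with deletions caught only by the polling loop) rely on, as an added example written for this article rather than code from either product. The two Run key paths are the real Windows autostart locations; the snapshot contents are constructed sample data, and the live collector only works on Windows via the standard winreg module.

```python
# Snapshot-and-diff monitor for Windows autostart entries: the technique behind both
# WinPatrol (snapshot settings, alert on change) and MJ Registry Watcher (poll every
# 30 seconds; deletions only show up in the poll). Added illustration, not product code.
import sys
import time
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, str]  # r"HIVE\key path\value name" -> command line it launches
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HKCU, HKLM = "HKCU\\" + RUN_KEY + "\\", "HKLM\\" + RUN_KEY + "\\"

# Constructed sample snapshots (not a real host): a clean baseline, then a later poll
# with one value added, one command line altered and one value deleted.
BASELINE: Snapshot = {
    HKCU + "OneDrive": r"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    HKLM + "Backup": r"C:\Program Files\Backup\backup.exe /tray",
    HKLM + "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}
LATER: Snapshot = {
    HKCU + "OneDrive": BASELINE[HKCU + "OneDrive"],
    HKCU + "Updater": r"C:\Users\me\AppData\Roaming\upd.exe",
    HKLM + "Backup": r"C:\Users\me\AppData\Roaming\backup.exe /tray",
}

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str]]:
    """Every added, modified or deleted entry between two snapshots, in name order."""
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes.append(("added", name, after[name]))
        elif name not in after:  # deletions cannot be hooked; only a poll sees them
            changes.append(("deleted", name, before[name]))
        elif before[name] != after[name]:
            changes.append(("modified", name, before[name] + " -> " + after[name]))
    return changes

def watch(collect: Callable[[], Snapshot], passes: int, interval: float = 30.0,
          sleep: Callable[[float], None] = time.sleep) -> List[Tuple[str, str, str]]:
    """Polling loop: take a baseline, re-snapshot every `interval` seconds, alert on
    each difference, then adopt the new state as the baseline (as if the user accepted it)."""
    baseline, alerts = collect(), []
    for _ in range(passes):
        sleep(interval)
        current = collect()
        for change in diff_snapshots(baseline, current):
            print("ALERT %-8s %s: %s" % change)
            alerts.append(change)
        baseline = current
    return alerts

def collect_run_keys() -> Snapshot:
    """Live collector for the two classic Run keys (Windows only, via winreg)."""
    import winreg
    snap: Snapshot = {}
    for prefix, hive in ((HKCU, winreg.HKEY_CURRENT_USER), (HKLM, winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(key, i)
                    snap[prefix + name] = str(data)
        except OSError:  # key absent or access denied
            pass
    return snap

if __name__ == "__main__":  # live on Windows, otherwise replay the constructed samples
    polls, win = iter((BASELINE, LATER, LATER)), sys.platform == "win32"
    watch(collect_run_keys if win else (lambda: next(polls)), passes=2, interval=30.0 * win)
```

A real watcher would cover the other autostart locations MJRW and WinPatrol track (RunOnce, services, the Startup folder, browser add-ons) with further collectors feeding the same diff.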

Quick Selection Guide

Malware Defender
Rating: 4 (Gizmo's Freeware award as the best product in its class!)
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users; home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
Architecture: 32 bit only
License: Unrestricted freeware
Portable: There is no portable version of this product available.
Operating system: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology. Acquired in July 2014 by the former lead developer of Sunbelt & Viper software, with the current status of the product guaranteed.
Cons: Alerts can be confusing to the non-technical and distracting when they arrive during an install process.
Home page: http://www.winpatrol.com/
Version: 31.0
Size: 1.1 MB
Architecture: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: A portable version of this product is available from the developer.
Operating system: MS Windows all inc. 64 bit

MJ Registry Watcher
Rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
Architecture: 32 bit only
License: Unrestricted freeware
Portable: This product is portable.
Operating system: Windows all


Comments

by SkuterB on 5. July 2014 - 3:42  (117151)

This may be old news to some here, but it was news to me today.
WinPatrol has apparently been sold to Ruiware.
According to the WinPatrol site, nothing will change and the new owner says he plans to continue as before.

I was aware Mr. Pytlovany has had some personal issues, I thank him for everything and wish him the best....

SkuterB

by MidnightCowboy on 5. July 2014 - 5:08  (117154)

Alliances and takeovers happen all the time in this industry and we as consumers are mostly unaware of them. Bill has always been upfront with his development objectives however and Bret Lowry appears to be in the same mould. You can read the product statement here. MC - Site Manager.

http://billpstudios.blogspot.com.br/2014/06/winpatrol-generation-ii.html

by Paxmilitaris on 27. September 2013 - 0:51  (111048)

About MJ Registry Watcher:

How can you write "Installation is not required, simply run the program from whichever directory you un-zip it to." and then "There is no portable version of this product available."?

by MidnightCowboy on 27. September 2013 - 5:24  (111049)

Thank you for pointing this out. The wrong box was ticked when it was entered into our products database. MC - Site Manager.

by Lassar on 24. October 2012 - 21:55  (101306)

I have used ThreatFire as a HIPS.

It does not play nice with powerbasic.

And seems to slow down firefox and windows explorer.

Is there a threatfire alternative?

by MidnightCowboy on 25. October 2012 - 2:22  (101315)

This is difficult. In one way these programs all operate the same, but in another they adopt different approaches to achieve the same objective. The Threatfire code has evolved over a long time, ever since it was first marketed as Cyberhawk, so in reality there is no direct equivalent. IMO the closest would be Privatefirewall, but maybe you don't use a third party firewall, or wish to change what you already have. Standalone HIPS are now a dying breed, and since the days of System Safety Monitor and Eqsecure some might say the genre has died anyway. Programs like Immunet and SpyShelter showed promise at one point but IMO the amount of false positives and potential for system conflicts render these of little use except for knowledgeable enthusiasts.

by Lassar on 25. October 2012 - 19:47  (101338)

Is winpatrol any good?

by MidnightCowboy on 26. October 2012 - 2:39  (101351)

WinPatrol is truly excellent at what it does, but it is not a full-blown HIPS. It will not, say, prompt for "program X is trying to access the memory of program Y - do you allow this?" etc. Although it has many features, the main ones are to warn about items being added to the start list, the installation of toolbars/browser add-ons and potentially unwanted system changes. I understand the developer is running a 99c sale at the moment which might interest current freeware owners who are looking to support the project.

MC
Site Manager

by George.J on 15. October 2012 - 15:22  (100794)

MalwareDefender doesn't load on x64. Just tried it out now on mine and it doesn't load the required drivers. :(

by MidnightCowboy on 15. October 2012 - 15:44  (100796)

It's 32 bit only as per the Quick Selection Guide details.

by George.J on 15. October 2012 - 19:26  (100803)

Yeah, I saw that before, but I wonder why they haven't developed a 64-bit version, or at least a 32-bit version working on 64-bit.

by NeilM (not verified) on 13. October 2012 - 0:39  (100710)

Threatfire website now states that Threatfire has been retired as a stand-alone product, and to get the Threatfire technology users need to purchase PC Tools Internet Security suite.

by MidnightCowboy on 13. October 2012 - 5:47  (100718)

Thank you. We are aware of this and currently deciding what to do about it. In the meantime, Threatfire is still available from Softpedia.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Cyberhaw...

Update 13/10/2012

After much thought I have decided to remove Threatfire altogether and keep the review to just three products. I remember deliberating before about whether or not to make Malware Defender Top Pick, but did not do so because of the complexity of the product. That said, the only way to gain any benefit from this type of software is to acquire the knowledge necessary to set them up properly and respond to alerts effectively, and on this basis the protection provided by Malware Defender excels.

I had also considered adding SpyShelter but decided against it for the following reasons.

For a long time there was no development, the vendor was not responding to contacts and their website was offline. Although they have now returned with an updated product, this does not give a very good impression for software you are relying on for security.

Very mixed test results.

The product requires to be installed into a truly pristine copy of Windows. Install it into a poorly maintained system, or one already exhibiting errors, and the likelihood of serious issues is high.

Overall, unless users are prepared to invest a considerable amount of time to learn what HIPS technology is, and how to work with it, they would be better off installing a modern firewall containing these components such as the excellent Privatefirewall. The degree of automation built into such products removes the need for much of the user based decision making, as opposed to Malware Defender which asks you to allow or block everything.

Bear in mind also that HIPS products with a learning mode are basically useless except when installed into a new copy of Windows, because they can potentially allow your whole malware collection to run unchallenged. :)

by GraveDigger on 16. October 2012 - 16:14  (100846)

The latest News item in ThreatFire dates back to October 2010. If you click the "smart update" button you'll get a notice that there's a product update available and if you click "next" it appears to download and install the update. But if you click the "smart update" later you find the same update as being available (nothing is getting updated...) The about ThreatFire menu item comes up as PC Tools 2004-2011 and the version is 4.7.0.53.

[Commercial references removed]

ThreatFire is Dead. People need to remove the program and find another alternative if they believe they need something as an addition to their anti-virus program. Just like PC Tools' free firewall program, this is a program that is no longer being developed by Symantec and has fallen into an orphan status. While it may provide some protection against older threats, it's not being actively supported or updated and probably will expose users to potential problems that are not being blocked by the old definitions. Brightfort's (formerly Javacool) SpywareBlaster may be a viable alternative - you can download it for free (although there is an option to buy an auto-update add-on) and it's still being updated (latest definitions were as of October 8, 2012)

by DavidQ762 (not verified) on 28. July 2012 - 21:56  (96795)

Just an FYI:

I have a Windows 7 64-bit system, and based upon many of the recommendations found on this site, I've utilized the following security components:

BitDefender TrafficLight
Malwarebytes Anti-Malware
MJ RegWatcher
Microsoft Security Essentials (Prerelease)
Threatfire
Windows 7 Firewall Control
WinPatrol (Free)

To keep everything in line I use Process Tamer.

My computer now runs better than when I first purchased it over a year ago. The only downfall I've noticed is when I'm watching an online video. (But if I close Bitdefender TrafficLight while watching then it returns to playing perfectly).

by MidnightCowboy on 29. July 2012 - 1:27  (96806)

I'm pleased you have found a combination of programs that works well together.

by AJNorth on 8. July 2012 - 19:43  (95909)

WinPatrol has been updated to version 25.0.2012.0 (2012.07.08) -- http://www.winpatrol.com/upgrade.html.

by Anono (not verified) on 8. July 2012 - 4:20  (95891)

Would there be any conflict between the HIPS components of the new WinPatrol and Private firewall?

by MidnightCowboy on 8. July 2012 - 4:35  (95892)

There shouldn't be as both these vendors invest a lot of effort to ensure compatibility. That said, there is always the possibility of conflicts, especially if the system itself has some corruptions and/or is already displaying Windows error messages. As the addition of WinPatrol is unlikely to cause any major issues, I would use it and report back here if anything unwanted occurs. I will then feed this directly to the vendor(s) so please be comprehensive with the details if making a report.

by Anono (not verified) on 8. July 2012 - 15:55  (95904)

Thanks MC. I should have asked this earlier, but would the addition of Private firewall provide any significant protection compared to the Windows Vista firewall? I assume it would with outbound but what about overall?

by MidnightCowboy on 8. July 2012 - 17:35  (95906)

Yes, any firewall with HIPS (and Privatefirewall is one of the best) will give significant extra protection over the built in firewall, but it does require a reasonable amount of system knowledge in order to answer the alerts effectively. If on the other hand your general surfing habits are not "risky", i.e. you use a ratings agent such as WOT (Web of Trust), other browser security extensions and don't enter high risk sites, then maybe a firewall with HIPS is not necessary at all. In this case, try TinyWall. I use this firewall myself and it's a real gem. No HIPS but plenty of ability to control your inward/outward traffic. It takes a time to learn how to work with it but the settings configuration is simple enough once you get to know the program.

http://tinywall.pados.hu/

by darrin71 on 26. March 2012 - 21:15  (91224)

Hi MC! I'm just curious if you have heard of, or could find out if there are, any plans for a 64-bit version of Malware Defender in the future? Thanks as always...D.

by MidnightCowboy on 27. March 2012 - 3:29  (91237)

To my best knowledge no, but I would welcome comments from anyone who can understand Chinese if this information is contained on their site somewhere.

by Spithus (not verified) on 7. March 2012 - 10:38  (90050)

I believe that Malware Defender has been updated

by MidnightCowboy on 7. March 2012 - 12:08  (90054)

Thank you. I've now changed the version details.

by Spithus (not verified) on 8. March 2012 - 11:38  (90093)

Btw, the installer is available at 360Labs. It's digitally signed and, according to VT, clean. Keep up the excellent work.

[Edit] Thanks for this but the site has a bad WOT rating so we are unable to post the link.

by Spithus (not verified) on 8. March 2012 - 12:16  (90095)

Np. I was misled by the green WOT mark. Just viewed the users comments. IMHO, the app itself should be safe, though.

by Anupam on 26. February 2012 - 8:55  (89512)

Seems like Spyware Terminator has been taken over by Pcrx. Now when you try to open the Spyware Terminator site, it redirects to the site of pcrx which is rated red on WOT.

by MidnightCowboy on 26. February 2012 - 9:44  (89516)

Yes, I've been following this for a while now since they also aligned with F-Prot. I was rather hoping for some better developments but under the circumstances probably best to remove it altogether.

by Anupam on 26. February 2012 - 10:02  (89517)

Good decision I think. Best to remove, and keep a watch on further developments.
