Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)


Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this decision, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line exists for testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).

Review Criteria

My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component setup on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use, and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events is set out quite nicely here if anyone is interested; just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!

 

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to revisit an old favorite of many users, which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners that are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/

 

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.
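The snapshot-and-alert approach described for WinPatrol above and the hook-plus-poll combination described here for MJRW, shown together as an added example for this page (not code from either product): a minimal PowerShell monitor of the Run/RunOnce autostart keys. It assumes an elevated Windows PowerShell 5.1 session; the key list and the 30-second interval are illustrative choices, not either product's defaults.

```powershell
# Added example for this page, not MJ Registry Watcher's or WinPatrol's own code.
# Baseline snapshot of the autostart Run keys, a WMI registry hook for immediate
# notification, and a poll loop that diffs against the baseline so that added,
# changed and removed entries are all reported even if the hook misses one.
# Assumes an elevated Windows PowerShell 5.1 session; key list and interval are
# illustrative choices, not either product's defaults.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$PollSeconds = 30
# Bookkeeping properties Get-ItemProperty adds that are not registry values.
$PsNoteProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    # Hashtable keyed "<key>|<value name>" -> command line the value points at.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $PsNoteProps) { continue }
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # One alert string per added, changed or removed autostart entry.
    $alerts = @()
    foreach ($name in $Current.Keys) {
        if (-not $Baseline.ContainsKey($name)) {
            $alerts += "ADDED   $name = $($Current[$name])"
        } elseif ($Baseline[$name] -ne $Current[$name]) {
            $alerts += "CHANGED $name : '$($Baseline[$name])' -> '$($Current[$name])'"
        }
    }
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) {
            $alerts += "REMOVED $name (was $($Baseline[$name]))"
        }
    }
    return $alerts
}

# Hook: RegistryKeyChangeEvent fires as soon as anything under the HKLM Run key
# changes, so the user hears about it at once rather than up to $PollSeconds later.
$hookQuery = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Register-WmiEvent -Namespace 'root\default' -Query $hookQuery `
    -SourceIdentifier 'RunKeyHook' -Action {
        Write-Host ("[{0}] HOOK: HKLM Run key changed; the next poll lists the details" -f (Get-Date -Format 'HH:mm:ss'))
    } | Out-Null

# The baseline is the "known clean" state: take it only on a system you trust.
$baseline = Get-AutostartSnapshot
Write-Host "Baseline holds $($baseline.Count) autostart entries; polling every $PollSeconds s (Ctrl+C to stop)."
try {
    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $current = Get-AutostartSnapshot
        foreach ($alert in (Compare-Snapshot -Baseline $baseline -Current $current)) {
            Write-Host ("[{0}] POLL: {1}" -f (Get-Date -Format 'HH:mm:ss'), $alert)
        }
        # Adopt the new state so each change is reported once, not on every cycle.
        $baseline = $current
    }
} finally {
    Unregister-Event -SourceIdentifier 'RunKeyHook'
}
```

The poll is what makes a removed entry visible: the diff compares the whole baseline, so a value that disappears is reported as REMOVED regardless of whether the hook fired.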

The program now also includes process launch monitoring, folder and file hooking, emailing of alerts, and quarantining of files and directories.

There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 . The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Gizmo's Freeware award as the best product in its class!
Our rating: 4
Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users; home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
32 bit only
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Our rating: 4
Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology
Cons: “Scotty the Windows Watchdog” projects a somewhat dated image
Home page: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kB
32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: MS Windows all inc. 64 bit

MJ Registry Watcher
Our rating: 3
Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
32 bit only
License: Unrestricted freeware
Portability: This product is portable.
OS: Windows all


Comments

by Anonymous on 25. March 2009 - 21:29  (18554)

Hey, I'm a little curious why you chose not to cover AppDefend and Online Armor, which have been two of the biggest names in HIPS (along with the now-defunct ProcessGuard) since this category of software got started. They're also quite popular on the Wilders forum you mention.

by Anonymous on 26. March 2009 - 13:19  (18588)

I used and advised others to use Threat Fire. Then I started having problems with my keyboard not working at boot up until I did a restore. Come to find out it was Threat fire. The forums on PC tools continued to pass out the business answer that they could not verify it was directly related to TF. Did not see a lot of users having this issue but enough. I removed it and the problem went away. I have not gone back to that watering hole...

by nohurf on 26. March 2009 - 14:08  (18590)

Again, I've managed to get a good freeware program from this site. Just installed drive sentry and it looks like a good program.

by Anonymous on 26. March 2009 - 15:22  (18595)

I have tried Threatfire and DSA - have removed both. I liked the idea behind Threatfire's approach, but found it slowed one PC down and caused the same lock-ups mentioned in these posts on two other computers (with version 4.x) - I have complained to PcTools. I just found that DSA was too intrusive. I'm now trying DriveSentry and Comodo Firewall. I found Comodo locked up my main computer when trying to access it with Remote Desktop, but I am using it on a laptop for additional mobile protection. We'll see how it works in the long haul.

by MidnightCowboy on 26. March 2009 - 16:49  (18606)

It's like a lot of other software, you can never say with any certainty what might happen between one PC and the next. The trouble with ThreatFire is that in some circumstances novice users can dig themselves into a deeper hole if they are unclear about what action to take in response to alerts. This is a shame because a lot of people do use this software with no difficulties at all. I also agree that maybe the support could have been better although PC Tools do appear to be working hard at correcting any issues with this latest version. Maybe this is partly because of the Symantec influence, but it remains to be seen which direction this software will eventually take.

by MidnightCowboy on 26. March 2009 - 16:50  (18607)

If you liked ThreatFire (and can understand it) the new version does have less effect on system speed, especially for browsing. Yes, DSA is a pain during the initial stages but it's a pity you didn't feel able to persevere with it because once it finishes building rules and memory the popups stop unless you have a real issue to respond to. DriveSentry from my own experience seems cool and capable. There is one minor issue that I'm waiting a response to before posting here but otherwise no problems. As well as the thread I have started in the forum here there is also some active advice on Wilders who also have a dedicated section for this software.

by MidnightCowboy on 26. March 2009 - 16:52  (18609)

We do try! Please let us know how you get on with DriveSentry so that we can share your experiences with our other visitors.

by Anonymous on 26. March 2009 - 18:28  (18621)

I appreciate Gizmo's and others' testing and recommending freeware. The discussions alone are educational. I am not a power user and have had few malware problems. BUT a review aspect missing is whether the recommended/reviewed freeware will/can/maybe cause conflict with commercial software? Occasionally it is pointed out that some conflicts with other programs may occur, but this aspect should be a standard review item. This would be valuable information for average users who typically run commercial software and want to try or supplement with some newer freeware as recommended.

by Anonymous on 26. March 2009 - 19:32  (18625)

“Spyware Terminator seems to have been around for almost as long as I have”

This statement struck me as odd. Spyware Terminator has only been around for about 3.5 years.

“if you witnessed the decline of this software a couple of years ago you might now be surprised by its rejuvenated form”

The fallout is still there. Check their forums. Version 2.5 is causing all kinds of problems.

I used ST for a long time but removed it about 6 months ago. I haven't missed it one bit.

by Anonymous on 26. March 2009 - 20:18  (18629)

I used the word "seems" deliberately because it is one of those programs that many users feel they have always had.

In terms of "fallout" there are two issues to consider when analyzing problems. The first is impact or severity. Are they just an annoyance fairly easily cured by a restart, or are they likely to wreck your system? Second is numbers. I accept that the ST forum, like Avira, Comodo, Avast!, Outpost and the others, has its fair share of grumbles, but the installations are now approaching 22 million. Taken in context, neither of these factors gives any cause for concern over and above that normally associated with any other software. ST, like Avira, is also adding new features which in themselves often cause a few glitches until the developers can sort them out. May I ask which program you replaced ST with, and how you find it in comparison?

by Anonymous on 26. March 2009 - 20:48  (18630)

As volunteers, I think if you asked any of the editors here they would all say we have our hands full trying to keep up with the freeware without considering commercial apps as well! The truth is that the possibility of conflict surrounds everyone's PC like a magic mist. You never know when it is going to appear or what it's likely to do. There are so many variables it's almost impossible to make any objective comments other than those you see here on the site already. Just by pressing "start" you can begin a whole new journey into the unknown. We take expert advice ourselves from the developers who all recommend not running two active antivirus programs together, but every time we post this people complain, say we don't know what we're talking about because they can run two very happily. Also, a lot of these problems can be caused by adding new installations into a poorly maintained environment which of course we can only guess at. My advice is to visit the dedicated forums first for information about known issues and try not to crowd too many of the same type of program with active content into one PC. The bottom line though with any software is do I really need it? If you can answer "no" to this, then the conflict's gone already.

by Anonymous on 26. March 2009 - 21:40  (18634)

DriveSentry needs on my PC an account with administration rights to run; it refuses to run on a limited account. For reasons of security I rarely access the Internet from an account with administration rights, therefore I'm uninstalling it.

by Anonymous on 27. March 2009 - 5:00  (18642)

Been thinking about trying out DSA but have read the reviews on download.com & this program doesn't look too promising. Also there doesn't seem to be much development as of lately. Can anybody confirm those reviews? The review here as well as the pdf sounds pretty good. Just curious as I do not want to mess up my comp.

by MidnightCowboy on 27. March 2009 - 11:36  (18659)

The reviews on cnet are typical in that they are pretty diverse. What does seem evident though is that maybe some users don't have the necessary patience required to manage this type of software in the early stages. Also, other security programs may force a delay in the DSA windows appearing, and yes there will be quite a few until the rules get built. If you make sure to tick the option "Require user approval for each alert" then a different window will be presented and remain on screen until it is answered. The default popup will time out after 30 seconds and automatically block the process flagged if unanswered. DSA will not harm your computer because it only blocks, never deletes. There is a lot of constructive information on Wilders forum but you will need to search for it because there isn't a dedicated thread. It's also worth noting how many of the knowledgeable posters on Wilders recommend using only the earlier versions of ThreatFire or even Cyberhawk pre ThreatFire. In this context new is not always better but I can confirm that DSA is still in development. Expect some news from the developers Privacyware over the next few weeks.

by Anonymous on 27. March 2009 - 19:44  (18692)

Great review! Thanks MIDNIGHTCOWBOY!

by MidnightCowboy on 27. March 2009 - 20:23  (18695)

You are welcome! What do you think to the new forum layout and thread topics?
Any feedback would be appreciated.

by Anonymous on 27. March 2009 - 20:30  (18697)

Thanks for all the work you people do. I have enjoyed the fruits of your labours numerous times, however, with regard to the "Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)" I've had nothing but lemons. My latest efforts with Drive Sentry caused some very ugly crashes (BSOD) while experiments with Threatfire ended when my computer slowed to a crawl, and even programs "permitted" in Threatfire, malfunctioned. Great concept, but not ripe for consumption.

I'm going to have to stick with crossed fingers and AVG Free for now.

Alan53

by MidnightCowboy on 27. March 2009 - 21:17  (18701)

Thanks for the feedback. I'm aware of the problems you experienced with ThreatFire, but can I ask if this was the latest 4.1 or an earlier version? Certainly the speed issue is now addressed, but I can't be any more help without some detail. Same for DriveSentry, never having seen this problem highlighted before. Did you raise this via their forum? If not, can you let me have some details here and I will follow it up direct and post their response. I need to know your OS and SP details plus the software affected and which process was being attempted or running when the BSODs occurred. It would also be helpful if you can remember any of the error information that would have been displayed onscreen at the time.

by Anonymous on 28. March 2009 - 5:28  (18718)

Thanks MIDNIGHTCOWBOY for the quick response on DSA! Can't begin to tell you how nice it is to have good editor for this HIPS software review thread. Great work, Thank You! I am still concerned about the uninstaller issue. Also, after the learning period is over & the rules are built, will I still have delays in the DSA windows appearing? Almost forgot, does DSA play nice with Sygate firewall? Thank you for all your help, I just want to be as informed as possible.

by MidnightCowboy on 28. March 2009 - 11:24  (18734)

Once the rules get built any delays should disappear unless you have a bunch of other active security programs all trying to monitor the same thing. To my knowledge there are no conflicts with Sygate and shouldn't be because of the way this firewall is built. The only real issue with Sygate is a known conflict with anything containing a proxy (such as Avast!) whereby you will lose outbound protection control from Sygate to varying degrees depending on the proxy.

Not knowing what your knowledge level of Sygate is you may find the following links of interest. The first is just a general config advisory mainly about the need to remove the “act as server” facility and the second deals with rule creation.

http://www.kotiposti.net/string/SPF_eng/SPFGuide.html
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html

If you do hit any problems, first reset DSA back to default settings to undo any rules and then use an independent uninstaller like revo and you should be fine.

http://www.revouninstaller.com/

by Anonymous on 28. March 2009 - 11:25  (18735)

Why not try MJ Registry Watcher? It's free, low resource usage, and pretty comprehensive in its coverage. It also sits well with other programs and doesn't do anything to upset your PC! It's available at http://www.jacobsm.com/mjsoft.htm#rgwtchr
(I am the author, so I may be a bit biased, but you can check out the latest comments from security people at Wilders - http://www.wilderssecurity.com/showthread.php?t=54666&page=25)

by Anonymous on 28. March 2009 - 16:49  (18757)

Hi. Sorry for the paucity of details, I wasn't looking for support, merely reporting results or lack thereof.

Operating System = Win XP SP3

With regard to ThreatFire, it was the current version last month (late Feb 2009), sorry don't have access to the #.

DriveSentry made its "condition" first evident via Yahoo's Widgets. The clock froze. Firefox (latest version) was also running, when I attempted to close Firefox, I got the Blue Screen of Death informing me Windows was shutting down to protect itself from some undesirable activity. This happened 3 times in the space of 15 minutes. Before this, I had some issues I believed related to improper installation, that is, I installed it while AVG was running and subsequently couldn't get rid of the setup window. I uninstalled, re-booted, shut down AVG, re-installed, re-booted and began having the problems detailed.

@ anonymous MJ Registry Watcher author: Thanks, as I said earlier, I'm going to stick with crossing my fingers and AVG Free for now.

FWIW
Alan53

by MidnightCowboy on 28. March 2009 - 17:07  (18758)

Thank you for taking the time to post these details. I agree that the problems you experienced were almost certainly due to the installation issues reported and not as such directly attributable to DriveSentry. If AVG is now functioning correctly again you are right to stick with it. A thorough manual clean up of the registry may make it possible to try again but this would be quite complex and not guaranteed to be successful.

by Anonymous on 28. March 2009 - 18:27  (18764)

I used to use Comodo Firewall with Defense+. I've uninstalled it, and now I'm looking for some lightweight HIPS protection to replace the Defense+ (my computer has only 512MB RAM). I'm currently running Windows firewall and Avira free. What do you advise? Thanks in advance!

by kendall.a on 28. March 2009 - 19:08  (18770)

Mark, how does this compare to RegProt? (http://tds.diamondcs.com.au/freeutilities/regprot.php) I'd be interested in a comparison.

by MidnightCowboy on 28. March 2009 - 19:46  (18772)

For lightweight HIPS definitely give DSA a try. Make sure to tick the box "Require user approval for each alert" so that any popups generated don't time out and block things before you have a chance to answer. Also, despite what you might read elsewhere, leave the default training period set unchanged. Privacyware, the makers, assure me that this is the correct period needed by DSA to memorize a pattern of normal system use. After that you will be advised about anything which deviates from its average pattern and asked to allow or block. It's important that you read the PDF guide from the link in the review to gain a better understanding about how to respond to alerts and what they mean. Any real issues, post back here and I'll try to help you out.

by MidnightCowboy on 29. March 2009 - 1:05  (18792)

Sorry - meant to add also (in case you've already seen my other reply) that this plug-in is a must have for Sygate if you haven't discovered it already.
It's a firewall log filter with many options and you can instruct a "who is" direct from the page with a right click. Just un-zip to a new folder in your program files and place a shortcut on the desktop. There's a screenshot on this, the download page.

http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

by Anonymous on 29. March 2009 - 2:25  (18793)

Thanks! I'll give it a try! :)

by Anonymous on 29. March 2009 - 3:33  (18798)

Hey MIDNIGHTCOWBOY! Thanks for the info on DSA & the plug-in for Sygate! I did not know about the plug-in but I do know about the proxy issue with Sygate. Pretty cool. I've always felt that these current firewall companies should look at Sygate's logging to see how logging should be. I've tried pretty much every firewall out there & always come back to Sygate. Too bad they are not supported anymore as they were ahead of their time in their day. Anyway, sorry, got carried away... I'll get back to HIPS now! Thanks again, & yes, Revo's already installed.

by Anonymous on 29. March 2009 - 10:42  (18818)

Regprot has a fixed list of registry locations that it protects. MJRW protects a far greater range of locations, including important files and directories used by the system. It can also be configured by the user to protect any area of the system. Regprot has a simple Yes/No/Cancel prompt on alerts as to allow the change. MJRW can quarantine entries, exempt certain values and subkeys, always disallow or prompt for certain entries using prefixes, and is more configurable as to what areas alert you and how they alert you. MJRW has many more features and is more evolved than Regprot.
