Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

Introduction

Gone are the days when a virus was a virus and everything else was, well, different. Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they can only recognise what is already in their database, so they are limited by how often that database is updated. To complement signature recognition, HIPS (Host Intrusion Prevention System) programs were developed. These watch for behaviour on your PC that is characteristic of malware activity, such as a program writing to an autostart registry key or installing a driver, and present you with an alert to either allow or block the event. Some programs automate this decision, which can occasionally lead to problems: an automatic "allow" is a silent infection, and an automatic "block" can break a legitimate application. See my article "HIPS Explained", which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed a set of malware files to a selection of signature scanners and count what they find to arrive at a score; AV-Comparatives provides an admirable service here and its results are consistent and reliable. No such clear dividing line exists for testing HIPS software: what counts as a "detection" depends on which behaviours the tester exercises and on how the prompts are answered. My feeling is that some vendors may use this ambiguity to their own advantage ("hype").

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and have tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component set-up on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use, and the software reviewed may react quite differently from one PC to another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint-hearted. To use it effectively, and to avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it is essential that you only install Malware Defender onto a clean system: learning mode creates "allow" rules for everything it sees running, so on an infected machine you would simply be creating allow rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus, then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 AntiRootkit program, which will tell you which sections of its scan came up "clean" and which need further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it is an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you have already denied a vital system function your screen might now be empty, so be sure which process an alert concerns before answering it.
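To make the learning-mode caveat concrete, here is a toy HIPS rule engine. It is an added illustration for this article, not code from Malware Defender or any product reviewed here; the event shape (process, action, target), the rule format and the sample events are assumptions made for the example. It shows why installing into an already-infected system is a mistake: the same persistence attempt that raises an alert on a clean machine is silently allowed when learning mode has already written an "allow" rule for it.

```python
"""Toy HIPS rule engine.  This is an added illustration for this article, not
code from Malware Defender or any other product reviewed here.  The event
shape, the rule format and the sample events are all assumptions made for the
example.

It models the behaviour described above: in learning mode the program silently
creates "allow" rules for everything it observes; in normal mode it consults
those rules and only raises an alert for an event no rule covers.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Event = Tuple[str, str, str]        # (process image, action, target)
Rule = Tuple[str, str, str, str]    # (process, action, target prefix, verdict)

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Hips:
    learning: bool = False
    rules: List[Rule] = field(default_factory=list)
    prompts: List[Event] = field(default_factory=list)  # events the user was asked about

    def _lookup(self, ev: Event) -> Optional[str]:
        proc, action, target = ev
        # First matching rule wins; a target prefix of "*" matches any target.
        for rproc, raction, rtarget, verdict in self.rules:
            if rproc.lower() != proc.lower() or raction != action:
                continue
            if rtarget == "*" or target.lower().startswith(rtarget.lower()):
                return verdict
        return None

    def handle(self, ev: Event, ask: Callable[[Event], str]) -> str:
        verdict = self._lookup(ev)
        if verdict is not None:
            return verdict                  # covered by an existing rule: no alert
        if self.learning:
            verdict = "allow"               # learning mode trusts whatever it sees
        else:
            self.prompts.append(ev)
            verdict = ask(ev)               # normal mode raises an alert
        self.rules.append((ev[0], ev[1], ev[2], verdict))  # remember the decision
        return verdict


# Constructed sample events: two benign ones and one that looks like a dropper
# adding itself to an autostart key.
BENIGN: List[Event] = [
    (r"C:\Windows\explorer.exe", "read", r"C:\Users\alice\Documents"),
    (r"C:\Program Files\Editor\editor.exe", "write", r"C:\Users\alice\Documents\notes.txt"),
]
PERSIST: Event = (r"C:\Users\alice\AppData\Roaming\svchost.exe", "reg_set", RUN_KEY + r"\Updater")


def learn_then_enforce(seen_while_learning: List[Event], later: Event) -> Tuple[str, int]:
    """Install in learning mode while `seen_while_learning` occur, switch to normal
    mode, then handle `later`.  Returns (verdict for `later`, number of alerts raised).
    The simulated user denies anything they are actually asked about."""
    hips = Hips(learning=True)
    for ev in seen_while_learning:
        hips.handle(ev, ask=lambda e: "block")
    hips.learning = False
    verdict = hips.handle(later, ask=lambda e: "block")
    return verdict, len(hips.prompts)


if __name__ == "__main__":
    # Clean system during learning: the persistence attempt raises an alert and is blocked.
    print(learn_then_enforce(BENIGN, PERSIST))             # ('block', 1)
    # Already-infected system: learning mode baked in an allow rule, so no alert is ever raised.
    print(learn_then_enforce(BENIGN + [PERSIST], PERSIST))  # ('allow', 0)
```

The second call is the situation the paragraph warns about: the rule table looks healthy, the program is in enforcing mode, and yet the dropper's write to the Run key never produces a prompt, because the rule that allows it was learnt before you ever saw an alert.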


WinPatrol has been helping to protect computers for more than ten years. With DSA (Privacyware's Dynamic Security Agent) now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to revisit an old favorite of many users, which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings (startup programs, services, browser add-ons, file type associations and similar locations) and alerting you to any changes. Because WinPatrol looks at what has changed rather than at what a file looks like, it can flag new malware that traditional signature-based scanners, heavily reliant on updates, would miss.

WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, tracking cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.


MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys and other more exotic registry locations commonly attacked by trojans. It has very low resource use and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system but also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked; the polling interval therefore sets the longest a deletion can go unnoticed. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications into a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.

The program now also includes process launch monitoring, folder and file hooking, emailing of alerts, and quarantining of files and directories.
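Both WinPatrol (snapshot your settings, alert on changes) and MJ Registry Watcher (poll the watched keys and files every 30 seconds) rely on the same snapshot-and-compare idea, so one added example serves both paragraphs. It is not code from either product. The in-memory "registry" and "files" below are constructed stand-ins so it runs anywhere; on a real Windows host the two reader callables would be backed by winreg and open() instead, which is an assumption not shown here. The example takes a baseline, applies three constructed changes a trojan might make between two polls, and reports what the next poll sees, including the deletion that, as the text notes, only a poller can catch.

```python
"""Snapshot-and-poll change detector for autostart locations.  This is an added
example for this article, not code from MJ Registry Watcher or WinPatrol.  The
in-memory "registry" and "files" are constructed stand-ins so the example runs
anywhere; on a real Windows host the two reader callables would be backed by
winreg and open() instead (an assumption, not shown here).

It demonstrates the polling half of the text: take a baseline of the watched
keys and files, re-read them each cycle, and report what was added, modified
or deleted.  Deletions are exactly the case the text says hooks cannot catch.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

WATCHED_KEYS = [RUN_HKLM, RUN_HKCU]
WATCHED_FILES = [HOSTS]

# Constructed sample state: key path -> {value name: data}, file path -> contents.
FAKE_REGISTRY: Dict[str, Dict[str, str]] = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
}
FAKE_FILES: Dict[str, bytes] = {HOSTS: b"127.0.0.1 localhost\n"}

ReadKey = Callable[[str], Dict[str, str]]
ReadFile = Callable[[str], bytes]
Snapshot = Dict[str, str]


def snapshot(read_key: ReadKey, read_file: ReadFile) -> Snapshot:
    """Flatten every watched registry value and file into one {item: fingerprint} map."""
    snap: Snapshot = {}
    for key in WATCHED_KEYS:
        for name, data in read_key(key).items():
            snap[f"REG:{key}\\{name}"] = data
    for path in WATCHED_FILES:
        # Hash file contents so the snapshot stays small and comparisons are cheap.
        snap[f"FILE:{path}"] = hashlib.sha256(read_file(path)).hexdigest()
    return snap


def diff(old: Snapshot, new: Snapshot) -> Dict[str, List[str]]:
    """Classify changes between two snapshots.  Items present in `old` but not
    in `new` are deletions: a poller sees them, a change hook does not."""
    return {
        "added": sorted(k for k in new if k not in old),
        "deleted": sorted(k for k in old if k not in new),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }


def poll(baseline: Snapshot, read_key: ReadKey, read_file: ReadFile) -> Tuple[Dict[str, List[str]], Snapshot]:
    """One polling cycle: compare live state with the baseline and return the
    changes plus the new snapshot to use as the next baseline."""
    current = snapshot(read_key, read_file)
    return diff(baseline, current), current


def simulate_tampering() -> Dict[str, List[str]]:
    """Take a baseline, then apply three constructed changes a trojan might make
    between two polls, and return what the next poll reports."""
    reg = {k: dict(v) for k, v in FAKE_REGISTRY.items()}
    files = dict(FAKE_FILES)
    read_key: ReadKey = lambda k: reg.get(k, {})
    read_file: ReadFile = lambda p: files.get(p, b"")

    baseline = snapshot(read_key, read_file)
    reg[RUN_HKCU]["Updater"] = r"C:\Users\alice\AppData\Roaming\svchost.exe"   # new persistence entry
    del reg[RUN_HKLM]["SecurityHealth"]                                          # security tool's autostart removed
    files[HOSTS] += b"203.0.113.5 update.example.com\n"                          # update traffic redirected
    changes, _ = poll(baseline, read_key, read_file)
    return changes


if __name__ == "__main__":
    for kind, items in simulate_tampering().items():
        print(kind, items)
```

Two design points carry over to the real tools. Hashing file contents rather than storing them keeps the baseline small and makes a comparison a string equality. And the returned "current" snapshot becomes the next baseline only after the user has accepted the changes; if a poller silently adopted every new state as the baseline, a change would be reported once and then forgotten, which is the same trap as learning mode on an infected machine.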

There is an active thread for this software at the Wilders Security forum: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Our rating: 4 (Gizmo's Freeware award as the best product in its class!)
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users; home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
Bits: 32 bit only
License: Unrestricted freeware
Portable: There is no portable version of this product available.
Platform: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Our rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology. Acquired in July 2014 by the former lead developer of Sunbelt & VIPRE software, with the current status of the product guaranteed.
Cons: Alerts can be confusing to the non-technical and distracting when they arrive during an install process.
Home page: http://www.winpatrol.com/
Version: 31.0
Size: 1.1 MB
Bits: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: A portable version of this product is available from the developer.
Platform: MS Windows, all versions, including 64 bit

MJ Registry Watcher
Our rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with a choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
Bits: 32 bit only
License: Unrestricted freeware
Portable: This product is portable.
Platform: Windows, all versions


Comments

by Tap Dancin' Mouse (not verified) on 22. February 2012 - 18:49  (89259)

There are compatibility issues with Avast anti-virus and Threatfire; both HIPS conflict with each other. Avast's HIPS is sufficient, but if Avast is not your choice of anti-virus then it might be a good choice to install Threatfire. Some swear by WinPatrol, but I have found the program to be waaay too slow in detection and that makes it unsafe to use.

by yk (not verified) on 15. October 2012 - 20:35  (100807)

I've been using Avast and Threatfire together on my XP SP3 for at least three years now and have never experienced any compatibility problems.

by Jellybean (not verified) on 4. January 2012 - 2:40  (86506)

I am running WinPatrol at this time. Will there be a conflict also using the FF extension/add-on BrowserProtect? My AV also has some HIPS/behavioral detection ability. Thanks for this site.

by MidnightCowboy on 4. January 2012 - 2:48  (86507)

There will always be a certain element of duplicated protection when running apps of a similar type together. WinPatrol is pretty good though at coexisting with other programs. The only potential issue (with your AV) is it could cause WinPatrol to freeze when it periodically checks your system. You will see if this happens because the WinPatrol icon will lock and become unresponsive.

by Tore Aabø (not verified) on 31. December 2011 - 11:11  (86274)

I have been testing Threatfire for a few days and I have to say that I don't like it at all. It interferes with and stops normal programs and games from working. Games like Planetside, Civ V and Skyrim are all having start-up problems. I have tried to add custom rules and change default settings. I have added multiple files from Planetside to the process lists. Nothing seems to work. I will say that security software should not make mistakes like this. This is probably the first software that Gizmo's has recommended that is not working well.

by Jacko (not verified) on 2. December 2011 - 20:47  (84299)

I am considering using the free version of SpyShelter. However with my current setup already including Panda Free AV, Windows XP firewall and WinPatrol will this be overkill keeping in mind that SpyShelter has a HIPS component? If not would they even be compatible? I also use Sandboxie from time to time.

by MidnightCowboy on 3. December 2011 - 3:46  (84307)

It all depends on your risk exposure. If you use a reliable site ratings agent like WOT (Web Of Trust) in conjunction with Panda's URL filtering, this will be more than adequate for normal surfing. Also, SpyShelter is known to cause issues with other products, especially if the system in which they are both resident is not 100% stable. If you are still considering SpyShelter, I would Google around for some of these issues before making a decision. Many will argue that the permanent use of Sandboxie removes such a need altogether, but operating your system this way (or not) is of course a personal choice.

by Jacko (not verified) on 3. December 2011 - 6:05  (84312)

Thanks MC. I actually removed the Panda URL filter as it was interfering with access and loading of many sites. Now I wonder if it simply needed some tweaking and configuring. My question is how much security do I sacrifice if I leave this Panda feature off?

by MidnightCowboy on 3. December 2011 - 6:23  (84313)

Well, if you only download files from trusted sources and scan them before execution, apart from the usual dangers associated with removable media, your biggest threat exposure is to online exploits. Panda's URL filter is very effective although I appreciate it gives problems for some users, but not everyone. You've therefore got two choices. You can either post for some advice direct to their forum:

http://www.cloudantivirus.com/forum/index.jspa

Or you can try something else. This one is marching up the VB RAP testing tables thanks to a lot of recent investment in the product and the web filter is top grade.

http://www.forticlient.com/lite.html

There's also a discussion about it here you might find interesting.

http://www.wilderssecurity.com/showthread.php?t=304393&highlight=forticl...

by Jacko (not verified) on 4. December 2011 - 2:03  (84341)

Thanks MC. I found what I needed on the Panda site you referenced.

by A_Nonny_Mush (not verified) on 3. December 2011 - 23:34  (84337)

Is there any other place to download forticlient Lite from, apart from c***net?

by MidnightCowboy on 4. December 2011 - 3:55  (84344)

Not to my knowledge except one other site which has a poor WOT rating and is not used or recommended by us. VirusTotal gives five hits on the installer because of how it's compiled.

http://www.techsupportalert.com/content/cnet-downloadcom-wrapped-install...

A good third party firewall will warn you of any potentially unwanted connections at install and give you the option to block these. Having WinPatrol installed will also enable you to prevent the execution of unwanted toolbars or other so-called browser helper objects. Otherwise, I would just download the program and scan it with your resident antivirus and Malwarebytes, and then make a final decision from that. Personally, I find Fortinet to be a responsible and trustworthy vendor, but I do wish they wouldn't associate themselves with cnet.

The FortiClient Standard full freeware suite is still available on Softpedia, but this is maybe not what you want. It's also debatable for how long they will make updates available to support this version.

http://www.softpedia.com/get/Security/Security-Related/FortiClient.shtml

I still have several folks around here running this suite and none of them have ever been infected or experienced system issues.

by A_Nonny_Mush (not verified) on 4. December 2011 - 4:15  (84345)

Many Thanks for your reply MidnightCowboy. Yes I wanted the 'lite' version really. I agree with your comments re the Cnet association. Is it still the case that if you register with them you can avoid their dubious installer and just get the required executable?

by MidnightCowboy on 4. December 2011 - 4:18  (84346)

As far as I'm aware, although I haven't tested out this procedure myself.

by A_Nonny_Mush (not verified) on 18. December 2011 - 16:02  (85239)

Regarding FortiClient Lite. I downloaded the installer from freewareupdate dot com. I don't know if this was the site you were referring to or not. I found it from a search. Anyway, the installer scans as clean on VirusTotal and Jotti's. I just wondered if anybody had any experience with the aforementioned site?

by MidnightCowboy on 18. December 2011 - 17:45  (85240)

All I know is this is a new site and attempts have been made to spam links for it here :)

by Anupam on 18. December 2011 - 18:38  (85244)

And it looks like FileHippo. Many sites have come up lately, which are look alike of FileHippo. Why don't they come up with something original?

by MidnightCowboy on 19. December 2011 - 3:34  (85264)

I suppose in a way it's a compliment to the original but yes, it would be nice to see something more innovative :)

by James D (not verified) on 25. November 2011 - 13:02  (83872)

Hi Midnight Cowboy, I am looking for a registry protection/shield program and I want to ask you about MJ Registry Watcher. I have very little knowledge of the Windows registry. Do you believe that software is safe for me to use, or do you think it could damage/harm my PC, which would result in a reformat?

If it is not safe do you know another safe alternative as I know Winpatrol has a Registry shield but not in the free version.

by MidnightCowboy on 25. November 2011 - 13:21  (83873)

Hi James D. Unfortunately, there is quite a steep learning curve with MJ Registry Watcher, even when left at its default settings. You're unlikely to wreck your system using it, but potentially not being able to respond to the alerts correctly could give you some unwanted issues.

So long as you are not running a 64 bit system, one alternative would be AVS Firewall.

http://www.avs4you.com/AVS-Firewall.aspx

I'm currently using this myself on Windows 7. Apart from the usual firewall functions, it also includes an ad-blocker, parental control and a registry protection component. All these extra components can be enabled separately. The registry protector will advise you in simple language that "component "X" is trying to modify your registry - do you allow this?" Mostly, it will be pretty obvious from what you are doing at the time what has triggered the alert and if it is safe to allow. Just be aware that some programs will throw up this type of alert when you are un-installing them. Usually this is because they need to run a component on reboot to tidy up after the removal. If you block these, it could lead to items being left behind.

by Terarus on 9. October 2011 - 16:48  (81151)

I think Threatfire should be reviewed again.
4.7 came out in 2009.
A recent YouTube test video suggests it doesn't contribute much to further protection:
http://www.youtube.com/watch?v=Q_8oozyUPKc

by AnonymousGeorge (not verified) on 8. October 2011 - 13:58  (81110)

Malware Defender gives the error 'failed to load Malware Defender driver'. Tried several times to run with no luck on Win7 64 bit....

by MidnightCowboy on 8. October 2011 - 14:03  (81111)

Malware Defender is 32 bit only.

by supanut on 5. October 2011 - 14:09  (80926)

Spyware Terminator has been updated to version 3.0.0.45. The download size is now around 744KB.
Also the official requirements are XP and higher.

by Anupam on 5. October 2011 - 14:28  (80931)

That's the download size for the web based online installer. The offline installer is still available from their site, and is of 4.42 MB.

by MidnightCowboy on 5. October 2011 - 16:08  (80943)

.. plus about a ton of updates if I remember correctly.

by Anupam on 5. October 2011 - 17:44  (80946)

Oh yes, that too :D

by MidnightCowboy on 5. October 2011 - 14:14  (80927)

Thanks for the notice :)

by Anonym (not verified) on 11. September 2011 - 3:22  (79401)

I'm using commercial antivirus with firewall built-in. But it seems to not have HIPS component or it's pretty weak at least. Your recommendations if I should additionally install HIPS? If so, which one of mentioned above you would advise (except Threatfire)?

by MidnightCowboy on 11. September 2011 - 6:14  (79405)

Good advice from 23Anonymous23 below.

Another option, again depending on the structure of your AV product, would be to disable the firewall component and replace it with a third party alternative.

Our philosophy of course would be to dump the commercial altogether and use Avast!, Ad-Aware or the new AVG free instead, but I appreciate you might not want to do this.

Out of interest (with HIPS enabled), Privatefirewall IMO is the best all round solution for performance and stability. PCTools is also worth a look. Not such full blown capabilities as some of the others but plenty enough for normal use. Comodo with D+ enabled gives varying levels of stability depending on the system and also conflicts with the latest AVG.
