Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)
Introduction
Gone are the days when a virus was a virus and everything else was - well - different! Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is "characteristic of malware activity". The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article "HIPS Explained", which deals with this and other issues in more detail. Evaluating the performance of HIPS programs is far from easy, and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. There is no such clear dividing line possible for testing HIPS software, and my feeling is that some of the vendors may possibly use this to their own advantage ("hype").
Discussion
Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this event is set out quite nicely here if anyone is interested. Just follow the thread through.
In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results. It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!
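To make the allow/block mechanism from the introduction concrete, and to show the two failure modes the review points at (automated "learning" that trusts whatever is active, and a deny rule that covers a vital system process), here is an added example of a minimal HIPS-style behaviour monitor. It is not code from Gizmo's Freeware or from Malware Defender or any other product reviewed here; the event format, the rule fields, the lists of suspicious targets and vital processes, and all sample events are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One behavioural event as a hypothetical kernel hook would report it."""
    process: str  # image path of the acting process
    action: str   # file_write | registry_write | net_connect | process_create
    target: str   # file path, registry key, remote host:port or child image


@dataclass(frozen=True)
class Rule:
    """A remembered allow/deny decision, matched by process, action and target prefix."""
    process: str
    action: str
    target_prefix: str
    verdict: str  # "allow" or "deny"

    def matches(self, ev: Event) -> bool:
        return (ev.process.lower() == self.process.lower()
                and ev.action == self.action
                and ev.target.lower().startswith(self.target_prefix.lower()))


# Constructed heuristic list: targets where a write is characteristic of malware
# persistence or tampering. An empty tuple means every target of that action is asked about.
SUSPICIOUS: Dict[str, Tuple[str, ...]] = {
    "registry_write": ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    "file_write": ("C:\\Windows\\System32\\",),
    "process_create": ("C:\\Windows\\System32\\cmd.exe",),
    "net_connect": (),
}

# Assumed list of processes a deny rule should never cover silently: blocking them
# is how a HIPS user ends up with an empty screen.
VITAL = ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\winlogon.exe")


@dataclass
class Hips:
    rules: List[Rule] = field(default_factory=list)
    learning: bool = False  # learning period: auto-allow and remember instead of asking
    log: List[str] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> Optional[str]:
        """Store a rule; return a warning text if it denies a vital process."""
        self.rules.append(rule)
        if rule.verdict == "deny" and rule.process.lower() in [p.lower() for p in VITAL]:
            warning = f"WARNING: deny rule on vital process {rule.process}"
            self.log.append(warning)
            return warning
        return None

    def is_suspicious(self, ev: Event) -> bool:
        prefixes = SUSPICIOUS.get(ev.action)
        if prefixes is None:
            return False  # action type not monitored at all
        if not prefixes:
            return True   # e.g. net_connect: every outbound connection is asked about
        return any(ev.target.lower().startswith(p.lower()) for p in prefixes)

    def decide(self, ev: Event) -> str:
        """Return 'allow', 'deny' or 'ask' for one event and log the reason."""
        desc = f"{ev.process} {ev.action} {ev.target}"
        for rule in self.rules:  # explicit rules win, first match
            if rule.matches(ev):
                self.log.append(f"{rule.verdict}: {desc} (rule)")
                return rule.verdict
        if not self.is_suspicious(ev):
            self.log.append(f"allow: {desc} (not characteristic of malware)")
            return "allow"
        if self.learning:
            # The automation risk the article mentions: anything active during the
            # learning window, malware included, is allowed and remembered as trusted.
            self.add_rule(Rule(ev.process, ev.action, ev.target, "allow"))
            self.log.append(f"allow: {desc} (learned)")
            return "allow"
        self.log.append(f"ask: {desc}")
        return "ask"


def demo() -> Dict[str, str]:
    """Run constructed events through the monitor; returns the verdicts by label."""
    hips = Hips()
    dl = "C:\\Users\\alice\\Downloads\\invoice.exe"
    run_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    out: Dict[str, str] = {}
    out["editor_write"] = hips.decide(Event("C:\\Program Files\\Editor\\editor.exe",
                                            "file_write", "C:\\Users\\alice\\notes.txt"))
    out["run_key"] = hips.decide(Event(dl, "registry_write", run_key + "\\inv"))
    out["outbound"] = hips.decide(Event(dl, "net_connect", "203.0.113.5:4444"))
    # The user answers "block" to the Run-key alert; the decision is remembered.
    hips.add_rule(Rule(dl, "registry_write", run_key, "deny"))
    out["run_key_again"] = hips.decide(Event(dl, "registry_write", run_key + "\\inv2"))
    # Learning period: an updater's outbound connection is allowed and remembered.
    hips.learning = True
    upd = Event("C:\\Program Files\\Updater\\updater.exe", "net_connect", "updates.example.com:443")
    out["learned"] = hips.decide(upd)
    hips.learning = False
    out["learned_replay"] = hips.decide(upd)
    # A deny rule on explorer.exe is accepted but flagged rather than stored silently.
    out["vital_warning"] = hips.add_rule(Rule("C:\\Windows\\explorer.exe", "process_create",
                                              "C:\\Windows\\System32\\cmd.exe", "deny")) or ""
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The design point is the order of checks in `decide`: a remembered rule is consulted before the heuristics, so a user's earlier "block" answer silences later alerts for the same process and target, and a rule learned during an automated learning window is just as authoritative, which is why a learning period on an already infected machine leaves the malware trusted.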
WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates. WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you. As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users. The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here: http://billpstudios.blogspot.com/
The program now also includes: Process Launch Monitoring, Folder and File Hooking, Emailing of Alerts and Quarantining of Files and Directories. There is an active thread for this software at the Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
Comments
Thanks MIDNIGHTCOWBOY for the quick response on DSA! Can't begin to tell you how nice it is to have a good editor for this HIPS software review thread. Great work, Thank You! I am still concerned about the uninstaller issue. Also, after the learning period is over & the rules are built, will I still have delays in the DSA windows appearing? Almost forgot, does DSA play nice with Sygate firewall? Thank you for all your help, I just want to be as informed as possible.
Once the rules get built any delays should disappear unless you have a bunch of other active security programs all trying to monitor the same thing. To my knowledge there are no conflicts with Sygate and shouldn't be because of the way this firewall is built. The only real issue with Sygate is a known conflict with anything containing a proxy (such as Avast!) whereby you will lose outbound protection control from Sygate to varying degrees depending on the proxy.
Not knowing what your knowledge level of Sygate is you may find the following links of interest. The first is just a general config advisory mainly about the need to remove the “act as server” facility and the second deals with rule creation.
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
If you do hit any problems, first reset DSA back to default settings to undo any rules and then use an independent uninstaller like revo and you should be fine.
http://www.revouninstaller.com/
Sorry - meant to add also (in case you've already seen my other reply) that this plug-in is a must have for Sygate if you haven't discovered it already.
It's a firewall log filter with many options and you can instruct a "who is" direct from the page with a right click. Just un-zip to a new folder in your program files and place a shortcut on the desktop. There's a screenshot on this, the download page.
http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm
Hey MIDNIGHTCOWBOY! Thanks for the info on DSA & the plug-in for Sygate! I did not know about the plug-in but I do know about the proxy issue with Sygate. Pretty cool. I've always felt that these current firewall companies should look at Sygate's logging to see how logging should be. I've tried pretty much every firewall out there & always come back to Sygate. Too bad they are not supported anymore as they were ahead of their time in their day. Anyway, sorry, got carried away... I'll get back to HIPS now! Thanks again, & yes, Revo's already installed.
No problem. Me too, I keep coming back to Sygate, which is running on the machine I'm using now. The general feeling is that this was just too good to be free, which is why Symantec bought it up and then dropped it. It remains to be seen just how much their influence extends into the PC Tools range of software now that they own them too. No doubt Sygate would not pass all of the modern leak tests, but then you can use another program to plug the gaps if you feel this is necessary. For 95% of average users though, Sygate with maybe DSA and Avira 9 is plenty good enough. The other 5% might have a need for stronger active spyware protection, but in this case the free options are not really up to the job. To my knowledge there are no pure firewalls (free) still in development except Filseclab and SoftPerfect. The existing Filseclab still has quite a following, but the Chinese are completely re-writing the software and it's due out this summer. It definitely won't include a HIPS and, unlike EQSecure, will still be made available in English. If it has good self and leak protection then it could be an alternative to Sygate - depends on the other features. I'm in contact with the Chinese end and will post any news in the forum.
Spyware Terminator seems to have been around for almost as long as I have
This statement struck me as odd. Spyware Terminator has only been around for about 3.5 years.
if you witnessed the decline of this software a couple of years ago you might now be surprised by its rejuvenated form
The fallout is still there. Check their forums. Version 2.5 is causing all kinds of problems.
I used ST for a long time but removed it about 6 months ago. I haven't missed it one bit.
I used the word "seems" deliberately because it is one of those programs that many users feel they have always had.
In terms of "fallout" there are two issues to consider when analyzing problems. The first is impact or severity. Are they just an annoyance fairly easily cured by a restart, or are they likely to wreck your system? Second is numbers. I accept that the ST forum, like Avira, Comodo, Avast!, Outpost and the others, has its fair share of grumbles, but the installations are now approaching 22 million. Taken in context, neither of these factors gives any cause for concern over and above that normally associated with any other software. ST, like Avira, is also adding new features which in themselves often cause a few glitches until the developers can sort them out. May I ask which program you replaced ST with, and how you find it in comparison?
I appreciate Gizmo's and others' testing and recommending freeware. The discussions alone are educational. I am not a power user and have had few malware problems. BUT a review aspect missing is if the recommended/reviewed freeware will/can/maybe cause conflict with commercial software? Occasionally it is pointed out that some conflicts with other programs may occur, but this aspect should be a standard review item. This would be valuable information for average users who typically run commercial software and want to try or supplement with some newer freeware as recommended.
As volunteers, I think if you asked any of the editors here they would all say we have our hands full trying to keep up with the freeware without considering commercial apps as well! The truth is that the possibility of conflict surrounds everyone's PC like a magic mist. You never know when it is going to appear or what it's likely to do. There are so many variables it's almost impossible to make any objective comments other than those you see here on the site already. Just by pressing "start" you can begin a whole new journey into the unknown. We take expert advice ourselves from the developers who all recommend not running two active antivirus programs together, but every time we post this people complain, say we don't know what we're talking about because they can run two very happily. Also, a lot of these problems can be caused by adding new installations into a poorly maintained environment which of course we can only guess at. My advice is to visit the dedicated forums first for information about known issues and try not to crowd too many of the same type of program with active content into one PC. The bottom line though with any software is do I really need it? If you can answer "no" to this, then the conflict's gone already.
I have tried Threatfire and DSA - have removed both. I liked the idea behind Threatfire's approach, but found it slowed one PC down and caused the same lock-ups mentioned in these posts on two other computers (with version 4.x) - I have complained to PcTools. I just found that DSA was too intrusive. I'm now trying DriveSentry and Comodo Firewall. I found Comodo locked up my main computer when trying to access it with Remote Desktop, but I am using it on a laptop for additional mobile protection. We'll see how it works in the long haul.
If you liked ThreatFire (and can understand it) the new version does have less effect on system speed, especially for browsing. Yes, DSA is a pain during the initial stages but it's a pity you didn't feel able to persevere with it because once it finishes building rules and memory the popups stop unless you have a real issue to respond to. DriveSentry from my own experience seems cool and capable. There is one minor issue that I'm waiting a response to before posting here but otherwise no problems. As well as the thread I have started in the forum here there is also some active advice on Wilders who also have a dedicated section for this software.
Again, I've managed to get a good freeware program from this site. Just installed drive sentry and it looks like a good program.
We do try! Please let us know how you get on with DriveSentry so that we can share your experiences with our other visitors.
DriveSentry needs on my PC an account with administration rights to run; it refuses to run on a limited account. For reasons of security I rarely access the Internet from an account with administration rights, therefore I'm uninstalling it.
I used and advised others to use ThreatFire. Then I started having problems with my keyboard not working at boot up until I did a restore. Come to find out it was ThreatFire. The forums on PC Tools continued to pass out the business answer that they could not verify it was directly related to TF. Did not see a lot of users having this issue, but enough. I removed it and the problem went away. I have not gone back to that watering hole...
It's like a lot of other software, you can never say with any certainty what might happen between one PC and the next. The trouble with ThreatFire is that in some circumstances novice users can dig themselves into a deeper hole if they are unclear about what action to take in response to alerts. This is a shame because a lot of people do use this software with no difficulties at all. I also agree that maybe the support could have been better although PC Tools do appear to be working hard at correcting any issues with this latest version. Maybe this is partly because of the Symantec influence, but it remains to be seen which direction this software will eventually take.
Hey, I'm a little curious why you chose not to cover AppDefend and Online Armor, which have been two of the biggest names in HIPS (along with the now-defunct ProcessGuard) since this category of software got started. They're also quite popular on the Wilders forum you mention.