Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here



Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

In a Hurry?

  Go straight to the Quick Selection Guide or the Comments for this article.


Gone are the days when a virus was a virus and everything else was - well – different! Now known collectively as “Malware” these threats are constantly evolving and pose a serious challenge to security software. Signature based scanners give the most reliable detection results but these are limited by the frequency of their database updates. To compliment signature recognition software HIPS programs were developed which look for behavior on your PC which is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process which can occasionally lead to problems. See my article “HIPS Explained” which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy and any so called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. There is no such definition line possible for testing HIPS software and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”).

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.


Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this event is set out quite nicely here if anyone is interested. Just follow the thread through.

Malware Defender main interfaceI'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to Virus Total for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows own firewall, but wanting more detailed control. It also scores very highly in the Matousec tests for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!


WinPatrol Startup WindowWinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. It's main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach which makes it more likely to find new malware than traditional signature based scanners which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is with WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version.  One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.


MJ Registry Watcher MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software but users in this category who prefer to combine small light applications to create a layered security solution should definitely check it out. Installation is not required, simply run the program from whichever directory you un-zip it to.

The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories. 

There is an active thread for this software at Wilders forum here: The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Gizmo's Freeware award as the best product in its class!

Runs as a stand-alone program on a user's computer
Comprehensive protection including network monitoring
Complicated to understand for average users - home page in Chinese (see Softpedia links below)
1.9 MB
32 bit only
Unrestricted freeware
There is no portable version of this product available.
Windows 2K/XP/2003/2008/Vista/7
Runs as a stand-alone program on a user's computer
Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology. Acquired in July 2014 by the former lead developer of Sunbelt & Viper software with the current status of the product guaranteed.
Alerts can be confusing to the non technical and distracting when they arrive during an install process.
1.1 MB
32 bit but 64 bit compatible
Unrestricted freeware
A portable version of this product is available from the developer.
MS Windows all inc. 64 bit
MJ Registry Watcher
Runs as a stand-alone program on a user's computer
Light resource use; excellent default rules with choice of security levels
Only really suitable for experienced users
3.01 MB
32 bit only
Unrestricted freeware
This product is portable.
Windows all

Share this
Average: 4 (62 votes)
Your rating: None


by Anonym (not verified) on 16. September 2011 - 9:00  (79710)

What's your opinion of combination like Panda Cloud AV and Online Armor Free firewall?

by MidnightCowboy on 16. September 2011 - 9:44  (79712)

Thanks for asking but it will be just my opinion because I've not had a very positive experience with either of these products.

At the outset I think all users should ask themselves this question. What is my risk exposure value? If they surf p@rn, social network links and cr@ck sites then nothing is going to protect them short of religiously sandboxing everything.

For general users who are prepared to follow WOT recommendations and use a DNS filter like Norton, then any of the top freeware solutions will do just fine no matter where they might appear in some site's "test" results (excluding YouTube):D

This narrows choice down towards usability and compatibility. The best way to assess this is to browse the product forum (if they have one) or the threads over at Wilder's. If what you see in those places looks like something to avoid, I'd consider another product. Unfortunately the more comprehensive HIPS like Comodo and Online Armor are extremely sensitive to being installed into a system that has either a) instabilities already or b) has had a variety of similar applications installed before it which could have left conflicting remnants behind.

IMO WinPatrol is still a good lightweight choice and is always being improved thanks to Bill's efforts. Another in this category would be PCTools firewall which offers enough without wanting to strangle your system in the process.

Otherwise, Malware Defender is a great old school solution but it does require considerable knowledge, patience and commitment to set up properly.

Programs like Sandboxie and BufferZone remove any need for this amount of stuff and for folks who are prepared to be disciplined in their use, this is an alternative solution.

When I'm not using Linux I run a standard firewall (no HIPS) and a real-time antimalware. It used to be Ad-Aware until the latest AVG which I now prefer. I use WOT + Norton DNS and never enter a red rated site despite some troll saying it's been given this rating unfairly. Why? simply because the risk when set against the fact I've never seen anything I need or want in a red rated site, just isn't worth it. I also have Returnil System Safe (Free) installed (with the optional antivirus disabled) and I just engage this in Virtual Mode to test new software.

by Anonym (not verified) on 17. September 2011 - 1:58  (79753)

Thank you so much for sharing your opinion and experience. What browser do you use?

by MidnightCowboy on 17. September 2011 - 6:21  (79767)

Being honest, I liked IE9 a lot but couldn't really appreciate what Windows 7 gave me above XP for the extra resources it used. I therefore reverted to XP and use mostly SRWareIron for general browsing and Firefox for site work (editing), although I have several others installed for when comments arrive about them, including Opera and Lunascape. One of my favorites is QtWeb but unfortunately you can only use WOT as a bookmarklet which isn't suitable for site work. 95% of the time though I use Linux with Chromium.

by TraderX (not verified) on 17. December 2011 - 22:39  (85207)

i checked out SWare Iron and it reads like it is from CHINA. the english reads like it is written by chinese. ie, "SRWare Iron is a real alternative. The browser is based on the Chromium-source and offers the same features as Chrome - but without the critical points that the privacy concern." So i am not going to use it. I like "palemoon" it is based on firefox.

by Anonym (not verified) on 25. December 2011 - 22:46  (85976)

SRWare Iron browser is from Germany. TheWorld Chrome is from China and is based on Chromuim.

by MidnightCowboy on 18. December 2011 - 3:12  (85214)

I too prefer Pale Moon as an alternative to Firefox. I've also switched to Comodo Dragon as my preferred Chrome based browser.

by Javier (not verified) on 17. September 2011 - 16:59  (79797)

MC I just looked at QTWeb and it appears to be a nice browser. However I am wondering what type security add-ons it will take. Which ones if any did you use with this browser?

by MidnightCowboy on 17. September 2011 - 17:24  (79799)

I could be wrong because I've never looked into this but as far as I'm aware it has some built-in aids such as an adblock and that's it. There are a couple of questions about security/add-ons in their forum but neither has received a reply.

by Anonym (not verified) on 17. September 2011 - 9:27  (79777)

Thank you very much again. Your info is so helpful. I used all of the mentioned browsers and IE9 is the fastest in my comp. I'd also like to ask if you use any browser add-ons. If so, which ones.

by MidnightCowboy on 17. September 2011 - 10:05  (79778)

I'm not a great fan of loading browsers up with extensions because they're the main cause of slowdowns and instability. That said, there are some I regard as indispensable (on Windows) like NoScript. Depending on the browser I also use WOT, AdBlock Plus, Dr. Web link scanner, the Virus Total extension and Google (English). I should also state that I'm no power user nor am I into social networking, and I appreciate those that are will want more than my meager collection of add-ons :)

by 23Anonymous23 (not verified) on 11. September 2011 - 5:57  (79403)

Depending on which commercial suite you have there is a chance a HIPS program could conflict with it. Normally it's best to check with the user forum or help desk of the program you are using to see what other users have tried. There are fewer stand alone HIPS programs these days as compared to a few years back. And most suites have some sort of behavior monitor built in anyway, although most are not that great. About the only really good stand alone HIPS programs are Malware Defender and Comodo D+. The rest have significant protection issues, have lots of conflicts, run heavy or are no longer continually developed.

by Anonymous007 (not verified) on 2. September 2011 - 19:52  (78906)

My experience with threatfire: I got a fast PC, but i dont notice any loss in ressources, but when driving up windows it takes a bit longer(maybe 3-4secs), but bearable. Therefore very low system ressources are used, it doesnt slow anything else I do down.

Defense: well its my first HIPS i ever installed. For the defense level i experienced the last days: I think its good, there surely are better HIPS out there, but threatfire definitely does its job, at least on maximum defense level, i would not recommend lower levels, since those didnt seem to provide a good enough intrusion protection.

What was very positive was the very easy GUI, for a person advanced in computer use but new to HIPS its easy stuff i would highly recommend for beginners using HIPS.

Compatibility: I use windows 7 64bit version. I noticed no problems so far, except 1, only a small one but still annoying: For some reason threatfire seems to mess with my SPTD and/or kerneldebugging, thanks to this daemontools doesnt run anymore. Well i had this problem before thanks to a firewall, there are other cost free mount tools I could get, but still its annoying, and daemontools is simply faster and easier. Will have to either look in to the problem further, or change to a different cost free mount tool. Unless that I had no problems(lucky me^^). But still for compatibility in my own review: I definitely have to give threatfire a minus point for this.

My fazit: Easy and above average strong in defense, but lacks compatibilty, here PCtools definitely should work on it for future versions. But overall im happy with it.

And last a general advice on HIPS: HIPS are no easy tools, and even things like threatfire are unfortunately not suitable for beginners, its more suited for advanced users or better. A HIPS is not as simple and easy as a firewall or antivirus, this is a total different dimension and system, here you are administrating also sensible windows and system processes, also other even deeper processes. You must never forget that a HIPS means a drastic measure in administrating your processes. Thats why: of course installing a HIPS is likely to cause problems, even the easy ones like threatfire, so dont wonder if there are problems in the beggining. Also again this is no firewall, nor a taskmanager, you can seriously mess with your system, thats why my general advice is: only change options if you really know what your doing. However because of this, thats why HIPS are such a big and valuable aid in generall, overall defense, and definitely worth the trouble your going through with it.

Btw: At the moment of course im busy dealing with threatfire^^ But in time i will as always seek more. Thats why Malware Defender hit my eye. I will read the comments but: Can anyone else give me a personal review on Malware Defender? Would be much appreciated, thanks in forward for any reviews on Malware Defender.

by MidnightCowboy on 3. September 2011 - 5:51  (78921)

Thanks for sharing your experiences with Threatfire :) Your conclusion pretty much sums up HIPS in general. My own tech always says HIPS is only useful for those who plan to get infected and you certainly need well above knowledge of Windows to configure and manage one effectively.
Threatfire, as with all HIPS, is very system specific in how it behaves, and your hardware/software mix will determine how much or how little trouble you are likely to encounter.

Malware Defender is a lot less automated than Threatfire. This means for most users it will be more stable in use but you will also need to answer a deluge of popups during the early stages, especially with the network module enabled. Please let us know how you get on with it.

by Anonymous1234 (not verified) on 13. August 2011 - 2:12  (77570)

SpyShelter free version did not make the list?

by MidnightCowboy on 13. August 2011 - 6:47  (77588)

No. Too many compatibility issues.

by Anonymous2345 (not verified) on 14. August 2011 - 2:20  (77630)

What were the compatibility problems?

Also, did you see the ThreatFire review made by EP_X0FF over at kernelmode? Here is the link-

His words "I'm not recommending to anyone use this ThreatTrash. Save your time and health of your OS." I'm sure since you are the HIPS expert here you are well aware of the credentials of EP_X0FF. Your response to his review of ThreatFire?

by MidnightCowboy on 14. August 2011 - 7:51  (77637)

Sorry, but I have no interest in commenting on other reviews all of which vary greatly for every product available. Nor do I wish to comment further on a product not chosen to be included. The compatibility issues with SpyShelter are well documented around the net but as with anything else, user experience will vary. For me is was BSOD and inoperable keyboard, both reason enough. If SpyShelter is a program you like to use and it works for you, fine.

by Anonymous1234 (not verified) on 14. August 2011 - 10:15  (77642)

A broken keyboard was the reason I stopped using Threatfire. Actually it was a Threatfire incompatibility with Vista. That problem was listed on the PC Tools forum as well as WildersSecurity. I'm not sure what steps (if any) were ever done to correct the issue though. I suspect PC Tools just waited it out until Windows 7 came along. Some of the final free versions of CyberHawk can still be found around the net and I would much rather use that ob XP than Threatfire. CH and TF are not much different, although CH runs lighter and has fewer compatibility problems. But note the keyboard issue remains with CH and Vista.

by rajendra negi (not verified) on 10. June 2011 - 19:52  (73611)

Thnx, it is very useful pieces of advice. I'm grateful, i was trying to build up defence of my pc and your advices are boon for me.

by MidnightCowboy on 11. June 2011 - 6:51  (73627)

I'm pleased you found it useful :)

Another very useful HIPS is not listed here because it forms part of a suite and to do so would make things even more confusing than they already are. If however anyone is into suites (single program - complete solution) then do check out Outpost Internet Security Free. On paper the test results for the AV component are not in the top group but don't be fooled by these. Nothing on the planet will protect high-risk surfers and for the rest of us Outpost Free is more than adequate. I even have a bunch of ex.customers still running FortiClient which I recommended for different reasons. This (supposedly) is even worse but in almost a year none has been infected.

You do need to ensure that your system is clean though before installing any type of security program which contains an auto-learn mode (like Outpost). Scanning first with Malwarebytes and HitmanPro is what I recommend.

Also, using good DNS service like Norton and the site rating agent WOT reduces your exposure to some malware groups by at least half before even considering what your resident AV might do.

by kjohnny76 on 18. July 2011 - 19:41  (75789)

mc is Outpost Internet Security Free your talking about good i like (single program - complete solution right now i use avast free, wot, xp firewall,norton dns ,Malwarebytes free,Superantispyware free is my setup better than the Outpost Internet Security Free your talking about? out of all the single program - complete what is your best? and if my setup i have now better would i gain anything using zonealarm free instead of xp firewall?

by MidnightCowboy on 18. July 2011 - 19:51  (75790)

The detection rate of Outpost Internet Security Suite Free is not as good as Avast! The HIPS component in the firewall is first rate but requires some degree of Windows system knowledge in order to use it effectively. With any third party firewall like Zone Alarm you will gain the ability to monitor outbound connections, but with the setup you already have this should not be necessary to the point of changing anything. It's always tempting when you see something "new" or "improved", but in reality you can do more damage by changing security programs than keeping a stable system with those you already have. Certainly if you have not been infected during the past few months, the combination you have now must be working.

by davwar on 9. June 2011 - 8:16  (73536)

starting to get confused:

just got rid of: AVG, Spyware Terminator and ZoneAlarm

replaced it with: Avast and Comodo FireWall as per the Security Wizard.

So do I also need to add HIPs as well??
- maybe ThreatFire or WinPatrol

Both Avast and Comodo have behavior monitoring - is theirs not enough by themselves?

thank you for any help.

by MidnightCowboy on 9. June 2011 - 8:30  (73537)

According to some tests, Comodo might offer better proactive detection, assuming you have the Defense+ module active, but you will need to learn how to use it. This is no easy task, but you might find this tutorial useful:

With Comodo correctly configured you will not need ThreatFire and/or WinPatrol as well because there will be a considerable amount of redundancy between the programs, and chances of conflicts will be high.

by davwar on 9. June 2011 - 8:47  (73538)

Thank you for the reply - makes things a little clearer.

I have just configured Comodo as per the article.

by MidnightCowboy on 9. June 2011 - 9:04  (73541)

Great, I hope it works out for you because it is worth the effort.

Chiron is one of our resident Comodo experts so if you have any specific queries, please post them in the comments under his tutorial, or better still in the forum.

by castiel (not verified) on 10. March 2011 - 2:52  (67719)

Just found out recently that Threatfire is messing up my Skype during start-up. The symptoms is when I start Skype, it will open in a first few seconds then crashed and say "Program Stops Working blah blah..." The only way I can use skype is to keep on trying opening it until the error doesn't come out.

I accidentally saw in the event viewer the faulting error about Skype and found out the threatfire together with it. So I immediately go to the custom rule and declared "Skype.exe" to be excluded in the process when Threatfire scans application that about to start. After that, no more skype crashing. :)

by MidnightCowboy on 10. March 2011 - 7:28  (67725)

Thank you for sharing your experience. This is actually quite common for all programs which contain a form of HIPS or behavior blocker. This includes many of the leading firewalls and security suites too.

by buzzyboop (not verified) on 27. February 2011 - 19:00  (67175)

As a former user of ThreatFire, I can say that while it was effective, it only picked up a couple items. However, it massively slowed down system response. When I heard that MS Security Essentials now had the same heuristic capability as ThreatFire, I went ahead and uninstalled it. Bam! system speed massive increase. My CCleaner time is cut in half, and my registry cleaner now finishes in half the time.

I am as well a fan of MSSE. It picks up where TF left off. I'll now use SuperAntispyware as an on-demand malware backup program.

Cheers, Frank