Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

 
In a Hurry?

  Go straight to the Quick Selection Guide or the Comments for this article.

Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is "characteristic of malware activity". The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article "HIPS Explained", which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage ("hype").

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events behind this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system, otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to Virus Total for a final check.
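To make the "clean system" caveat concrete, here is an added illustration in Python; it is not part of the review and not Malware Defender's own code. It models a HIPS rule table with a learning mode: every event seen while learning gets a permanent allow rule, so a program that is already running when learning starts is whitelisted exactly like a legitimate one, and the user later corrects the rule from the log. The process paths, targets and action names are constructed sample values.

```python
"""Added example (not Malware Defender's code): a minimal HIPS rule engine
with a learning mode, showing why installing on a clean system matters.

All process paths, targets and action names are constructed sample values."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"      # no rule yet: the user gets an alert


@dataclass(frozen=True)
class Event:
    process: str     # image path of the process making the request
    action: str      # e.g. "registry_write", "file_write", "net_connect"
    target: str      # registry key, file path or endpoint being touched

    def key(self):
        return (self.process, self.action, self.target)


@dataclass
class Hips:
    learning: bool = True
    rules: dict = field(default_factory=dict)   # Event.key() -> Verdict
    log: list = field(default_factory=list)     # (Event, Verdict) history

    def evaluate(self, ev: Event) -> Verdict:
        k = ev.key()
        if k in self.rules:
            verdict = self.rules[k]
        elif self.learning:
            # Learning mode: whatever is observed now is assumed legitimate and
            # a permanent allow rule is written for it. Malware that is already
            # running is whitelisted exactly like any other program.
            verdict = Verdict.ALLOW
            self.rules[k] = verdict
        else:
            verdict = Verdict.ASK        # unknown behaviour: alert the user
        self.log.append((ev, verdict))
        return verdict

    def override(self, ev: Event, verdict: Verdict) -> None:
        """Change a rule's permission from a log entry, as the review describes."""
        self.rules[ev.key()] = verdict


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UPDATER = r"C:\Program Files\Example\updater.exe"        # constructed, benign
DROPPER = r"C:\Users\alice\AppData\Local\Temp\svc.exe"   # constructed, already present


def scenario() -> dict:
    """Learning on a system that was NOT cleaned first, then enforcement."""
    hips = Hips(learning=True)
    hips.evaluate(Event(UPDATER, "registry_write", RUN_KEY))
    hips.evaluate(Event(DROPPER, "registry_write", RUN_KEY))
    hips.evaluate(Event(DROPPER, "net_connect", "203.0.113.7:443"))

    # Enforcement: learned behaviour is allowed silently, new behaviour asks.
    hips.learning = False
    persist = hips.evaluate(Event(DROPPER, "registry_write", RUN_KEY))
    beacon = hips.evaluate(Event(DROPPER, "net_connect", "203.0.113.7:443"))
    unseen = hips.evaluate(Event(DROPPER, "file_write", r"C:\Windows\System32\drivers\etc\hosts"))

    # The user notices the Temp-folder process in the log and flips its
    # allow rules to BLOCK; from then on the same events are denied.
    for ev, verdict in list(hips.log):
        if ev.process == DROPPER and verdict is Verdict.ALLOW:
            hips.override(ev, Verdict.BLOCK)
    after_fix = hips.evaluate(Event(DROPPER, "registry_write", RUN_KEY))

    return {"persist": persist, "beacon": beacon, "unseen": unseen,
            "after_fix": after_fix, "rule_count": len(hips.rules)}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running it shows the learned persistence and network rules answering ALLOW in enforcement mode, the unseen file write producing an ASK, and the corrected rule answering BLOCK; the rule table stays at three entries because ASK verdicts are never stored.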

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!


WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version.  One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/


MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system but also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you un-zip it to.
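The snapshot-and-compare approach that both WinPatrol (a snapshot of system settings) and MJ Registry Watcher (a polling loop over protected keys and files) rely on is shown below as an added Python example; it is not the code of either program. It digests a protected set of files and directories, compares successive snapshots, and reports additions, modifications and deletions, the last being exactly the class of change a polling loop still catches when hooks cannot. The protected paths and their contents are constructed in a temporary directory; on Windows the same diff could be fed from registry values read with winreg, which is not shown here.

```python
"""Added example (not WinPatrol's or MJ Registry Watcher's code): a
snapshot-and-poll change detector over a protected set of files/directories.

Paths and contents in demo() are constructed inside a temporary directory."""
import hashlib
import tempfile
import time
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(protected) -> dict:
    """Map every protected file (and every file under a protected directory)
    to a content digest. Paths that do not exist are simply absent."""
    snap = {}
    for entry in protected:
        p = Path(entry)
        if p.is_dir():
            for child in sorted(p.rglob("*")):
                if child.is_file():
                    snap[str(child)] = _digest(child)
        elif p.is_file():
            snap[str(p)] = _digest(p)
    return snap


def diff(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),   # only a poll can see these
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def watch(protected, interval=30.0, cycles=None):
    """Poll the protected set every `interval` seconds (MJRW's default is 30)
    and yield each non-empty change set. `cycles` bounds the loop for tests."""
    baseline = snapshot(protected)
    n = 0
    while cycles is None or n < cycles:
        time.sleep(interval)
        current = snapshot(protected)
        changes = diff(baseline, current)
        if any(changes.values()):
            yield changes
        baseline = current
        n += 1


def demo() -> dict:
    """Constructed scenario: baseline, then one edit, one new file, one deletion.
    Returns file names only so the result is independent of the temp path."""
    root = Path(tempfile.mkdtemp(prefix="hips_demo_"))
    startup = root / "Startup"                 # stands in for a startup folder
    startup.mkdir()
    (startup / "backup.lnk").write_text("legit shortcut")
    hosts = root / "hosts"                     # stands in for a protected file
    hosts.write_text("127.0.0.1 localhost\n")
    baseline = snapshot([startup, hosts])

    hosts.write_text("127.0.0.1 localhost\n# edited\n")   # modified
    (startup / "dropper.lnk").write_text("new autostart")  # added
    (startup / "backup.lnk").unlink()                      # deleted
    changes = diff(baseline, snapshot([startup, hosts]))
    return {kind: [Path(p).name for p in paths] for kind, paths in changes.items()}


if __name__ == "__main__":
    print(demo())
```

The deletion in the result is the case the review singles out: a hook on a key or file never fires once the object is gone, so a detector that only hooks misses it, while the periodic snapshot comparison reports it on the next cycle.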

The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories. 

There is an active thread for this software at the Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666. The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Rating: 4
Award: Gizmo's Freeware award as the best product in its class!
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users - home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
Architecture: 32 bit only
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology
Cons: "Scotty the Windows Watchdog" projects a somewhat dated image
Home page: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kb
Architecture: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: MS Windows all inc. 64 bit

MJ Registry Watcher
Rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
Architecture: 32 bit only
License: Unrestricted freeware
Portability: This product is portable.
OS: Windows all

Average: 4 (60 votes)

Comments

by JamesD (not verified) on 7. January 2011 - 9:07  (64054)

Hi MC, I have a question about Online Armor and Threatfire: can I use these programs together? If malware did appear from the net, would you think there would be any conflicts in picking the malware up?

Because at the moment I have these two programs installed together on my PC, there is only a conflict when Threatfire is turned up to level 4 or higher; then it will pick up some of the Online Armor processes as a threat. But when Threatfire has its default level it has no conflict.

So in this situation would you say Threatfire is redundant when I have Online Armor installed? Would both programs do the same thing, or would you think it will increase my protection?

I currently have Online Armor, Avira and Threatfire on in real time. Would you say that is a good setup?

Thanks for your help MC.

Other comments from other users can help me to reply to this question as well.

by MidnightCowboy on 7. January 2011 - 9:22  (64055)

Hi JamesD,

There is always a certain amount of redundancy between programs which operate in a similar way, but not always identically. I see the same thing sometimes with Privatefirewall and WinPatrol. Usually there's no real conflict as the programs compete for system access to check things and the result is mostly just a double alert. As you've found though, increasing the settings is definitely going to make this worse.

I think the setup you describe is excellent and with Threatfire at default settings I would keep it as it is. The only other thing to bear in mind is that most malware just doesn't "appear from the net" on its own. In fact nearly all of it requires at least some help from you :)

You may already have these programs/extensions but if not I would look at a DNS filter such as ClearCloud or Comodo, Trend Micro's Browser Guard service (if you use IE) and a website ratings guide such as WOT. These on their own will prevent you from visiting a lot of potentially bad places by accident so long as you follow the advice they give.

Site ratings agencies are the most open for debate because they all have their weaknesses. WOT relies on user opinion so sites with a low traffic volume can have their rating manipulated unfairly and others like McAfee don't update often enough. Overall we've found WOT to be the most reliable on balance which is why it is used by us to rate every link published here.

by mrpink on 7. December 2010 - 19:05  (62170)

MC, maybe you should consider having a look at Spyshelter free. It is not only an anti-logger, but seems to be a full HIPS application. In their latest releases they added a "restricted mode" similar to DropMyRights and OA's "run safer".

by MidnightCowboy on 7. December 2010 - 20:21  (62175)

Thanks for the suggestion.

by Zâmbi (not verified) on 17. January 2011 - 11:16  (64703)

Hi, Mid:

I thought that, while you're about seeking and reviewing new software options of this kind, you might get an interest in taking a look also at the free version of Xyvos (http://www.xyvos.com/).

Greetings from Brazil.

by MidnightCowboy on 17. January 2011 - 13:58  (64715)

Thanks for the information about this new product, but I would want to see a lot more detail first, including independent test results, before considering something like this with no site rating and no active forum (despite having a link). There is also no published privacy policy despite there being a link for this too.

IMO I would stay well away for the time being at least.

The PC security industry is highly competitive and highly profitable, which is why so many try to climb on board the gravy wagon. The truth is that no new product is likely to outperform the top existing solutions unless those behind its inception have a bottomless wallet and access to top industry techs.

by DarkVision (not verified) on 3. December 2010 - 21:18  (61995)

I'm a blind user and I've found PcTools Threatfire very friendly. I highly recommend this to anyone. I have never had any issues with it and it appears to play nice with Microsoft Security Essentials. WinPatrol I believe does not offer real time protection in the free version. I found this out when I got infected and then WinPatrol alerted me of something new, and at this point it was too late to remove. So personally I would throw WinPatrol right out of this list. Threatfire at least offers real time protection. When I did use WinPatrol I didn't like the lag before it would pop up either. Threatfire was very simple for me to use.

by MidnightCowboy on 4. December 2010 - 7:07  (62011)

Ultimately it depends on what you expect a program to do for you and how much interaction you want with it. This is the full list of WinPatrol capabilities and a comparison between the two options.

http://www.winpatrol.com/compare.html

by DarkVision (not verified) on 6. December 2010 - 2:53  (62073)

That is a very good run down of what WinPatrol can do. Very impressive. However, I did notice that the default lag for WinPatrol is 2 minutes. You can change this to 1 minute. You have to purchase the product for real-time. The real question to ask now is: will either product help you stop a new threat in its tracks just enough that you can do a scan to remove a new virus of some sort? Suppose a new threat pops up. I kill the process with Threatfire, and it looks like WinPatrol does the same; at this point should I be able to find it and remove it with HijackThis or something?

by MidnightCowboy on 6. December 2010 - 5:58  (62080)

There are always dangers when using software with crossover features. At best you have some redundancy between their various functions, at worst you can introduce conflicts as the software competes for system resources and file access. This introduces the possibility that your overall protection could be worse with two competing products, rather than better. As Threatfire is more aggressive than WinPatrol I would decide at what level you surf at and then choose just one program. With general safe surfing habits then WinPatrol is going to be adequate. If on the other hand you are prone to surfing risky areas then I'd use Threatfire instead. Either way, a comprehensive scanner such as HitmanPro or Malwarebytes should still enable you to find and delete malicious files which have otherwise not been dealt with.

by DarkVision (not verified) on 6. December 2010 - 16:03  (62102)

Thanks so much Midnight Cowboy. You answered my question. I agree that WinPatrol has a leg up on what it offers, but Threatfire I think offers better real-time protection where WinPatrol lacks and can potentially leave you helpless, as it did to me, whereas Threatfire was able to halt the threat cold in its tracks. I just feel Threatfire is a better choice because things will get past your Firewall and AntiVirus at times. This is a third layer of protection I feel will suffice for a blind user. Luck with you all and keep up the good work. Love the site. Now if only I could get Comodo to make it more blind friendly then I wouldn't need Threatfire! ;)

by MidnightCowboy on 6. December 2010 - 17:17  (62108)

Pleased this has helped you out.

Why don't you try posting your comments about Comodo in their forum?
Despite the occasional ego trip I do know that Melih is very approachable about such things and maybe can offer some suggestions.

by grimbles on 23. November 2010 - 1:22  (61531)

Hi MC - Great intro and reviews (as usual).

Just on the Threatfire/Comodo conflicts (as reported by "Munkie"). Is it not inadvisable to install more than one HIPS based application (or which includes a HIPS based component)? Is that not inviting the likelihood of incompatibilities, in much the same way as installing more than one AV with real time protection running?

I have used Threatfire for years, through XP, Vista and Windows 7. Never had a problem, never experienced any issues. I've also recommended it to many of my clients and associates, never had one call back because of anything caused by Threatfire....go figure!!

I agree 100% with your assessment. I recommend Threatfire largely because it requires virtually zero configuration (works well right out of the box) and minimal user input (decision making). Suits my clientele/associates who range primarily from 'wouldn't have a clue' to 'novice'. LOL

Sheesh, I can't believe how many respondents (not only here but all across the forum spectrum) are employing soooo many security products......at times, the list seems to go on forever!

Guys!! Security is very important but you CAN overdo it!! LOL

Cheers....Jimbo

by MidnightCowboy on 23. November 2010 - 6:42  (61540)

Hi grimbles,

The difficult part is defining where a conflict might lie. On some systems Threatfire coexists with other HIPS components and on others not. The only definite thing is that aggressive HIPS like CIS and that contained in Privatefirewall are more likely to cause issues.

When I was using Windows I never had a lot of luck personally with Threatfire so with XP I reverted to the last free version of Cyberhawk (before PCTools called it Threatfire) which was error free.

by spellinggg (not verified) on 30. September 2010 - 1:25  (58682)

"feint hearted" should be
"faint hearted"

by Jojo Yee on 30. September 2010 - 6:18  (58696)

The typo is fixed now. Thanks for pointing out.

by MidnightCowboy on 30. September 2010 - 8:03  (58702)

Thanks to both :) I was amazed at how much confusion there still is about this when I Googled it, and unfortunately a spell checker isn't much use :D

by MidnightCowboy on 29. October 2010 - 13:16  (60417)

test post - mc

by Munkie (not verified) on 26. September 2010 - 3:26  (58451)

Tried Threatfire; unfortunately had to uninstall immediately.
I'm running Windows 7 and Threatfire seemed to conflict with Comodo firewall on its initial install scan. After that Threatfire wouldn't open; Comodo did not pop up anything, but there was something about it in the defense events (terminated process).
After a forced reboot Comodo and Avira would not load on restart, but Threatfire would and the program would open.
Now it might be my setup, but the programs didn't seem to be compatible together, or a possible setting somewhere needs adjusting.
Program seems worth a try, but I need antivirus and firewall more.

by MidnightCowboy on 26. September 2010 - 7:49  (58457)

Thanks for the notice Munkie. Unfortunately this has always been the problem with Threatfire although the later releases have been much better regarding compatibility. The strange thing I've seen is that this can happen (or not) on very similar setups so it's almost impossible to pin down the cause. Most would say that with Comodo installed you wouldn't need Threatfire anyway because there would be too much redundancy between the two. Supposedly Comodo is at last to be featured in the next round of AV Comparatives tests and depending on how well it does you might not need Avira either :)

by Tinkerbell (not verified) on 13. September 2010 - 18:37  (57754)

How can I temporarily disable WinPatrol to try and determine if it is slowing FireFox? Thanks

by Bigcced (not verified) on 15. October 2010 - 17:13  (59590)

Simply use your task manager (right click on the bottom tool bar) and turn off WinPatrol (End Task, End Process or End Process Tree). I use FireFox and WinPatrol. If you know what you're doing you can use WinPatrol to speed up your system by disabling unnecessary start ups, etc.

by MidnightCowboy on 15. October 2010 - 17:18  (59593)

Good tip. In concentrating on WinPatrol's malware blocking abilities I tend to forget about its excellent start-up control feature.

by MidnightCowboy on 13. September 2010 - 18:45  (57757)

Can't think of how WinPatrol could be slowing up Firefox. This is more likely to be your AV's web scanner (if you have one) or the number/type of Firefox extensions you have installed. You might also like to try opening the same few pages with an alternative browser such as SRWareIron and see how the timing compares. To close WinPatrol just right-click the tray icon and select "Exit Program". You can restart it again from the start menu.

by Tinkerbell (not verified) on 13. September 2010 - 22:25  (57774)

Thanks MC - You were correct, as the problem was actually with my AT&T connection. Did not consider this initially, but Vista (or was it AT&T?) diagnosed and repaired it automatically. Yes, Vista does have some good points!

by MidnightCowboy on 13. September 2010 - 23:19  (57778)

Pleased you got it sorted. Here I refer to my ISP as Indescribable Service Provider but out of a choice of two they are still the better option :D

by Anonymou (not verified) on 2. September 2010 - 19:28  (57157)

Thanks, very good review of Malware Defender. It's very light on resources too. Just used MD to replace PC Tools, alongside windows firewall, Avast, GeSWall.

Windows Task Manager is another way to view network activity holistically since MD only shows the port connections.

by MidnightCowboy on 2. September 2010 - 19:38  (57158)

I'm pleased you like Malware Defender. It's a bit labour intensive to start with if you have the network option enabled but once you get your rules set it's a great program.

by GreenArrow (not verified) on 9. September 2010 - 15:40  (57518)

Malware Defender has been a mixed bag of excessive popups initially (even for silly things like showing picture previews in an Explorer folder), and extra helpful control -- it's a rare HIPS that actually stops programs from launching IE!

If it ever trains up to silence, then it may be a keeper.

Same poster as above.

by MidnightCowboy on 9. September 2010 - 15:57  (57519)

Hi GreenArrow.

Unfortunately this is very true. There is no half way house between the protection offered by a true HIPS like this and not having alerts. There are just too many possible variables for the vendors to code a silent HIPS which means that the questions will get asked and you, the user, will need to supply the answers to set the rules. Two other fine examples which I used during my XP days (RealtimeDefender and EQSecure) were the same. Certainly the benefits of sticking with it are that you can achieve a usable lock-down status for your machine. Equally, a lot of folks will say that a HIPS is only of any value if you plan to get infected otherwise why would you need to answer questions about what you've just installed? In reality, the proper use of say ClearCloud, WOT and a Chrome based browser will remove 95% of the reasons for having a HIPS in the first place and therefore a simpler and much more user friendly example such as WinPatrol is then all you need :)
