Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

In a Hurry?

  Go straight to the Quick Selection Guide or the Comments for this article.


Gone are the days when a virus was a virus and everything else was - well – different! Now known collectively as “Malware” these threats are constantly evolving and pose a serious challenge to security software. Signature based scanners give the most reliable detection results but these are limited by the frequency of their database updates. To compliment signature recognition software HIPS programs were developed which look for behavior on your PC which is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process which can occasionally lead to problems. See my article “HIPS Explained” which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy and any so called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. There is no such definition line possible for testing HIPS software and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”).

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.


Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this event is set out quite nicely here if anyone is interested. Just follow the thread through.

Malware Defender main interfaceI'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to Virus Total for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows own firewall, but wanting more detailed control. It also scores very highly in the Matousec tests for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!


WinPatrol Startup WindowWinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. It's main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach which makes it more likely to find new malware than traditional signature based scanners which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is with WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version.  One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.


MJ Registry Watcher MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software but users in this category who prefer to combine small light applications to create a layered security solution should definitely check it out. Installation is not required, simply run the program from whichever directory you un-zip it to.

The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories. 

There is an active thread for this software at Wilders forum here: The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Gizmo's Freeware award as the best product in its class!

Runs as a stand-alone program on a user's computer
Comprehensive protection including network monitoring
Complicated to understand for average users - home page in Chinese (see Softpedia links below)
1.9 MB
32 bit only
Unrestricted freeware
There is no portable version of this product available.
Windows 2K/XP/2003/2008/Vista/7
Runs as a stand-alone program on a user's computer
Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology. Acquired in July 2014 by the former lead developer of Sunbelt & Viper software with the current status of the product guaranteed.
Alerts can be confusing to the non technical and distracting when they arrive during an install process.
1.1 MB
32 bit but 64 bit compatible
Unrestricted freeware
A portable version of this product is available from the developer.
MS Windows all inc. 64 bit
MJ Registry Watcher
Runs as a stand-alone program on a user's computer
Light resource use; excellent default rules with choice of security levels
Only really suitable for experienced users
3.01 MB
32 bit only
Unrestricted freeware
This product is portable.
Windows all

Share this
Average: 4 (62 votes)
Your rating: None


by GreenArrow (not verified) on 9. September 2010 - 15:40  (57518)

Malware Defender has been a mixed bag of excessive popups initially (even for silly things like showing picture previews in a Explorer folder), and extra helpful control -- it's a rare HIPS that actually stops programs from launching IE!

If it ever trains up to silence, then it may be a keeper.

Same poster as above.

by MidnightCowboy on 9. September 2010 - 15:57  (57519)

Hi GreenArrow.

Unfortunately this is very true. There is no half way house between the protection offered by a true HIPS like this and not having alerts. There are just too many possible variables for the vendors to code a silent HIPS which means that the questions will get asked and you, the user, will need to supply the answers to set the rules. Two other fine examples which I used during my XP days (RealtimeDefender and EQSecure) were the same. Certainly the benefits of sticking with it are that you can achieve a usable lock-down status for your machine. Equally, a lot of folks will say that a HIPS is only of any value if you plan to get infected otherwise why would you need to answer questions about what you've just installed? In reality, the proper use of say ClearCloud, WOT and a Chrome based browser will remove 95% of the reasons for having a HIPS in the first place and therefore a simpler and much more user friendly example such as WinPatrol is then all you need :)

by Jesse (not verified) on 30. August 2010 - 21:32  (57010)

MC, I am using WinPatrol and am pleased with it except there does seem to be a little delay in notifying me with its popups when detecting a new program or new "activity." Is this normal for WP?

Also are WP and Threatfire similar enough in what they do that one could substitute for the other? In other words would Threatfire provide any more protection than WinPatrol or just a somewhat different type of protection? I am currently using Avast5 Free, Superantispyware in real time,Vista firewall and Malwarebytes,SafeReturner and Hitman Pro as scanners. Thank You

by MidnightCowboy on 30. August 2010 - 21:59  (57012)

Yes, the delay with WinPatrol is normal. Threatfire is a more complete antimalware solution and as with all of these programs there is bound to be a certain amount of redundancy when using two together. That said, there is enough of a difference to make keeping both acceptable if you really feel the need. Resist the temptation to increase the protection level of Threatfire above it's default setting though as on some systems this can cause problems. If you are using Sandboxie then both of these become redundant, it just depends on personal preference. It's also worth looking at WOT (Web Of Trust) and ClearCloud (DNS). If you don't visit bad places to start with then you need far less protection against them. WOT isn't infallible but orange and red rated sites have still got that way for a reason :)

by Anonymous456 (not verified) on 29. August 2010 - 1:40  (56926)

Can you do a review on immunet protect it seem like a good product.


by MidnightCowboy on 29. August 2010 - 8:54  (56933)

Immunet is an antivirus solution not a HIPS, so it won't be included in this category.

by krogo (not verified) on 16. August 2010 - 0:16  (56095)

I just want to report what a terrible time I had after installing Threatfire. My xp computer with Avira froze up and kept restarting and then freezing again before I could do anything. Finally had to restart my computer in safe mode and then uninstall Threatfire.
Now all is fine again.
Although I'm a big fan of and have been for a long time, I really can't recommend this product at all.

by MidnightCowboy on 16. August 2010 - 9:02  (56107)

Thanks for sharing your experiences. I have often warned about this possibility myself but have to take note now of the large numbers of people using Threatfire without any issues. The latest versions have been more stable than previous releases but still Threatfire can react like this depending on the system it´s being installed into. Such instability can be caused by a variety of factors including remnants left over from previous security software installations or corrupt\missing Windows files. If you like what Threatfire does, and still being with XP, try Googling for the last version of Cyberhawk from which Threatfire evolved before being taken over by PC Tools. Obviously the protection will not be so comprehensive but it should be stable for you. Otherwise, check out WinPatrol.

by Stefan (not verified) on 13. August 2010 - 3:42  (55894)

WinPatrol seems to spike quite often when I am clicking on to different webpages and sites.The CPU in Task Manager will show on average about 35-45,used by WP, for a few seconds then a drop. Does anyone else experience this? I have Vista if that helps any with a Toshiba laptop with 2GBRAM and 160GB hard drive.

by A Guy (not verified) on 26. July 2010 - 0:20  (54924)

Hi MC! Hope all is well! I would like to know if Malware Defender plays nice with WinPatrol as I like the heuristic based detection. Does MD play nice with Avira, SAS, Malwarebytes, Sandboxie, & Autorun Eator? I always value your advice so any help would be greatly appreciated.

by MidnightCowboy on 26. July 2010 - 9:05  (54937)

To be honest, WinPatrol would be pretty much redundant running with the power of Malware Defender but on my W7 Ultimate x32 the two exist together without conflicting if this is what you feel happy to do. I'm also running it with Avira 10, Sandboxie and MWB without problems.

by MidnightCowboy on 28. June 2010 - 21:28  (53404)

In the end, we decided to award eight of the ten licenses donated by Immunet for our "how to stay safe online" competition winners here:

The remaining two plus three more will be given away to the first five members to send me what I think are the funniest one sentence reasons why they should get one! Humorous personal abuse is acceptable so long as it's only directed at me :D

Entries by PM only please. Keep them clean as we need to publish the results!

by Anonymous on 25. June 2010 - 16:42  (53120)

you want almost a malware PROOF computer? You want to know what the best security software is? The guy that wrote this is a little off; HIPS IPS; are OK and are of value, but I have just 2 things to say about security if you are RUNNING WINDOWS!!! An OUNCE of prevention is worth a POUND of cure; I don't even have an anti-virus simply for the fact I never get them lol. All I can say "Virtual Machines, and Sandboxes". If you don't know what these are I suggest you look them up.

There are some awesome ones out there that you can pay for like Deep Freeze, Returnil. Returnil is an elite sandbox application that deletes EVERY CHANGE MADE TO YOUR COMPUTER and contains changes within a sandbox however it's a PARTIAL pay application i.e. there is a free version and a paid version; The free version is fine though.

Next up SANDBOXIE is one of my favorites it contains malware as well within a sandboxed web browser and then you can just empty the sandbox lol.

If you want a virtual machine that you don't have to pay for (like me) use VIRTUALBOX it's TOTALLY FREE. Here is how I have the security on my computer.

If I am going to sites like Gmail ie sites I trust and emails I know who they are from I don't run anything I call them green sites in which the odds of contracting a virus are EXTREMELY REMOTELY LOW. I might turn on something like A HIPS but I have yet to get infected by Gmail, Yahooanswers and youtube.

Orange Alert Sites; Are sites that are commonly gone to but still not 100% secure and therefore questionable lol. These would be like forums, information searching, etc. For those I use a Sandboxie or a sandbox application.

The Red Alert Sites: These are sites of EXTREME DANGER in terms of malware i.e. Adult sites, downloading sites etc. If I am going to visit any sites like these I use my VirtualMachine which is running LINUX UBUNTU lol. Any malware I get is contained within that virtual drive in the guest OS and not my main OS i.e. windows lol.

This system is close to full-proof since there is really no malware in the wild for Linux i.e. even less than Mac OSX. It's ok to use Windows as long as you are using smart enough system like I have outlined to stop the malware from ever coming in. I use windows for gaming and there is nothing wrong with that so long as you KNOW WHAT YOU ARE DOING; it's the people that don't know a lot about computers and prevention that have issues. IF you don't stop it dead in it's tracks on a windows computer then Malare, security issues are imminent.

By it's very nature windows is NOT a secure Operating System once malware gets in because of it's design. So my point is you can use windows if you know what you are doing but it's poorly designed BY ITSELF TO STOP MALWARE since everything has access to write in the registry, hard-drive system drives etc. unless YOU DON'T LET IT!!

by Anonymous on 24. June 2010 - 23:22  (53044)

Has Threatfire been renamed? The Threatfire website directs you the PCTools website where's there no product called Threatfire. Is Threatfire the same as PCTools "Spyware Doctor with Antivirus"?

by Anupam on 25. June 2010 - 6:05  (53080)

I was able to open the ThreatFire site without any problem. It did not redirect anywhere.

by MidnightCowboy on 25. June 2010 - 8:17  (53086)

Threatfire page opens fine for me too.

by Anonymous on 11. June 2010 - 16:30  (51907)

Madness volume of fullfield work! Thank You worshipful mr. Antti Koponen and the other! Many thanks from the Krym republic, Ukraine (former republic of the USSR). ex-tovariszch

by Anonymous on 11. June 2010 - 13:55  (51902)

Does all malware have malicious behavior? I'm thinking about downloading Threatfire.

by MidnightCowboy on 11. June 2010 - 16:36  (51909)

All malware has malicious intentions or at least is designed to act in a manner not acceptable to normal computer users. It is the means by which it arrives on your PC, activates and runs which makes one type of malware different to another. Threatfire is just one of the layers necessary to give optimum protection but is very good at what it does.

by Anonymous on 27. May 2010 - 6:30  (50423)

Try this two great software one is freeware & another is open source

by Anupam on 27. May 2010 - 7:16  (50426)

Thanks for the suggestions, but these software do not fit into the HIPS category.

by Chiron on 12. May 2010 - 3:43  (49613)

I don't understand why Comodo Internet Security (CIS) is not included in this test.

From the tests here:
CIS performs quite well as a HIPS.

In case the problem is that Defense+ is part of a suite and therefore not part of a layered approach CIS can easily be configured so that Defense+ is the only part running.

1) Download CIS without the AV from here:

2) After installing click on the CIS icon and disable the firewall and the Sandbox.

Now all that is running is the HIPS portion of CIS, and it runs well with other security products.

Can someone please tell me why Comodo isn't included in these reviews?

by MidnightCowboy on 12. May 2010 - 8:37  (49628)

CIS is already reviewed in the Free Firewall category where it is best suited and to include it's presence here would only cause confusion. With the exception of Spyware Terminator which was included as an alternative offering additional features, all of these programs are designed to perform just one group function. With CIS, even with the firewall disabled, it's installed components may well cause conflicts with the users firewall choice, and I never recommend dismembering applications to use just one part when alternative solutions are available. By all means if you wish to use CIS in this way fair enough, but it isn't something I would recommend as the components are designed to achieve maximum effectiveness by working together.

by Anonymous on 9. May 2010 - 23:58  (49434)

If we consider that the article refer to "Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)", should "Spyware Terminator" be rated a little bit more higher than "3" for people who just want to use this product for its HIPS capacity and for not too old computers with a x86 technology ?

If its detection rate is poorer than other softwares, who cares if we are not going to use this software for scanning ?

If we consider the most important aspect of this software, the HIPS function, should we not rate this product with a "4", a "4 1/2" or even a "5" ?

I am not saying that it got to be so : I am just asking a question...

by bleep (not verified) on 29. January 2012 - 11:52  (87982)

Spyware Terminator should get a 5 as it`s HIPS component(if set high) keeps your system at a water tight security level.

The install mode feature insures a hassle free install of trusted programs while the more you answer the popups the better the white-listing and the quieter it will become without having to be an ubber-tech.

There`s not to many HIPS programs with real time shield/scan features out there(for free)and it`s good to go after adjusting a couple of settings unlike Malware Defender.

by MidnightCowboy on 10. May 2010 - 9:11  (49454)

It's never easy trying to strike a balance for grading which will appeal to everyone. Although Spyware Terminator does have an effective HIPS component, installing something only to switch bits of it off is not something that a lot of folks would advocate when there are alternatives available. On the other hand, a lot of people don't rate their exposure to spyware as being high enough to warrant the use of a higher performing solution in this category, so for them ST could be an acceptable all round option.

by Anonymous on 7. May 2010 - 15:20  (49288)

I've had threatfire for a while now and I've only had one false positive since I installed it. I suspect spywareblaster is giving me the same protection. I haven't seen it mentioned anywhere on this site but it works great. Here's a link if anyone is interested.

All you have to do is click on "updates", then "check for updates" then click on "protection status" then click on "enable all protection" and then close it and it somehow protects your PC without using up your RAM. Only downside is that it doesn't automatically update though unless you get the paid version.

by Anonymous on 10. May 2010 - 1:35  (49437)

Yeah, that's what I would like to know. The software that is best at real-time protection would be the best intrusion prevention software in my mind, but it doesn't seem that is the case in this article.

by Rizar on 7. May 2010 - 21:30  (49304)

Here is a little test I wrote on the forum to check how SpywareBlaster works in Firefox:

It does similar tricks for Internet Explorer, adding filter lists to IE features.

This is why Ako lists SpywareBlaster under IP-blocking and blacklists for IE:

I also list it under security filters (at the end):

One downside of it is that it doesn't support certain browsers and has limited Firefox support, mainly filtering bad cookies (which is next to useless if you use CS Lite on global block with selected whitelisted sites).

But the good thing about it, or the bad thing, is that Internet Explorer is very difficult to uninstall without causing instability to windows. And sometimes you have to use IE, or see it get used when a program launches it without asking! You could easily stop IE in its tracks by internal settings, but that might prevent other programs that use IE settings from connecting to the Internet. (Windows at its best! But they were even worse at pushing IE before a few lawsuits from competitors!) So SpywareBlaster continues to have some usefulness by better protecting IE, IE based browsers, and programs that prefer to launch to IE.

by MidnightCowboy on 7. May 2010 - 18:05  (49296)

Threatfire is an altogether different animal to SpywareBlaster, employing behavioural analysis and other techniques to protect against a much wider spectrum of malware. That said, both programs will compliment each other's presence as part of a layered security solution.

Gizmo's Freeware is Recruiting!

Gizmos Needs YouShare your knowledge of free software with millions of Gizmo's readers by joining our editing team.  Details here.