Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

 
In a Hurry?

  Go straight to the Quick Selection Guide or the Comments for this article.

Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is "characteristic of malware activity". The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article "HIPS Explained" which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some of the vendors may possibly use this to their own advantage ("hype").

Review Criteria

My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system, otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to Virus Total for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!


WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/


MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop, though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.

The program now also includes: process launch monitoring, folder and file hooking, e-mailing of alerts, and quarantining of files and directories.

There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666

The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
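The snapshot-and-compare loop that both the WinPatrol and MJ Registry Watcher descriptions above rely on, as an added example in Python (not code from either product). The Run key is stood in for by a plain dict and the startup folder by a temporary directory, both constructed for the demo; a real monitor would read the key with winreg.

```python
"""Poll-based change detection for autostart locations, after the
snapshot-and-compare loop described for WinPatrol and MJRW.
Added example, not code from either product.  The Run key is stood in
for by a plain dict (assumption: a real monitor would read it with
winreg); the startup folder is a real temporary directory whose files
are hashed, so a file rewritten under the same name is still caught."""
import hashlib
import os
import tempfile

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(run_values, startup_dir):
    """Map every protected location to its current value or file hash."""
    snap = {RUN_KEY + "\\" + name: cmd for name, cmd in run_values.items()}
    for fname in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, fname)
        if os.path.isfile(path):
            snap["Startup\\" + fname] = hash_file(path)
    return snap


def diff_snapshots(baseline, current):
    """Classify changes between two polls.  A hook can report an add or a
    write as it happens; a deletion only shows up here, by noticing that a
    baseline entry is missing from the new snapshot."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    deleted = {k: baseline[k] for k in baseline.keys() - current.keys()}
    modified = {k: (baseline[k], current[k])
                for k in baseline.keys() & current.keys()
                if baseline[k] != current[k]}
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: between two polls one Run value appears, one
    disappears, and a startup-folder file is rewritten in place."""
    with tempfile.TemporaryDirectory() as startup:
        helper = os.path.join(startup, "helper.lnk")
        with open(helper, "wb") as fh:
            fh.write(b"original shortcut")
        run = {"Updater": r"C:\Program Files\Updater\upd.exe",
               "Sync": r"C:\Tools\sync.exe"}
        baseline = snapshot(run, startup)

        run["Loader"] = r"C:\Users\Public\loader.exe"  # new autostart entry
        del run["Sync"]                                 # deletion: only polling sees it
        with open(helper, "wb") as fh:
            fh.write(b"tampered shortcut")              # same name, new content
        return diff_snapshots(baseline, snapshot(run, startup))


if __name__ == "__main__":
    for kind, items in demo().items():
        for location in items:
            print(f"{kind.upper():9}{location}")
```

Lengthening the interval between polls widens the window in which a deletion goes unreported, which is the trade-off MJRW's 30-second default makes against CPU use.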

Related Products and Links
Quick Selection Guide

Malware Defender
  Rating: 4
  Gizmo's Freeware award as the best product in its class!
  Runs as a stand-alone program on a user's computer
  Pros: Comprehensive protection including network monitoring
  Cons: Complicated to understand for average users - home page in Chinese (see Softpedia links below)
  Version: 2.8
  Size: 1.9 MB
  32 bit only
  Unrestricted freeware
  There is no portable version of this product available.
  Windows 2K/XP/2003/2008/Vista/7

WinPatrol
  Rating: 4
  Runs as a stand-alone program on a user's computer
  Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology
  Cons: "Scotty the Windows Watchdog" projects a somewhat dated image
  Home page: http://www.winpatrol.com/
  Version/date: 28.6.2013
  Size: 900 kb
  32 bit but 64 bit compatible
  Unrestricted freeware
  A portable version of this product is available from the developer.
  MS Windows all inc. 64 bit

MJ Registry Watcher
  Rating: 3
  Runs as a stand-alone program on a user's computer
  Pros: Light resource use; excellent default rules with choice of security levels
  Cons: Only really suitable for experienced users
  Version: 1.2.8.1
  Size: 3.01 MB
  32 bit only
  Unrestricted freeware
  This product is portable.
  Windows all

Average: 4 (60 votes)

Comments

by MidnightCowboy on 30. April 2010 - 8:26  (48804)

So does everywhere else. I'll remove these later if no link appears. Thanks, Kendall.

by EscapeVelocity on 4. April 2010 - 2:26  (46904)

I just tried ThreatFire and had no conflict issues. I liked it, but I like WinPatrol better.

Trying out ProcessGuard Free now too. I really like that it teaches the user as well... with lots of info in the form of tips.

I'm also trying out Mamutu (which is paid but free trial for 30 days). I like it better than ThreatFire. But I didn't dislike ThreatFire.

On to Immunet for a try next.

Running XP Home SP3

by Anonymous on 4. April 2010 - 18:54  (46958)

If you're using a soft firewall with 'HIPS' incorporated, such as Comodo or PC Tools for example, then there's no real need for a third party HIPS, IMO.

by EscapeVelocity on 4. April 2010 - 2:23  (46903)

I think you should add ProcessGuard Free in there, especially for people still using XP.

by MidnightCowboy on 4. April 2010 - 10:28  (46919)

Thanks for the suggestion. I did look at the free version of Process Guard before, but it's too crippled compared to the paid one.

http://www.diamondcs.com.au/processguard/download.php

by Anonymous on 3. April 2010 - 2:24  (46816)

I find WinPatrol to be better than PC Tools Threatfire, mostly in terms of system stability. Using XP SP3.

by MidnightCowboy on 3. April 2010 - 8:38  (46845)

This is a very good point. I've never known WinPatrol to conflict with anything, whereas Threatfire may cause issues which a lot of folks can do without. The latest version is better in this respect, but still not immune. This is more likely to happen in systems which already have some instabilities, but there are a lot like this around.

by Anonymous on 1. April 2010 - 19:19  (46706)

Hi MC! Hope all is well. I have a question for you, I am considering using Spyware Terminator for its HIPS component only simply because Winpatrol has become increasingly slow to react to changes. Does ST's HIPS component rely on the real time protection or can you run the HIPS with the real time protection turned off? Also does it play nicely with SAS, MBAM, & Avira 10? Thanks!!!

by MidnightCowboy on 2. April 2010 - 0:37  (46718)

Hi, I'm fine thanks.
I've never advocated switching bits of a program off which has been carefully designed to function as a complete unit. An exception would be something like CIS which gives a default option to include the AV component or not. If you didn't want to use ST in its entirety then I'd consider something else. For Windows 7 there isn't much choice outside of the firewalls with HIPS combined, but if you're still with XP then EQSecure or better still (IMO) System Safety Monitor are excellent, although be prepared for a lot of alert answering in the early stages. SSM is better in this respect because it has a learning mode and also network protection which makes it a highly effective and comprehensive option. If you'd like a key for the last commercial version then please register and request one from me via the forum PM system as I'm authorized by the program author to issue these. Spyware Terminator will be fine with the scan only versions of SAS and MBAM. I can't answer for Avira 10 because it's too new, but I've not seen any adverse reports and I can't see why there should be any problems.

by Anonymous on 23. February 2010 - 10:15  (44244)

According to Matousec, ThreatFire provides no protection whatsoever!!!
Why, then, is it recommended as the top choice?
Thanks for all the hard work here at the site.

by terrawarra on 7. March 2010 - 0:29  (45123)

I tried Threatfire and found it to be quite good although it tended to hog my CPU resources, particularly at start up.
I recently installed a freebie known as "Hazard Shield" version 2.2.0.279. It's just another antispyware program which does an average job of finding and eliminating spyware. The best feature is its real time protection in the form of HIPS. It's amazingly quick at flagging anything not quite right... by comparison, WinPatrol always seems to be a little too late to spring into action... sometimes up to a minute later.
Check it out here:
http://hazard-shield.software.informer.com/

by MidnightCowboy on 7. March 2010 - 8:01  (45145)

This application is not recommended. I had serious issues at install on my own machine. Others have experienced similar issues and its detection is very poor.

http://www.wilderssecurity.com/showthread.php?t=264275&highlight=hazard+...

by terrawarra on 7. March 2010 - 8:56  (45148)

Thanks for your comment MidnightCowboy... I wasn't aware of any adverse issues with it so "forewarned is forearmed".
So far it hasn't caused me any grief... only alerting me to any HIPS activities. I'll continue using it for the time being but will be vigilant for any nasty surprises. If it does indeed "intrude", I'll nuke it to that great redundant software cemetery in the sky!
cheers

PS. I checked the Wilders Security Forum via your link and it certainly doesn't come up smelling of roses.

by Rizar on 23. February 2010 - 15:56  (44261)

I recommend always looking at the "level reached". If the level says anything other than "10", then ignore the score results. The only way to interpret the results for products with few testing levels is to click on the PDF report.

Matousec calculates the final score by dividing the level 1 results by the total number of possible testing levels. For Threatfire, it's similar to dividing level 1 results by 10 other untested levels (or possible testing levels), which might be a very different score if they divided their 1 level of testing by the total tests at level 1.

Or let's consider an analogy. You go bowling, bowl 1 game, and get a 270. But then you sit out the next 2 games. The other players with you, including your annoying little brother, bowled all three games at around 100 every time. None of them scored more than your 270 in any single game. But your little brother snickers that he beat you three times! Matousec testing method would say he's right and that he did in fact beat you, even in the first game!

How does your little brother support his claim? He decides to lower your 270 score by dividing it by all three games, so you bowled a 90 in game 1! You actually got beat by your snot nosed little brother!

That is what Matousec does!

Thus the low score. What would the score be if they had completely tested the product to level 10?

See this vendor comment from the maker of Outpost for example: "93% is a good result but we regret that level 9 turned out to be an obstacle for the product whereas our internal testing revealed that level 10 was passed with flying colors".

So the other way to interpret the results is to completely ignore the score in the table and test it yourself. I don't recommend it since the tests are for advanced users.

The main use of the table is to compare products at the top. All the other product scores are less informative and somewhat deceptive, especially when the final score gets the most attention. But they cover themselves by warning readers to read all the information on their site before interpreting the results.

I rambled about my interpretation of their scoring here: Matousec Personal Firewall Tests Analyzed.

by MidnightCowboy on 23. February 2010 - 10:28  (44245)

Threatfire was never designed to be used as a firewall/HIPS combination which is why it scores poorly on Matousec, although truly experienced users can set advanced rules for some network operations. The same applies to Emsisoft's Mamutu which is a pure behavior blocker and also shouldn't be there. Why Matousec decided to complicate his presentation even further by including this type of program only he knows. Suffice to say that for people who can understand the alerts correctly, Threatfire is an excellent complement to traditional anti-virus programs. This type of zero-day technology is now being included in more and more programs which is testament in itself to the value it has over traditional signature based methods.

by Anonymous on 23. February 2010 - 11:32  (44250)

Matousec basically offers a H.I.P.S. test. As a result, pure/classic firewalls (i.e. firewalls without H.I.P.S.) and behavioral blockers traditionally score low at Matousec's tests.

by Anonymous on 23. February 2010 - 11:18  (44247)

I appreciate the quick and informative response!
Your hard work makes choosing the right software that little bit easier.
Kudos

by Anonymous on 28. January 2010 - 15:30  (42274)

On this page under Related Products and Links, the link labeled "Malware Removal Guide" is 404.

by MidnightCowboy on 28. January 2010 - 15:59  (42276)

Thanks a lot - I've fixed it now.

by Anonymous on 20. January 2010 - 21:39  (41629)

Hi MidnightCowboy,

Thank you for your very informative article. I would be interested to know more about the performance of these HIPS applications (typical RAM usage for example), so that users like me can take into consideration what application is suited to their hardware.

Once again many thanks,

by MidnightCowboy on 21. January 2010 - 10:10  (41675)

In terms of resource use from low to high they rank: MJRW, WinPatrol, Threatfire and SpywareTerminator. ST is still some way ahead of the rest so if resource use really is an issue this might be the one to avoid. Otherwise, the need for features should maybe be considered before the amount of memory used unless you have a really low powered machine. You also might want to consider changing a resource hungry primary AV for one less demanding if you have such a beast installed. The latest V5 of Avast! is pretty good on my machine using 25 MB and 7 MB respectively for the svc.exe and UI.exe. This might then enable you to put in a HIPS without having to worry about the extra resource use.

by Anonymous on 22. January 2010 - 20:03  (41762)

Many thanks for your prompt reply!

by Anonymous on 6. January 2010 - 13:14  (40385)

How does Spybot's TeaTimer system settings protection tool rate compared to these other programs? It has white/blacklists, etc. Is it good for HIPS?

by MidnightCowboy on 6. January 2010 - 16:39  (40401)

This is the TeaTimer FAQ.

http://www.safer-networking.org/en/faq/33.html

Currently S&D seems to be in no man's land compared to some other spyware apps although the program does contain some other useful tools. Unless you really love S&D for what it actually is then I wouldn't install it just for the TeaTimer function. Spyware Terminator would be more effective (on x32 bit systems anyway) because it does have a proper and well thought out HIPS, otherwise stick with whatever comes bundled with your firewall and/or WinPatrol. If you just feel the need for some extra registry protection then MJ Registry Watcher might be just the tool.

by ako (not verified) on 4. January 2010 - 11:39  (40217)

Reasonable choices for this forum. There are now many excellent free HIPS, but few suitable for big audience.

P.S. PEGuard seems promising...

by MidnightCowboy on 4. January 2010 - 12:39  (40223)

PEGuard? Is this Zprotect we're talking about in which case I wasn't aware there was a free version?

My favorites in the past usually combined Avira and Sygate with either EQSecure, Realtime Defender or System Safety Monitor. You can do a lot of damage with these though which is why I only "supported" them in a very limited way via the forum for people with an interest in this type of stuff. They are all redundant beyond XPSP2 (although I think EQS is OK with SP3) so in effect they are dying a natural death as the world moves on to x64 and beyond. IMO currently D+ wants a lot of beating and now that the firewall is 100% stable for the majority of us I see little point in using anything else. Comodo isn't everyone's cup of tea though so naturally programs like Threatfire and Winpatrol add this extra layer if required.

by ako (not verified) on 4. January 2010 - 13:40  (40227)

There is some interest in it at Wilders.

http://www.softpedia.com/get/Antivirus/PE-GUARD.shtml

It is free.

Your idea of Defence+ being enough for classical HIPS fans seems justified.

by MidnightCowboy on 4. January 2010 - 14:01  (40230)

Thanks for the link. There's another program of the same name which was confusing me!

by MidnightCowboy on 4. January 2010 - 14:15  (40231)

Having now found the right thread at Wilders there seems to be quite a few conflicting reports and errors including BSODs considering the small usage numbers. I think I'll add this one to my "has potential" pile for the time being and wait for some further development.

by ako (not verified) on 4. January 2010 - 15:27  (40237)

Yes. It seems promising, but not yet fully recommendable.
