Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)
Introduction
Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but these are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here, and the results are always consistent and reliable. No such clear dividing line is possible for testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).
Discussion
Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this event is set out quite nicely here if anyone is interested. Just follow the thread through.
In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!
WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners that are heavily reliant on updates. WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users. The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here: http://billpstudios.blogspot.com/
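The snapshot-and-alert approach described above is simple enough to show in code. The following is an added example written for this page, not WinPatrol's own code or anything from Bill Pytlovany: it takes a baseline snapshot of a set of watched items (here a constructed set of autostart entries, and separately a set of files identified by their SHA-256 digest), takes a second snapshot later, and turns the differences into the kind of one-line alerts a user would be asked to allow or block. The registry-style keys and paths in the sample data are constructed illustrations only.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class SnapshotDiff:
    """Differences between a baseline snapshot and a later one."""
    added: dict      # keys present now but not in the baseline
    removed: dict    # keys present in the baseline but gone now
    changed: dict    # key -> (old value, new value)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def snapshot_files(paths):
    """Build {path: sha256 hex digest} for every readable file in `paths`.

    Missing or unreadable files are simply absent from the snapshot, so a
    file that appears later shows up as an 'added' entry in the diff.
    """
    snap = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                snap[path] = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            continue
    return snap


def diff_snapshots(baseline, current):
    """Compare two {key: value} snapshots and classify every difference."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {
        k: (baseline[k], current[k])
        for k in baseline
        if k in current and baseline[k] != current[k]
    }
    return SnapshotDiff(added, removed, changed)


def format_alerts(diff):
    """Render a diff as the one-line alerts a HIPS would present to the user."""
    lines = []
    for key, value in sorted(diff.added.items()):
        lines.append(f"NEW     {key} = {value}")
    for key, value in sorted(diff.removed.items()):
        lines.append(f"REMOVED {key} (was {value})")
    for key, (old, new) in sorted(diff.changed.items()):
        lines.append(f"CHANGED {key}: {old} -> {new}")
    return lines


# Constructed sample data: autostart entries as {registry value: command}.
# These are illustrative values only, not the contents of any real system.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
BASELINE_STARTUP = {
    RUN_KEY + "OneDrive": "C:\\Users\\alice\\OneDrive.exe /background",
    RUN_KEY + "Tray": "C:\\Program Files\\Vendor\\tray.exe",
}
CURRENT_STARTUP = {
    RUN_KEY + "OneDrive": "C:\\Users\\alice\\OneDrive.exe /background",
    # an existing entry now points somewhere unexpected ...
    RUN_KEY + "Tray": "C:\\Users\\alice\\AppData\\Local\\Temp\\tray.exe",
    # ... and a brand-new entry has appeared
    RUN_KEY + "Updater": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
}


def demo_startup_diff():
    """Diff the constructed startup snapshots and return the SnapshotDiff."""
    return diff_snapshots(BASELINE_STARTUP, CURRENT_STARTUP)


def demo_file_diff():
    """Snapshot a temporary directory, modify it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        services = os.path.join(tmp, "services")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(services, "w") as fh:
            fh.write("http 80/tcp\n")
        watched = [hosts, services, os.path.join(tmp, "newfile")]
        baseline = snapshot_files(watched)
        # Simulate one watched file being edited and one appearing.
        with open(hosts, "a") as fh:
            fh.write("127.0.0.1 example.invalid\n")
        with open(watched[2], "w") as fh:
            fh.write("unexpected content\n")
        return diff_snapshots(baseline, snapshot_files(watched))


if __name__ == "__main__":
    for line in format_alerts(demo_startup_diff()) + format_alerts(demo_file_diff()):
        print(line)
```

The important design point is that the diff distinguishes a changed value from a new one: a known autostart entry whose command now points into a temp directory is a different kind of alert from a new entry, and a real tool would let the user allow or block each one and record that decision so the next snapshot treats it as the new baseline.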
The program now also includes: Process Launch Monitoring, Folder and File Hooking, emailing of alerts and quarantining of files and directories. There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
Comments
If you're using a soft firewall with HIPS incorporated, such as Comodo or PC Tools for example, then there's no real need for a third-party HIPS, IMO.
I think you should add ProcessGuard Free in there, especially for people still using XP.
Thanks for the suggestion. I did look at the free version of Process Guard before, but it's too crippled compared to the paid one.
http://www.diamondcs.com.au/processguard/download.php
I find WinPatrol to be better than PC Tools Threatfire, mostly in terms of system stability. Using XP SP3.
This is a very good point. I've never known WinPatrol to conflict with anything, whereas Threatfire may cause issues which a lot of folks can do without. The latest version is better in this respect, but still not immune. This is more likely to happen is systems which already have some instabilities, but there are a lot like this around.
Hi MC! Hope all is well. I have a question for you, I am considering using Spyware Terminator for its HIPS component only simply because Winpatrol has become increasingly slow to react to changes. Does ST's HIPS component rely on the real time protection or can you run the HIPS with the real time protection turned off? Also does it play nicely with SAS, MBAM, & Avira 10? Thanks!!!
Hi, I'm fine thanks.
I've never advocated switching bits of a program off which has been carefully designed to function as a complete unit. An exception would be something like CIS which gives a default option to include the AV component or not. If you didn't want to use ST in its entirety then I'd consider something else. For Windows 7 there isn't much choice outside of the firewalls with HIPS combined, but if you're still with XP then EQSecure or better still (IMO) System Safety Monitor are excellent, although be prepared for a lot of alert answering in the early stages. SSM is better in this respect because it has a learning mode and also network protection which makes it a highly effective and comprehensive option. If you'd like a key for the last commercial version then please register and request one from me via the forum PM system as I'm authorized by the program author to issue these. Spyware Terminator will be fine with the scan only versions of SAS and MBAM. I can't answer for Avira 10 because it's too new, but I've not seen any adverse reports and I can't see why there should be any problems.
According to Matousec, ThreatFire provides no protection whatsoever!!!
Why, then, is it recommended as the top choice?
Thanks for all the hard work here at the site.
I tried Threatfire and found it to be quite good although it tended to hog my CPU resources, particularly at start up.
I recently installed a freebie known as "Hazard Shield" version 2.2.0.279. It's just another antispyware program which does an average job of finding and eliminating spyware. The best feature is its real time protection in the form of HIPS. It's amazingly quick at flagging anything not quite right; by comparison, WinPatrol always seems to be a little too late to spring into action, sometimes up to a minute later.
Check it out here:
http://hazard-shield.software.informer.com/
This application is not recommended. I had serious issues at install on my own machine. Others have experienced similar issues and its detection is very poor.
http://www.wilderssecurity.com/showthread.php?t=264275&highlight=hazard+...
Thanks for your comment MidnightCowboy. I wasn't aware of any adverse issues with it so "forewarned is forearmed".
So far it hasn't caused me any grief, only alerting me to any HIPS activities. I'll continue using it for the time being but will be vigilant for any nasty surprises. If it does indeed "intrude", I'll nuke it to that great redundant software cemetery in the sky!
cheers
PS. I checked the Wilders Security Forum via your link and it certainly doesn't come up smelling of roses.
I recommend always looking at the "level reached". If the level says anything other than "10", then ignore the score results. The only way to interpret the results for products with few testing levels is to click on the PDF report.
Matousec calculates the final score by dividing the level 1 results by the total number of possible testing levels. For Threatfire, it's similar to dividing level 1 results by 10 other untested levels (or possible testing levels), which might be a very different score if they divided their 1 level of testing by the total tests at level 1.
Or let's consider an analogy. You go bowling, bowl 1 game, and get a 270. But then you sit out the next 2 games. The other players with you, including your annoying little brother, bowled all three games at around 100 every time. None of them scored more than your 270 in any single game. But your little brother snickers that he beat you three times! Matousec testing method would say he's right and that he did in fact beat you, even in the first game!
How does your little brother support his claim? He decides to lower your 270 score by dividing it by all three games, so you bowled a 90 in game 1! You actually got beat by your snot nosed little brother!
That is what Matousec does!
Thus the low score. What would the score be if they had completely tested the product to level 10?
See this vendor comment from the maker of Outpost for example: "93% is a good result but we regret that level 9 turned out to be an obstacle for the product whereas our internal testing revealed that level 10 was passed with flying colors".
So the other way to interpret the results is to completely ignore the score in the table and test it yourself. I don't recommend it since the tests are for advanced users.
The main use of the table is to compare products at the top. All the other product scores are less informative and somewhat deceptive, especially when the final score gets the most attention. But they cover themselves by warning readers to read all the information on their site before interpreting the results.
I rambled about my interpretation of their scoring here: Matousec Personal Firewall Tests Analyzed.
Threatfire was never designed to be used as a firewall/HIPS combination which is why it scores poorly on Matousec, although truly experienced users can set advanced rules for some network operations. The same applies to Emsisoft's Mamutu which is a pure behavior blocker and also shouldn't be there. Why Matousec decided to complicate his presentation even further by including this type of program only he knows. Suffice to say that for people who can understand the alerts correctly, Threatfire is an excellent complement to traditional anti-virus programs. This type of zero-day technology is now being included in more and more programs which is testament in itself to the value it has over traditional signature based methods.
Matousec basically offers a H.I.P.S. test. As a result, pure/classic firewalls (i.e. firewalls without H.I.P.S.) and behavioral blockers traditionally score low at Matousec's tests.
I appreciate the quick and informative response!
Your hard work makes choosing the right software that little bit easier.
Kudos
On this page under Related Products and Links, the link labeled "Malware Removal Guide" is 404.
Thanks a lot - I've fixed it now.
Hi MidnightCowboy,
Thank you for your very informative article. I would be interested to know more about the performance of these HIPS applications (typical RAM usage for example), so that users like me can take into consideration which application is suited to their hardware.
Once again many thanks,
In terms of resource use from low to high they rank: MJRW, WinPatrol, Threatfire and SpywareTerminator. ST is still some way ahead of the rest so if resource use really is an issue this might be the one to avoid. Otherwise, the need for features should maybe be considered before the amount of memory used unless you have a really low powered machine. You also might want to consider changing a resource hungry primary AV for one less demanding if you have such a beast installed. The latest V5 of Avast! is pretty good on my machine using 25mb and 7mb respectively for the svc.exe and UI.exe. This might then enable you to put in a HIPS without having to worry about the extra resource use.
Many thanks for your prompt reply!
How does Spybot's TeaTimer system settings protection tool rate compared to these other programs? It has white/blacklists, etc. Is it good for HIPS?
This is the TeaTimer FAQ.
http://www.safer-networking.org/en/faq/33.html
Currently S&D seems to be in no man's land compared to some other spyware apps although the program does contain some other useful tools. Unless you really love S&D for what it actually is then I wouldn't install it just for the TeaTimer function. Spyware Terminator would be more effective (on x32 bit systems anyway) because it does have a proper and well thought out HIPS, otherwise stick with whatever comes bundled with your firewall and/or WinPatrol. If you just feel the need for some extra registry protection then MJ Registry Watcher might be just the tool.
Reasonable choices for this forum. There are now many excellent free HIPS, but few suitable for big audience.
P.S. PEGuard seems promising...
PEGuard? Is this Zprotect we're talking about in which case I wasn't aware there was a free version?
My favorites in the past usually combined Avira and Sygate with either EQSecure, Realtime Defender or System Safety Monitor. You can do a lot of damage with these though which is why I only "supported" them in a very limited way via the forum for people with an interest in this type of stuff. They are all redundant beyond XPSP2 (although I think EQS is OK with SP3) so in effect they are dying a natural death as the world moves on to x64 and beyond. IMO currently D+ wants a lot of beating and now that the firewall is 100% stable for the majority of us I see little point in using anything else. Comodo isn't everyone's cup of tea though so naturally programs like Threatfire and Winpatrol add this extra layer if required.
There is some interest in it at Wilders.
http://www.softpedia.com/get/Antivirus/PE-GUARD.shtml
It is free.
Your idea of Defence+ being enough for classical HIPS fans seems justified.
Thanks for the link. There's another program of the same name which was confusing me!
Having now found the right thread at Wilders there seems to be quite a few conflicting reports and errors including BSOD's considering the small usage numbers. I think I'll add this one to my "has potential" pile for the time being and wait for some further development.
Yes. It seems promising, but not yet fully recommendable.
If that is the case, then we can categorize the products according to different levels of proficiency. That way, users will be aware of the good choices that are available. Just a suggestion.
You'll find many on my list. MC gave some ideas above why only a fraction of them are really important.