Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)


Introduction

Gone are the days when a virus was a virus and everything else was - well - different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature-recognition software, HIPS programs were developed that look for behavior on your PC which is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained” which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV-Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these: first scan with your resident antivirus, and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you un-zip it to.

The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories.
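As an added illustration of the snapshot-and-compare approach that WinPatrol's settings snapshot and MJ Registry Watcher's polling loop both rely on (example code written for this page, not either program's own): the monitor baselines a set of autorun keys, re-reads them on every poll and reports additions, changes and, crucially, deletions, which a hook-based monitor cannot see. The key paths and the `read_autoruns` stand-in with its sample data are constructed for the example; on Windows the stand-in would be replaced by a `winreg` reader.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Snapshot: registry key path -> {value name: command line}.
Snapshot = Dict[str, Dict[str, str]]

# Typical autorun locations a HIPS/registry watcher protects (constructed list).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Three successive polls, constructed for the example: a new autorun entry
# appears on the second poll and is removed again on the third.
SAMPLE_POLLS: List[Snapshot] = [
    {RUN_KEY: {"ExampleTray": r"C:\Program Files\Example\tray.exe"}, RUNONCE_KEY: {}},
    {RUN_KEY: {"ExampleTray": r"C:\Program Files\Example\tray.exe",
               "Updater": r"C:\Users\Public\updater.exe"}, RUNONCE_KEY: {}},
    {RUN_KEY: {"ExampleTray": r"C:\Program Files\Example\tray.exe"}, RUNONCE_KEY: {}},
]


@dataclass
class Change:
    kind: str   # "added", "changed" or "deleted"
    key: str
    name: str
    old: str = ""
    new: str = ""


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """Compare two polls of the watched keys. A hook fires only when a value is
    written, so deletions surface only through a comparison like this one."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        old_vals = before.get(key, {})
        new_vals = after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            if name not in old_vals:
                changes.append(Change("added", key, name, new=new_vals[name]))
            elif name not in new_vals:
                changes.append(Change("deleted", key, name, old=old_vals[name]))
            elif old_vals[name] != new_vals[name]:
                changes.append(Change("changed", key, name, old_vals[name], new_vals[name]))
    return changes


def run_poll_loop(reader: Callable[[], Snapshot], rounds: int,
                  interval: float = 30.0) -> List[Change]:
    """Baseline on the first read, then re-read every `interval` seconds
    (MJRW's default is 30) and collect everything that changed."""
    baseline = reader()
    found: List[Change] = []
    for _ in range(rounds):
        time.sleep(interval)
        current = reader()
        found.extend(diff_snapshots(baseline, current))
        baseline = current  # a real monitor re-baselines only once the user allows the change
    return found


def make_reader(polls: List[Snapshot]) -> Callable[[], Snapshot]:
    """Stand-in for a winreg reader: hands out the constructed polls in order."""
    it = iter(polls)
    return lambda: next(it)


if __name__ == "__main__":
    for c in run_poll_loop(make_reader(SAMPLE_POLLS), rounds=2, interval=0):
        print(f"{c.kind:8} {c.key}\\{c.name}  {c.old or c.new}")
```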

There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Gizmo's Freeware award as the best product in its class!
Our rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users; home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
32/64 bit: 32 bit only
License: Unrestricted freeware
Portable: There is no portable version of this product available.
Platform: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Our rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology
Cons: “Scotty the Windows Watchdog” projects a somewhat dated image
Website: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kb
32/64 bit: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: A portable version of this product is available from the developer.
Platform: MS Windows all inc. 64 bit

MJ Registry Watcher
Our rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
32/64 bit: 32 bit only
License: Unrestricted freeware
Portable: This product is portable.
Platform: Windows all

Average: 4 (60 votes)

Comments

by Anupam on 4. January 2010 - 11:52  (40218)

If that is the case, then we can categorize the products according to different levels of proficiency. That way, users will be aware of the good choices that are available. Just a suggestion.

by ako (not verified) on 4. January 2010 - 13:43  (40228)

You find many at my list. MC gave some ideas above why only fraction of them are really important.

by Anupam on 4. January 2010 - 13:56  (40229)

Thanks for the reply :).

by ako (not verified) on 4. January 2010 - 15:38  (40238)

You are welcome. Your idea of mentioning some extra possibilities is good.
MC, I think you could mention here something about Defence+ plus at least. (Eg. repeat above the comment you gave here.)

by MidnightCowboy on 4. January 2010 - 15:51  (40243)

Thanks for the suggestion. The only issue I have with this at the moment is that in order to utilize D+ fully then the AV component from CIS also has to be installed even if the firewall is not. If on the other hand we view this as a firewall/HIPS combination then it's already covered in Rizar's excellent article. Spyware Terminator is the same in that the anti-spyware component (such as it is) comes bundled with the HIPS whether you want it or not. That said, this one is designed to work with other programs whereas CIS is not. In this vein, to install D+ and the Comodo AV without also including the firewall doesn't seem to make much sense, well not to me anyway :)

by ako (not verified) on 4. January 2010 - 16:03  (40244)

Those more familiar with HIPS might wonder why some programs are not included. Couldn't you explain this (eg. about Defence+, SSM) in the end of this article?

by MidnightCowboy on 4. January 2010 - 16:08  (40245)

Yes, this is certainly an idea for enabling a more complete picture. Although the article has been updated recently it is still maybe due a re-write and this is one of the areas I'll add in to it next time.

by Anonymous on 3. January 2010 - 12:27  (40124)

What about the HIPS that is part of the Free Comodo Firewall (i.e. Defense Plus)?

by MidnightCowboy on 3. January 2010 - 12:46  (40126)

D+ is excellent, some would say even the best as part of the CIS firewall. This review though concentrates on applications which can be used as separate programs alongside other software to form a layered defense. Unfortunately, in order to use D+ in this way (without the firewall) the AV component also needs installing and so rules it out.

There are other excellent alternatives which are no longer in development such as EQSecure (3.41), System Safety Monitor and Realtime Defender. These however are not simple programs to manage and understand, are only good up to XPSP2 and have no support so unsuitable for inclusion here.

by Anonymous on 12. May 2010 - 3:35  (49608)

Not true.

Comodo can be installed without the AV. The download is located here:
http://www.comodo.com/home/internet-security/free-internet-security.php

After installing merely right click on the icon and change the Firewall and Sandbox to disabled.

Defense+ works very well with other security programs and thus should be included in this review.

by Anonymous on 21. December 2009 - 23:10  (39123)

Is Threatfire to be recommended above WinPatrol? What criteria can I use if no one wants to answer this directly?! Thank You

by MidnightCowboy on 22. December 2009 - 9:27  (39146)

Threatfire is a more comprehensive solution but potentially capable of giving you more system problems than WinPatrol. The only real way to judge the benefits of either for your own use is to digest the relevant home page feature lists and then make a decision from there. The support forums are also a necessary source of reference. Although there are less issues now with Threatfire than there were with previous versions it's still worth looking to see what is happening to other users. If anything you see there is something you would not wish to cope with yourself then maybe WinPatrol would be the best option.

by Anonymous on 22. December 2009 - 19:01  (39171)

I tried Threatfire again yesterday on XP SP-3 and the latest version had very little noticeable drag unlike earlier versions, so this time I kept it on all day. This morning when I started my PC, I got a popup that Windows turned off Services and Controller App and next another popup stating Internet Explorer Has Encountered a Problem and Has to Close. I knew the problem had to be with Threatfire, so I uninstalled it in safe mode and no more problems.

by Anonymous on 14. January 2010 - 12:03  (41007)

I have tried various versions of Threatfire (including the original Cyberhawk) and found it to be problematic in ALL its various guises. I think people should be very wary of installing HIPS-type programs since they almost always create more problems than the threats they supposedly protect against. My advice: practice safe computing thereby reducing the necessity for such programs.

by MidnightCowboy on 14. January 2010 - 12:56  (41008)

This is very good advice and matches my own sentiments exactly.

Unfortunately it is not up to us to tell people what they should install so rather we try to advise responsibly on what is likely to happen. Undoubtedly Threatfire is better than it was but still the one most likely to cause system problems, and for some users this will involve seeking outside help to fix.

This is why I used to like DSA so much when it was still supported as a standalone program, and not just a part of Privatefirewall. Having just "allow" or "Block" is great when mistakes get made because it's a relatively easy process to return things to normal.

by Anonymous on 21. December 2009 - 23:27  (39125)

The above article places threatfire as top pick!

by LordRahl on 21. December 2009 - 0:31  (39085)

I believe the version of Threatfire is 4.7.0.11, not 4.9.11.23

by MidnightCowboy on 21. December 2009 - 9:23  (39095)

I believe this to be incorrect as both Softpedia and MajorGeeks report 4.9.11.23 as of 4th December. To be certain I've mailed PC Tools support.

by Anupam on 22. December 2009 - 5:16  (39141)

I will agree with LordRahl here. I have seen this increasing trend of discrepancy between the download available on the download sites and on the home page of the software. I have seen download sites hold a newer version of a software, but the version available at the main site of the software would still be an older version. In such cases I trust the site of the software, and not the download sites.

by MidnightCowboy on 22. December 2009 - 9:21  (39145)

There could indeed be a number of reasons for this but the only true answer is going to come from the vendor. To date I'm still waiting for their reply which, considering it's Christmas week, is not unusual.

by MidnightCowboy on 23. December 2009 - 11:11  (39199)

My grateful thanks to those who spotted the different Threatfire file version numbers. PC Tools have now replied to my query and indeed there was an error with the file numbers sent to Softpedia, MajorGeeks and some others. The correct version as of 23.12.09 is 4.7.0.11 which has now been amended above.

by Anupam on 23. December 2009 - 11:54  (39204)

Thanks for the feedback MC. I too had seen the version on MajorGeeks, but I had checked on the PC Tools site, and there it was the older version. I had been regularly checking the site for an updated version, but it never happened.

As said before, I have been watching this trend of wrong information grow since some months, and with lots of software.

by LordRahl on 21. December 2009 - 18:39  (39112)

At the bottom of the page

http://www.threatfire.com/download/

This is probably the most reliable source.

by MidnightCowboy on 20. December 2009 - 22:34  (39082)

I’ve just updated the review to the format you now see above.
I’ve hesitated for some time about which direction to go in but eventually decided to remove DriveSentry.
My thoughts are echoed in other places too as illustrated by this thread from our friends at Wilders.

http://www.wilderssecurity.com/showthread.php?s=d8a377715f9f5f48cc9780ab...

Ultimately I was also helped by recent developments with Threatfire which is much improved from previous versions. I never doubted its detection capabilities but its tendency to also munch some of your system drivers for breakfast was nothing I would recommend for average folk to endure.
Thankfully, these issues are now behind us and Threatfire can regain its top spot with pride.

by Anonymous on 21. December 2009 - 20:42  (39115)

I tried the new Threatfire version from Major Geeks and the noticeable drag on my older XP is reduced to the point that I can now keep it installed. Thanks for the heads up MC. Is there any problem with keeping the Community Monitoring on for auto-updates or is it security-wise to turn this function off and manual update?

by Anonymous on 21. December 2009 - 1:42  (39087)

I notice a drag with Threatfire on an older XP. What ever happened with DSA? I assumed a lot of users liked it.

by MidnightCowboy on 21. December 2009 - 9:36  (39096)

Unfortunately DSA is no longer being developed or supported as a standalone program. It remains an integral part of the now freeware Privatefirewall however and is being improved further as we speak to achieve full x64 bit compatibility. I was a great fan of DSA myself but unfortunately all of the freestanding HIPS applications are now dying out as vendors seek to incorporate everything into either a firewall or complete suite. This is hardly surprising when you consider the amount of alerts generated and work necessary to manage this type of program. EQSecure, System Safety Monitor and Realtime Defender are other examples of excellent products which have also ceased although all will continue to work very happily on XP up to SP2.

Older versions of Threatfire had several issues which I wasn't happy with which is why it ended up being downgraded in my review here. The "drag" I can identify with myself from my own XP days, so much so that I used to use an old version of Cyberhawk instead. Threatfire has improved a lot lately though and I notice no system performance drop on x64 Windows 7 at all. As I say in my review this has maybe been influenced by Symantec's involvement and the use of Threatfire components within the PC Tools Internet Security suite. Whatever the reasons though, Threatfire is now a solid choice for zero day protection although users will still need to be mindful of possible conflicts if their main solution also contains similar technology. Duplicating behavior based software on the same system is not always a good idea.

by Anonymous on 21. December 2009 - 18:48  (39113)

What are your thoughts on users who use a good firewall with strong OS/HIPS protection such as those on the top of Matousec's tree? Is a separate HIPS such as Threatfire, for example, still needed?

by MidnightCowboy on 21. December 2009 - 21:03  (39117)

This is a difficult question to answer for everybody because it’s largely dependent on your surfing habits. If you visit porn, social networking and file sharing sites then you need all the help you can get. In this respect complementary software such as Threatfire with behavioral recognition technology is almost a necessity. Otherwise I would say it isn't with the type of firewall you describe. Resource use is reasonable though at less than 10mb and on my Windows 7 x64 I notice none of the system slowdowns associated with previous versions.

Anyone not wanting to install too many programs anyway could always choose a firewall like Privatefirewall which has good similar technology included. Be aware though that the process monitor is not yet x64 compatible although the other functions are. Full x64 compatibility is still being developed and won’t be in service until around the first quarter of next year. Not only does Privatefirewall notify you about what things are doing, it will also warn you if they are doing it differently to the last time they ran in terms of CPU cycles, memory use etc. This type of anomaly detection is a good resource to have, and with Privatefirewall this extends to emails too. You do need to read their PDF guide first though before installing it to understand fully how to set up a suitable training period, otherwise it will end up annoying you with superfluous alerts and/or not work to its best potential.

by Anonymous on 22. December 2009 - 4:11  (39137)

MC, would your previous comments about protection still be needed/valid if using a program such as Returnil or Sandboxie? Would that not eliminate the need for such "extra" protection or as you stated "all the help you can get?"

Also would you still recommend PrivateFirewall if browsing is done almost exclusively with Returnil or Sandboxie or would that be overkill?
