Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

Introduction

Gone are the days when a virus was a virus and everything else was - well - different! Now known collectively as "malware", these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is "characteristic of malware activity". The user is then presented with an alert to either allow or block the event. Some programs automate this decision, which can occasionally lead to problems. See my article "HIPS Explained", which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called "test results" should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage ("hype").

Review Criteria

My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component set-up on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use, and the software reviewed may react quite differently from one PC to another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint-hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!

 

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users, which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners that are heavily reliant on updates.

WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud, though, is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/

 

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.

The program now also includes: process launch monitoring, folder and file hooking, emailing of alerts, and quarantining of files and directories.

There is an active thread for this software at the Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666. The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
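The snapshot-and-poll approach described above for WinPatrol and MJ Registry Watcher, together with the allow/block decision a HIPS alert asks for, is shown in the following added example. It is illustration code written for this page, not code from any of the products reviewed; the registry is simulated by an in-memory dict with constructed sample values so that it runs anywhere, and the key paths, value names and the StartupWatcher class are assumptions.

```python
from typing import Callable, Dict, List, Tuple

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
USER_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample registry: location -> {value name: command}. Not real data.
FAKE_REGISTRY: Dict[str, Dict[str, str]] = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    USER_RUN_KEY: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
}

Alert = Tuple[str, str, str, str]  # (kind, location, value name, data)


def read_location(location: str) -> Dict[str, str]:
    """Reader callback over the simulated registry (winreg.EnumValue in real life)."""
    return dict(FAKE_REGISTRY.get(location, {}))


def write_location(location: str, values: Dict[str, str]) -> None:
    """Writer callback used when a blocked change is reverted."""
    FAKE_REGISTRY[location] = dict(values)


def diff_snapshots(old: Dict[str, Dict[str, str]], new: Dict[str, Dict[str, str]]) -> List[Alert]:
    """Return added/deleted/changed values between two snapshots. Deletions can
    only be seen this way, which is why MJRW keeps a polling loop beside its hooks."""
    alerts: List[Alert] = []
    for loc, before in old.items():
        after = new.get(loc, {})
        for name in sorted(after.keys() - before.keys()):
            alerts.append(("added", loc, name, after[name]))
        for name in sorted(before.keys() - after.keys()):
            alerts.append(("deleted", loc, name, before[name]))
        for name in sorted(before.keys() & after.keys()):
            if before[name] != after[name]:
                alerts.append(("changed", loc, name, after[name]))
    return alerts


class StartupWatcher:
    """The baseline taken at construction is trusted, which is why the review
    insists the system be clean before a tool of this kind is installed."""

    def __init__(self, reader: Callable[[str], Dict[str, str]],
                 writer: Callable[[str, Dict[str, str]], None], locations) -> None:
        self.reader, self.writer, self.locations = reader, writer, tuple(locations)
        self.baseline = self._snapshot()

    def _snapshot(self) -> Dict[str, Dict[str, str]]:
        return {loc: self.reader(loc) for loc in self.locations}

    def poll(self) -> List[Alert]:
        """One polling pass (MJRW defaults to every 30 s); returns undecided changes."""
        return diff_snapshots(self.baseline, self._snapshot())

    def allow(self, alert: Alert) -> None:
        """User answered 'allow': fold the change into the trusted baseline."""
        kind, loc, name, data = alert
        self.baseline[loc].pop(name, None)
        if kind != "deleted":
            self.baseline[loc][name] = data

    def block(self, alert: Alert) -> None:
        """User answered 'block': restore that single value to its baseline state,
        the way WinPatrol 'deals with the problems it finds'."""
        kind, loc, name, _ = alert
        current = self.reader(loc)
        current.pop(name, None)
        if kind != "added":
            current[name] = self.baseline[loc][name]
        self.writer(loc, current)
```

Hooking a real system would replace the two callbacks with winreg calls and a change-notification thread; the diff and decision logic stay the same.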

Related Products and Links

Quick Selection Guide

Malware Defender
Gizmo's Freeware rating: 4 out of 5
Gizmo's Freeware award as the best product in its class!
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users - home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
32/64 bit: 32 bit only
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Gizmo's Freeware rating: 4 out of 5
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology
Cons: "Scotty the Windows Watchdog" projects a somewhat dated image
Home page: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kB
32/64 bit: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: MS Windows all inc. 64 bit

MJ Registry Watcher
Gizmo's Freeware rating: 3 out of 5
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
32/64 bit: 32 bit only
License: Unrestricted freeware
Portability: This product is portable.
OS: Windows all

Comments

by MidnightCowboy on 19. October 2009 - 12:03  (34981)

Received confirmation from Drive Sentry today that V3.4 Desktop "should" still work on W2K assuming SP4 or above. I've asked for a bit more detail than this as "should" is something I don't understand. Either it does or it doesn't.

by MidnightCowboy on 18. October 2009 - 10:53  (34926)

Thanks for the feedback on this. According to their website DS is still compatible with W2K but I'll mail their support for confirmation. I've not found them too responsive of late, in fact there doesn't seem to be very much activity at all.

by chris.p on 18. October 2009 - 9:56  (34921)

MC, the latest version of Threatfire does not work on Windows 2000 (won't install). Old versions install OK.

Also, TF does not prevent rootkits creating a new .exe and writing it to the disk. If it doesn't do this, I'm not sure what use it is, since the only other useful facility it might contain would be to stop unknown apps dialling out - but your HIPS firewall does that (and much more effectively, in my ongoing live test, which involves trying to get rid of a damn pesky rootkit).

Threatfire - on W2K at any rate - doesn't stop unknown exe's being written onto the disk, and it hardly ever stops new processes dialling out. All these are caught by Avast and Online Armor, not TF.

chris.p

by MidnightCowboy on 18. October 2009 - 11:12  (34931)

Thanks for the heads up about the version install on W2K. I tend to use Softpedia as my reference source for this and they still list it although PC Tools and Cnet (our own link) have removed it.

In truth I've no knowledge of how effective even the older versions of Threatfire might be on W2K because I've never used this system. Many users add Threatfire as an additional layer of security for its keylogging and buffer overflow prevention capabilities.

The real strengths of Threatfire though lie in its ability for custom rule creation, which unfortunately is beyond the abilities of most average users to configure and inadvisable for same to try. This tutorial though has been well written and includes a section for outbound protection.

http://www.wilderssecurity.com/showthread.php?t=253507

To be honest if I was using W2K and felt the need for this type of software I think I'd revert my attentions to the era from when it was written and use Cyberhawk instead, copies of which can still be found.

by sbwhiteman on 18. October 2009 - 13:43  (34940)

Threatfire 4.1 supports Win2K. See footnote 3:

http://www.threatfire.com/updates/

Steve

by chris.p on 18. October 2009 - 14:15  (34943)

Thanks for this, SBW.

MC, maybe you could add this info to the TF details:

W2K users need to download the ThreatFire 4.1 version, the download link is at the foot of this page: www.threatfire.com/updates/

Personally though, I've deleted it and won't be reinstalling it. It never picked up one single disk write out of dozens that a rootkit I had was creating (additional .exe's), and that were stopped by Avast. It never picked up any of the added (malware-created) tasks in Task Scheduler, that WinPatrol stopped. It never picked up any dial-outs, which Online Armor stopped.

Therefore as far as I can see it is not much practical use. Perhaps this just applies to W2K. However it uses very little in the way of system resources :)

chris.p

by MidnightCowboy on 18. October 2009 - 14:08  (34941)

Thanks Steve.

by belphegor on 15. September 2009 - 10:11  (32626)

Hi all. Don't know whether anyone has tried IObit Security 360. I suppose it is a HIPS; running it now myself, seems to work okay. Any chance of giving it a test???? Had trouble with Drive Sentry and Threatfire. Thought I might give this a go....

by Anonymous on 15. September 2009 - 11:03  (32631)

Iobit 360 is an anti-malware product, not a HIPS. It is possible that it will be reviewed here now that the final version has been released, but this decision will be made by the editor of the category concerned.

by Anonymous on 30. August 2009 - 22:20  (31919)

DriveSentry put a BSOD on both my PC and my wife's; both run Comodo and Avira. There is a basic conflict: when I removed DriveSentry the PCs reverted to problem free.

by MidnightCowboy on 10. September 2009 - 17:21  (32486)

When I was trialing DriveSentry for the review my own machine (XPSP2) was also running Comodo and Avira without any problems. Without knowing a lot more details about your system and how you had your other security components configured it's not possible to second guess what might have gone wrong.
Unfortunately these instances are very system specific and often here and in the forums we see similar posts relating to troublesome combinations which others are running quite happily. The (yawn) long awaited new version of DriveSentry is meant to be more imminent now than it was so maybe you might feel confident in re-visiting this software then?

by Anonymous on 29. July 2009 - 21:45  (25979)

I am surprised not to see ProcessGuard included in the review. It is by far one of the best HIPS I have ever used, if not the best. Can you please consider reviewing ProcessGuard?

by MidnightCowboy on 29. July 2009 - 22:31  (25982)

The products reviewed here all have full featured protection. All of the important functions such as Rootkit protection, hooking, driver installation, registry and memory protection are all missing from the free version of ProcessGuard. It doesn't even block new or changed programs. You can achieve far more protection with other software.

by Anonymous on 29. July 2009 - 4:05  (25912)

I'm having two major issues with Dynamic Security Agent. I installed it a few days ago and after a couple days it was using over 200 megs of memory. If I restart it, it goes back down to about 18 or 20 megs, but then starts increasing fast. The other issue is that every time I restart DSA, it turns off my Windows firewall. Any ideas?

by MidnightCowboy on 29. July 2009 - 10:31  (25932)

DSA is now discontinued as a standalone application and no longer supported. An updated version is now included with the Privatefirewall package. This excellent firewall used to be commercial but is now freeware.
http://www.privacyware.com/personal_firewall.html

by Anonymous on 29. July 2009 - 15:47  (25952)

Thanks for the info. I can't find many reviews of Privatefirewall. How do you think it compares to the ones listed on this site (Outpost, Comodo, Online Armor, and PC Tools)?

by Anonymous on 16. September 2009 - 6:49  (32689)

I have been testing it for a few days. It has an 'old' looking interface and is a bit buggy on an XP SP3 machine. It seems to get confused sometimes about what process is doing what and starts blocking the wrong things.

I will be uninstalling it shortly. Not up to par, IMHO.

by MidnightCowboy on 16. September 2009 - 8:47  (32691)

It would be helpful to know which applications and processes you are referring to as the firewall doesn't block anything. It produces an alert to prompt an action, depending on how you have it set up.

by Dogpile on 18. July 2009 - 23:05  (25326)

Hi,

I watched a video on YouTube from mrizos. He reviews a lot of software. He said Geswall was pretty good in his opinion. I DL'd the freeware version.

Any reason the free version doesn't make the list? Is it a poor cousin to the Professional Edition?

Thanks.

Dogpile

by JonathanT on 19. July 2009 - 4:57  (25342)

Although GesWall can be considered a HIPS, it's not really a HIPS as in a behavioural blocker, it's more of a browser protection utility:
http://www.techsupportalert.com/best-free-browser-protection-utility.htm

by MidnightCowboy on 18. July 2009 - 23:33  (25329)

As with all software groups we try to mix performance with ease of use. We also try to reduce the overall amount of items reviewed otherwise the whole thing can become more confusing than it already is, especially for security programs. Also, the following warning is posted on the Softpedia page for GeSWall

NOTE: Only for advanced users. Please be very careful. Your operating system may not start anymore!

On balance therefore I decided to leave it out. If your system knowledge is at a sufficiently high level to operate this software correctly then it would indeed be a good addition to your security setup.

by Dogpile on 19. July 2009 - 0:41  (25335)

Thanks for the quick reply. I removed it from my computer.

by Anonymous on 8. July 2009 - 22:34  (24805)

I tried DriveSentry on XP but it conflicts with Sandboxie, causing it to black out to DOS and switch off abruptly. I have since changed to Vista and decided that PREVX 3 free version is the best available as it effortlessly flags malware without any intrusive pop-up alerts for safe executables. This and the Nod 32 online scanner will find malware that everything else could miss, including Avira Antivir.

by Anonymous on 10. July 2009 - 21:43  (24913)

I was infected by what Nod 32 identified (b.exe, c.exe, d.exe) as a fake Trojan. I then scanned using Virus Total, and Nod32, PrevX, perhaps Trend and Norman also showed positive results. Malwarebytes, SuperAntispyware and A2 all proved useful in identifying and removing it, but only Prevx was able to provide early detection of something that very few other products could prevent. All without having to check every executable message associated with HIPS.
I want to keep SandboxIE and therefore give up on DriveSentry. Therefore PREVX to me is a double blessing.

by MidnightCowboy on 9. July 2009 - 1:11  (24808)

The free version of Prevx provides no protection, only the means to identify malware after it has infected your computer. You would then need considerable system knowledge or another third party application to undertake the removal process. As prevention is always better than cure you would be better to re-consider using a solution with real-time protection. That said, with Sandboxie used properly many would argue that you need nothing else at all.
In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something. In this respect Prevx is no better than the other top marques despite all the rhetoric and charts on their homepage. It's also no worse either. Overall the best two at the moment are Avira and a-squared. Next week it might be two different ones. Malware is evolving at such a fast pace these days it's almost impossible for the traditional software to keep up. This is one area where Prevx does score, but only in the paid version if you want real time protection. Prevx is also not a HIPS in the true sense so it was never designed to alert for executables like DriveSentry.

by Anonymous on 10. July 2009 - 21:20  (24912)

No reconsiderations. I am convinced by my own trials. Avira Antivir + Outpost + PrevX is all I need.

by JonathanT on 9. July 2009 - 1:43  (24810)

"In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something." Are you referring to VirusTotal?

by MidnightCowboy on 9. July 2009 - 11:09  (24820)

Yes, Virus Total is perhaps the best example to demonstrate how one program might find something that another misses, or vice versa. It also serves to demonstrate those programs with a regular high incidence of false positives as enjoyed by a-squared recently.

by JonathanT on 9. July 2009 - 14:38  (24830)

But VirusTotal does not take into account the real-time protection offered by the programs. In particular with a program like Prevx, where the main protection lies in the real-time cloud database, so VirusTotal isn't a good tool to judge the effectiveness of Prevx (or many other software).

by MidnightCowboy on 9. July 2009 - 17:54  (24844)

The comment was merely an illustration about how certain threats can be missed by one application and not another, and how the results could well be reversed with a new batch of malware. I accept the point about Prevx but the original comment was about the free version.
