Get our latest top picks
Subscribe to our Top Picks RSS Feed or enter your email address below to get the feed delivered to you by email:
|
Follow Gizmo |
 |
 |
 |
Register/Login
Top Rated
Gizmo's Freeware is Recruiting
We are looking for people with skills or interest in the following:
- Mobile Platform App Reviews for Android and iOS
- Anonymous Surfing Service
- Rootkit Scanner and Remover
- Streaming Media Recorder
- PDF Writer
Interested? Click here
Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)
|
In a Hurry?
|
|
|
Go straight to the |
Introduction
|
|
Gone are the days when a virus was a virus and everything else was - well – different! Now known collectively as “Malware” these threats are constantly evolving and pose a serious challenge to security software. Signature based scanners give the most reliable detection results but these are limited by the frequency of their database updates. To compliment signature recognition software HIPS programs were developed which look for behavior on your PC which is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process which can occasionally lead to problems. See my article “HIPS Explained” which deals with this and other issues in more detail. Evaluating the performance of HIPS programs is far from easy and any so called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. There is no such definition line possible for testing HIPS software and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”). Review Criteria |
|
Discussion
|
|
Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this event is set out quite nicely here if anyone is interested. Just follow the thread through.
In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows own firewall, but wanting more detailed control. It also scores very highly in the Matousec tests for those inclined to value the results. It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!
WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. It's main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach which makes it more likely to find new malware than traditional signature based scanners which are heavily reliant on updates. WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is with WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds so you won't need another program to do this for you. As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users. The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here: http://billpstudios.blogspot.com/
The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories. There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested. |
- Article type:
- Login or register to post comments
Printer-friendly version
Comments
MC, the latest version of Threatfire does not work on Windows 2000 (won't install). Old versions install OK.
Also, TF does not prevent rootkits creating a new .exe and writing it to the disk. If it doesn't do this, I'm not sure what use it is, since the only other useful facility it might contain would be to stop unknown apps dialling out - but your HIPS firewall does that (and much more effectively, in my ongoing live test, which involves trying to get rid of a damn pesky rootkit).
Threatfire - on W2K at any rate - doesn't stop unknown exe's being written onto the disk, and it hardly ever stops new processes dialling out. All these are caught by Avast and Online Armor, not TF.
chris.p
Thanks for the heads up about the version install on W2K. I tend to use Softpedia as my reference source for this and they still list it although PC Tools and Cnet (our own link) have removed it.
In truth I've no knowledge of how effective even the older versions of Threatfire might be on W2K because I've never used this system. Many users add Threatfire as an additional layer of security for it's keylogging and buffer overflow prevention capabilities.
The real strengths of Threatfire though lie in it's ability for custom rule creation which unfortunately is beyond the abilities of most average users to configure and inadvisable for same to try. This tutorial though has been well written and includes a section for outbound protection.
http://www.wilderssecurity.com/showthread.php?t=253507
To be honest if I was using W2K and felt the need for this type of software I think I'd revert my attentions to the era from when it was written and use Cyberhawk instead, copies of which can still be found.
Threatfire 4.1 supports Win2K. See footnote 3:
http://www.threatfire.com/updates/
Steve
Thanks for this, SBW.
MC, maybe you could add this info to the TF details :
W2K users need to download the ThreatFire 4.1 version, the download link is at the foot of this page: www.threatfire.com/updates/
Personally though, I've deleted it and won't be reinstalling it. It never picked up one single disk write out of dozens that a rootkit I had was creating (additional .exe's), and that were stopped by Avast. It never picked up any of the added (malware-created) tasks in Task Scheduler, that WinPatrol stopped. It never picked up any dial-outs, which Online Armor stopped.
Therefore as far as I can see it is not much practical use. Perhaps this just applies to W2K. However it uses very little in the way of system resources :)
chris.p
Thanks Steve.
Hi all.Dont know wether anyone has tried iobit security 360.I suppose it is a hips,running it now myself,seems to work okay,any chance of giving it a test???? Had trouble with drive sentry and threatfire.thought i mite give this a go....
Iobit 360 is an anti-malware product, not a HIPS. It is possible that it will be reviewed here now that the final version has been released, but this decision will be made by the editor of the category concerned.
DriveSentry put a BSOD on bith my pc and my wife's, both run Comodo and Avira. There is a basic conflict when I removed DriveSentry the PCs reverted to problem free
When I was trialing DriveSentry for the review my own machine (XPSP2) was also running Comodo and Avira without any problems. Without knowing a lot more details about your system and how you had your other security components configured it's not possible to second guess what might have gone wrong.
Unfortunately these instances are very system specific and often here and in the forums we see similar posts relating to troublesome combinations which others are running quite happily. The (yawn) long awaited new version of DriveSentry is meant to be more imminent now than it was so maybe you might feel confident in re-visiting this software then?
I am surprised not to see ProcessGuard included in the review. It is by far one of the best hips i have ever used if not the best. Can you please consider reviewing ProcessGuard?
The products reviewed here all have full featured protection. All of the important functions such as Rootkit protection, hooking, driver installation, registry and memory protection are all missing from the free version of ProcessGuard. It doesn't even block new or changed programs. You can achieve far more protection with other software.
I'm having two major issues with Dynamic Security Agent. I installed it a few days ago and after a couple days it was using over 200 megs of memory. If I restart it, it goes back down to about 18 or 20 megs, but then starts increasing fast. The other issue is that every time I restart DSA, it turns off my Windows firewall. Any ideas?
DSA is now discontinued as a standalone application and no longer supported. An updated version is now included with the Privatefirewall package. This excellent firewall used to be commercial but is now freeware.
http://www.privacyware.com/personal_firewall.html
Thanks for the info. I can't find many reviews of Privatefirewall. How do you think it compares to the ones listed on this site (Outpost, Comodo, Online Armor, and PC Tools)?
I have been testing it for a few days. It has an 'old' looking interface and is a bit buggy on an XP SP3 machine. It seems to get confused sometimes about what process is doing what and starts blocking the wrong things.
I will be uninstalling it shortly. Not up to par, IMHO.
It would be helpful to know which applications and processes you are referring to as the firewall doesn't block anything. It produces an alert to prompt an action, depending on how you have it set up.
Hi,
I watched a video on YoutTube from mrizos. He reviews a lot of software. He said Geswall was pretty good in his opinion. I DL'd the freeware version.
Any reason the free version doesn't make the list? Is it a poor cousin to the Professional Edition?
Thanks.
Dogpile
Although GesWall can be considered a HIPS, it's not really a HIPS as in a behavioural blocker, it's more of a browser protection utility:
http://www.techsupportalert.com/best-free-browser-protection-utility.htm
As with all software groups we try to mix performance with ease of use. We also try to reduce the overall amount of items reviewed otherwise the whole thing can become more confusing than it already is, especially for security programs. Also, the following warning is posted on the Softpedia page for GeSWall
NOTE: Only for advanced users. Please be very careful. Your operating system may not start anymore!
On balance therefore I decided to leave it out. If your system knowledge is at a sufficiently high level to operate this software correctly then it would indeed be a good addition to your security setup.
Thanks for the quick reply. I removed it from my computer.
I tried DriveSentry on XP but it conflicts with Sandboxie causing it to blackout to DOS and switch off abruptly. I have since changed to Vista and decided that PREVX 3 free version is the best available as it effortlessly flags malware without any intrusive pop alerts of safe executables. This and Nod 32 online scanner will find malware that everything else could miss including Avira Antivir.
I was infected by what Nod 32 Identified b.exe c.exe d.exe as fake Trojan. I then scanned using Virus Total and Nod32,PrevX perhaps Trend and Norman also showed positive results. Malwarebytes, SuperAntispyware, A2 all proved usefull in identifying and removing but only Prevx was able to provide early detection of something that very few other products could prevent. All without having to check every executable message asociated with HIPS.
I want to keep SandboxIE and therefore give up on DriveSentry. Therefore PREVX to me is a double blessing.
The free version of Prevx provides no protection, only the means to identify malware after it has infected your computer. You would then need considerable system knowledge or another third party application to undertake the removal process. As prevention is always better than cure you would be better to re-consider using a solution with real-time protection. That said, with Sandboxie used properly many would argue that you need nothing else at all.
In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something. In this respect Prevx is no better than the other top marques despite all the rhetoric and charts on their homepage. It's also no worse either. Overall the best two at the moment are Avira and a-squared. Next week it might be two different ones. Malware is evolving at such a fast pace these days it's almost impossible for the traditional software to keep up. This is one area where Prevx does score, but only in the paid version if you want real time protection. Prevx is also not a HIPS in the true sense so it was never designed to alert for executables like DriveSentry.
No reconsiderations. I am convinced by the my own trials. Avira Antivir + Outpost + PrevX is all I need.
"In terms of detection statistics you will see from the file scan results in various places that all of the recognized software misses something." Are you referring to VirusTotal?
Yes, Virus Total is perhaps the best example to demonstrate how one program might find something that another misses, or vice versa. It also serves to demonstrate those programs with a regular high incidence of false positives as enjoyed by a-squared recently.
But VirusTotal does not take into account the real-time protection offered by the programs. In particular with a program like Prevx, where the main protection lies in the real-time cloud database, so VirusTotal isn't a good tool to judge the effectiveness of Prevx (or many other software).
The comment was merely an illustration about how certain threats can be missed by one application and not another, and how the results could well be reversed with a new batch of malware. I accept the point about Prevx but the original comment was about the free version.
The free version of Prevx has full detection capabilities of its real-time protection. So the level of detection between the free and paid are the same.
I appreciate that the detection levels are the same. It was more the "protection" capabilities I was concerned with as the OP was comparing Prevx free with DriveSentry and Avira.
This is what I saw on their website which to me suggests that "protection" is only available with an upgrade to the commercial version.
"Should Prevx 3.0 detect infections missed by your existing security product(s) you can always upgrade to add malware removal and protection at any time or report the infection to your existing security"