Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

 

Introduction

Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear-cut measure is possible for testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).

Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component set-up on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use, and the software reviewed may react quite differently from one PC to another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events leading up to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint-hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system, otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!

 

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to revisit an old favorite of many users, which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version. One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/

 

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you unzip it to.

The program now also includes process launch monitoring, folder and file hooking, emailing of alerts, and quarantining of files and directories.

There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666 The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
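Both WinPatrol's snapshot-and-compare approach and MJ Registry Watcher's 30-second polling of startup locations can be reproduced in miniature. The PowerShell below is an added example written for this page, not code from either product; it assumes an elevated session, and the list of Run keys, Startup folders and task stores (the legacy .job folder Vista/7 keep for compatibility, and the Task Scheduler 2.0 XML store) is my own selection.

```powershell
# Added example, not code from WinPatrol or MJ Registry Watcher: take a baseline
# of common Windows autostart locations and, every 30 seconds (MJRW's default
# poll interval), report entries that were added, changed or removed.
# Run from an elevated PowerShell session so the task stores are readable.

# Registry keys that launch programs at logon (assumed watch list).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders plus both scheduled-task stores: the legacy .job folder and
# the Task Scheduler 2.0 XML definitions introduced with Vista.
$WatchDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\System32\Tasks"
)

# Properties Get-ItemProperty adds that are not real registry values.
$MetaNames = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    # Maps each autostart entry to a fingerprint: the value data for registry
    # entries, size plus last-write time for files.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($MetaNames -contains $prop.Name) { continue }
            $snap["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    foreach ($dir in $WatchDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # A content hash (Get-FileHash) is stronger but needs PowerShell 4.
                $snap[$_.FullName] = "$($_.Length):$($_.LastWriteTimeUtc.Ticks)"
            }
    }
    return $snap
}

function Compare-AutostartSnapshot($Old, $New) {
    # One line per difference; unchanged entries produce nothing.
    $changes = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) { $changes += "ADDED   $k = $($New[$k])" }
        elseif ($Old[$k] -ne $New[$k]) { $changes += "CHANGED $k : $($Old[$k]) -> $($New[$k])" }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) { $changes += "REMOVED $k" }
    }
    return $changes
}

# Polling loop. Deletions are caught here just as MJRW's polling loop catches
# them; a change made and undone between two polls is missed, which is the gap
# MJRW closes by also hooking the keys.
$baseline = Get-AutostartSnapshot
Write-Host "Baseline holds $($baseline.Count) autostart entries; polling every 30 s."
while ($true) {
    Start-Sleep -Seconds 30
    $current = Get-AutostartSnapshot
    foreach ($line in (Compare-AutostartSnapshot -Old $baseline -New $current)) {
        if ($line) { Write-Warning $line }
    }
    $baseline = $current
}
```

Unlike the reviewed tools this script only reports; it does not block or revert a change, so it is a way to see what these programs watch rather than a replacement for them.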

Related Products and Links
Quick Selection Guide

Malware Defender
Rating: 4
Gizmo's Freeware award as the best product in its class!
Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users - home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
Platform: 32 bit only
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Rating: 4
Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology
Cons: “Scotty the Windows Watchdog” projects a somewhat dated image
Home page: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kb
Platform: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: MS Windows all inc. 64 bit

MJ Registry Watcher
Rating: 3
Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
Platform: 32 bit only
License: Unrestricted freeware
Portability: This product is portable.
OS: Windows all


Comments

by Anonymous on 9. November 2009 - 9:11  (36253)

Hi MC! I've got a question pertaining to MJ Reg Watcher. When you said... Installation is not required, simply run the program from whichever directory you un-zip it to. Were you referring to the Program Files Directory or Windows Directory? Mark mentions to make a shortcut to C:\MJRegWatcher\RegWatcher.exe which sounds like it's extracted to the Windows Directory. Also, to make Reg Watcher start up with WindowsXP, should I copy/paste the Reg Watcher.exe into the Start folder in the all programs menu? Thanks a lot as always!!

by MidnightCowboy on 9. November 2009 - 9:41  (36254)

Hi
I keep all of these things in my program files, or at least I did because MJRW won't work on my new system. If you create a new folder for it in Programs and unzip the contents into this, then you can open the folder, right click on the file and then "send to desktop - create shortcut". The auto start can be configured from the options menu after you start it for the first time with the shortcut.

by Anonymous on 2. December 2009 - 13:46  (37690)

Note: Current WinPatrol version is 17.1.2010.0

by MidnightCowboy on 2. December 2009 - 17:47  (37711)

Thanks for the jolt - I've changed it. I'll try to get round to checking the others too because I'm pretty sure that the version of ST at least has also changed. If only there were 25 hours in the day........

by Rizar on 2. December 2009 - 21:03  (37722)

I've been trying out Scotty of late and find it very light and especially excellent on XP. But I get mixed results on Vista. For some reason it won't detect some types of scheduled tasks. It fails to stop Secunia PSI from secretly infiltrating the task scheduler, and it never picked up my manual task with Ccleaner. It stopped Secunia on my XP system though.

by MidnightCowboy on 2. December 2009 - 21:22  (37724)

Thanks for the feedback. I'll take this up with Bill and let you know what he comes back with.

by MidnightCowboy on 3. December 2009 - 19:02  (37784)

This is Bill's response now from WinPatrol which others might also find of interest.

"Starting with Vista, Microsoft introduced Task Scheduler 2.0. Luckily, Microsoft made Task Scheduler more secure so it hasn't been a priority to add monitoring to WinPatrol. Under the original Task Scheduler an attack could be introduced by just adding a .job file in the right location. Vista and Windows7 still support the original Task Scheduler model for compatibility so it's still monitored by WinPatrol.

I'm not sure what manual task was done using CCleaner but Scotty would not have objected to a user choosing to run an application unless it tried to embed itself in the registry. WinPatrol monitors particular registry entries which allow programs to become resident. If we monitored any registry change users wouldn't like the performance"

by Rizar on 4. December 2009 - 1:05  (37792)

Thanks, MC/Bill. It was CCleaner.exe /AUTO, by the way. The reason I thought it was odd is that it detects Defraggler's automatically added task (df.exe C: /ts) but not Secunia's (psi.exe --start-in-tray). Though it just detects Defraggler to the extent that it lists it in its manager; Secunia & CCleaner don't appear at all.

Windows Defender, of all programs, does detect the Secunia task scheduler change and prompts me about it.

All of the programs are excellent and known to be safe, of course, but many users know zero about the task scheduler and would be stuck with extra programs loading at every startup. Many Vista Home editions bog down enough just on their own and I usually find a bunch of startup programs as the first thing I have to manage to try to make the computer (sort of) fast again (which is rarely successful to my satisfaction in home editions for some reason). I would think WinPatrol would be interested in managing the startup/task-scheduler as much as providing protection, as a multi purpose utility, and to alert the user of "changes that may occur without your knowledge".

For example, a common way to avoid startup popup alerts in Vista (from the UAC) is to use the task scheduler to autostart a program (which is what Secunia does).

It's still a great little program and will remain in my portable reserve, but it probably won't make the cut for me as an installed program on Vista (I will continue using it on XP probably).

Thanks for the work MC.

by Anonymous on 10. December 2009 - 18:52  (38209)

I think I'll try the little "watch dog" with my avira and PC tools firewall plus. Sure is a lot of good feedback on WinPatrol.

by MidnightCowboy on 10. December 2009 - 20:32  (38212)

I'm sure you won't be disappointed. Even gets an excellent status in the review at Softpedia which is one of the better sites for such things. The version reviewed there is not the latest either so none of the recent improvements will have been considered. There are two roads to go down with this type of software. You can do it the hard way with old stuff like System Safety Monitor or EQSecure, or you can do it the easy way with WinPatrol. OK, so there's no real comparison with the individual component control possible but for most folks the end result will be the same, but the headaches a lot less!

by Anonymous on 11. December 2009 - 16:22  (38301)

Could someone please tell me if I can use DriveSentry with my existing AVG 9 and a firewall? I remember reading (here?) a while back that if you had DriveSentry you had to turn off any existing installed AV or firewall program -- or is that only if you have a firewall with a HIPS component enabled...? Thanks.

by MidnightCowboy on 11. December 2009 - 16:42  (38307)

I don't have any personal knowledge of compatibility with AVG because I've never used it. You can always try installing DriveSentry because it will warn you if AVG is not compatible and you can then abort the process. In this case you could try WinPatrol instead which is widely regarded.

by Anonymous on 12. December 2009 - 2:32  (38357)

Like to ask further...I was using threatfire but it seemed to slow my system down somewhat. Not so with winPatrol along with avira and pc tools firewall plus. Question is do threatfire and winPatrol perform the same functions basically ?

by Anonymous on 12. December 2009 - 5:09  (38369)

Does Winpatrol need any special tweaking for optimum performance/protection once installed?

by MidnightCowboy on 12. December 2009 - 8:48  (38378)

WinPatrol is fine at its default settings. All security software is designed to install at an "optimum" level, i.e. one which the devs have determined to offer the best protection for the most people on the majority of average systems. Of course advanced settings are possible, but unless your knowledge of Windows (or in the case of firewalls, networking) is at a sufficiently high level then these are best left alone.

by MidnightCowboy on 12. December 2009 - 8:58  (38381)

Ultimately both are seeking to achieve the same thing although the way they go about this is somewhat different. Threatfire contains behavior analysis technology designed to watch for actions typical of and possibly caused by malware.
WinPatrol still takes a heuristic approach to the same subject but is far less involved with your system than Threatfire which is why, in general, people have less issues with it. With your current setup, WinPatrol will be more than adequate to partner the programs you already have, all of which are excellent choices.

by Anonymous on 14. December 2009 - 21:12  (38667)

I installed the free version of Drive Sentry and liked it enough to pay the $15 for the full version. My problems started at that point. First of all I had to use a round about way to even purchase Drive Sentry. The pop up link you get after creating an account sent me to a local address on my computer.
I tried registering on their support forums and apparently a Board Admin is required to approve you even after the activation email. It's been 4 days and nothing.

I'm now getting run time errors and Drive Sentry shut downs. I can not find any support information besides the forum which I can not get to. The contact numbers are always closed.

I've wasted $15 before, it's not the end of the world. I would really second think installing Drive Sentry or even purchasing a product that has limited support.

by MidnightCowboy on 14. December 2009 - 23:04  (38681)

I admit myself that I can't really understand the direction that this company is meant to be going in. Just when I'm ready to have a category re-think they come up with a burst of activity to keep me interested. This has happened twice now but I am definitely running out of patience.

On a personal note, if you care to register here and then send me a PM via the forum I'll take your situation up directly with the vendor. For obvious reasons they won't entertain a request about an anonymous post.

by MidnightCowboy on 20. December 2009 - 22:34  (39082)

I’ve just updated the review to the format you now see above.
I’ve hesitated for some time about which direction to go in but eventually decided to remove DriveSentry.
My thoughts are echoed in other places too as illustrated by this thread from our friends at Wilders.

http://www.wilderssecurity.com/showthread.php?s=d8a377715f9f5f48cc9780ab...

Ultimately I was also helped by recent developments with Threatfire which is much improved from previous versions. I never doubted its detection capabilities but its tendency to also munch some of your system drivers for breakfast was nothing I would recommend for average folk to endure.
Thankfully, these issues are now behind us and Threatfire can regain its top spot with pride.

by LordRahl on 21. December 2009 - 0:31  (39085)

I believe the version of Threatfire is 4.7.0.11, not 4.9.11.23

by Anonymous on 21. December 2009 - 1:42  (39087)

I notice a drag with Threatfire on an older XP. What ever happened with DSA? I assumed a lot of users liked it.

by MidnightCowboy on 21. December 2009 - 9:23  (39095)

I believe this to be incorrect as both Softpedia and MajorGeeks report 4.9.11.23 as of 4th December. To be certain I've mailed PC Tools support.

by MidnightCowboy on 21. December 2009 - 9:36  (39096)

Unfortunately DSA is no longer being developed or supported as a standalone program. It remains an integral part of the now freeware Privatefirewall however and is being improved further as we speak to achieve full x64 bit compatibility. I was a great fan of DSA myself but unfortunately all of the freestanding HIPS applications are now dying out as vendors seek to incorporate everything into either a firewall or complete suite. This is hardly surprising when you consider the amount of alerts generated and work necessary to manage this type of program. EQSecure, System Safety Monitor and Realtime Defender are other examples of excellent products which have also ceased although all will continue to work very happily on XP up to SP2.

Older versions of Threatfire had several issues which I wasn't happy with which is why it ended up being downgraded in my review here. The "drag" I can identify with myself from my own XP days, so much so that I used to use an old version of Cyberhawk instead. Threatfire has improved a lot lately though and I notice no system performance drop on x64 Windows 7 at all. As I say in my review this has maybe been influenced by Symantec's involvement and the use of Threatfire components within the PC Tools Internet Security suite. Whatever the reasons though, Threatfire is now a solid choice for zero day protection although users will still need to be mindful of possible conflicts if their main solution also contains similar technology. Duplicating behavior based software on the same system is not always a good idea.

by LordRahl on 21. December 2009 - 18:39  (39112)

at the bottom of the page

http://www.threatfire.com/download/

this is probably the most reliable source

by Anonymous on 21. December 2009 - 18:48  (39113)

What are your thoughts on users who use a good firewall with strong os/hips protection such as those on the top of matousecs tree? Is a separate hips such as threatfire for eg still needed?

by Anonymous on 21. December 2009 - 20:42  (39115)

I tried the new Threatfire version from Major Geeks and the noticeable drag on my older XP is reduced to the point that I can now keep it installed. Thanks for the heads up MC. Is there any problem with keeping the Community Monitoring on for auto-updates or is it security-wise to turn this function off and manual update?

by MidnightCowboy on 21. December 2009 - 21:03  (39117)

This is a difficult question to answer for everybody because it’s largely dependent on your surfing habits. If you visit porn, social networking and file sharing sites then you need all the help you can get. In this respect complementary software such as Threatfire with behavioral recognition technology is almost a necessity. Otherwise I would say it isn't with the type of firewall you describe. Resource use is reasonable though at less than 10mb and on my Windows 7 x64 I notice none of the system slowdowns associated with previous versions.

Anyone not wanting to install too many programs anyway could always choose a firewall like Privatefirewall which has good similar technology included. Be aware though that the process monitor is not yet x64 compatible although the other functions are. Full x64 compatibility is still being developed and won’t be in service until around the first quarter of next year. Not only does Privatefirewall notify you about what things are doing, it will also warn you if they are doing it differently to the last time they ran in terms of CPU cycles, memory use etc. This type of anomaly detection is a good resource to have, and with Privatefirewall this extends to emails too. You do need to read their PDF guide first though before installing it to understand fully how to set up a suitable training period otherwise it will end up annoying you with superfluous alerts and/or not work to its best potential.

by Anonymous on 21. December 2009 - 23:10  (39123)

Is Threatfire to be recommended above WinPatrol? What criteria can I use if no one wants to answer this directly?! Thank You

by Anonymous on 21. December 2009 - 23:27  (39125)

The above article places threatfire as top pick!

by Anonymous on 22. December 2009 - 4:11  (39137)

MC, would your previous comments about protection still be needed/valid if using a program such as Returnil or Sandboxie? Would that not eliminate the need for such "extra" protection or as you stated "all the help you can get?"

Also would you still recommend PrivateFirewall if browsing is done almost exclusively with Returnil or Sandboxie or would that be overkill?
