Threatfire custom rules setup
Kees1958
August 18th, 2007, 06:32 AM
Dear all,
Thanks PC Tools for giving such a wonderful application for free. The beta is in fact CyberHawk Pro with a refurbished GUI. All functionality works okay, so for a Beta it is a stable version regarding the free functionality (only a few minor GUI glitches).
Regards Kees.
Kees1958
August 18th, 2007, 06:33 AM
Install Threatfire
Click on the icon, main screen appears and click on the advanced rules button
Kees1958
August 18th, 2007, 06:34 AM
Choose custom rules setting (click on button)
Kees1958
August 18th, 2007, 06:35 AM
Now we are going to enter our custom rules.
We will start with file protection.
Click on the NEW button
Kees1958
August 18th, 2007, 06:37 AM
Next the rule wizard screen appears, explaining the basic process sequence and setup logic of the custom rules.
Choose NEXT ("Volgende" in Dutch).
Kees1958
August 18th, 2007, 06:38 AM
Now we have to define the source. Because we want to apply this to all processes, select Any Process and click Next (Volgende).
Kees1958
August 18th, 2007, 06:45 AM
Now the trigger screen appears.
The event triggering this rule is when a process tries to access a file, so select this [shown as a. SELECT].
Now look at the lower part of this screen and click on the underlined text (access), [shown as b. CLICK (in red)]
A file pop up appears (with four options), please only select three of them (write, create and delete) [shown as c. SELECT].
Click on the OK button of the file access pop-up screen [shown as d. CLICK]
Kees1958
August 18th, 2007, 06:54 AM
I have forgotten to also mark the option "that looks like an executable". Please also select this (sorry).
Next text explains the attached picture
Now the rule options screen appears, select "named file name" [shown as a. SELECT].
Look again at the lower half of the screen and click on the underlined text "file name" [shown as b. CLICK].
A file list pop-up appears in which you can enter file names or, in this case, file suffixes. We start by entering the first file extension "*.exe" [shown as c. ENTER extension in red]. Click on the + button [shown as d. CLICK] to add this extension to the list in the lower part of the screen. Repeat this for all extensions which are executable-like, for instance
*.ax, *.bin, *.cab, *.cmd, *.com, *.dll, *.drv, *.exe, *.hta, *.ocx, *.sys, *.tlb, *.vxd, *.x32, et cetera.
Kees1958
August 18th, 2007, 06:55 AM
When you have entered all extensions, choose/click the OK button.
Kees1958
August 18th, 2007, 06:59 AM
Now we are going to specify which directories should be watched.
So we also select the option "in the folder", [a] and (hope you are getting familiar with the user interface, so I am leaving out explanatory text).
Click on the underlined text "the folder" [b] and a Folder list screen appears.
Enter the directories in the text field [c] or navigate with the triple dot button to the desired directory. Repeat [d] and choose OK [e] by clicking on this button.
Kees1958
August 18th, 2007, 07:00 AM
Your entered options are shown (make the screen larger for clarity), choose Next by clicking on it (Volgende means Next in Dutch).
Kees1958
August 18th, 2007, 07:02 AM
Next the exceptions screen appears, choose trusted processes and system processes, continue by clicking on Next button
Kees1958
August 18th, 2007, 07:03 AM
Finish this rule by giving it a name and a description, click on the second button (Voltooien = complete) when ready.
Kees1958
August 18th, 2007, 07:05 AM
Now activate this rule by selecting and choose Apply (Toepassen)
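The file protection rule built in the posts above, modelled as an added example (this is not code from the thread or from PC Tools, and the matching semantics are assumptions: case-insensitive suffix matching, folder matching that includes subfolders, and constructed stand-ins for the system and trusted process lists). Running it over a few constructed file events shows which ones the rule would raise an alert for and which the exclusions or the unticked "read" access let through:

```python
"""Model of the file protection rule built in the posts above: any process
that writes, creates or deletes an executable-like file in a watched folder
trips the rule, unless the process is on the system or trusted list.
Constructed example; the matching semantics (case-insensitive suffix match,
folder prefix match that includes subfolders) are assumptions, not
ThreatFire's documented behaviour."""
from dataclasses import dataclass
from fnmatch import fnmatch
import ntpath

# Access types ticked in the file access pop-up; "read" is deliberately left out.
WATCHED_ACCESS = {"write", "create", "delete"}

# Suffix list as entered in the file list pop-up (taken from the thread).
EXECUTABLE_SUFFIXES = [
    "*.ax", "*.bin", "*.cab", "*.cmd", "*.com", "*.dll", "*.drv", "*.exe",
    "*.hta", "*.ocx", "*.sys", "*.tlb", "*.vxd", "*.x32",
]

# Folder list; constructed sample entries.
WATCHED_FOLDERS = ["C:\\WINDOWS", "C:\\Program Files"]

# Exclusions chosen on the exceptions screen. ThreatFire maintains these
# lists itself; the names here are constructed stand-ins.
SYSTEM_PROCESSES = {"csrss.exe", "services.exe", "svchost.exe", "winlogon.exe"}
TRUSTED_PROCESSES = {"msiexec.exe"}


@dataclass
class FileEvent:
    process: str   # image name of the process performing the access
    access: str    # "read", "write", "create" or "delete"
    path: str      # full Windows path of the file being accessed


def looks_like_executable(path: str) -> bool:
    """True when the file name matches one of the executable-like suffixes."""
    name = ntpath.basename(path).lower()
    return any(fnmatch(name, pattern) for pattern in EXECUTABLE_SUFFIXES)


def in_watched_folder(path: str) -> bool:
    """True when the file lies in (or below) one of the watched folders."""
    normalised = ntpath.normcase(path)
    return any(normalised.startswith(ntpath.normcase(folder).rstrip("\\") + "\\")
               for folder in WATCHED_FOLDERS)


def rule_fires(event: FileEvent) -> bool:
    """Evaluate the rule for one event, applying the exclusions last."""
    if event.access not in WATCHED_ACCESS:
        return False
    if not looks_like_executable(event.path) or not in_watched_folder(event.path):
        return False
    return event.process.lower() not in SYSTEM_PROCESSES | TRUSTED_PROCESSES


def evaluate(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events; the comment states the expected verdict.
SAMPLE_EVENTS = [
    FileEvent("notepad.exe", "write", "C:\\Users\\me\\notes.txt"),              # not executable-like
    FileEvent("unknown1.exe", "create", "C:\\WINDOWS\\System32\\helper.dll"),   # fires
    FileEvent("svchost.exe", "write", "C:\\WINDOWS\\System32\\drivers\\x.sys"), # system process, excluded
    FileEvent("browser.exe", "read", "C:\\WINDOWS\\explorer.exe"),              # read is not watched
    FileEvent("unknown2.exe", "delete", "C:\\Program Files\\App\\app.exe"),     # fires
    FileEvent("unknown2.exe", "write", "C:\\Temp\\update.exe"),                 # outside watched folders
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {e.process} tried to {e.access} {e.path}")
```

The exclusion check runs last on purpose: a process on the trusted list is allowed to do exactly the same thing that fires for anyone else, which is why the trusted list deserves as much care as the file list.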
Kees1958
August 18th, 2007, 07:11 AM
Now we are familiar with the user interface, the next pictures will show you how to set up registry protection, for instance the startup protection explained by Toni Klein (see regdefend part of wilders).
I have included screen shots with the registry keys and values which Toni mentions, only (being lazy) I have not entered them all.
We want to make a new rule, so choose NEW in the (see post #4). The rule wizard appears, choose Next (post 5) and the Trigger screen appears; again we want to apply this to all processes (post 6) and the Trigger screen appears.
The event we want to watch is when a process "tries to write to the registry", select this [a] and click on Next [b].
Kees1958
August 18th, 2007, 07:16 AM
Next the rule options screen pops up.
We will start with registry keys and will enter the values to watch later on,
so select "to the key" [a] and click on the underlined text "the key" [b] on the lower half of the screen.
Next the registry keys screen pops up. You can enter text in the text field according to the standard registry syntax. An important note is that Threatfire requires a \ on the end for registry keys.
Enter a registry key to protect (e.g. HKCR\Folder\ColumnHandlers\ ) [c], click on add [d] and repeat this for all registry keys (shown in the next post as a picture). Click OK when ready [f]
Kees1958
August 18th, 2007, 07:18 AM
The next picture shows Toni Klein's watch list for keys, enter them all (by repeatedly entering this in the text field and choosing add, as explained in the previous post).
Kees1958
August 18th, 2007, 07:27 AM
Now we are also going to specify the registry values to watch. Field names entered are according to common registry syntax, with the field name last (without the \).
Unluckily, Threatfire does not have wildcards like regdefend or winpooch, so it is a bit of work (but then again it is free).
Select "to the value" [a], click on the underlined text "the value" [b].
Note that in your screen all the entered registry keys will be shown as a large sequence of entries. As explained I am too lazy (having already entered them in CyberHawk Pro).
Next the Registry Values screen will appear, same logic to enter the registry values to watch, by entering this in the text field (e.g. HKCU\Control Panel\Desktop\ScreenSaveActive ) [c], click on the add button [d].
Repeat this for all values to be watched (see next post for a list) [e] and click on OK when ready [f].
Kees1958
August 18th, 2007, 07:28 AM
The list of registry values you have to enter repeatedly as explained in the previous post.
Kees1958
August 18th, 2007, 07:31 AM
The options screen will display to show what you have entered (left of picture), choose Next and the Exclusions screen will appear. Select system processes and trusted processes to allow them to make changes and click on Next [b].
Kees1958
August 18th, 2007, 07:33 AM
Enter a rule name and description, choose complete (the second button, shown in Dutch as 'voltooien'). And select this self-made rule to activate protection as shown in post 14.
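The registry rule from the posts above as an added example (not code from the thread or from PC Tools). It keeps the two entry lists apart the way ThreatFire does, checks the trailing-backslash convention the posts describe before anything is typed in, and evaluates a few constructed registry writes. The assumed semantics are that a key entry covers the key and everything below it and a value entry matches one exact key\value pair; the process names on the excluded list are constructed stand-ins for ThreatFire's system and trusted lists:

```python
"""Model of the registry protection rule built in the posts above: two
entry lists, keys (which ThreatFire requires to end in a backslash) and
values (key path followed by the value name, no trailing backslash), with
the system and trusted process lists excluded. Constructed example; the
assumed semantics are that a key entry covers the key and everything below
it and that a value entry matches one exact value, case-insensitively
(registry paths are not case-sensitive)."""
from dataclasses import dataclass
from typing import Optional

# A few of the keys from Toni Klein's list as quoted in the thread.
REGISTRY_KEYS = [
    "HKCR\\Folder\\ColumnHandlers\\",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\",
]
# A few of the values from the same list.
REGISTRY_VALUES = [
    "HKCU\\Control Panel\\Desktop\\ScreenSaveActive",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\Path",
]
# Constructed stand-ins for ThreatFire's system and trusted process lists.
EXCLUDED_PROCESSES = {"services.exe", "winlogon.exe", "msiexec.exe"}


@dataclass
class RegistryWrite:
    process: str            # image name of the writing process
    key: str                # key being written to
    value: Optional[str]    # value name, or None when only the key is created/deleted


def validate_entries(keys, values):
    """Catch the entry mistakes the thread warns about before they are typed in."""
    problems = []
    for k in keys:
        if not k.endswith("\\"):
            problems.append("key entry missing trailing backslash: " + k)
    for v in values:
        if v.endswith("\\"):
            problems.append("value entry must not end with a backslash: " + v)
    return problems


def matches_key(write_key: str, entry: str) -> bool:
    """Key entry 'X\\' covers X itself and every subkey below it."""
    return (write_key.lower().rstrip("\\") + "\\").startswith(entry.lower())


def matches_value(write_key: str, value_name: str, entry: str) -> bool:
    """Value entry matches exactly one key\\value pair."""
    return (write_key.rstrip("\\") + "\\" + value_name).lower() == entry.lower()


def rule_fires(event: RegistryWrite, keys=REGISTRY_KEYS, values=REGISTRY_VALUES) -> Optional[str]:
    """Return the list entry the write hits, or None when the rule stays quiet."""
    if event.process.lower() in EXCLUDED_PROCESSES:
        return None
    for entry in keys:
        if matches_key(event.key, entry):
            return entry
    if event.value is not None:
        for entry in values:
            if matches_value(event.key, event.value, entry):
                return entry
    return None


def evaluate(writes):
    """Pair each write that trips the rule with the entry it hit."""
    hits = []
    for w in writes:
        entry = rule_fires(w)
        if entry is not None:
            hits.append((w, entry))
    return hits


# Constructed sample writes with the expected outcome in the comment.
WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SAMPLE_WRITES = [
    RegistryWrite("unknown1.exe", WINLOGON + "\\Notify\\newpkg", "DllName"),          # subkey of a key entry
    RegistryWrite("unknown1.exe", WINLOGON, "Shell"),                                # listed value
    RegistryWrite("unknown1.exe", WINLOGON, "Background"),                           # not listed: quiet
    RegistryWrite("winlogon.exe", WINLOGON, "Shell"),                                # excluded process: quiet
    RegistryWrite("unknown2.exe", "HKCU\\Control Panel\\Desktop", "ScreenSaveActive"),  # listed value
]

if __name__ == "__main__":
    assert validate_entries(REGISTRY_KEYS, REGISTRY_VALUES) == []
    for w, hit in evaluate(SAMPLE_WRITES):
        print(f"ALERT: {w.process} wrote {w.key}\\{w.value} (entry: {hit})")
```

The third sample write shows the gap the "no wildcards" remark later in the thread is about: a value under Winlogon that is not on the list is not watched, because the Winlogon key itself is a value-list entry's parent, not a key-list entry.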
Kees1958
August 18th, 2007, 07:38 AM
The last custom rule is that of a process not communicating with the user seeking outbound traffic.
To reduce the number of posts this is shown in 2 pictures.
Again select New, proceed to the wizard and select as a source
"any non-interactive process" [a] (left upper)
The trigger is "creates x network connections" [b] (right upper)
Click on the underlined "x" (lower half of screen on right upper corner [d]). Next a Count pop-up appears; increase this by one [e] by clicking on the upward pointer. Next the count pop-up will show 1 connections, select OK [f] and the screen on the left lower corner appears. Choose Next [g].
Kees1958
August 18th, 2007, 07:43 AM
When choosing Next in the previous post the options screen appears (obviously I am having trouble with the alphabet, because I continue with G while G is also the last step in the previous screen).
Select the port number [g],
Click on underlined text "number" [h]
Enter port numbers in the Ports pop-up [i], click add to select [j] and repeat [k]. In this example a range is entered and a single value. ThreatFire recognises port 80 and by itself adds the text (HTTP) Click on OK [l]
And the options screen appears to show what you have entered, choose Next [k], specify exclusions and give this rule a name/description and activate, et cetera.
Enjoy. You now have the ideal companion (as second layer) to your hardware firewall and DefenseWall (or GeSWall Pro).
Trespasser
August 18th, 2007, 10:06 PM
Excellent post. I appreciate the knowledge you've displayed. Thanks.
Kees1958
August 19th, 2007, 06:08 AM
Thx,
but the good thing about forums is that it is now also your knowledge. Same as I have acquired a lot from Aigle, Bigc, Bellgamin, Easter, Herbalist, Kerodo, Mrkvonic, Nicm, Solcroft, TopperID, ZopZop and many others.
Some specific startup files I forgot:
- C:\ntldr
- C:\boot.ini
- C:\Windows\system.ini
- C:\Windows\wininit.ini
- C:\Windows\win.ini
Regards Kees
Longboard
August 19th, 2007, 10:04 AM
Kind of you to post all this.
Hope you get a gong from PCTools. :thumb:
I'm still on CH 1.2: heh: time to move on?
Have you got some screenies of your set-up wrt resources in ProcExplorer?
Regards.
Kees1958
August 19th, 2007, 10:15 AM
ThreatFire uses the same amount of memory as CyberHawk 2.04 (I think around 8 MB) and it still issues a suspend when your browser starts (although since 2.04 a great improvement has been made).
I think you should really give it a try CB 2.04 only took a bit more CPU and time than the CyberHawk version 1.2.0.36 I used before.
Espresso
August 19th, 2007, 12:14 PM
{QUOTE-> The next picture shows Toni Klein's watch list for keys, enter them all (by repeatingly entering this in the text field and choosing add, as explained in the previous post). <-QUOTE}
Do you have a text list of these registry keys and values? I hope they develop some kind of import function to make this easier. :wacko:
I was going to ask why you specified 1-99999 and port 80 in the port settings but now I see it's a bug ( you can't delete entries unless you delete the rule and make a new one). Ports only go to 65535 anyway.
Does this program block UDP and TCP?
Kees1958
August 19th, 2007, 03:59 PM
See attached file
Espresso
August 19th, 2007, 04:36 PM
{QUOTE-> See attached file <-QUOTE}
Thanks.
I just noticed that TF doesn't block a little program called Neutron from updating time. I have a network rule blocking ports 1-65535 and no matter if I select TCP or UDP, Neutron still gets through.
RootAccess
August 19th, 2007, 07:36 PM
Thanks so much for the walkthrough. I actually implemented all the rules, took quite a while, but I'm sure it's a good layer of defense I've now got. I download music/movies with BitTorrent. Would the last rule interfere with these types of programs?
Espresso
August 21st, 2007, 08:41 AM
Is there any way to block network access without quarantining a program?
Cyberhawk Support
August 21st, 2007, 08:53 AM
Hi Espresso--
Currently the only choices when ThreatFire enforces a Custom Rule you have created are Allow or Quarantine.
However, you'll notice that the Threat Control Center still includes a "Denied" bin. This bin is actually not used for anything in this release, but the plan for a future update (v. 3.1) would be to modify the alert dialogs for Custom Rules to show the choice of Allow or Deny, rather than Allow or Quarantine. You would also have the opportunity to check the "Remember this answer" box to always allow or always deny that action. In many cases for custom rules it just makes more sense to only "Deny" the action rather than "Quarantine" it.
In most other cases with the ThreatFire alerts (all non-custom rule alerts), Allow or Quarantine should suffice.
Kind regards,
Becky Dubrow
Kees1958
August 21st, 2007, 02:40 PM
Import and Export of rules would be fine (to configure across PC's)
InfinityAz
August 21st, 2007, 04:30 PM
{QUOTE-> I have a network rule blocking ports 1-65535 ... <-QUOTE}
Correct me if I'm wrong, but shouldn't it be ports 0-65535 (i.e., a total of 65536 ports).
glentrino2duo
August 21st, 2007, 09:59 PM
I did port blocking in TF, but isn't it supposed to ask whenever an application is trying to connect out? Or am I supposed to make a rule for each application that should be excluded from the port blocking custom rule?
Espresso
August 22nd, 2007, 09:50 PM
{QUOTE-> Correct me if I'm wrong, but shouldn't it be ports 0-65535 (i.e., a total of 65536 ports). <-QUOTE}
Yes, but I don't think you can connect out to port 0 in Windows. Somebody correct me if I'm wrong.
Riverrun
August 23rd, 2007, 06:00 AM
Just tried the Reg Test at http://www.ghostsecurity.com/products/ using the Kees 1958 modified rules, not a peep out of TF!
Maybe somebody can try the same and confirm. I may have set things up wrong but I don't think so.
Kees1958
August 24th, 2007, 01:47 AM
Riverrun,
Do you have all the rules you have made enabled? (see picture). Sometimes you need to suspend and restart ThreatFire. I just tested it against CyberHawk Pro. The custom rules kicked in.
I am waiting for the official ThreatFire with update, because I have entered all rules I mentioned in this post in a much more granular way, for every registry key/group of registry keys a separate rule instead of one rule defending the whole registry (which lets me control which programs to allow on a much more detailed level).
Kees1958
August 24th, 2007, 07:49 AM
Here is an example on additional worm protection.
Choose any number of files you like, add access types like write (is overwrite) and/or delete. You can also set a time (number of seconds) in the options. To prevent unnecessary pop-ups include your download and temporary directories (P2P, Download manager, Browser and your OS).
glentrino2duo
August 27th, 2007, 08:39 PM
Kees, definitely an excellent guide with regards to making advanced rules with TF. Very much appreciated.
After using TF for several days now, with no hiccups, I was just wondering specifically with regards to the examples mentioned in the tutorial, namely system file protection, startup registry protection and non-interactive applications initiating outgoing traffic.
Being a smart HIPS that I try to believe it is, isn't TF supposed to have out-of-the-box protection for those mentioned in the examples, since the behaviors being blocked in the advanced rule examples are common among malware? I was just wondering if TF will suffer a performance downgrade with advanced rules 'duplicated' with TF's internal rules.
I believe TF's advanced rules are more geared towards controlling specific applications' behavior, even valid ones, the same way a classical HIPS does...
Kees1958
August 28th, 2007, 01:49 AM
Glentrino2duo,
ThreatFire, by default, warns you when an exe or executable-like file is changed, so there is likely to be some overlap. It also watches the startup entries of the registry. Looking at the way the rules are described (starting with a trigger) in a natural-language-like programming manner, I doubt whether a third or fourth rule on the same trigger by the same program will have a noticeable impact on performance.
Performance bumps I noticed were from CyberHawk 1.2 to higher (worse) and from CyberHawk Pro 2.03 to 2.04 (much faster). So the overhaul of program code on triggers (hooks) has by far a greater impact than an additional rule.
Looking at your nickname, you probably have a dual-core PC; I should not worry about it.
So let's add some extra registry protection:
Changes in XP file protection and anonymous account:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
Changes in software not allowed to run (software you might use for protection):
HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
Regards Kees
Drew99GT
September 5th, 2007, 12:44 PM
Will these rules cause a lot of pop-ups like a classical HIPS, like when a new program is installed or something?
Kees1958
September 5th, 2007, 03:26 PM
Drew99GT,
You will get 2 pop-ups max when choosing remember.
Regards Kees
zopzop
October 24th, 2007, 06:48 PM
Good grief, how did I miss this excellent thread! Nice job Kees. I've been hearing lots of good things about ThreatFire. Even the free version seems highly configurable. I haven't installed it yet and I have a few questions:
1a) i was looking at this post here (http://www.wilderssecurity.com/showpost.php?p=1059740&postcount=10) and it got me thinking. what would happen if you put something like "C:\*.*" in the folder list? would this prevent ANY non-system and non-trusted program from creating/deleting/writing executables to the hard drive?
1b) how would this affect the OS (like blue screening and such)?
2a) is it possible to set up a rule that would forbid any non-system and non-trusted program from writing to the registry?
2b) how would this affect the OS?
Kees1958
October 25th, 2007, 08:42 AM
ZopZop,
I would not advise watching *.*; it would be too chatty I think. Better restrict to a few files like:
- C:\autoexec.bat
- C:\boot.ini
- C:\config.sys
- C:\ntdetect.com
- C:\ntldr
- C:\WINDOWS\system.ini
- C:\WINDOWS\Tasks\*.*
- C:\WINDOWS\win.ini
- C:\WINDOWS\wininit.ini
- C:\WINDOWS\System32\AUTOEXEC.nt
- C:\WINDOWS\System32\bootvrfy.exe
- C:\WINDOWS\System32\CONFIG.nt
- C:\WINDOWS\System32\control.ini
- C:\WINDOWS\system32\drivers\etc\hosts
- C:\WINDOWS\system32\svchost.exe
Be sure to exclude system and trusted processes
2. No
But you would not want that, for the same reason. Use the list I posted (which Toni Klein has put together for regdefend). You can exclude the run, runonce, runservices (autostart locations in HKCU and HKLM, etc.) because TF guards them now.
Regards Kees
Kees1958
October 25th, 2007, 08:49 AM
ZopZop,
The custom rule posted in http://www.wilderssecurity.com/showpost.php?p=1059784&postcount=23
Can now be changed to
When any non-interactive process
creates 1 TriggerCount network connections
except when the source process is in the system process list
or the source process is in the trusted process list
This will pass against the bufferzone trojandemo test.
binary_jester
October 25th, 2007, 10:35 AM
Much thanks for the tutorial. Regarding your last post. Is it better to add that rule or modify the previously mentioned rule?
zopzop
October 25th, 2007, 11:40 AM
kees thank you again for the advice :)
ThreatFire with your custom rules seems to be an excellent addition to my security software setup (to complement GeSWall). I only have 2 more questions and I'll leave you alone, I promise :)
1) is it possible to export the rules? like say i want to install threatfire on my brother's pc?
2) how is threatfire on system resources? like how much ram does it use up?
Kees1958
October 25th, 2007, 11:42 AM
{QUOTE-> Much thanks for the tutorial. Regarding your last post. Is it better to add that rule or modify the previously mentioned rule? <-QUOTE}
It is better to modify it.
Regards Kees
Kees1958
October 25th, 2007, 11:54 AM
{QUOTE-> kees thank you again for the advice :)
ThreatFire with your custom rules seems to be an excellent addition to my security software setup (to complement GeSWall). I only have 2 more questions and I'll leave you alone, I promise :)
1) is it possible to export the rules? like say i want to install threatfire on my brother's pc?
2) how is threatfire on system resources? like how much ram does it use up? <-QUOTE}
ZopZop,
Nr 1 is high on the wishlist of the TF forum members. So it is still not possible. TF Tray uses 3,5 MB of memory and TF Service just 4 MB (with incidental spikes to 4,5 MB). Note that we have the TF Pro version now.
TF runs well with GeSWall. I had some trouble with GW blocking Digital Rights Management of purchased music songs, so I changed (the ease of having image backups) our settings on XP machines from A2 IDS + WinPooch + DW and TF + GW to A2 IDS + WinPooch + GW and TF + DW. On the Vista64 we run UAC (in quiet mode) with PRSC and HauteSecure beta.
Normally DW is a bit slower than GW, but TF works nearly as fast with DW v2.05 as with GW 2.6. We are behind a hardware NAT/SPI router and have no AV in realtime (only A2's realtime on 1 machine) and have not been infected for over a year now on the XP machines (I always run a Bitdefender scan before making backups). The Vista64 is only three months up and running (is scanned with Avast 64 bit before backup) and no problems whatsoever.
Regards Kees
Kees1958
October 25th, 2007, 03:28 PM
Here is my registry value custom rule
When any process
tries to write to the registry
to
HKCU\Control Panel\Desktop\ScreenSaveActive or
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask or
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load or
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs or
HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun or
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun or
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions or
HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute or
HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec or
HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute or
HKLM\SYSTEM\ControlSet002\Control\Session Manager\Environment\ComSpec or
HKLM\SYSTEM\ControlSet003\Control\Session Manager\BootExecute or
HKLM\SYSTEM\ControlSet003\Control\Session Manager\Environment\ComSpec or
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous or
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute or
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec or
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations or
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
|TriggerValues
except when the source process is in the system process list
or the source process is in the trusted process list
see post 15 in this thread on how to make it, it is easier now, just copy the values (with the OR) above one by one
Regards Kees
Kees1958
October 25th, 2007, 03:35 PM
Here my registry keys custom rule
When any process
tries to write to the registry to HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ or
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system or
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\ or
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\ or
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ or
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ or
HKLM\SOFTWARE\Microsoft\Command Processor\ or
HKLM\SOFTWARE\Microsoft\Ole\ or
HKLM\SOFTWARE\Microsoft\Ras\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\ or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ or
HKLM\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\ or
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ or
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\ or
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ or
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ or
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\ or
HKLM\SYSTEM\CurrentControlSet\Control\WOW\ or
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\
|TriggerKeys
except when the source process is in the system process list
or the source process is in the trusted process list
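The rule texts quoted in this thread (the network rule, the registry values rule, the registry keys rule above and the later rename rule) all follow one pattern: a "When <source>" line, a trigger phrase, an optional target list ending in a |TriggerKeys, |TriggerValues or |TriggerFolders tag, and the "except when ..." exclusions. The parser below is an added example, not code from the thread or from PC Tools; it turns that text into a structured rule so a list can be checked or compared between machines, which is the nearest thing to the export function the thread asks for. The grammar is inferred from the rules posted here only (assumption: a target never contains " to " or " in " as a separate word), and the sample rules are abridged copies of the ones above:

```python
"""Parser for the natural-language rule text ThreatFire shows for a custom
rule, as quoted in this thread. Constructed example; the accepted grammar is
inferred from the posted rules, not from ThreatFire documentation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    source: str                  # "any process", "any non-interactive process", ...
    trigger: str                 # "tries to write to the registry", ...
    kind: Optional[str] = None   # tag after the pipe: Keys, Values or Folders
    targets: List[str] = field(default_factory=list)
    count: Optional[int] = None  # N from "creates N TriggerCount network connections"
    exceptions: List[str] = field(default_factory=list)  # "system", "trusted"


def parse_rule(text: str) -> Rule:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].lower().startswith("when "):
        raise ValueError("rule must start with 'When <source>'")
    source = lines[0][5:].strip()
    # Everything after the source line, with the exclusions split off.
    body, _, exc = " ".join(lines[1:]).partition("except when")
    exceptions = re.findall(r"in the (\w+) process list", exc)
    body = body.strip()

    count = None
    m = re.search(r"(\d+)\s+TriggerCount", body)
    if m:
        count = int(m.group(1))
        body = re.sub(r"\s*\d+\s+TriggerCount\s*", " ", body).strip()

    kind, targets, trigger = None, [], body
    m = re.search(r"\|Trigger(\w+)\s*$", body)
    if m:
        kind = m.group(1)
        items = re.split(r"\s+or\s+", body[:m.start()].strip())
        # The first item still carries the trigger phrase; the last " to " or
        # " in " separates it from the first target (assumption, see lead-in).
        seps = list(re.finditer(r"\s+(?:to|in)\s+", items[0]))
        if not seps:
            raise ValueError("cannot separate trigger from targets: " + items[0])
        trigger = items[0][:seps[-1].start()]
        targets = [items[0][seps[-1].end():]] + items[1:]
    return Rule(source, trigger, kind, targets, count, exceptions)


# Abridged copies of the rules posted in this thread (constructed input).
SAMPLE_RULES = {
    "registry_keys": r"""When any process
tries to write to the registry to HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ or
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\
|TriggerKeys
except when the source process is in the system process list
or the source process is in the trusted process list""",
    "registry_values": r"""When any process
tries to write to the registry
to
HKCU\Control Panel\Desktop\ScreenSaveActive or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell or HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
|TriggerValues
except when the source process is in the system process list
or the source process is in the trusted process list""",
    "network": r"""When any non-interactive process
creates 1 TriggerCount network connections
except when the source process is in the system process list
or the source process is in the trusted process list""",
    "rename": r"""When an email program or web browser
tries to rename a file
in C:\ or C:\WINDOWS or C:\WINDOWS\System32|TriggerFolders
except when the source process is in the system process list
or the source process is in the trusted process list""",
}


def parse_samples():
    """Parse every sample rule; returns a name -> Rule mapping."""
    return {name: parse_rule(text) for name, text in SAMPLE_RULES.items()}


if __name__ == "__main__":
    for name, rule in parse_samples().items():
        print(name, rule)
```

Because the parser returns the target list as plain strings, the trailing-backslash check for key entries that the earlier posts insist on can be run on `rule.targets` straight away, and two machines' rule texts can be diffed by comparing the parsed targets rather than the screen.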
lucas1985
October 26th, 2007, 11:35 PM
I wonder if Threatfire includes any built-in rule to watch/track the reg key where URIs (http://en.wikipedia.org/wiki/Uniform_Resource_Identifier) are stored. Lots of recent vulnerabilities are involved with URI handling.
danny9
October 27th, 2007, 12:16 AM
{QUOTE-> Excellent post. I appreciate the knowledge you've displayed. Thanks. <-QUOTE}
I agree.
Thank you for your time and effort.
It is appreciated!:D
Sealord
October 27th, 2007, 02:36 PM
{QUOTE-> The last custom rule is that of a process not communicating with the user seeking outbound traffic. <-QUOTE}
{QUOTE->
I was going to ask why you specified 1-99999 and port 80 in the port settings but now I see it's a bug ( you can't delete entries unless you delete the rule and make a new one). Ports only go to 65535 anyway. <-QUOTE}
If you enter 80 then 81 then 8080, for example, you don't get the 1-99999.
Kees1958
October 27th, 2007, 02:54 PM
Use the new one without ports mentioned
http://www.wilderssecurity.com/showpost.php?p=1101843&postcount=47
Sealord
October 27th, 2007, 03:34 PM
{QUOTE-> Use the new one without ports mentioned
http://www.wilderssecurity.com/showpost.php?p=1101843&postcount=47 <-QUOTE}
Thanks for pointing that out. In case you want to insert port numbers, my previous post seems to get rid of the hiccup. Thanks for your good hints though.:)
danny9
October 27th, 2007, 07:03 PM
{QUOTE-> kees thank you again for the advice :)
ThreatFire with your custom rules seems to be an excellent addition to my security software setup (to complement GeSWall). I only have 2 more questions and I'll leave you alone, I promise :)
1) is it possible to export the rules? like say i want to install threatfire on my brother's pc?
2) how is threatfire on system resources? like how much ram does it use up? <-QUOTE}
Very light. On my system, less than 8k.:)
Kees1958
October 28th, 2007, 09:13 AM
{QUOTE-> I wonder if Threatfire includes any built-in rule to watch/track the reg key where URIs (http://en.wikipedia.org/wiki/Uniform_Resource_Identifier) are stored. Lots of recent vulnerabilities are involved with URI handling. <-QUOTE}
Lucas1985,
I do not know. But my approach is to run URI related programs (adobe, quicktime, etc) as untrusted in DefenseWall/GeSWall Pro.
May be someone who knows more on this topic could join in.
Regards Kees
lucas1985
October 28th, 2007, 05:10 PM
{QUOTE-> But my approach is to run URI related programs (adobe, quicktime, etc) as untrusted in DefenseWall/GeSWall Pro. <-QUOTE}
Yes, every app receiving commands from the browser should run isolated.
I think that should be very easy for a smart behav. blocker like TF to monitor processes reading/writing to the URI key followed by the download of an executable.
Solcroft, are you there ;D?
colorado13
October 29th, 2007, 06:21 PM
Kees1958, thanks for the tutorial. Very much appreciated.
Regards
Gizzy
October 31st, 2007, 09:34 AM
Thank you very much for all the custom rules, ;D:thumb: will you be posting any more?
Kees1958
October 31st, 2007, 03:15 PM
Gizzy,
As Solcroft pointed out, TF is intelligent by itself. So you should not specify too many custom rules, because you might make the behavior blocker behave as a 'dumb' intrusion detector.
But here is one, which is normally suspicious
When an email program or web browser
tries to rename a file
in C:\ or C:\WINDOWS or C:\WINDOWS\System32|TriggerFolders
except when the source process is in the system process list
or the source process is in the trusted process list
Regards Kees
Gizzy
November 1st, 2007, 01:02 PM
Thanks for another custom rule Kees1958,
I never noticed Solcroft's post about this, but I understand what you're saying too many custom rules and I'll be attacked by threatfire pop ups ;)
cupez80
November 15th, 2007, 03:30 AM
Has anyone already done this tutorial and could export the rules? :D So others can import it....
Kees1958
November 15th, 2007, 01:37 PM
cupez80,
Exporting/importing custom rules is still on the wish list. I do not understand why more programs do not offer this (Regdefend, WinPooch, EQsecure all have it and it's so easy when you have several PCs).
Regards
19monty64
November 15th, 2007, 01:42 PM
{QUOTE-> cupez80,
Exporting/importing custom rules is still on the wish list. I do not understand why more programs do not offer this (Regdefend, WinPooch, EQsecure all have it and it's so easy when you have several PCs).
Regards <-QUOTE}
I know a couple of discontinued firewalls (kerio, filseclab) that did that years ago. Handy as all get-out! Maybe they'll institute that in the pay-version, hopefully sooner than later!
cupez80
November 15th, 2007, 09:21 PM
hmm..it seems like i should enter all custom manually... :D
19monty64
November 15th, 2007, 11:25 PM
{QUOTE-> hmm..it seems like i should enter all custom manually... :D <-QUOTE}
First, decide on the important ones so as not to overload on the rule-set.