Sana Security Primary Response - Opinions
Malcontent
October 18th, 2007, 06:13 PM
http://www.sanasecurity.com/products/pr/index.php
I'm looking for some feedback on Sana Security Primary Response.
How effective is it against unknown, zero day malware? I'm running the 15 day trial now and it's been running pretty smooth. It's been very quiet. I just have no idea how effective it is when it encounters a threat.
So, anyone else using it and seen it in action against malware?
Thanks.
AJohn
October 19th, 2007, 12:17 AM
Use the search option :D Norton AntiBot is the same software, just re-branded :D
solcroft
October 19th, 2007, 12:30 AM
PRSC evaluates processes by assigning threat levels to the actions it performs, then flags the process when the levels go past a certain threshold.
This has its ups and downs. On the bright side, FPs do not come by easily. On the bad side, it is largely incapable of stopping malware propagation, and to some extent malware installation as well, because it assigns relatively low threat scores to self-propagation actions. An autorun trojan that does nothing but register itself to autostart and replicates itself across removable media, for instance, would slip right past PRSC, because PRSC deems those actions as not dangerous enough.
PRSC also has the problem of being unable to handle massive malware bombardments. If only a trojan or two shows up, PRSC is able to function as advertised. If you visit a malicious website with a ton of iframes that launch multiple malware at once, for instance, then some will invariably slip past PRSC as it scrambles to deal with them. Again, this is a flaw due to its philosophy - PRSC seeks to block only malicious payloads, and certain less-dangerous actions like propagation and installation slip past it. When it finally does flag the malicious payload, the malware may already be too deeply-rooted in the system for PRSC to remove.
This is by no means to say that PRSC is ineffective - it's still an excellent layer of defense when coupled with a traditional scanner, and will provide good protection with minimal FPs. However, as far as I'm concerned, ThreatFire and Micropoint are the undisputed leaders of behavior blocker software right now, and when compared against them some of PRSC's shortcomings and protection level become readily apparent.
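As an added illustration (not part of any post in this thread, and not Sana's code): a toy threshold-scoring blocker with constructed action weights, showing how an autorun trojan's low-scoring propagation actions stay under the threshold while a keylogger trips it, plus a variant that also counts distinct propagation actions. All action names, weights and the threshold are assumptions made up for this example.

```python
"""Toy threshold-based behavior blocker, modelled on the description of PRSC
in the post above. Action names, weights and the threshold are constructed for
illustration; the real product's scoring is not public."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed per-action threat weights (higher = more dangerous).
ACTION_SCORES = {
    "register_autostart": 2,        # e.g. an HKCU\...\Run value
    "copy_self_to_removable": 2,    # replicate onto a USB stick
    "create_autorun_inf": 1,
    "write_system_dir": 3,
    "disable_security_center": 5,
    "inject_remote_thread": 6,
    "install_keyboard_hook": 6,
}
THRESHOLD = 10
# Actions that are strong self-propagation indicators on their own.
PROPAGATION_ACTIONS = {"copy_self_to_removable", "create_autorun_inf"}


@dataclass
class ProcessState:
    name: str
    score: int = 0
    actions: List[str] = field(default_factory=list)
    flagged: bool = False


class ThresholdBlocker:
    """Flags a process once its cumulative score reaches the threshold."""

    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.procs: Dict[int, ProcessState] = {}

    def observe(self, pid: int, name: str, action: str) -> bool:
        """Record one action; return whether the process is (now) flagged."""
        p = self.procs.setdefault(pid, ProcessState(name))
        p.actions.append(action)
        p.score += ACTION_SCORES.get(action, 0)   # unknown actions score 0
        if not p.flagged and self.should_flag(p):
            p.flagged = True
        return p.flagged

    def should_flag(self, p: ProcessState) -> bool:
        return p.score >= self.threshold


class PropagationAwareBlocker(ThresholdBlocker):
    """Variant that also flags when two distinct propagation actions are seen,
    independent of the summed score (closes the autorun-trojan gap)."""

    def should_flag(self, p: ProcessState) -> bool:
        seen = PROPAGATION_ACTIONS.intersection(p.actions)
        return super().should_flag(p) or len(seen) >= 2


# Constructed action traces, one per process.
AUTORUN_TROJAN = ["register_autostart", "copy_self_to_removable",
                  "create_autorun_inf", "copy_self_to_removable"]
KEYLOGGER = ["register_autostart", "write_system_dir", "install_keyboard_hook"]
INSTALLER = ["write_system_dir", "register_autostart"]   # legitimate setup.exe


def run_trace(blocker: ThresholdBlocker, pid: int, name: str,
              trace: List[str]) -> Tuple[bool, int]:
    """Feed a trace to a blocker; return (flagged, final score)."""
    flagged = False
    for action in trace:
        flagged = blocker.observe(pid, name, action)
    return flagged, blocker.procs[pid].score


if __name__ == "__main__":
    for label, trace in [("autorun trojan", AUTORUN_TROJAN),
                         ("keylogger", KEYLOGGER), ("installer", INSTALLER)]:
        plain = run_trace(ThresholdBlocker(), 1, label, trace)
        aware = run_trace(PropagationAwareBlocker(), 1, label, trace)
        print(f"{label:15s} threshold-only: {plain}  propagation-aware: {aware}")
```

The installer trace stays quiet under both variants, which is the low-FP side of the design the post describes.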
CogitoErgoSum
October 19th, 2007, 08:58 AM
Hello Malcontent,
Assuming that you are inquiring about Primary Response SafeConnect (behavioral heuristic anti-malware), please take a look at the following links.
http://www.wilderssecurity.com/showthread.php?t=182336&highlight=antibot
http://www.wilderssecurity.com/showthread.php?t=176980&highlight=antibot
http://www.pcmag.com/article2/0,1759,2071441,00.asp
http://www.techsupportalert.com/issues/issue141.htm#Section_2.2
http://www.wilderssecurity.com/showthread.php?t=164863&highlight=primary+response
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
http://www.wilderssecurity.com/showpost.php?p=1051377&postcount=20
http://www.wilderssecurity.com/showpost.php?p=1057172&postcount=45
http://www.wilderssecurity.com/showpost.php?p=1083269&postcount=112
The following are current direct links to Sana Security and Primary Response SafeConnect.
http://www.sanasecurity.com/
http://www.sanasecurity.com/corporate.php
http://www.sanasecurity.com/products/home/index.php
http://www.sanasecurity.com/products/home/sc/faq.php
http://www.sanasecurity.com/why_sana/technology/activeMDT.php
FYI, Sana Security also sells a product called Primary Response, which is an IPS/HIPS that is only sold to small and medium businesses and enterprises (SMB).
Hope this helps.
Peace & Love,
CogitoErgoSum
Kees1958
October 19th, 2007, 11:31 AM
CogitoErgoSum
We have PRSC on a vista64 box, you once emailed "PRSC is best appreciated by those of us who understand its strengths and limitations."
I tried some tests and really cannot say what triggers PRSC to intercept. Maybe you can explain (sounds a bit silly after having purchased the licence).
Solcroft,
Where did you find that information? Reason for asking: I did some testing (obviously simple single-action tests) and PRSC kept awfully quiet.
I agree on ThreatFire as the best of the known (do not have experience with the Chinese Micropoint) for free (but you have to have a strong CPU) and configurable with additional custom rules.
Regards Kees
solcroft
October 19th, 2007, 11:49 AM
-{ Quote: "Solcroft,
Where did you find that information? Reason for asking: I did some testing (obviously simple single-action tests) and PRSC kept awfully quiet.
I agree on ThreatFire as the best of the known (do not have experience with the Chinese Micropoint) for free (but you have to have a strong CPU) and configurable with additional custom rules.
Regards Kees" }-
I tested AntiBot for almost three weeks by repeatedly executing live malware - not test programs. ;)
Regarding TF, I disagree that you need custom rules to be effective. The thing is that you're trying to compare an intelligent behavior blocker that strives to block ONLY malware, and a "dumb" HIPS program that flags anything and everything, malicious or not. Obviously, with a "dumb" HIPS, you can lock your system down to the extent that nothing is capable of so much as twitching unless it has your express permission, but when it comes to intelligently blocking only real malicious code and not barraging the user with a ton of popups every time something gets executed regardless of whether they're legit or not, and (equally important) cleaning up the mess afterwards, ThreatFire and Micropoint are unmatched.
Perman
October 19th, 2007, 12:07 PM
Hi, folks; I am using both TF free and PRSC paid on the same laptop. I have noticed these: whenever there is a new program process added into the system, TH will alert me with a pop-up seeking my approval, whereas PRSC just simply adds that process into the monitoring list with a few yellow-coloured squares as designation, no alert. I think both are doing the same good jobs, except one is a bit more paranoid than the other. I remember someone said that PRSC will not be moved by a single behavior threat, just awaiting more of the same to confront with. These are just my non-tech observations so far. Take care.
solcroft
October 19th, 2007, 12:21 PM
-{ Quote: "whenever there is a new program process added into the system, TH will alert me with a pop-up seeking my approval" }-
I'm afraid I'll have to challenge you on that; TF does NOT alert you just because you add a new program to your computer. If you do have some screenshots of this happening, that'd be nice.
Perman
October 19th, 2007, 12:43 PM
-{ Quote: "I'm afraid I'll have to challenge you on that; TF does NOT alert you just because you add a new program to your computer. If you do have some screenshots of this happening, that'd be nice." }-
Hi, To satisfy your curiosity, I have listed two popular programs:
Prevx2 and R-Wipe & Clean. TH will alert and seek the user's approval re:
Prevx2's browser launch and R-Wipe&Clean's EXE creation and more. Sorry I do not have screenshots to prove it, but your DIY will see what I mean. Take care.
CogitoErgoSum
October 19th, 2007, 12:47 PM
Hello Kees1958,
Based upon personal experience, other than throwing live malware samples (viruses, trojans, keyloggers, worms and rootkits) at PRSC, tests that will elicit a response include the prueba malware demo, Morgud's DFK blended threat simulator, Scoundrel Simulator and RegTest. Keep in mind that removal of detected threats may require multiple reboots.
Please refer to the following link.
http://www.wilderssecurity.com/showpost.php?p=1057172&postcount=45
Hope this helps.
Peace & Love,
CogitoErgoSum
Kees1958
October 19th, 2007, 01:45 PM
-{ Quote: "Hi, To satisfy your curiosity, I have listed two popular programs:
Prevx2 and R-Wipe & Clean. TH will alert and seek the user's approval re:
Prevx2's browser launch and R-Wipe&Clean's EXE creation and more. Sorry I do not have screenshots to prove it, but your DIY will see what I mean. Take care." }-
ThreatFire responds to creating exe files in the Windows directory.
Regards Kees
solcroft
October 19th, 2007, 02:48 PM
-{ Quote: "Hello Kees1958,
Based upon personal experience, other than throwing live malware samples (viruses, trojans, keyloggers, worms and rootkits) at PRSC, tests that will elicit a response include the prueba malware demo... " }-
prueba.exe is NOT a demo. It's actually a variant of the Bifrose trojan, and a live malware sample.
aigle
October 19th, 2007, 02:56 PM
-{ Quote: "ThreatFire responds to creating exe files in the Windows directory.
Regards Kees" }-
Exactly right. TF will give a popup whenever an exe is created in the Windows directory or in the root of the C drive/partition.
solcroft
October 19th, 2007, 02:56 PM
-{ Quote: "Hi, To satisfy your curiosity, I have listed two popular programs:
Prevx2 and R-Wipe & Clean. TH will alert and seek the user's approval re:
Prevx2's browser launch and R-Wipe&Clean's EXE creation and more. Sorry I do not have screenshots to prove it, but your DIY will see what I mean. Take care." }-
That's a very different case from TF popping up alerts just because you added a new program.
Many times it's not easy to distinguish installer programs from non-destructive malware, as they share many common characteristics: loading drivers, creating autostart entries, etc. I've seen TF throw up FPs on occasion when installing programs, but like I mentioned, this is a different story altogether from TF alerting you just because you added a new program; the installer exhibits some malware-like characteristics that caused TF to flag it.
Even with the occasional FP on installers (again, because installers and non-destructive malware often exhibit similar actions), behavior blockers are still infinitely more useful than a "dumb" HIPS when trying to install new programs. Just try to install, say, a firewall program if you have SSM, EQSecure or ProSecurity enabled with a good ruleset. Voila, instant popup nightmare.
solcroft
October 19th, 2007, 02:58 PM
-{ Quote: "Exactly right. TF will give a popup whenever an exe is created in the Windows directory or in the root of the C drive/partition." }-
Not always. I've seen TF allow such actions by legit programs a couple of times. Seems like TF isn't just a single-behavior blocker; I'm beginning to suspect it inspects other characteristics as well: invisible window, packers, file path/location/size etc., maybe.
aigle
October 19th, 2007, 03:18 PM
It's the usual behavior of TF. Try copying any executable into the Windows directory or the root of the C drive via your browser or some alternative explorer (not Windows Explorer) and you will get an alert.
solcroft
October 19th, 2007, 03:35 PM
Tried it with Opera and Firefox. No such alert. =/
What explorer shell are you using?
Perman
October 19th, 2007, 03:56 PM
Hi, folks: PRSC just updated to 148. This baby does not cry that much. Just stays low in the background doing its job. How they do it remains a mystery to me, although I wish the developer could be more transparent, or at least come here to acknowledge our gossip :) As I remember they showed up just once(?) when it was in beta. I know their bread and butter is in corporate sectors, but remember that little ants CAN move the Alps. Just a thought.
CogitoErgoSum
October 19th, 2007, 04:49 PM
Hello solcroft,
I stand corrected regarding prueba. Thanks for setting the facts straight.
Peace & Love,
CogitoErgoSum
CogitoErgoSum
October 19th, 2007, 06:44 PM
Hello Kees1958,
Here are some links that may help answer some of your questions regarding PRSC.
http://www.sanasecurity.com/common/files/prsc_eval_readme.pdf
http://www.sanasecurity.com/common/files/PRSC_WP.pdf
http://www.sanasecurity.com/common/files/TollyTS206125.pdf
http://infosecurityproductsguide.com/people/MatthewWilliamson.html
Hope this helps.
Peace & Love,
CogitoErgoSum
aigle
October 19th, 2007, 09:06 PM
-{ Quote: "Tried it with Opera and Firefox. No such alert. =/
What explorer shell are you using?" }-
Hi Solcroft, See the alerts with UltraExplorer.
Just installed TF to check. No alert with the browser though.
midway40
October 19th, 2007, 09:12 PM
-{ Quote: "Hi, folks: PRSC just updated to 148. This baby does not cry that much. Just stays low in the background doing its job. How they do it remains a mystery to me, although I wish the developer could be more transparent, or at least come here to acknowledge our gossip :) As I remember they showed up just once(?) when it was in beta. I know their bread and butter is in corporate sectors, but remember that little ants CAN move the Alps. Just a thought." }-
NAB updated today to 148 as well. I haven't heard much from NAB either. It did complain about a POP mail checker gadget I had installed. It didn't work like I wanted to anyway so I uninstalled it and got another. NAB liked it better, lol.
solcroft
October 20th, 2007, 12:45 AM
-{ Quote: "Hi Solcroft, See the alerts with UltraExplorer.
Just installed TF to check. No alert with the browser though." }-
Weirder and weirder. :o
I googled for and grabbed a copy of UltraExplorer from http://www.mustangpeak.net/ultraexplorer.html and then copied some arbitrary files to C:\ and C:\Windows (in this example it was the Webroot Desktop Firewall setup program). TF remained silent.
:-\
aigle
October 20th, 2007, 03:30 PM
Copied to C from where?
Maybe you used explorer.exe by mistake.
Here is the way I do it. Change UltraExplorer to dual panel mode. Open the desktop in one panel and the C drive in the other panel. Use UltraExplorer's file transfer button (that is located on the separation of the two panels) to transfer an exe from the desktop to C.
solcroft
October 21st, 2007, 12:48 AM
-{ Quote: "Copied to C from where?
Maybe you used explorer.exe by mistake.
Here is the way I do it. Change UltraExplorer to dual panel mode. Open the desktop in one panel and the C drive in the other panel. Use UltraExplorer's file transfer button (that is located on the separation of the two panels) to transfer an exe from the desktop to C." }-
Ah, there we go. TF alerts now.
I stand corrected. ;D
aigle
October 21st, 2007, 01:32 AM
Good that you were able to get the popup.;D
solcroft
October 22nd, 2007, 06:12 AM
-{ Quote: "Good that you were able to get the popup.;D" }-
Just a question. Is it possible to use UltraExplorer (not explorer.exe) to create files?
aigle
October 22nd, 2007, 06:26 AM
Try. Right click, new file > text document. Then right click this text document and rename it as xyz.exe. EQS gives a warning. I do not have TF installed ATM. Not sure whether it will detect this behaviour or not.
solcroft
October 22nd, 2007, 07:00 AM
TF does not alert if you use UltraExplorer to create a file.
It's one step to proving my suspicions: TF alerts in a file COPY operation to sensitive locations, not a create operation. Obviously it's a whole lot more suspicious for programs to copy themselves than to create files.
aigle
October 22nd, 2007, 07:26 AM
My guess is the same. It's a good way to detect worms.
Kees1958
October 23rd, 2007, 10:13 AM
Solcroft,
You can easily add file protection to C:\WINDOWS\*.exe files. TF allows the asterisk in file protection, just select on which operation (create, delete, write) you want to be notified.
Regards K
Kees1958
October 23rd, 2007, 10:18 AM
-{ Quote: "I tested AntiBot for almost three weeks by repeatedly executing live malware - not test programs. ;)
Regarding TF, I disagree that you need custom rules to be effective. The thing is that you're trying to compare an intelligent behavior blocker that strives to block ONLY malware, and a "dumb" HIPS program that flags anything and everything, malicious or not. Obviously, with a "dumb" HIPS, you can lock your system down to the extent that nothing is capable of so much as twitching unless it has your express permission, but when it comes to intelligently blocking only real malicious code and not barraging the user with a ton of popups every time something gets executed regardless of whether they're legit or not, and (equally important) cleaning up the mess afterwards, ThreatFire and Micropoint are unmatched." }-
Solcroft, I disagree with the fact that I am comparing TF with traditional HIPS in the way you describe.
First:
In the custom rules you can enter the exceptions (like is a system process or trusted process).
Second:
Toni Klein has put together a set of start up locations which normally would stay static/the same.
My experience:
With the "is a system process" exception on the registry startup set of Toni Klein you won't get a pop-up under normal operation, maybe one when installing a program (I can not remember TF popping up with the Toni Klein TF-set I posted). So custom rules can make TF even stronger without losing its intelligence.
Regards Kees
aigle
October 23rd, 2007, 10:31 AM
TF custom rules are difficult and confusing. Very poor info by its popups. I tried file protection and immediately removed them.
solcroft
October 23rd, 2007, 10:37 AM
Kees,
The thing is, adding autostart entries mostly only happens during new software installation.
Opening msconfig on my computer reveals that I have Returnil, Sandboxie, MSN Messenger, McAfee and BitComet scheduled to autostart, for instance. By adding custom rules and excluding system files, that means TF would alert the user whenever he/she installed the above software, among numerous other things. They are obviously not malware, and it's pointless to flag them.
The other thing to consider is that the majority of your reg entries are already covered by TF! The only difference is that TF also contains inbuilt rules to determine whether the process is adding the autostart entries in a suspicious or malicious manner, so there's really no need to further tweak TF's registry protection.
Kees1958
October 24th, 2007, 03:41 AM
Solcroft,
I understand why you do not need additional registry protection with the virtualisation progs you use. So that is no discussion.
I know CB did protect against the run**** startup entries (shown italic below), the ones you can see with msconfig, when I tested CB Pro (over a year ago). It for sure did not protect against the majority of Toni Klein's startup entries (the ones used by worms and trojans). I am a little surprised TF does now, which is quite good actually.
Funny that I did not notice. This might be because TF checks its internal rules before the custom rules. Would also explain why the Toni Klein set plus except when a system process is so quiet.
How did you check that TF protects against the other entries/values?
Values
HKCU\Control Panel\Desktop\ScreenSaveActive
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
HKLM\SYSTEM\ControlSet003\Control\Session Manager\BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
And registry entries
HKCR\Folder\shellex\ColumnHandlers\
HKCR\ftp\shell\open\command\
HKCR\*\shellex\ContextMenuHandlers\
HKCR\PROTOCOLS\Filter\
HKCU\Software\Microsoft\Command Processor\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\
HKLM\SOFTWARE\Classes\batfile\shell\open\command\
HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\
HKLM\SOFTWARE\Classes\comfile\shell\open\command\
HKLM\SOFTWARE\Classes\exefile\shell\open\command\
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\
HKLM\SOFTWARE\Classes\piffile\shell\open\command\
HKLM\SOFTWARE\Classes\ShellScrap\shell\open\command\
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKLM\SOFTWARE\Microsoft\Command Processor\
HKLM\SOFTWARE\Microsoft\Ole\
HKLM\SOFTWARE\Microsoft\Ras\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKLM\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\
HKLM\SYSTEM\CurrentControlSet\Control\WOW\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\
Regards Kees
solcroft
October 24th, 2007, 07:22 AM
-{ Quote: "Solcroft,
I understand why you do not need additional registry protection with the virtualisation progs you use. So that is no discussion.
I know CB did protect against the run**** startup entries (shown italic below), the ones you can see with msconfig, when I tested CB Pro (over a year ago). It for sure did not protect against the majority of Toni Klein's startup entries (the ones used by worms and trojans). I am a little surprised TF does now, which is quite good actually.
Funny that I did not notice. This might be because TF checks its internal rules before the custom rules. Would also explain why the Toni Klein set plus except when a system process is so quiet.
How did you check that TF protects against the other entries/values?" }-
To answer your last question first: by trial and error. I test TF rigorously against malware almost on a daily basis, and whenever TF warns and quarantines a malware, you can check the logs and the quarantine area for the very detailed logs on the actions the malware took and what was quarantined. Over time, you slowly learn what TF watches for and what triggers its alerts.
Another thing is that a big portion (almost 50%) of the reg entries you posted are actually not autostart entries at all. They are values that are often attacked by malware and can adversely affect your system security if changed; for instance, malware can alter HKLM\SOFTWARE\Microsoft\Security Center\* to disable Security Center warnings, change HKLM\SOFTWARE\Classes\*\shell\open\command\ to change what programs are used to launch a file (typically this means the malware tries to point file associations to itself), or delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ to render the user unable to boot into Safe Mode.
Last but not least, not having to use custom rules is not a question of what other programs I'm using, but the strong protection TF already provides. What many people do not realize is that TF monitors all actions processes perform, and once TF flags a malware, EVERY change the malware has written to the filesystem and registry is quarantined and reversed. This means that even if there is no specific rule watching for a specific action, it will still be rolled back as long as it was performed by the flagged malware. This is why TF doesn't need a rigorous set of rules watching every possible vulnerable registry and filesystem location and therefore produce a bunch of useless alerts on legit processes, the way a "dumb" HIPS does. A process can write to multiple locations not monitored by TF all it wants, but as soon as it performs a dangerous action that identifies it as malware, it will be terminated and quarantined, along with all those registry changes it had performed.
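As an added illustration of the journal-and-rollback design solcroft describes (not ThreatFire's code, and not from any post in this thread): every write a process makes is journaled with its previous value, no matter whether a rule watches that location, and the moment the process trips a rule all of its writes are reversed. The in-memory "system", the single decisive-action rule, the process id and the unwatched registry path are constructed for the example.

```python
"""Toy model of per-process change journaling with rollback on detection, as
described for TF in the post above. The in-memory 'system', the single
detection rule and the sample process are all constructed; this is not
ThreatFire code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class System:
    """Constructed stand-in for the registry and filesystem."""
    registry: Dict[str, str] = field(default_factory=dict)
    files: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class JournalEntry:
    store: str               # "registry" or "files"
    key: str                 # registry value path or file path
    old: Optional[object]    # previous content; None = did not exist before


# The only detection rule in this toy: a few actions are treated as decisive.
DANGEROUS_ACTIONS = {"inject_remote_thread", "install_keyboard_hook"}


class JournalingBlocker:
    """Journals every write by every process; no per-location rules needed.
    When a process trips a rule, all of its writes are reversed at once."""

    def __init__(self, system: System):
        self.sys = system
        self.journal: Dict[int, List[JournalEntry]] = {}
        self.quarantined: Dict[int, List[JournalEntry]] = {}

    def _record(self, pid: int, store: str, key: str) -> None:
        table = getattr(self.sys, store)
        self.journal.setdefault(pid, []).append(
            JournalEntry(store, key, table.get(key)))

    def set_registry(self, pid: int, key: str, value: str) -> None:
        self._record(pid, "registry", key)
        self.sys.registry[key] = value

    def write_file(self, pid: int, path: str, data: bytes) -> None:
        self._record(pid, "files", path)
        self.sys.files[path] = data

    def perform(self, pid: int, action: str) -> bool:
        """Non-write action. Returns True if it caused the process to be flagged."""
        if action in DANGEROUS_ACTIONS:
            self.quarantine(pid)
            return True
        return False

    def quarantine(self, pid: int) -> int:
        """Undo every journaled write of pid, newest first; return count undone."""
        entries = self.journal.pop(pid, [])
        for e in reversed(entries):
            table = getattr(self.sys, e.store)
            if e.old is None:
                table.pop(e.key, None)
            else:
                table[e.key] = e.old
        self.quarantined[pid] = entries
        return len(entries)


SC_KEY = r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify"


def demo() -> Tuple[Dict[str, str], Dict[str, bytes], int]:
    """Constructed scenario: writes to locations no rule watches, then one
    decisive action. Returns (registry, files, number of writes reversed)."""
    system = System(registry={SC_KEY: "0"})
    bb = JournalingBlocker(system)
    pid = 1234                                               # constructed pid
    bb.set_registry(pid, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
                    r"C:\Windows\svc.exe")
    bb.write_file(pid, r"C:\Windows\svc.exe", b"MZ-constructed-sample")
    bb.set_registry(pid, SC_KEY, "1")                        # silence AV warning
    bb.set_registry(pid, r"HKLM\SOFTWARE\Example\Unwatched\Marker", "x")  # constructed, unmonitored
    flagged = bb.perform(pid, "install_keyboard_hook")
    undone = len(bb.quarantined[pid]) if flagged else 0
    return system.registry, system.files, undone


if __name__ == "__main__":
    reg, files, n = demo()
    print(f"reversed {n} writes; registry={reg}; files={files}")
```

The unwatched marker value is reversed along with everything else, which is the property that lets the design skip per-location rules; a process that never trips a rule keeps its writes.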
Kees1958
October 24th, 2007, 07:41 AM
-{ Quote: "
Another thing is that a big portion (almost 50%) of the reg entries you posted are actually not autostart entries at all. " }-
First, credit is to Toni Klein. Second, startup entries in this context are not limited to autostart, but the soft spots which worms and trojans attack, so that is a correct observation of yours.
Although it is a subject of discussion, I prefer the combo of a Soft/Policy Sandbox with a behavioral blocker over a classical HIPS. It requires low user interaction and a high level of protection. On Vista 64 we use Haute Secure plus PRSC (to go back on topic).
Only Online Armor is a bit of an exception due to its white and blacklist and included firewall. Also the (future) option to allow unknown programs without user pop-up, running with limited rights, is a very user-friendly solution. After all, running as admin causes 95 percent of the problems.
Regards Kees
aigle
October 24th, 2007, 10:17 AM
-{ Quote: "once TF flags a malware, EVERY change the malware has written to the filesystem and registry is quarantined and reversed. This means that even if there is no specific rule watching for a specific action, it will still be rolled back as long as it was performed by the flagged malware. This is why TF doesn't need a rigorous set of rules watching every possible vulnerable registry and filesystem location" }-
Good observation Solcroft.:thumb:
Kees1958
October 25th, 2007, 04:13 PM
Aigle, Solcroft
Just because one part of the statement is true, not everything is true.
Without this custom rule
When any non-interactive process
creates 1|TriggerCount network connections
except when the source process is in the system process list
or the source process is in the trusted process list
ThreatFire flunks against the Trojan Demo of Bufferzone, with the extra custom rule it pops up a warning. In the past I challenged CyberHawk Free against a lot of tests. The outcomes of these tests made me buy Cyberhawk Pro just for the custom rules.
I have not done all the tests again, just copied them into TF Pro. I won't discuss Solcroft's claim that they are useless, because he tests malware all the time. To his credit I removed a few custom rules and TF indeed did protect against it in another way. Although Solcroft did not back up his statement with facts, I am open to other suggestions. TopperID and Toni Klein have helped with knowledge on the XP registry, I am not an expert but the extra rules do not produce pop-ups in regular use (as long as you add the exception of system process and trusted processes).
The test above proves at least that it is a wrong conclusion to state that because TF rolls back the changes you do not need extra custom rules.
Regards Kees
Perman
October 25th, 2007, 06:00 PM
Hi, folks: I am using PRSC, and am eager to learn more from members; each time I noticed a fresh posting in this thread, I rushed to click and found NOTHING; NADA; related to it, again, the TF talks. I just wonder, can you guys open a new battlefield for that matter somewhere out there? Your dialogues are informative, but in the wrong channel, I suppose. :P
solcroft
October 25th, 2007, 07:46 PM
-{ Quote: "ThreatFire flunks against the Trojan Demo of Bufferzone" }-
TF is essentially anti-malware. It works using the same operating principles as a "dumb" HIPS does, but was further designed to flag only malicious software. Flagging a harmless test file is essentially a false positive for TF.
The problem with these kinds of test programs is that people inevitably use them beyond their intended purpose and pitch them against antivirus, intelligent behavior blockers and other things that are designed to detect only malware. Unfortunately, this then colors their perception of the software, and vendors are forced to add detection for absolutely useless crap like these to avoid complaints from people who don't know better, or live with the public perception that their software is somehow "flawed". In fact, TF does produce an alert on this harmless demo, as shown below. If PRSC managed to restrain itself, then it shows sophisticated rules to avoid FPs on their part, and its silence is actually not a downside at all.
Kees1958
October 26th, 2007, 01:13 AM
Solcroft,
Look at the attached image. I have a C partition with Programs and a D partition with Data. User documents are moved to D:\ So a different result or version of the Trojan.
I would not consider sending a text file with your directories a harmless FP. But be free to think so.
solcroft
October 26th, 2007, 01:22 AM
-{ Quote: "I would not consider sending a text file with your directories a harmless FP. But be free to think so." }-
Well, if that is the case... to reiterate an earlier point, perhaps your expectations would be better served by a "dumb" HIPS that blocks every individual action, including ones performed by these test programs that use sensationalist terms to describe the situation when they do manage to simulate an attack, instead of intelligent behavior blockers that analyze a process to determine if it's actually malware.
Kees1958
October 26th, 2007, 01:35 AM
Solcroft,
Thanks for the advice, but I am quite happy with the Behavioral Blocker + Soft/policy sandbox on every machine. I am not attacking TF, I am also happy with it (as with PRSC and A2 IDS).
Regards Kees
Kees1958
October 26th, 2007, 01:38 AM
-{ Quote: "Hi, folks: I am using PRSC, and am eager to learn more from members; each time I noticed a fresh posting in this thread, I rushed to click and found NOTHING; NADA; related to it, again, the TF talks. I just wonder, can you guys open a new battlefield for that matter somewhere out there? Your dialogues are informative, but in the wrong channel, I suppose. :P" }-
Point taken.
Perman
October 26th, 2007, 01:43 AM
Hi, folks: Now I have felt the intensive heat generated by the conflict between HIPS and behavior blocker; not by you guys' debates, but rather by my own making. I have Sunbelt Kerio firewall 4.5.916 and TH installed on one PC. The HIPS feature of Kerio keeps popping up alerts re TH's intrusions; in spite of my repeated green lights, alerts are still continuing, off and on again. One quick question though, why would Kerio's HIPS be so sensitive to TH's behavior, but not to another app, PRSC, a behavior blocker incidentally? Is TH deeper in hooking or something?
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums