ThreatFire 4.0.0.6 just released

Discussion in 'other anti-malware software' started by hany3, Oct 20, 2008.

Thread Status:
Not open for further replies.
  1. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I had the exact thing happen. This was on my XP Pro (SP3) machine. I also had Avast Home on and was using the Windows firewall.

    Ice
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting.

    At least some effort has finally gone into prepping TF and not just ignoring the obvious like before. I'm going to give it a try myself and I really applaud the return of the Custom Rules even in the free version.

    UPDATE:
    Can some of you "test" this TF v4 with any ole DLL injector and report your results? Because I can successfully inject any DLL into any running process and this version of TF doesn't so much as raise a stink = silent.
    Important because even old Cyberhawk version 1.1.1.3 trips an immediate alert the very moment it detects ANY DLL injections.
     
    Last edited: Oct 22, 2008
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    OK, I decided to do a quick test of TF and installed accordingly. But at the end of the installation, when WinPatrol noted the TF presence, the system suddenly froze. I couldn't capture any screenshots since everything stopped working. I had to shut down the "brutal" way and restarted again into my admin account. Same behavior as before: everything was frozen and I couldn't do anything. I restarted once more into safe mode and now I had control over the system. But since the system apparently became very unstable from this installation, I reverted back to my previous state using an image.

    The security applications (latest versions) I'm currently testing/using on my Win XP SP3 system are:

    DEP - "AlwaysOn"
    Spyberus
    Sandboxie
    MBAM
    SuRun
    KeyScrambler
    Avast
    Windows Defender
    Comodo Memory Firewall
    WinPatrol

    I suspect that the cause of this conflict is DEP using the "AlwaysOn" switch, which can be "rough" on some applications. I never changed to "OptOut" in safe mode, which could have straightened things out if DEP was the cause, since I don't have the time right now to go further into this.

    EDIT: There's another potential reason for my system freeze when I tried to install TF, which could be Spyberus. It's still in beta and I've had an issue between Spyberus and RootRepeal which also resulted in a total freeze of my system. I've also had a minor problem with MBAM. So if it's Spyberus that is the cause, whose main task is to monitor files and registry keys on new installations, then that could be a possible explanation for the above installation issue with TF. I think Kees is also testing Spyberus together with TF, so if he could drop by and comment on this combination...

    /C.
     
    Last edited: Oct 23, 2008
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for running a preliminary with this freshest version. It's obvious for you there exists some definite conflict and perhaps your conclusions are accurate.

    I have to say I'm running TF 4 with both MBAM & SAS plus Real-Time Defender (HIPS) along with SandboxIE on this system right now and there's been no total freeze like yours. However, after setting up Custom Rules for the "My Documents" folder, then attempting to run an executable after checking all 4 boxes, TF 4 froze the system for a second or two before the alert prompt came up, first for explorer.exe (Proceed) then for my executable, which I denied. That was just to ensure the Custom Rules were working as expected.

    Thanks EASTER
     
    Last edited: Oct 22, 2008
  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    I'm surprised you made it to your desktop with that battery of programs. Whenever I test a new security software, I disable any similar type of software (drivers too).
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It took a few rounds for this TF 4 to get used to my system, I guess.

    I ran a battery of DLL injection tests at it right after install & reboot.

    At first it wouldn't alert to them.

    After a few more tries it began to pick up VERY NICELY "all" the injection tests I ran at it, including leaktests like Jumper.exe, and so TF boldly stepped in and aborted them promptly.

    It's definitely the kind of improvement many have long waited for, it looks like. I just hope it doesn't start showing FPs like has plagued this app so many times before, but so far so good here.

    I don't mind the minor inconvenience of a short delay in its operation as long as it functions like it's doing now, since my system doesn't carry the most advanced memory found on most of today's systems.

    More testing coming up...
     
  7. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Well it looks worse than it really is :).

    As I mentioned in my above post, I only wanted to make a quick stress test, and that includes running with several other security applications simultaneously. As you can see among my applications, the only ones that to some degree monitor the same key areas as TF, and therefore could potentially interfere, would be WinPatrol and Windows Defender (HIPS part activated). But since neither conflicts with TF regarding its hooks (earlier test with TF 3.5 using hooking detection tools), it wouldn't be any problem. TF could also potentially interfere with Avast, Windows Defender and MBAM if a malicious binary is executed (the AV part of TF), but I never got that far this time :).

    But you are right of course, normally one should terminate other security applications/drivers to avoid conflicts while installing. On the other hand, how many users under normal circumstances shut down their security applications while installing?

    /C.
     
    Last edited: Oct 22, 2008
  8. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    It is PC Tools antivirus signatures.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes it is, and its engine is from VirusBuster.
     
  10. agagouga

    agagouga Registered Member

    Joined:
    May 21, 2008
    Posts:
    26
    Hi folks,
    I have installed ThreatFire 3.5, with many custom rules set up...
    What happens to custom rules if I update to v4? o_O

    (update) OK, I just uninstalled 3.5, deleted everything that remained & am just checking version 4.
    It seems light (compared to 3.5), I like the "working now" update (with auto disabled) & the pre-defined custom rules look enough :thumb:
    I disabled all of ThreatFire's internet connectivity through the firewall, except TFUN.exe :ninja:
     
    Last edited: Oct 22, 2008
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Has anyone installed ThreatFire 4, with AVG 8.0? Any problems at all?

    There was a Please Read Before Updating Threatfire If You Have AVG8 Installed post in their forum and one person seemed to have a browsing speed issue with the new version, although PC Tools did reply "We have them both working quite well on both xp and vista machines here."

    PCWorld, in their latest November issue, stated that version 3.5 conflicted with AVG and that PC Tools was working on a fix. I'm wondering whether version 4 was that fix. :doubt:
     
  12. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    There's another potential reason for my system freeze when I tried to install TF, which could be Spyberus. It's still in beta and I've had an issue between Spyberus and RootRepeal which also resulted in a total freeze of my system. I've also had a minor problem with MBAM. So if it's Spyberus that is the cause, whose main task is to monitor files and registry keys on new installations, then that could be a possible explanation for the above installation issue with TF. I think Kees is also testing Spyberus together with TF, so if he could drop by and comment on this combination...

    I've edited my earlier post regarding this issue.

    /C.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    I noticed that some applications like Startup Control Panel and TF (after a quarantine undoing registry/file changes) sometimes corrupt Spyberus' internal database. They seem to use a mechanism which is detected by Spyberus, but can't always be handled in the correct way.

    MBAM initiates software updates from the TEMP directory (not database updates), which in itself is suspicious behaviour. It would be better if MBAM used its own application data section in the Documents and Settings directory of the user to avoid conflicts with other security programs (or offered an option for which temp directories to use, like Avira has).

    It is really a pity because I like the left-over (clutter) removal feature of Spyberus. I removed Spyberus from my setup, because I could not resist trying the latest TF release against PoCs and malware.

    QUESTION: it seems that TF now only uses one third of the CPU time (V4 versus V3.5); TF seems as light as A2 (paid) now. Did anyone else measure the system load of TF?

    Regards Kees
     
    Last edited: Oct 23, 2008
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The temptation is too much to resist for me also because we're grossly limited when it comes to pure Behavioral Blockers as opposed to HIPS.

    I like it now and it works as expected, but there's still some "kinks" in the programming code that definitely need attention and resolving IMO. It's not as "snappy" as MAMUTU on alerting, for one. That delay is obvious but not a deal breaker by any stretch, but it would be of benefit for them to trim the code to make it quicker in response IMO. Or it might just be my machine. At any rate MAMUTU is "immediate" whereas this TF4 is delayed, if only by a few seconds, on my machine.

    The Custom Rules seem to be working much better as expected. Something i haven't experienced since Novatix's Cyberhawk.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    It looks like TF did a redesign on the registration part and the analysis part of the code. The registration part (the information you get when an intervention is performed by TF) now seems to act like the virtualisation mechanism of Spyberus. TF checks at an intrusion whether it is known malware; when not, it starts registration mode (like Spyberus), a different piece of code seems to interpret the changes made and throws a pop-up when it encounters actions which can't be reversed or a suspicious behaviour pattern is recognised. You always complained that TF consisted of too many software modules. I think they use that to their advantage now.

    This delay seems to be in fact a very smart solution to improve performance and use the power of multi-core CPUs.

    My guess is that it is not a glitch but a very very smart way of combining some sort of virtualisation (like Spyberus) with behaviour pattern analysis (like PRSC). This smart feature definitely reduces the chance of false positives.

    Regards Kees
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I wish they could have added some custom rules to make it a complete HIPS for those who wanted, like:

    1- Direct disk access
    2- Driver/service install, loading
    3- Direct keyboard access
    4- Outbound FW (by giving just a DENY option on pop-ups; custom network access rule)
    5- System shutdown try

    It would have made it a complete HIPS. No. 1 and 4 are most important IMO. I read long ago they are going to implement outbound control somehow but did not see it in this version either.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I agree with aigle.

    I was just thinking this same thing while testing it today and thought "if only TF could alert to physical memory access, that would be a great bonus." I can live without the outbound part, but I certainly welcome it should they decide to add that in also.

    This TF 4 is just those "points of concern" aigle posted away from becoming a full-blown HIPS, as I see it.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think it might be intercepting physical memory access as part of its behaviour filters but will not alert you unless something really malicious is there. Just my guess. I did not test it specifically.
     
  19. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Thanks for this confirmation Kees. I will uninstall Spyberus as well and soon undertake the installation of TF. However, I really like Spyberus because I regard it as some sort of replacement for the long missing InCtrl5. So I will contact Robot Genius regarding these issues it has with certain types of applications.

    EDIT: Since I uninstalled Spyberus, manually cleaned the registry of leftovers and made a cold reboot, there were no more issues with the installation of TF. Everything ran perfectly :). So I withdraw my earlier suspicion regarding DEP using the "AlwaysOn" switch.

    /C.
     
    Last edited: Oct 23, 2008
  20. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Prior versions were slow, and I used to install this software on many systems just to learn it didn't stop behavior viruses or spyware; the pests still got onto users' systems. It still doesn't work on OS Web Server; it tries to work but still doesn't do it. I have to go into safe mode to remove it. OS Web Server loads normally again. PC Tools free software seems to be headed to adware to get a free registered version of their Anti-Virus program.

    The starter editions of Spyware Doctor with Anti-Virus are still freeware.
    You get the full version of PCTAV and only File Protection with the SD part, more than you need. You would still have to install the slow, ineffective TF. I still say that RegProt does a better job though.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This TF 4 is unequivocally ON-TRACK "BUT", I notice it suffers from some slowness/delay on alerting and that's a valid concern.

    Now if only they can juice up the programming code to pop up more instantly, I'll be thoroughly convinced TF is on the same level as MAMUTU. There's a definite delay that is a bit annoying for me personally, but then again I suspect that delay has to do with the ONLINE community protection connection that places extra demand/time to filter through its online database.

    If it were me, I would propose some way to download those community protections locally rather than depend on the internet, and that might eliminate its delay.

    All in all I am VERY THOROUGHLY IMPRESSED with this newest TF 4 release, however they absolutely need to speed it up IMO.

    EASTER
     
  22. rolarocka

    rolarocka Guest

    Yeah, but Mamutu doesn't have a rollback function like ThreatFire does. That's why it takes longer to pop up. It records everything the malware does and rolls it back to the previous system state. A big + over Mamutu. I tested TF4 with malware and thought wow, TF is sleeping, but no, the popup came after a few seconds and there was a lot in the log. Of course TF reverted it all back and MBAM and SAS didn't find anything after that :thumb: .
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rolarocka,

    I agree fully, see my post #40, https://www.wilderssecurity.com/showpost.php?p=1336619&postcount=40. It is not a malfunction but a big plus over the competition. It is like having the benefits of Spyberus (roll back) and PRSC (practically zero FPs) plus a filter of known bad guys (not execution of A2 malware, but on exception check with the VirusBuster database) when an intrusion occurs, in 1 application.

    So guys, stop complaining: the delay comes with the benefits of practically zero false positives AND a performance increase.

    Regards Kees
     
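A toy model, added here and not ThreatFire's or PC Tools' code, of the record-then-judge design Kees describes in posts #15 and #23: reversible changes are journaled and allowed, the verdict is deferred until an irreversible action or a suspicious sequence is seen, and the journal is then unwound. The action kinds, the sample traces and the placeholder signature set are all constructed for the demo.

```python
# Constructed model of a "record first, judge later" behaviour blocker.
# Not ThreatFire's code; all names, traces and the signature set are invented.
from dataclasses import dataclass, field

# Action kinds the blocker cannot undo by restoring an old value.
IRREVERSIBLE = {"inject", "network"}
# Drop a binary + persist it + inject into another process is judged only
# once the whole sequence is in the journal: this is where the delay comes from.
SUSPICIOUS_PATTERN = {"file", "registry", "inject"}
KNOWN_BAD = {"PLACEHOLDER_HASH_OF_KNOWN_SAMPLE"}  # stands in for a signature database

# Constructed sample traces: (kind, target, old_value, new_value);
# old_value None means the target did not exist before the change.
SAMPLE_TRACE = [
    ("file", r"C:\Users\demo\AppData\svc.exe", None, "<dropped binary>"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     None, r"C:\Users\demo\AppData\svc.exe"),
    ("inject", "explorer.exe", None, "svc.dll"),
]
BENIGN_TRACE = [("file", r"C:\Users\demo\notes.txt", None, "hello")]


@dataclass
class Journal:
    """Undo log of the reversible changes made while the process was watched."""
    entries: list = field(default_factory=list)

    def rollback(self, state: dict) -> dict:
        # Unwind newest-first so repeated writes to one target restore correctly.
        for kind, target, old, _new in reversed(self.entries):
            if kind in IRREVERSIBLE:
                continue  # was never applied, nothing to undo
            if old is None:
                state.pop(target, None)
            else:
                state[target] = old
        return state


def monitor(trace, state: dict, signature=None):
    """Return (verdict, state, journal) for one process's recorded actions."""
    if signature in KNOWN_BAD:  # signature hit: block at once, no journaling
        return "blocked_by_signature", state, Journal()
    journal = Journal()
    for kind, target, old, new in trace:
        journal.entries.append((kind, target, old, new))
        if kind not in IRREVERSIBLE:
            state[target] = new  # reversible change is allowed but logged
        seen = {e[0] for e in journal.entries}
        if kind in IRREVERSIBLE or SUSPICIOUS_PATTERN <= seen:
            return "alert_and_rolled_back", journal.rollback(state), journal
    return "allowed", state, journal


if __name__ == "__main__":
    print(monitor(SAMPLE_TRACE, {})[:2])  # constructed trace is unwound
```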
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I wonder if this version of TF would get along with and benefit NIS2009? I've read that NIS2009 includes Norton Antibot technology so perhaps these programs would step on each other?
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that confirmation on the delay.

    That in no way deters me from looking at TF 4 any differently; it definitely has been vastly improved and I am quite encouraged now that they finally sharpened up this Behavioral Blocker as everyone has been expecting for a very long time.

    My single only desire is that they add a DENY feature too along with Quarantine. For many like me, that would round out this very well improved security app greatly.

    Pleased w/ Threatfire 4 for the very first time ever. ;)
     