Wow! I can't believe how light ThreatFire is.

[ratchet]

It's basically like it isn't even there. I only surf sandboxed and have several other applications monitoring things, so I'm not even sure I need this, however, had I known how quite it was I'd have installed it back in the CyberHawk days. I was under the impression that hips drove one nuts!

[Cerxes]

If you want to become mental I recommend you trying some of the classical HIPS.

/C.

[Rasheed187]

Actually, most HIPS are light on resources, so that´s nothing special. But to me ThreatFire is not an option because I need to have more control. That´s why I use Neoava Guard, it offers about the same protection and can be less "noisy" if configured in a certain way. Of course ThreatFire does have a couple of interesting features like buffer overflow protection and a rollback option (according to Solcroft).

ThreatFire is light and gives a nice protection, IMO.

Surprisingly its quite light, last time I tried CH, wasn't impressed but now with TF, it has improved a lot, a good low resource addition to Avira Premium.

[Fuzzfas]

I guess light is something subjective. In my PC TFservice is 3rd in CPU Time, only after to System idle (thank God) and to System (00.14.14)... It beats even Opera by a little.

Classical HIPS, like PG or SSM, are WAY lighter in this sector that TF. They are like 00.00.02 or less CPU Time, compared to 00.08.13 which i have right now. The advantage of TF being that you don't have to click on everything.

[Diver]

My tests done on a with and without basis show that with Threatfire, Super Pi (4M calculation) takes about 6% more time. That would be two instances on a dual core machine. However, the machine does not feel like it has any less snap.

[Vettetech]

I personally dont see the point with Threat Fire. I use OA for my firewall and NOD32 3.0 for my av. I do a spyware scan once a week with SAS and Ashampoo Antispyware.

[TerryWood]

Hi All

Threatfire might be light but it does not stop the Keyloggertest referred to in another thread on this forum. What I do'nt understand is why all the euphoria about this and other security products which signally fail to stop keyloggers which have the potential for devastating consequences.

Terry

[Pedro]

Quote:

Originally Posted by TerryWood

Threatfire might be light but it does not stop the Keyloggertest referred to in another thread on this forum. What I do'nt understand is why all the euphoria about this and other security products which signally fail to stop keyloggers which have the potential for devastating consequences.

If it alerts to a test, it's probably a false positive. TF is meant to detect real malicious behavior, not tests. The test would have to do a bit more than record keystrokes.

[aigle]

No, No, No
TF must alert as it,s a behav blocker( unless test is white listed in its data base).TF is poor in keylogging behavior detection.

[aigle]

Quote:

Originally Posted by TerryWood

Hi All

Threatfire might be light but it does not stop the Keyloggertest referred to in another thread on this forum. What I do'nt understand is why all the euphoria about this and other security products which signally fail to stop keyloggers which have the potential for devastating consequences.

Terry

TF is poor in keyloggers detection. A while ago, they had actually removed the keylogging detection due to so many false positives.

[TerryWood]

Hi & thanks to Aigle

I had not realised that T/F was no protection for keyloggers.

T/F is not what I thought it was. Not a very good advert. Half a prgram?

Terry

[aigle]

I also wonder when I see TF failing even against simple keyboard hooking. Very strange indeed. Why they can,t add it like lot of other HIPS? I guess may be they are afraid of false positives as legit keyboard hooks are very comon as well.

[Cerxes]

With those features removed, one could wonder over TF's practical value...

Btw, TF have a high I/O dataflow value, so I can´t agree that TF runs "light", even if this should not cause any performance problem with a fast machine.

/C.

[Dogbiscuit]

It normally takes a second or less to log out of a user account on my system. It takes at least 4-5 seconds with Threatfire - though, I haven't come across anything else that noticeable.

[solcroft]

Quote:

Originally Posted by aigle

No, No, No
TF must alert as it,s a behav blocker( unless test is white listed in its data base).TF is poor in keylogging behavior detection.

No, no, no.

Why "must" TF flag it if it's a test and does nothing really malicious? Like you mentioned, TF is a behavior blocker; you're right about that, but do you know what that means?

It means that TF doesn't popup alerts on singular actions, unlike a "dumb" HIPS who cannot determine whether a process is malicious and hence needs to alert on EVERY action and leave the decision to the user. Against some processes TF will wait to analyze a series of actions the process takes so as to determine whether it's a malicious program. I'll be worried when I see TF fail against a real keylogger trojan; getting worked up over sensationalist but harmless tests like these is a waste of time and effort.

[lucas1985]

Like an AV, a behav. blocker/analyzer must be tested with real malware, not PoC/leaktests

[bellgamin]

Quote:

Originally Posted by lucas1985

Like an AV, a behav. blocker/analyzer must be tested with real malware, not PoC/leaktests

"The tests are not meaninful" -- for a long time that SORT of statement was the rejoinder used by Prevx when they failed various tests. In udder words (said the cow)...

*If you can't raise the bridge, lower the water.
**If you can't disprove the message, then SHOOT the messenger.
***If you can't defend your client, defend the flag.

Actually I think TF is a good bit of security software, but responding to a negative comment by using unsupported assertions doesn't truly satisfy.

[solcroft]

Quote:

Originally Posted by bellgamin

"The tests are not meaninful" -- for a long time that SORT of statement was the rejoinder used by Prevx when they failed various tests. In udder words (said the cow)...

*If you can't raise the bridge, lower the water.
**If you can't disprove the message, then SHOOT the messenger.
***If you can't defend your client, defend the flag.

Actually I think TF is a good bit of security software, but responding to a negative comment by using unsupported assertions doesn't truly satisfy.

If Prevx advertised itself by saying "we detect test programs!", then your statements might be meaningful.

I can remember the scores of people who used SpyCar or Scoundrel Simulator against antivirus software, and used these as evidence to cry that their antivirus programs were not effective.

It's a very interesting situation with test programs. On one hand, you have vendors who create test programs for their own marketing benefit, knowing full well their own products pass their own tests, and use sensationalist terms to describe the consequences of failing their test, which are often only half-true at best IF the tests are used against the proper type of security software. On one hand, you have people who've armed themselves with all sorts of security programs but have never seen any malware in all their lives, and get all terribly excited like a child on Christmas morning whenever any of their programs alert on something and anything. Altogether, watching how the newbies react makes for a very amusing scenario.

[bellgamin]

Quote:

Originally Posted by TerryWood

Threatfire might be light but it does not stop the Keyloggertest referred to in another thread on this forum.

Could you provide a link, please? I searched but couldn't find the comment you referred to.
~~~~~~~~~~~
I'm not out to yank anybody's chain. Instead, I'm trying to get hard facts about TF's ability to deal with keyloggers. The idea of a keylogger ever being able to successfully hide itself within my system alarms me more than any other type of infection I can think of.

I want to use TF. I like it a lot. However, now that the fickle finger of FUD has been hoisted, I have to have factual information about its ability to spot/block keyloggers. Otherwise, I can't use it as of now.

TF is so dadummed good (and so nicely FREE) that it *deserves* to be tested in a valid manner. I have ZERO expertise for doing such a test. Hopefully someone else does have the time and know-how to do it. I sincerely hope so.

[aigle]

Quote:

Originally Posted by solcroft

No, no, no.

Why "must" TF flag it if it's a test and does nothing really malicious? Like you mentioned, TF is a behavior blocker; you're right about that, but do you know what that means?

It means that TF doesn't popup alerts on singular actions, unlike a "dumb" HIPS who cannot determine whether a process is malicious and hence needs to alert on EVERY action and leave the decision to the user. Against some processes TF will wait to analyze a series of actions the process takes so as to determine whether it's a malicious program. I'll be worried when I see TF fail against a real keylogger trojan; getting worked up over sensationalist but harmless tests like these is a waste of time and effort.

What series of actions you expect from a real keylogger? It will mainly record the keystrokes, may be one, two, three or ..... hundreds, thousands..... ( plus logging and/ or sending data outside)

TF will not alert you for keylogging no matter one key is logged or hundreds of keys are logged( it does detect few keyloggings methods but not most of them).

You must remember that it was announced by CH people that they have removed keylogger detection for the time being and i did not see any further announcement by them that they have added it again( they probably removed it due to many false alarms with few versions).

I tried some hook based ketloggers with an older version of CH in the past and they were detected on the besis of behavior. Now if I run those keyloggers, most of them are detected mainly by signatures( indicating that they increased signatures for keyloggers as they know CH/ TF is weak in this regard).

I think there are two extreme opinions. Some say POC/ tests are useless and others say they are as goos as real malware to test an application. Actually I think POCs/ tests are usefull unless you find a flaw in the POC/ test itself.

Quote:

TF doesn't popup alerts on singular actions

I think TF does alert on singular actions. Many examples:

1- Creating execuatble in root of C drive( single action)- u might remember ur testing with UltreExplorer
2- Adding a strat up reg entery
3- Installing a driver
4- Creating remote thread

There are many examples. Infact it is PRSC that triggers on multiple suspicious actions not TF. TF does trigger even on a single suspicious action. It,s my understanding. I can,t claim to be exactly right though. If you have evidence against it, share with us.

[sick0]

Quote:

Originally Posted by bellgamin

Could you provide a link, please? I searched but couldn't find the comment you referred to.

i think this is the thread TerryWood refers to about keylogger test...

http://www.wilderssecurity.com/showthread.php?t=193247

[solcroft]

Quote:

Originally Posted by aigle

What series of actions you expect from a real keylogger? It will mainly record the keystrokes, may be one, two, three or ..... hundreds, thousands..... ( plus logging and/ or sending data outside)

First I will expect it to install on my computer somehow without my knowledge. This involves attack of system/browser vulnerabilities for a remote installation, but not always, and will almost always involve creation of autostart entries. I expect it to have some basic capability of capturing only keystrokes from specific windows by via some actions at the application level. I expect it to connect to the internet, or manipulate other processes or attack the OS kernel to hide itself while doing this. Last but not least, I also expect it to be a windowless process, i.e. there will not be a window or taskbar icon sitting there and very helpfully informing me "HEY LOOK, I'M HERE LOGGING YOUR KEYSTROKES!"

Quote:

Originally Posted by aigle

You must remember that it was announced by CH people that they have removed keylogger detection for the time being and i did not see any further announcement by them that they have added it again( they probably removed it due to many false alarms with few versions).

I most certainly do not! I remember them saying they IMPROVED keylogger detection (which is a big difference from removing it). You might care to provide us with the version of CH that had keylogger detection removed from it, and proof of the Novatix team saying so. In fact, keylogger detection is certainly still there - assuming you don't have the samples to verify that yourself, check this thread.

Quote:

Originally Posted by aigle

I tried some hook based ketloggers with an older version of CH in the past and they were detected on the besis of behavior. Now if I run those keyloggers, most of them are detected mainly by signatures( indicating that they increased signatures for keyloggers as they know CH/ TF is weak in this regard).

If I run older worms and trojans, they will be detected as known malware as well. The fact is ThreatFire updates its databases of known good/bad files all the time. If you pay attention to the names it uses to report malware you'll see evidence that TF shares malware databases with Grisoft, McAfee and Trend Micro, among others. If your malware samples are especially old, then I'd be even less surprised they're detected as known malware; and no, this is not "proof" that TF is weak at keylogger detection.

Quote:

Originally Posted by aigle

I think there are two extreme opinions. Some say POC/ tests are useless and others say they are as goos as real malware to test an application. Actually I think POCs/ tests are usefull unless you find a flaw in the POC/ test itself.

I disagree. In the case of programs like TF and Prevx that are designed to detect malware, it's simply absurd to test them with anything else and expect the test to give credible results. Keylogger tests are useful to against HIPS. Why? Because a HIPS program is designed to alert on everything whether it's malicious or not, as long as it performs a specific, single action. Not TF!

Quote:

Originally Posted by aigle

I think TF does alert on singular actions. Many examples:

1- Creating execuatble in root of C drive( single action)- u might remember ur testing with UltreExplorer
2- Adding a strat up reg entery
3- Installing a driver
4- Creating remote thread

There are many examples. Infact it is PRSC that triggers on multiple suspicious actions not TF. TF does trigger even on a single suspicious action. It,s my understanding. I can,t claim to be exactly right though. If you have evidence against it, share with us.

1 is understandable, since that single action alone is dangerous enough to classify a process as malicious, and hence you don't need to monitor everything else (also, please note that it's COPYING an executable, not creating; there's a difference). As for the others, I've run plenty of programs that perform those actions, and TF remained silent. In fact, I daresay adding autostart entries and installing drivers are very common actions, and people perform them all the time! Don't you expect forums to be flooded about complaints of FPs by now, if that was indeed the case?

[Pedro]

aigle, think of it this way: what's the difference between this and notepad?