Wilders Security Forums  

  #1  
Old June 26th, 2008, 04:45 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default What's Wrong with Threatfire?

Why, when it supposedly "detects a threat", does it NOT tell you what that threat is? Also, why do files that you ask it to kill and quarantine NEVER show up in the detected threats NOR the quarantine list? Does it just not like my system or what the heck is wrong with this supposed "great security addition"? What good is a security app that just kills/deletes/quarantines whatever it pleases and then doesn't even bother to tell you why it did it?

I'm not especially good with trying to figure what's bad and what's good, but I also don't want some program deciding for me and not at least give me a general idea of what the problem is. This is at least the 4th time I've tried this program out, maybe it's good, I don't know, all I do know is when it's installed, my system noticeably slows and the program just does whatever the heck it wants to. I posted this mostly as a rant but also in the hopes maybe someone could give an idea of why it acts like it's keeping national security secrets every time it detects something.

Edit: Well, I found out why it did it, though only by starting up Internet Explorer afterward. After removing what was deemed to be a safe program by Avira, SAS Pro and checking the EULA against EULA Analyzer, I found that the program damn near destroyed Internet Explorer. Luckily the files remained in the Recycle Bin and since restoring them it SEEMS to be working fine again. I still stand by my rant though, Threatfire could have told me a hell of a lot more than just "detected malicious behavior, allow/quarantine".

Last edited by dw426 : June 26th, 2008 at 05:00 PM.
  #2  
Old June 26th, 2008, 04:59 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: What's Wrong with Threatfire?

Hello:

TF didn't sit well with my set up either, as to why that is for their gurus to explain. PC Tools has a forum that may shed light on its functions or lack of.

See this thread for more discussion on alternatives

http://www.wilderssecurity.com/showp...52&postcount=1
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #3  
Old June 26th, 2008, 08:28 PM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: What's Wrong with Threatfire?

I didn't have any problems with ThreatFire, I just don't like the blacklist part.
Does Mamutu also have a blacklist part ? I need a behavior blocker without AV and without questions, if possible.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #4  
Old June 27th, 2008, 08:13 AM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ErikAlbert
I didn't have any problems with ThreatFire, I just don't like the blacklist part.
Does Mamutu also have a blacklist part ? I need a behavior blocker without AV and without questions, if possible.

If you find one, let me know please. I'm perfectly fine with HIPS as a concept and as a good tool to use, but it's still just too difficult for me to figure out what all the pop-ups mean when HIPS does tell me what went wrong, and I'm completely stupid when it comes to figuring out what to do when HIPS doesn't give enough information
  #5  
Old June 27th, 2008, 08:42 AM
Someone Someone is offline
Very Frequent Poster
 
Join Date: Jan 2008
Posts: 1,106
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ErikAlbert
I didn't have any problems with ThreatFire, I just don't like the blacklist part.
Does Mamutu also have a blacklist part ? I need a behavior blocker without AV and without questions, if possible.

Hi

I think PRSC/NAB and Mamutu both do not use signature scanning.
  #6  
Old June 27th, 2008, 08:54 AM
ola nordmann ola nordmann is offline
Regular Poster
 
Join Date: May 2007
Posts: 89
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ErikAlbert
I didn't have any problems with ThreatFire, I just don't like the blacklist part.
Does Mamutu also have a blacklist part ? I need a behavior blocker without AV and without questions, if possible.

I like ThreatFire, and considering the price tag it's a real bargain of an "intelligent" HIPS

The AV is on-demand only, so you don't have to use it unless you really want.

(There are probably better AV scanners out there anyway ; )
  #7  
Old June 27th, 2008, 09:24 AM
Someone Someone is offline
Very Frequent Poster
 
Join Date: Jan 2008
Posts: 1,106
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ola nordmann
I like ThreatFire, and considering the price tag it's a real bargain of an "intelligent" HIPS

The AV is on-demand only, so you don't have to use it unless you really want.

(There are probably better AV scanners out there anyway ; )

Hi

The AV also scans files that the behavioural blocker found suspicious before it alerts you.
  #8  
Old June 27th, 2008, 11:13 AM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,411
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by Someone
Hi

I think PRSC/NAB and Mamutu both do not use signature scanning.

PRSC/ NAB has a small black list too.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #9  
Old June 27th, 2008, 11:32 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: What's Wrong with Threatfire?

OK Guys, thanks a lot for your input. I will dream about it first and then decide what to do. A behavior blocker would be my 4th security software.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #10  
Old June 27th, 2008, 11:36 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by dw426
If you find one, let me know please. I'm perfectly fine with HIPS as a concept and as a good tool to use, but it's still just too difficult for me to figure out what all the pop-ups mean when HIPS does tell me what went wrong, and I'm completely stupid when it comes to figuring out what to do when HIPS doesn't give enough information

That makes two of us. Maybe we are too smart to use HIPS.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #11  
Old June 27th, 2008, 12:14 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ErikAlbert
That makes two of us. Maybe we are too smart to use HIPS.

Could be. I'm afraid the real answer in my case though is that, at least right now, HIPS might as well be quantum physics to me, lol.
  #12  
Old June 27th, 2008, 03:19 PM
simmikie simmikie is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 321
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by ErikAlbert
I didn't have any problems with ThreatFire, I just don't like the blacklist part.
Does Mamutu also have a blacklist part ? I need a behavior blocker without AV and without questions, if possible.

while it is completely your business, i am more than a little curious as to why (and i realise this is a character flaw, but i prefer a rational over emotional reason..please) you dislike blacklisting.

i personally like whitelist and blacklist apps like Prevx2 (damn i used the P word) as i believe they reduce potential FP's and pop-ups. but as i am not technically strong, i very well could be missing something. do what you do well Erik, enlighten me.


Mike
  #13  
Old July 2nd, 2008, 01:49 AM
EASTER EASTER is online now
Massive Poster
 
Join Date: Jul 2007
Location: U.S.A. (South)
Posts: 4,506
Default Re: What's Wrong with Threatfire?

After doing a little research into Cyberhawk (early versions) and then my short trials of TF where i ran into the same issues as most others, i might be wrong but going back to later Cyberhawk versions where they went from (3) drivers over to (4) i think that's where the most trouble lies. In Cyberhawk (3) driver apps, the program performs exceptional for me. If i install an early version beyond that with the (4) drivers, that's where my system begins to experience chokes & issues. I've seen the same (4) drivers are also implemented into TF, and combine that with the extras they've added, i've been reading more disappointments and concerns on an ever growing basis and some users dumping it altogether.

I'm no programmer, but it doesn't take one to make an inventory of what an app uses to carry out its designed purposes, and for better or worse, right or wrong, i've settled on that conclusion because with the CH (3) driver implementation, i get instant results, immediate termination of the source offending file (usually dll injections), and complete stability with absolutely no slow downs or burps whatsoever.

I would say it's time for them to trim the fat a bit, and take some stock from early CyberHawk versions to better TF and reduce its load and issues.

EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★| EQSecure v4.0 Beta3 |#Sandboxie 4.08 beta# |FirstDefense-ISR|★FileChangeAlarm★ |Linux Mint 14
Maxthon 3.3.6 | X Iron 17.0 | Chromium 19.0 | CometBird 11

Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot
  #14  
Old July 4th, 2008, 01:32 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by dw426
I also don't want some program deciding for me and not at least give me a general idea of what the problem is.

True,

I complained at PC Tools that the way TF works, a restore point should be made before quarantining to correct errors (1st / top image setting). See pic, after this change, you can set TF to decide more for you (2nd / bottom image settings)
[Attached image: TF.JPG]

  #15  
Old July 4th, 2008, 01:37 AM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by Kees1958
True,

I complained at PC Tools that the way TF works, a restore point should be made before quarantining to correct errors (1st / top image setting). See pic, after this change, you can set TF to decide more for you (2nd / bottom image settings)

Thanks for that tip Kees, I appreciate it
  #16  
Old July 4th, 2008, 02:38 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by dw426
Thanks for that tip Kees, I appreciate it


You can also press the "learn more from this threat" link in the pop-up. It will generate a Google search. (Note I have set protection level to 4, this seems to generate a warning sooner, and drags less correction with it, causing less damage to existing programs: in simple terms, you reduce the risk of quarantining your browser when a malware is targeting it, but could face some/little more pop-ups). Because TF fires earlier, less has to be corrected, level four also seems to have a positive effect on CPU usage (I have not encountered the down side of generating more FP's at level 4)
  #17  
Old July 4th, 2008, 05:54 AM
GES/POR GES/POR is offline
Very Frequent Poster
 
Join Date: Nov 2006
Location: Armacham
Posts: 1,476
Default Re: What's Wrong with Threatfire?

Your posts Kees should be made a sticky! Excellent tweak!
__________________
Vista 64

Last edited by GES/POR : July 4th, 2008 at 01:31 PM.
  #18  
Old July 4th, 2008, 10:16 AM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by Kees1958
You can also press the "learn more from this threat" link in the pop-up. It will generate a Google search. (Note I have set protection level to 4, this seems to generate a warning sooner, and drags less correction with it, causing less damage to existing programs: in simple terms, you reduce the risk of quarantining your browser when a malware is targeting it, but could face some/little more pop-ups). Because TF fires earlier, less has to be corrected, level four also seems to have a positive effect on CPU usage (I have not encountered the down side of generating more FP's at level 4)

Hi there Kees, yes, I knew about the "Learn more" option, but more often than not the threat Threatfire would report was labeled "Unknown" which made a Google search pretty hard to do
  #19  
Old July 5th, 2008, 02:03 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Well Kees1958, I appreciate all the help you gave me regarding Rising and such, but my system just hates HIPS it seems. After running Rising overnight, it started giving me reboots (much like DriveSentry still does). I just can't keep messing around with this stuff and crashing the system over and over again. So, here is what I have done;

1. Took out GesWall and put SBIE back on.

2. Added Threatfire and set it to Level 4 along with changing the default actions per your post earlier in this thread. I do notice much less slowdown now.

3. Took out Rising and put Avast Home back on. What can I say, AV Comparatives aside, I like this AV. It's easy on the system and covers web scanning and P2P, the two areas I consider very important these days.

I decided to leave Returnil off since, if I read correctly one of your posts, two virtualizations are not necessary. I'm going to be adding Opera today so my browser safety is in check I believe. I'm not sure what the deal is, but it seems like the more "hardcore" security I put on this thing, the more troubles I have. My current set up buzzes right along. I'm always open to more advice, but like I said, the more protection I seem to add the worse things perform. I don't know, what do you think of the set up I have now?
  #20  
Old July 5th, 2008, 02:06 PM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by dw426
My current set up buzzes right along. I'm always open to more advice, but like I said, the more protection I seem to add the worse things perform. I don't know, what do you think of the set up I have now?

Avast + ThreatFire + SBIE = near digital Fort Knox, so you are okay, do not worry
  #21  
Old July 5th, 2008, 02:15 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What's Wrong with Threatfire?

Quote:
Originally Posted by Kees1958
Avast + ThreatFire + SBIE = near digital Fort Knox, so you are okay, do not worry

That's good to hear, thank you. Now maybe I can sleep better tonight instead of being in bed worrying about settings, which I did, lol.
  #22  
Old July 6th, 2008, 01:51 AM
EASTER EASTER is online now
Massive Poster
 
Join Date: Jul 2007
Location: U.S.A. (South)
Posts: 4,506
Default Re: What's Wrong with Threatfire?

I'm trying my best to cozy up to TF, and some of you seem to express complete confidence in it so i'm asking for some of your opinions.

Aside from incompatibility issues with a few apps, do you find it effective? I mean have you tested it locally on your system with both leaktest samples and/or real malware? And are you pleased with its results?

Also, there's been mentioned CPU taxing with TF, is this a sporadic random experience or do you notice any over strain on the CPU while it's engaged?

One more question. Can you verify TF uses (4) drivers to accomplish its purpose or (3)?

Thanks EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★| EQSecure v4.0 Beta3 |#Sandboxie 4.08 beta# |FirstDefense-ISR|★FileChangeAlarm★ |Linux Mint 14
Maxthon 3.3.6 | X Iron 17.0 | Chromium 19.0 | CometBird 11

Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot
  #23  
Old July 6th, 2008, 01:20 PM
Firebytes Firebytes is offline
Frequent Poster
 
Join Date: May 2007
Posts: 859
Default Re: What's Wrong with Threatfire?

@Easter

I have TF on two systems and I haven't noticed the slowdown that some users report on either of my systems. I have never had it interfere with any programs on my computers either with the exception of one. The only program I have had it interfere with is LockNote and it only does it on one of my systems for some reason. I have to suspend TF when I want to use LN on that system.

Also, TF does use four drivers.
[Attached image: TFDrivers.jpg]
  #24  
Old July 6th, 2008, 02:07 PM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 2,754
Default Re: What's Wrong with Threatfire?

My main issue with Threatfire is that i hate the network module. I can feel it adding lag time to browsing. I hate it, i hate it, i hate it. And if you disable it, you get repeated errors in the XP Event Viewer. I wish they would simply make it possible to disable the damn module in options.

Otherwise Threatfire isn't particularly CPU hungry.
  #25  
Old July 6th, 2008, 02:12 PM
rolarocka
 
Posts: n/a
Default Re: What's Wrong with Threatfire?

Yes threatfire slows down my system a bit but i do have an old athlon xp 3200 so i notice every minimal slowdown caused by software. I don't think you will notice any slowdowns at all with a quad core. I have seen threatfire doing a better job than traditional AV's. Threatfire was always a few hours and sometimes a few days ahead of those AV's and their signatures.
 

All times are GMT -4.


Copyright ©2002 - 2013, Wilders Security Forums