Is NOD and Threatfire sufficient?

I have been using NOD 2.7 and Threatfire for a while now without issue. I also use on-demand applications like SAS and SpywareBlaster, and use a hardware firewall/NAT router.

I'm not totally sure what Threatfire can be classified as (ie HIPS protection, firewall, registry blocker, virus, etc) so I'm not sure what holes exist in my security setup.

Do I have a need to use a program like DefenseWall and/or RegDefend, or do I have all my bases covered?

Thanks in advance for answering my noobish question!

 

ThreatFire is a malicious behavior blocker. Read this :
http://www.threatfire.com/about/

 

Sure, but couldn't a firewall, virus scanner, HIPS, and spyware programs all be considered a "malicious behavior blocker"?

I understand the concept; that it provides protection based on behavior rather than relying on signatures. Yet at what level does it provide that protection, and will it protect the registry, etc.

Ultimately I just was curious if I needed to worry about using a registry defender or not..

 

True, but one might re-word it a bit to...

Threatfire is a blocker of malicious behavior.

Or maybe...

Threatfire is a blocker of suspicious behavior.

Meanwhile, back on-point: NOD is a very good antivirus. TF is a very good HIPS.

You ask if they are *Sufficient* --- Sufficient for what? It depends. If you visit blackhat forums and flame people there, or if you download cracks, or if you hang out at porno sites, then NOD+TF might need a bit of help. But for most uses, NOD+TF should protect you very nicely indeed.

The actual malware that might try to screw your registry SHOULD be blocked by NOD+TF. However, if you want to SPECIFICALLY block potentially dangerous attempts to modify your registry, you can readily do that with TF's advanced rules, or else run freebie MJRegWatcher.

Now, concerning your question as to whether you should "WORRY about using a registry defender" -- IMO, one should always worry. That's what keeps the post count going here at Wilders. And never but NEVER look back (someone might be gaining on you).

 

On an XP box I only run ThreatFire and DefenseWall (behind a router with NAT/SPI firewall)

DefenseWall:
This will contain all internet facing aps in a limited user rights environment without. It is basically a policy enforcement HIPS which does not pop-up, ask you difficult questions.The charme of DW is that when you download a file, this file is also contained in the limited user rights environment. Version 2.4 has total untrusted file control (needs no user interferece, just works) and improved resource protection (meaning untrusted programs files are limited to acces a few unharmfull parts of the OS, files and registry)

ThreatFire
Basically is a behavior blocker. When something 'strange' happens on your PC (called an intrusion) it first check in the AntiVirus data base whether it is a known criminal. If so you are alerted like any other Antivirus. When not: it starts to track the behavior, when it succeeds a limit (that is the build intelligence), it will warn you. TF is also very quiet.

Your defense
First level should be a firewall (at least the default inbound firewall of Windows or Vista or better a FW build in a router or modem.

Second level is DefenseWall, it mitigates all threat gate programs

Third level is ThreatFire, acting both as an behavior blocker with ease of checking of its blacklist data base (the fingerprints of malware)

Should be very secure setup like this, easy to use (no pop-ups), although it is hard to believe but you do not need an additional Antivirus. If you have already purchased a lisence of NOD, that s fine keep using it. When you were considering the purchase (and are going to use ThreatFire) a policy HIPS like DefenseWall (or GeSWall) would be a better investment regarding security.

Regards Kees

 

A few others you may want to consider, Sandboxie and Returnil.I believe with your current apps with added sandboxie,You would have nothing to worry about or at least not much.

 

I concur.
@sflorack,
Returnil will keep your system partition unchanged, like it was installed in the very beginning.
Unchanged = no malware and you don't need good changes either, because your system partition is already working properly.

The rest is a matter of stopping the execution of malware with tools like Sandboxie, Anti-Executable, HIPS, ... to save the period between two reboots.
After reboot all changes are removed by Returnil anyway, even when your security softwares failed.

If you combine ThreatFire with Returnil and ThreatFire warns you for something : your answer is always DENY, never ALLOW.
If you combine Anti-Executable with Returnil, AE will always DENY for you, because there is no ALLOW in AE.

 

May I ask why? Wouldn't this concept pretty much put an end to whatever it is that I am trying to do at the time that TF pops a warning? Or are you saying that TF's warning is 100% accurate in telling me (in effect) "DON'T do that!"

 

I like threatfire its Intended purpose seems ok,However there are times when it will produce warnings of valid apps or should say FP's. I installed Drweb Web after ThreatFire and ThreatFire flaged DrWeb as a potential bad guy,which leaves still the end user guessing,Is it bad or not,should I allow or Deny?.I allow because (A)I know I am on the offical site and (B)I believe there product was not compromissed In any way.

 

Absolutely agree and same setup on my XP machine. Keep it simple, enjoy the internet.

 

Djohn, you should let the pctools forum know and one of the developers might fix this through the daily updates.

 

Assuming I would use ThreatFire in a system partition, FROZEN by Returnil.
Any object, reported by ThreatFire would get only one answer from me : DENY, because I don't need them.
A bad change might even look like a good change and that's why I deny them all, just to be sure.
I don't need good or bad changes, because my frozen system partition is already working fine.

Give me ONE example, why I would allow a change in a system partition, that contains nothing but a configured Windows and Applications and is working properly from the beginning and day in, day out after that.
I'm doing this already so many months, I lost count, not with Returnil, but that doesn't make any difference, ISR is ISR, only the software has a different name.

When you don't have a frozen, but normal system partition, everything changes of course, because you don't have a 100% removal tool anymore.
So any malware that bypasses your security becomes resident malware and won't be removed during reboot, because there is no Returnil to do this for you.
It's no secret, that security fails alot more than recovery (ISR+IB).

 

I will do that,I figured It was just a isloated incident since it has not done this with other AV I have tried.

 

It sounds like a good strategy. Not my cup of tea, but good nonetheless.

 

Perhaps to un/install some new s/w TF notifies of the changes, and if you caused the changes then "allow" to continue with un/install. This happened also when opening Dr.WebCureIt or uninstalling some app that wanted to save the configs for re-installing...

 

Not in my case. However, I consider it in theory as possible that sometimes good changes are necessary in a frozen system partition. It depends on which software you use in your frozen system.
This is not a problem, because you can exclude these objects in your frozen system.
Returnil is very good at this, much better than FDISR, because these excluded objects are protected all the time, until you commit the change. That's what Coldmoon told me.

 

YEs, unless you explicity commit changes on the selected folders, returnil will undo them.

But back on topic, I think if the OP is a safe surfer, he'll be fine with this combo...I'd add a sandbox or a boot-to-restore solution just to be sure.