TFSERVICE.EXE was flagged by other....

Hi, folks: ThreatFire's TFservice.exe was flagged by two other behavior blockers; Sunbelt kerio firewall's and PRSC. It was picked up by Kerio as soon as it was installed. Whereas in PRSC' case, it was just picked up today after both live together for almost over one month. To avoid any further embarrassment, I excluded it from Kerio's list, and gave green light to PRSC. I know whatever TFservice.exe was intending to do is within a good reason, but why would other two suspect its activity, especially for PRSC awaiting over one month, did it notice something out of ordinary just now. Someone has insight of this? Thanks.

 

Behaviour blockers will always report sensitive activity as suspicious, regardless of whether it's by a legit program or not. It's then up to you (the user) to decide whether you want to block such activity. Never tried PRSC but maybe it has recently tightened it's rules via a recent update, hence the alert.

Is PRSC Primary Response Safe Connect by SANA? if so, may I ask why your running both this and Threatfire at the same time?

 

Hi, Dogma:

Thanks for asking. I have PRSC first(paid), then TF came along, hoping both can compliment each other, although one member has advised the danger of running two behavior blockers. So far I have not noticed any conflict yet, I know what to do when I see one. PRSC and TF are regarded as a major crime unit, IMO. They only act on major, major misfortunes, but the question is this: will it be too late then ? Have not experienced any yet, I do hope that will never occur.

 

Really hard to comment without knowing what the alerts said.

 

False Positives are normal for any blacklisting technology.

 

Hi, solcroft:

Thanks for your asking.
In Sunbelt Kerio FWs case, FW keeps popping up alerts despite my green light- perhaps on its fault. I sought advice at Kerio's forum and got it solved--exclude TF. Today's PRSC case, if I still remember clearly, it seems that PRSC alerted TF as an unknown program, seeking my deposition, allow or quarantine. I gave it a green light. This phenomenon has puzzled me; TF and PRSC have stayed together for over one month, I would assume PRSC has since learned TF's habits and behaviors, why would all of a sudden suspect it ? unless something is out of ordinary or just a FP ? Your comments are welcome. Take care.
P.S. just read Ilya's feedback, is it not behavior blocker a blacklisting app, is it ?

 

What Kerio complained about TF service? As I know Kerio has no behav blocker, only simple application execution control and FW.

 

Hi,aigle:

Thanks for your interest.
I can not recall what the alert has said. As to Sunbelt kerio FW, 4.5.916 , it does have an option under intrusion, application behavior blocking. Take care.

 

PRSC is a blacklisting HIPS. So, it is a FP for it.

Kerio is a classical HIPS, this class of protections is just asking you about potential dangerous behaviour without any additional analysis. So, it flags "as is".

 

It has been a long time when I used Kerio- 2 years approx. Seems a new addition to it.

Thanks

 

Hi, Ilya:

Thanks for the info. I revisit SANA's web site, it appears to me that they have claimed PRSC is using so-called advanced behavior detection technology, and have positioned it as a such, different from blacklisting AVs. Would you mind sharing your insight know-how as to your conclusion? As per your observation, is there any REAL behavior blocker on the market at this moment ? Thanks. and Take care.

 

PRSC is basically not a blacklisting HIPS. It,s a behav blocker, though it does use a smart black list.
Its alerts can tel u whether the detection is behav based or signature based.

 

Blacklisting includes:
- Signatures (reactive protection).
- Heuristics, both static (code analysis) and dynamic (emulation) heuristics (proactive protection).
- Behaviour analysis (proactive, non-signature, protection).
Also, you have classical HIPS (it asks about all behaviours), sandbox HIPS (limiting rights) and whitelisting (database of known good objects)

 

That seems more of a philosohpical statement. When we talk of blacklisting in general, we mean signatures/ databsed detection.

 

That's how Ilya classifies HIPS and I tend to agree with him

 

Different people classify the things diffrently.
When we talk of a HIPS, nobody evers thinks of a blacklisting appliaction. That,s the whole point.

 

I disagree. "Traditional" blacklisting (classical AV) consists of file scanning (on-access, on-execution, on-write, on-demand) using pattern matching and "basic" code (static heuristics) and behaviour (dynamic heuristics/emulation) analysis.
"Smart" blacklisting doesn't do file scanning. It doesn't do emulation/code analysis/signature matching. It watches all the processes running on a system and look for malware behaviour (mass mailing, launch of hidden window, code injection, etc) using a complex ruleset/algorithm. That's why "smart" blacklisting produces few FPs.
After all, the term HIPS can be used for any software used to prevent intrusions on a host. However, the "convention" is to use it for non-signature software. So:
- Blacklisting = Catching the bad with file scanning (AVs) or tracking behaviour in memory (behaviour blocker)
- Whitelisting = Allowing only the good.
- Classical HIPS = Pop-up heaven
- Sandbox HIPS = Limiting rights of threat-gate applications.
Applications belonging to only one category are rare (SSM and Anti-Executable for instance)

 

It depends on what do you mean under "behavioural blocker" term.

 

Hi, Ilya:

Good morning here in North America !
I would rather use your "expert discretion" for it. As for me, I may term PRSC and Threat Fire as behavioural blockers. Have a nice day.

 

Well, I'm not sure if I can do any statements as:
1. I just have no time to check out other HIPS'es.
2. I have my own "behavioural blocker".

 

Hi, Ilya:

I got your message, clearly. Now just one question:
Does your own behaviour blocker(without naming the name) work thru same approach as PRSC and TF ?
I also use DeepFreeze, I am looking for one app which could protect me while in DF's thawed mode. Can yours work with the other two w/o conflicts ? Take care.

 

No, it is a perimeter defense (sandbox). And, as I know, it has no conflicts with the security staff you named.