Threatfire 4.1.0.9 BETA

Threatfire's new beta now supports 64-bit!

Key new features:

* Smarter Alerts, Less Questions – patent-pending technology
* Support for Windows Vista 64-bit
* Updated threat detection technology


"PC Tools has recognized that traditional scanning techniques are becoming a secondary defense to sophisticated malware techniques. User feedback has also indicated that most users install ThreatFire as an added layer of protection in additional traditional anti-virus scanning software. As a result ThreatFire 4.1 no longer includes an anti-virus scanner. Users requiring an anti-virus solution should download PC Tools AntiVirus, a free solution for Windows"

"One of the changes we made, is that TF now does cloud lookup for the black and white lists as well as using the default black and white lists on your system. Basically you could delete the dbs on your system, and still not lose the benefit of black and white lists.

Let us know what you think."


- those are some quotes from the mods over at pc tools beta forum.

 

Nice nice. So the new TF Beta should be lighter on system ressources right?

 

I think this is the right direction for TF development - very welcome!

 

this is like the old cyberhawk is coming back to life

 

I just installed TF 4.1.0.9 on Vista 32 bit and so far it's working fine. One thing I notice is they are still not offering a "deny" option for detected problems. I had a problem recently where TF detected a number of critical system files as infected, such as explorer.exe. I allowed TF to quarantine the files since PC Tools claims that system files will not actually be quarantined, just killed in memory and restarted, but it did in fact remove explorer.exe. I had to boot from a rescue CD to restore the file to the Windows directory. I cannot recommend TF to customers for this reason, and I use it with caution on my own PC. They really need to address this.

 

It's not that I don't believe you, but they seem to not - so show them literally by capturing it. It's been brought up many times even if I've not experienced it personally, I know. What makes it trigger on explorer.exe or another critical system file in the first place? Apparently, they've not experienced this either - e.g. quarantining a completely legit and safe explorer.exe - or they would certainly do something about it.

 

I have tried the PC tools AV in the past which slowed my PC to a crawl, so I would not install PC tools AV again at all.
Regarding TF without AV, fair enough.

Gordon

 

As I stated over in thier forum, I can perform a fresh install of xp pro, install TF, and every like clockwork, the first time I use explorer.exe and hit the search button, TF pops up and asks to quarantine, with only kill process or quarantine. It never repeats itself in this procedure once this happens, unless a fresh format. It might do it in a new user profile, I have not tried. I use cyberhawk, with a simple allow/deny feature so needed in TF.

Sul.

 

does it have an option to white list files?black and white list?

 

it would be a good idea to be able to white list critical system files as explorer.exe to avoid these type os situation,i hope they do some thing about cause security software is suppose to protects computers not destroy them

 

Let me guess... this has something to do with the sensitivity level, right?

I'm always running TF at its default level "3" setting - as it seems balanced by being non-intrusive, but very effective.

 

i agree with you when tf is at default level all it is ok but if you put the level to high 4 to 5 then you are in trouble

 

Yes, I understand the problem. In my case I was working on a customer's computer and after I hit "quarantine" the PC locked up solid. Too bad I didn't think to take a screenshot with my cell phone. When I rebooted all of the system files had been restored except for explorer.exe which was no longer in the Windows directory. I guess it's possible that the file was not a valid system file, but malware with the same name. In that case it seems that TF needs to be able to copy a legit version from a backup location to the Windows directory so the PC can boot (perhaps TF should backup these files when first installed so it can use them when necessary?). Otherwise the average user has a broken PC.

I've read the thread in the PC Tools forum and I know the developers are skeptical about this behavior, but I and the others who have experienced it have no reason to make it up. There is something going on that isn't understood yet.

 

Don't know. I just format fresh, install XP, put on TF, start explorer, hit the search button, TF pops up and says something very bad is about to occur and I should either kill explorer or quarantine it. I know it has to do with some things that are changed when this first occurs, probably something to do with search assistant or cryptography or fast indexing. Don't know and don't really care. I was just pointing out (to PCT forum) that they are full of crap if they think TF does not find a standard explorer.exe as a 'bad thing' some times. And I don't mind if it does find things like this. My argument was that it should have an allow/deny option, just for cases like that. They seem to have this attitude that experienced users like to report things just because, and take no ones word. Oh well, maybe TF without AV will prove a better product.

Sul.

 

Yeah, that's one thing, but it's still completely wrong that it would quarantine completely legit, safe and critical system files and other critical parts of the system. Increasing sensitivity should only mean more prompts on actions - not not giving a damn about the safety of the OS operation and the software's own safety precautions.

 

Where can I download it?

 

in the public threatfire forum they only say that there is a beta and dont post a download link, so im not sure if they want the beta to be released publicly or only to people part of their beta program, someone let me know if im wrong.

 

some added info for some questions people asked:

1. The av db was used as an extended black list.
2. The rootkit scanner is in place, but is only a rootkit, and does not use the dbs. So there is no AV/Spyware scanner in TF.
3. TF is definitely not less effective. The whole idea of these changes is to improve TF's effectiveness.
4. The duty of the local db's is to allow users to have dbs even if there is not connectivity to the net, or for some reason connectivity with TF servers are impeded (firewall, user choice etc...)
5. The overall footprint has not changed, however without the AV engine should improve TF's stability and usability.


"We did extensive analysis and found that ThreatFire was not really gaining anything from checking the AV db at the time of an alert. The vast majority of times when we were able to identify a known threat at the time of an alert it was due to information contained in TF's own blacklist, not the AV db.

Because of this, and because of additional stability issues, we made the decision to remove the AV scanner. This also allows users to run TF alongside whichever on-demand scanner they choose"

 

well that was a unfortunate beta test, i decided to give the TF beta a shot, installation went fine, but after threatfire initialized my comp crashed, i restarted and got up to the vista loading screen, then my system auto rebooted, this process repeated over and over until i just decided to go back to the snapshot i made with Rollback Rx before i installed theatfire.

hope the guys at PC Tools can fix this prob.

 

The 32 bit and 64 bit versions of 4.1.0.9 can be downloaded from this page. If this page is not available you might need to join the forum first.

http://www.pctools.com/forum/showthread.php?t=55895

 

This is critical flaw they know full well that should have already added. TF "Lies", it says it doesn't quarantine system files but take a comparison test with MAMUTU for an example.

Simply manually run a script that adds a new RUN entry in the registry or even maually do it on your own. TF offers no option to block this behavior but rather gives you the option of letting it force a RUN entry or else it quarantines as the SUSPECT file "REGEDIT". Ridiculous IMO.

On the other hand MAMUTU aborts either the behavior or if you run a script simply shuts it down.

My old Cyberhawk 1.1.1.3 simply jumps up with a DENY/ALLOW option and if you choose DENY it doesn't carry off REGEDIT to the capture bin but instead completely & effectively TERMINATES regedit if you try to add it manually, or if an app or script, TERMINATES it nicely.

That's why i always called CyberHawk a "TERMINATOR" as well as a smart interceptor/behavior blocker.

EASTER

 

Hmm. I use Cyberhawk 1113 on my computer for some time now. I made an icon on the desktop to toggle the service and tray on/off. Pretty quiet, but when it speaks I pay attention. Not the be all/end all, but good at what it does. And as you say Easter, Allow/Deny. I consider it a good lightweight tool for those who don't want a full-blown hips type app.

Sul.

 

Guys,

You realise thet CyberHawk 1.1.1.3 does not protect against direct disk access for instance

 

Yes, and do you also know TF doesn't know how to alert on what it should be alerting to?

At least even with that limitation, Cyberhawk (old) is much more aggressive and responsive on what it does alert to, and it does alert plus offer you an option to TERMINATE! the offending app and not a system critical file or files.

If they don't get TF back on track soon, it's gonna do more than just fall out of favor.

 

Yes I know this. Thanks for the heads up though.

You know what I wish for is an app that is more 'basic' like CH, but on the lines of TF with a better method of allow/deny. I have used other tools, starting with Process Guard. Tweaked them etc. But I don't ever stay put once I arrive at a certain place program wise. I am constantly re-installing my OS, trying some new trick or learning how to break something so I can see how to fix it. Stupid stuff. This is just a nagging thing now to have to keep up with a firewall or hips constantly. I like to do that stuff, but have other things to focus on right now than that. That is why I use CH right now. It offers some limited protection that I feel I can use, without going to the point of spending hours researching how to tweak it for my setup that will change probably this weekend. Throw on sandboxe and vmWare, with a little imaging software, and for me I can test and play without much in way of 'nagging' from other tools.

Sul.