Threatfire's near-fatal flaw

Discussion in 'other anti-malware software' started by bellgamin, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is the problem with TF's custom rules. The lack of a deny option is the equivalent of a FP. Choose Quarantine when IEframe gets hooked, and you are really hooked with TF. So they must choose a market positioning for TF, being either a "no configuration needed behavior blocker" or a Swiss army knife boasting intelligence and traditional HIPS features.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'd agree. I haven't touched it at all, except for some testing purposes. Setting it any lower reduces the protection capabilities; any higher and it loses its design purpose of an intelligent behavior blocker.

    How's Mamutu lately? I haven't been keeping up with it all that much, thanks to a whole load of FPs when I last tried it. If it really does behave like TF level 4, I'd say a2 has yet to fix this issue...
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Deselect the "protect Internet Explorer settings" option when deselecting the Intelligent False Positive Reduction. This brings Mamuto on par with TF on level 4. TF level 3 lets the TrojDemo pass, TF on level 4 does not. In terms of CPU cycles needed, the TF developers can learn something from the Mamuto guys.

    This may be illustrative: one hour of browsing the Wilders forum:
    - TF service used 18 seconds of CPU time
    - Mamuto used only 1 second for the same!

    K
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Is there a way to configure Mamutu so that it behaves equivalently to TF level 3?

    Level 4 is still a mishmash of FPs, a.k.a. no good.

    Thanks.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, maybe this is more clear:

    Protection strength of TF on level 4 with FPs at level 3: for the protection, you need to deselect the Intelligent FP Reduction of Mamuto; to reduce the FPs to TF level 3, you need to deselect "protect Internet Explorer settings" in the IDS of Mamuto.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wouldn't that just eliminate the FPs (and protection!!! :eek:) for IE alone, while retaining the FPs for other programs?
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    That's why I've been asking for months for the ability to deactivate TF's Net Module. :blink:
     
  8. mswannie

    mswannie Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    4
    Location:
    Greece
    Agree 100%. Haven't touched them (Advanced Rules) and probably never will. TF works great as is.
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Interesting reading throughout this entire thread!

    My opinion is that while it would be nice to have a Deny option for Advanced Rule creation, I would NOT like to see TF turned into a more mainstream HIPS.

    I've been running TF for a few weeks as a test to replace BOClean (which I feel may have outlived its usefulness. Not to mention the somewhat painful FPs it has about every 2 months or so.) So far I've been pleased. With the exception of when I purposely tried to trigger an alarm, TF has been blissfully silent. With the knowledge that I am looking for something that can (with minimal help from me) be run by users who have NO clue about PC security, the current version of TF seems to be what I've been looking for. (It even runs under a Limited User account!)

    I understand that no one product can be all things to all users. IMO, the current version of TF fills an important role... as is.
     
  10. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I'm uncertain if TF will suit novices, since you have to make a choice: allow/quarantine (+ remember).

    /C.
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Your point is well taken. That's where the "help from me" comes in. They are to check with me on alerts. (Surprisingly, they do quite well in this regard. Typically, I only have a couple of "rogues" I have to deal with.) In this regard, my feelings are that I'll have it easier than when I had to deal with a BOC FP, which affected everyone...
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    By that extension, any antivirus product that prompts the user whenever it detects a virus is also unsuitable for novices.

    Perhaps we should let novices run naked with no security at all. o_O
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I side wholeheartedly with LUSHER on this: HIPS, when well coded, covers "signals", "commands", originating from a source file, and passes that important data to the user at the screen FIRST!

    That makes all the difference in the world. I just don't subscribe, in all honesty, to lazy manners that HIPS are too complicated and make too much noise; that's nothing but pure irresponsibility if you care enough to learn at least a little of what is going on behind your back in the system.

    For those users, there are AVs, resident ASs, and Prevx + ThreatFire apps that they have to GAMBLE on their results. Not to take anything at all away from their useful purpose, but their percentages are not even close to the level of a true, user-interactive HIPS in my opinion. It either is or isn't; there's no middle ground for FPs or blind trust in true HIPS, and why I take great stock in their development, because there are no comparisons in the real results of best protections. Plus no conflicts, issues, or unexpected surprises like we read about all the time with these other apps.

    After you take the patience and forethought to fine-tune = LEARN to make rules, you've jumped eons ahead of old technology and better secured both your conscience & data from forced mistreatment.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    EASTER, you never fail to crack me up.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'll save another one just for your amusement as soon as you can latch on and share the latest EQSecure HIPS, provided they have another one waiting in the wings. LoL
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Skinning functions have been added. Users will be able to design and submit their own custom skins for EQSecure. By default EQSecure will come with 3 skins: WinXP, MacOS and Vista.

    And oh, OLE and interprocess messages control are expected to be included in the next release.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that heads up what to expect. I'm completely sold on EQS, in spite of Online Armor + SSM no matter their own useful improvements. I've taken an uncanny loyalty to EQS bar none for many reasons but most of all because it's a proven performer for me.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    On topic: it's perhaps not a flaw, but the absence of the deny option makes TF useless to me.

    You know, I don't get it: so now we have this "Levels" feature, where you will be warned about stuff only when in a certain level. Shouldn't a HIPS always warn you when it thinks something fishy is going on? @ Kees1958, it's Mamutu, not Mamuto. Yeah, there was some discussion going on about the name, but I kind of like it. And I'm sure it's the number one selling tool on the African markets. :D
     
  19. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    As a reply to solcroft's earlier post #37:

    The source:
    My reply:
    solcroft's reply:
    My reply to HAN was based on two things: security applications that prompt you for an answer, and the skill level of the target group. In my reply I'm not claiming that we should let novices "run naked with no security at all"; I'm more questioning the suitability of using that category of applications that force novices to make a decision, where in most cases they don't know which alternative to choose.

    What kind of users then do this group of "novices" consist of? I would like to simply classify them as:

    My assumption was that the target group HAN mentioned belonged to category 2.

    Then one may ask what are the alternatives of security applications for novices belonging to category 2?

    If they are lucky enough to have someone that can help them with the preconfiguration and installation, then IMO using the inbuilt/free tools of Windows, for example LUA, SRP, FW, DEP, SteadyState and other ways of hardening the system, would be a convenient way for this group of users. The alternatives among third-party security applications would be Returnil, ShadowUser, Anti-Executable etc.

    The deny-by-default approach is therefore what I refer to as a suitable way for novices belonging to category 2 to avoid the necessity to choose when prompted.

    Thankfully there's a setting in most AVs (I think) that doesn't prompt the user about a possible detection. It simply carries out automatically what you have preconfigured it to do.

    For example, my parents definitely belong to group 2, and the only way they use their computer is to check their mail and browse for news, the weather etc. They are not interested in getting prompts that they do not know how to answer. So according to their skill and habits, I've hardened their system and also added Anti-Executable and Avast Home, where I've checked the silent setting, deny-by-default.

    Sorry for this long-winded answer.

    /C.
     
    Last edited: Jan 6, 2008
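A concrete version of the deny-by-default setup Cerxes describes (LUA plus Software Restriction Policies), added here as an illustration; it is not code from the thread, nor from ThreatFire, Mamutu or Anti-Executable. The script writes the local SRP policy directly to the registry keys that the Local Security Policy editor uses. The GUID-named rule keys, the descriptions and the choice of which paths to allow or deny are this example's own; the list of user-writable corners of %SystemRoot% is an assumption about a default XP install and should be checked on the target machine (for instance with accesschk) before trusting it.

```powershell
# Added example, not code from the thread or from any product named in it:
# a deny-by-default Software Restriction Policy (SRP) written straight to the
# local policy registry keys that the Local Security Policy editor also uses.
# Run from an administrator prompt; a log off (or reboot) makes the policy
# apply to every subsequent process launch.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, the same numbers the GUI stores
$Disallowed   = 0x0
$Unrestricted = 0x40000   # 262144

New-Item -Path $SaferKey -Force | Out-Null

# Default level Disallowed: anything not matched by an Unrestricted rule does not run.
Set-ItemProperty -Path $SaferKey -Name DefaultLevel        -Value $Disallowed -Type DWord
# 1 = enforce on executables but skip DLLs (2 checks DLLs too, noticeably slower on XP)
Set-ItemProperty -Path $SaferKey -Name TransparentEnabled  -Value 1 -Type DWord
# 0 = apply to everyone, administrators included (1 would exempt local admins)
Set-ItemProperty -Path $SaferKey -Name PolicyScope         -Value 0 -Type DWord
# 0 = certificate rules off; they force a CRL check for every signed binary
Set-ItemProperty -Path $SaferKey -Name AuthenticodeEnabled -Value 0 -Type DWord

function Add-SrpPathRule {
    # One path rule at the given level; SRP stores each rule under a fresh GUID.
    param([int]$Level, [string]$Path, [string]$Description)
    $ruleKey = Join-Path $SaferKey ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
}

# Allow only what a Limited User cannot write to. Anything that lands in the
# profile, %TEMP% or a browser cache is then blocked without asking anyone.
Add-SrpPathRule $Unrestricted '%SystemRoot%'   'Operating system'
Add-SrpPathRule $Unrestricted '%ProgramFiles%' 'Installed applications'

# The allow rule above also covers the user-writable corners of %SystemRoot%
# (assumed XP defaults; verify on the target). Re-deny them explicitly: a more
# specific Disallowed path rule takes precedence over a broader Unrestricted one.
Add-SrpPathRule $Disallowed '%SystemRoot%\Temp'           'User-writable, blocked'
Add-SrpPathRule $Disallowed '%SystemRoot%\Tasks'          'User-writable, blocked'
Add-SrpPathRule $Disallowed '%SystemRoot%\Debug\UserMode' 'User-writable, blocked'
```

Test it from the Limited User account before handing the machine over: start a copy of a harmless program from the desktop and confirm it is refused. Note that a blocked .exe is not entirely silent: Windows shows its "prevented by a software restriction policy" dialog, and the Application event log records event 865 (blocked by the default level) or 866 (blocked by a path rule) from source SoftwareRestrictionPolicies, so the helper Cerxes mentions can see afterwards what was refused and why even though the user was never asked a question.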
  20. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    It depends on whether you have enabled/disabled the specific monitoring features in the application. I haven't yet tested Mephisto, but I look forward to comparing it with TF.

    /C.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Malware/rootkit and even proof-of-concept developers tap into undocumented grounds of the Windows OS, and so IMO HIPS developers are equal to their tasks & ideas.

    The more a true HIPS code specialist maps, the less chance for surprise compromise those malware authors have to work with, and that spells more wasted time & effort for them, not us. Only complete results/confidence on our end and, happily, only disappointment for them. A noble goal.

    EASTER
     
  22. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Cerxes,

    In effect the solutions you suggest are an improvement over TF only in the sense that the answer is always "no". Regardless of whether it's the correct answer or not, that's what you're going to get every time.

    I don't see how this is necessarily better, for newbies and/or otherwise. In fact, it's worse. Benign programs will fail with no indication or error messages whatsoever. In contrast, TF provides a clear explanation that whatever is causing the popup is likely to be dangerous, and should be blocked unless the user is absolutely certain.

    I'm not saying LUA, SRP etc is ineffective or a bad idea. Far from it. However, saying that a solution that says "no" to everything is better than a solution that allows benign behavior and notifies one only on malware-like behavior is not necessarily true.
     
  24. SMPRICESOLUTIONS

    SMPRICESOLUTIONS Registered Member

    Joined:
    Jan 8, 2007
    Posts:
    38
    This is the exact same reason why I like Prevx running in ABC mode. The application/process is either good, bad or unknown. If it is bad, Prevx quarantines the application/process so that it can no longer harm the system and gives you the option to clean up the infection right away or later. If it is unknown, then Prevx watches it like a hawk and, if it determines that what it is doing is bad, locks it down. Don't get me wrong, ThreatFire is a great application, but in my mind it is not well suited for novice computer users.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    For that matter neither is a HIPS. They require some fine tuning to settings for maximum coverage + protection.

    You make a very valid point. I just finished cleaning some client computers (I'm freelance, btw); they offer me money, but I suggest computer components in return when possible, if available, because I pride myself on restoring many such items to a working condition again as backup components I keep for when they might be needed.

    The majority of users, specifically XP mostly, blindly trust Norton etc., and although relatively useful, these just remain in no way adequate enough for the safest protection against severe interruptions to their good machines.

    These are simply just not enough to maintain the freedom a user expects.

    Novice users are vulnerable no matter what license they hold, and from my experience they still continue to suffer interruptions, if not worse distortions, which vandalize their internet service investments.
     