DriveSentry and Threatfire

Discussion in 'other anti-malware software' started by koliko, Dec 13, 2008.

Thread Status:
Not open for further replies.
  1. koliko

    koliko Registered Member

    Joined:
    Dec 13, 2006
    Posts:
    101
    Would running DriveSentry and Threatfire together be an overkill? Do some of their features overlap?
     
  2. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    They are both behaviour blockers, so yeah.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have not tried them together. GES/POR is right in the sense that they have similar protection mechanisms: behavioral blocking, black and white list database, community warning.

    These are the differences:
    Behavioral blocking: TF focuses on covering the vulnerabilities of running as admin, while DS focuses on User Mode protection (excellent registry protection out of the box)

    Blacklisting: TF checks its database after an intrusion occurs, DS when writing files

    White listing: TF focuses on system processes (to not quarantine them), while DS focuses on user applications

    Community protection: TF to learn and improve the behavioral part, DS to protect as fast as possible with a central server blacklist. In simple terms, with DS only the first person gets busted, next all others are protected (when chased by a lion you don't need to run faster than the lion, only faster than one of the other people chased by the lion).

    So in theory (although GES/POR is right on overlapping defense mechanisms) they could complement each other nicely (needing no more AV or AS or HIPS protection with those two).

    Cheers Kees
     
    Last edited: Dec 14, 2008
  4. koliko

    koliko Registered Member

    Joined:
    Dec 13, 2006
    Posts:
    101
    Thank you for the thorough explanation! Awesome! :)
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    There would be some overlap; you'd probably be better off using one or the other alongside maybe an AV or something. Try both and see which you like, but I like DriveSentry, wonderful program.
     
  6. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Actually I'd run DS standalone, ThreatFire is best used alongside an AV.
     
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    You could run it stand-alone, but its signature database probably isn't as large and developed as a regular AV program's is, so you'd probably have better protection with both.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AV of ThreatFire is VirusBuster.

    AV of DS is probably a good 'in the wild' AV blacklist.

    Having both is plenty of AV.
     
  9. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    So far, so good: using both DS and TF, no problems yet, CPU usage also within normal margins. I will post some more info if I notice any problems.

    EDIT: My initial impressions are as follows (but please bear in mind that these are my subjective opinions after a short period of using the DS and TF combo, together with Avira and BOClean and other stuff):
    - did not feel any significant system slowdown; DS seems to be quite light on resources (CurrentWorkingSet=10,256 K; for comparison: BOC427.exe 22,274 K, yet avguard.exe and TFService.exe have memory footprints that are generally smaller by about half, but I assume that this is not a problem)

    - no noticeable anomalous interaction between DS and TF yet (to be honest, TF has been so quiet for the last few weeks that I started wondering if it's actually working). And, by the way, I have TF Protection Level set to 4.

    - DS and D+ from CPF (please note that I use CPF, not CIS, because of the Safe Mode behavior of D+ in CIS) tend to overlap; maybe a good idea would be to turn off in D+ Settings -> Objects To Monitor Against Direct Access -> Disks (?) ... On the other hand it would be quite an interesting thing to test which one (standalone DS/DS-TF or DS-CPF/CIS/whatever combo) would offer the best protection against Direct Disk Access attacks (RAW/sending IDE/S-ATA commands directly to disk/MMIO PoCs and malware), especially in light of the fact that DS is said to be a "disk firewall".

    - DS tweaks: Kees1958 stated that it offers "excellent registry protection out of the box". So, I wonder if I can tweak the DS configuration to make it even better. To be precise, I mean manually tweaking and configuring the "Protection" and "Access" menus and the Standard/Advanced/Trusted List tabs. This could be interesting, especially in the context of time spent configuring it vs performance/usability gains.

    - last, but not least: for some time I've been planning to run tests with AV/IPS combos (and by "IPS" I mean especially behavioral blockers like TF) against filesystem I/O intensive and diverse workloads (and by this I don't mean surfing on the dark side of the Internet with NoScript'ed and Sandbox'ed FF, but, for example: playing Crysis with Foobar2000 in the background playing FLAC files with a resource-consuming VST plugin like Ozone, editing HDV, working under the Eclipse IDE etc.). It would be interesting to see the number of AV/IDS/anti-whatever_is_badWare products installed and residently active in the system versus performance impact. Maybe time and my innate laziness will allow for that in the following week ;)

    Best regards, and I hope I didn't go too far beyond the scope of the discussion here :)
     
    Last edited: Dec 15, 2008
  10. luanme

    luanme Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    29
    Do CIS (with all its features active) and Threatfire work well together?
     
  11. 3xist

    3xist Guest

    There will be no conflicts, but if you have Defense+ in Proactive Configuration Mode, i.e. full Defense+ with everything checked (by default D+ lays off in places), then you won't need ThreatFire when you use Defense+ the right way.
     