DriveSentry and Threatfire

Would running DriveSentry and Threatfire together be an overkill? Do some of their features overlap?

 

They are both behaviour blockers so yer

 

I have not tried them together. GES/POR is right in they sense that they have simular protection mechanismes: behavioral blocking, black and white list data base, community warning.

These are the differences:
Behavioral blocking: TF focussed on covering the vulnabilities running as admin, while DS focusses on User Mode protection (excellent registry protection out of the box)

Blacklisting: TF checks its data base after an intrusion occurs, DS when writing files

White listing: TF focusses on system processes (to not quarantaine them), while DS focusses on user applications

Community protection: TF to learn and improve behavioral part, DS to protect as fast as possible with central server blacklist. In simple terms, with DS only the first person gets busted, next all others are protected (When chased by a lion you do need to run faster than the lion, only to run faster than one of teh other people chased by the lion).

So in theory (although GES/POR is right on overlapping defense mechanismes) they could complement each other nicely (needing no more AV or AS or HIPS protection with those two).

Cheers Kees

 

Thank you for the thorough explanation! Awesome!

 

there would be some overlap, ud probably be better off using one or the other alongside maybe an AV or something. try both see which you like but i like drivesentry, wonderful program.

 

Actually id run DS standalone, Threatfire is best used alongside an av

 

you could run it stand-alone, but its signature database probably isnt as large and developed as a regular AV program is, so ud probly have better protection with both.

 

AV of ThreatFire is VirusBuster

AV of DS is problably a good 'in the wild' AV blacklist

Having both is plenty of AV

 

So far, so good - using both DS and TF - no problems yet, CPU usage also in normal margins. I will post some more info if I notice any problems.

EDIT: My initial impressions are like this (but please bear in mind, that these are my subjective opinions after a short period of using DS and TF combo, together with Avira and BO Clean and other stuff):
- did not feel any significant system slowdown, DS seems to be quite light on resources (CurrentWorkingSet=10,256 K, for comparison: BOC427.exe 22,274 K yet avguard.exe and TFService.exe have generally smaller by a half memory footprints, but I assume that this is not a problem)

- no noticeable anomalous interaction between DS and TF yet (to be honest, TF has been so quiet for the last few weeks that I started wondering if it's actually working). And, by the way - I have TF Protection Level set to 4.

- DS and D+ from CPF (please notice that I use CPF, not CIS, because of the Safe Mode behavior od D+ in CIS) tend to overlap, maybe a good idea would be to turn off in D+ Settings -> Objects To Monitor Against Direct Access -> Disks (?) ... on the other hand it would be quite an interesting thing to test, which one (standalone DS/DS-TF or DS-CPF/CIS/Whatever combo) would offer the best protection against Direct Disk (RAW/sending IDE/S-ATA commands directly to disk/MMIO PoC's and malware) Access Attacks, especially in the light of the fact that DS is said to be a "disk firewall".

- DS Tweaks: Kees1958 stated that it offers "excellent registry protection out of the box". So, I wonder if I can tweak DS configuration to make it even better. To be precise I mean manually tweaking and configuring "Protection" and "Access" menus and Standard/Advanced/Trusted List tabs. This could be interesting, especially in the context of time spent configuring it vs performance/usability gains.

- last, but not least: for some time I've been planning to run test with AV/IPS combos (and I mean by "IPS" especially behavioral blockers like TF) against filesystem I/O intensive and diversed workloads (and by this I don't mean surfing on the dark side of the Internet with NoScript'ed and Sandbox'ed FF, but, for example: playing Crysis with Foobar2000 in background playing FLAC files with resource-consuming VST plugin like Ozone, editing HDV, working under Eclipse IDE etc). It would be interesting to see the number of AV/IDS/Anti-whatever_is_badWare installed and residently active in the system versus performance impact. Maybe the time and my innate laziness will allow for that in the following week

Best Regards and I hope I did't went too much beyond the scope of the discussion here

 

does CIS(with all its features active) and Threatfire work well together?

 

There will be no conflicts, But if you have Defense+ in Proactive Configuration Mode, i.e - Full Defense+ with everything checked, By default D+ lays of in places, Then you won't need ThreatFire when you use Defense+ the right way.