How effective is ThreatFire?

Discussion in 'other anti-malware software' started by rpk2006, Dec 29, 2010.

Thread Status:
Not open for further replies.
  1. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    35
    Location:
    India
    I've been using this tool for the last few months in the hope that it will show something that my installed anti-virus software is not showing. I tested it on a few infected machines, but it didn't raise any buzz.

    Today I tested it on a PC with a variant of Conficker on it, and still this tool didn't recognize it. I want to know what the actual purpose of this tool is. How is your experience with this tool?
     
  2. carat

    carat Guest

    It's bloatware and not really effective :doubt:
     
  3. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Works well only on clean computers during infection, not after infection.
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I agree it's bloatware on certain systems, but in its defense, it's very effective if set up properly with some custom rules. Kees1958 has a couple of threads here at Wilders with detailed info on custom rules. His tutorials on the app will give you enough knowledge to make it strong using his rules, in addition to making it as powerful as you want it.
     
  6. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    35
    Location:
    India
    I am not sure, but is it from the same company, PC Tools?
     
  7. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    Very effective at annoying me and flagging just about everything that's not malware.
    It's a dumb behavior blocker. Used to be a valuable addition, but there are many smarter options available nowadays. YOMV.

    Yes.
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    A small refresh of the theme in relation to this thread:
    http://www.kernelmode.info/forum/viewtopic.php?f=11&t=586&p=5128&hilit=threatfire#p5128
    Some examples:
    "ThreatFire is perfect example of FakeHIPS. And not only."

    "Guys spend so many time on this hooking nightmare, honestly I don't understand purpose of this idiocy. All this can be easily bypassed from user mode and with current ThreatFire model it can do nothing with that."

    "This is not behavior-based detection system, this is badly written user mode rootkit with no future."
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Oh boy,

    EP_XOFF is a big name. For people who know soccer, he is sort of the Lionel Messi of the hackers/security researchers. Now he says ThreatFire sucks.

    When one analyses and reverse engineers programs there are always ways to find holes in something. But after having read the post and having looked at the sample code, I would like to say something in the defense of ThreatFire.

    First, the backbone of protection is registry (HKLM) and file protection (Windows and C:\Program Files). Most virtualisation solutions depend on file and registry virtualisation. Even Windows' own policy scheme is developed around it. So TF choosing this defense scheme is not something a bunch of lunatics have invented.

    At the time TF was developed, most people ran XP as an admin, meaning their admin space (Registry HKLM and Windows/Program Files) was wide open for abuse (softly asking malware, "come intrude me").

    So the idea to develop a kernel mode part which defends registry and file access (TFsysMon to block malicious access) and an analyser part which identifies suspicious processes (TfWah.dll, which operates in user land) was a smart thing at the time.

    The user mode hooking is necessary to determine malicious actions, so his claim that it is not a behavioral blocker is a bit pretentious. When you do not hook things, you don't know what is happening on certain critical events. Because of the high reputation EP_XOFF has, no one dares to say: well, EP_XOFF, you are right about the weakness of killing off ThreatFire's protection, and maybe there are more elegant ways to gather intelligence on processes, but now you are exaggerating.

    In layman's terms, when the observer (analyser in user land) is killed, the sniper (blocker in kernel mode) is lame and blind.

    The original team which developed CyberHawk was a team with some very talented security specialists. When a company is taken over (twice), I can imagine the resource manager of the products earning cash says: "Look, product X generates cash, product Y only publicity, so let's move the best developers to the product X team."

    Regards
     
    Last edited: Apr 24, 2011
  10. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Indeed. I'm not a fan of ThreatFire or PC Tools, and I'm aware of EP_XOFF's reputation and status, but I concur. Maybe all this has gotten to EP_XOFF's head and now he thinks his writings are God's word or something.

    He should concentrate more on constructive criticism instead of mindless bashing. He should also work on his English because it's really bad. Sometimes I have to read a sentence multiple times before I get an idea of what he actually wants to say. Maybe in Soviet Russia language speaks you? :D
    While he is just bashing and not explaining it in a more grammatically correct language, I just can't take him really seriously.
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    well would it be any easier for u to understand if he wrote it in his native language? google translate isnt going to help very much since it never does very good translations with long paragraphs

    i dont think his bad english is a good reason to 'not take him seriously'.

    besides TF's development is essentially dead, it moves at a snails pace so id say constructive criticism is a lost cause for it.
     
  12. carat

    carat Guest

    :D Well done firzen :thumb:
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    It may be necessary, but when you overdo the hooking, you just get conflicts, slowdown and general trouble. I have observed this a lot with TF.

    Whatever, this tool was pretty much killed by Symantec, so... meh. Not much point arguing about the review.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As I said, the most talented developers were probably put on other products (CyberHawk to PC Tools, PC Tools to Symantec); adding more of the same is not really innovative.

    I once got a CyberHawk Pro license for giving feedback. At the time it was really innovative. Now behavioral blocking is becoming mainstream as part of AVs. The original development team does not deserve that this once innovative product is hung out to dry.
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Perhaps yes. I am quite fluent in Klingon. :)

    But seriously -- Threatfire is BTN, beyond doubt!
     
  16. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Frankly, it just might have been easier if he wrote in his native language. Google Translate is not all that great, but actually I don't think I would be worse off with it instead of EP_XOFF doing his own translation. In fact, Google's translation just might turn out to be more understandable, provided the original text in Russian is written correctly.

    It may not be the biggest reason but it is a reason. The main reason is/was the bashing thing.
    Still, in all fairness, the language one uses does make an impression. Let's take yours for example - substituting "you" with "u", not using punctuation much, etc. It just makes me not take you as seriously as I would've if you had written it appropriately. Such things mean something to me. Then again maybe it's just me, I don't know.
    I know we are talking about slightly different things here but it's still presentation of information that is read by others, so it's bound to make different impressions on different people.

    I don't think the development pace of a product justifies bashing. Especially since the development pace doesn't necessarily mean inferior quality.
    In fact, just bashing something should not be a typical behaviour of any professional, to which group EP_XOFF supposedly belongs.
     
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    well if development is dead, how does constructive criticism benefit it? and ok lets say he was a little "blunt" with his wording, does that make it any less valid? the content of it is still accurate.

    and i think substance is more important than presentation. especially in a situation where the person is trying to reach the largest audience by writing it in english when its not even his native language.

    and about google translate, it doesnt really translate grammar properly, it can translate words, but struggles with grammar due to the different conventions between languages. so no, google translating it from russian to english would not make it any easier to understand, it would be individual russian words strung together that would not make sense in sentence form.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't see anything constructive in EP_X0FF's bashing.
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    i didnt say it was, im just saying constructive criticism doesnt really benefit TF since its essentially a dead product and after all this time, i highly doubt anything that EP_X0FF is saying is something that the people at PC Tools don't already know. i feel that EP's post is good for informing the users that TF is outdated and no longer has a good approach to what it is doing.
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  21. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Would you take Mamutu over ThreatFire?

    Both seem to do the same thing and both seem to be updated daily.
     
  22. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    snails pace might be a better word than outright "dead". but it is essentially "dead" and not really actively developed.

    threatfire is rarely updated, bug fixes typically take ages.
     
  23. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    If the development of a product is over, then neither bashing nor criticism would bring anything to the table. On the other hand, if a program is alive, then constructive criticism could be helpful, whereas bashing remains useless.
    In other words: bashing is never useful, whereas constructive criticism could be beneficial. That was my point. And considering that ThreatFire isn't actually dead yet, I believe my point remains valid. Examples of dead programs: Ghost Security Suite, ProcessGuard, System Safety Monitor, AntiHook, ProSecurity, BOClean, etc. ThreatFire may be developed very slowly but I don't think it falls in the "dead" category just yet.

    Still, what you are saying is that it is OK to be obnoxious and arrogant as long as you're right. Well, being right and being constructive are not mutually exclusive. One can be both right and constructive at the same time. That's what professionals try to do. Bashing is done usually by the average Joe.
     
  24. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    By updates I mean Signature updates, it downloads new ones at least once daily in my experience.
     
  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Thank you all for your posts...especially Kees1958, because he showed that TF is still a good and worthwhile program and the fact that I still really like TF is not so stupid :) TF is the first standalone soft like HIPS/monitor/blocker which I installed on my computer and learned a bit, for a simple reason - it is in my native language and not English...the same was true with SSM. For these reasons, I sometimes recommend both programs to users on the Polish forums or portals, so that they are able to learn how such programs work, what they can learn from alerts and how their system works.
    I understand that for you EP_X0FF is a controversial person and his words are absolutely not an oracle on the subject ... in that case I will not change my opinion about TF :)
    Kees, you were born in 1958? In that case, I am not so much younger than you :cool:
     