How to make ThreatFire block /+ remember.

Discussion in 'other anti-malware software' started by Rivalen, Nov 18, 2008.

Thread Status:
Not open for further replies.
  1. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I managed to set TF up so that it warns about programs wanting an outbound connection - but I can't block them, only allow or kill. I don't like to kill.

    I don't expect outbound to be as good as, say, Outpost, but maybe better than nothing - so how do I block?

    Best Regards
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You probably increased the sensitivity level.

    Best way is to open the TF console, choose Settings, check whether the Sensitivity level is set to 3; when not, click and set it to 3 again.


    Next choose the Quarantine tab and select "Set System Restore Point", just to be safe from accidental parent process destruction (currently the only flaw in TF, that it does not protect the user).

    Next click advanced tools, click custom rule settings, select "Process creating network connection" and choose apply.

    Next

    You're done
     
  3. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Thanks
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is the downfall of TF. There 'was' a debate over whether or not TF should include an Allow/Deny feature. The very issue you state is one that is a good example. TF includes a feature to create a custom rule set to watch for outbound connections. However, the prompt is not allowing or denying, only killing or quarantining, with sometimes denying.

    However from the pctools forums it would appear the debate is over, and TF will not be given the allow/deny option. Reasons stated are sound reasons, but IMHO leave a certain sector of users who could do much with that inclusion to look elsewhere.

    Sul.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This is what just kills me over this app going all the way back to Cyberhawk. They finally get it almost at the very best it can be but then stumble right over or ignore the very most important criteria for an app of this nature that everyone has been expecting forever.

    I know it will be argued that any remaining highly appealed after features will be forthcoming at some point, but then Novatix said the same thing back with Cyberhawk, then out of the blue one day passed the Hot Potato over to PCTools.

    I finally recently gave up and am staying strictly with MAMUTU! A Behavioral Blocker that offers customers a real choice between needed options and not just the Kill & Quarantine or Run only, plus stable as a rock.

    If PCTools ever gets the rest of the TF features users have beat 'em over the head with for months and makes rules exportable/importable, then I might have another go at it again. But I don't look for that for a long time. Even the Custom Rules are screwballing and in some cases refuse to react at all regardless of the slider, which I even placed on the highest level but no response.

    EASTER
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is why I advise a restore point before quarantine.

    The real problem is in the fact that with serious malware, the parent process is taken down also (so you end up with your browser being quarantined, or your media player when picking up a nice staged bad guy).

    I used TF with an XP Pro Power User setting and when doing some testing it took IE7 down also, so my conclusions:

    1. The average user will not test malware, so the chance of having his setup damaged is minimal (still I can not understand why the set restore point before quarantine is off by default).

    2. Security enthusiasts should only use TF as a second layer (e.g. behind a virtualisation or policy sandbox). In configurations like this, TF has not brought my system down for over a year of testing behind DefenseWall (so Rivalen, you are covered).

    3. Security enthusiasts testing TF as a first line of defense better have image backups ready, because TF is bound to quarantine a parent process some time.

    Currently I have given my Mom of 75 DefenseWall on her PC (she went nuts over the A2 false positives of the new Ikarus engine on her memory games), so I run TF after GeSWall Pro again. So far it is running nice and light (as long as you do not try to break your own 'windows' too much :D)

    Cheers Kees
     
    Last edited: Nov 19, 2008
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    You're to be warmly commended Kees1958 because I for one have followed your enthusiasm and expressing the absolute Logic in what TF should (could) do to make it 21st Century innovative, and I will say your registry keys did work perfectly in TF, only that it took out Regedit too :D , but that's the exact issue they need to work on as well as others such as a BROWSE feature for one.

    Also other apps such as BB's & HIPS make it a point to go after the source offending executables and registry keys specifically and not their system launcher (DUH!). At least they afford the chance to shutdown the launchers and not quarantine them only to make you have to chase after them to restore their rightful positions again in TF. LoL

    I was sorely frustrated at first but then realized they probably don't have the sharpest pencils in their drawing room just yet. They should hire you Kees1958 to guide them along, then i bet the store it would be the absolute king of behavioral blockers. LoL
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I would not mind changing the Dutch climate for Australia, doing some sales and marketing advice based on my usability testing/software design experience (= way back when I was young) and sales, marketing, branding (last 18 years).

    Cheers
     
  9. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I am not savvy enough to understand it all, but I allow outbound with or without remember ticked. If I ever should see something I don't like :cool: going outbound I would allow it once and probably install good old Outpost back on and see what gives.

    'Cause I don't think TF will see a malware hiking/using (U-boat under commercial vessel hiking through U-boat nets) - you've seen the movie - using iexplore for outbound, but such a leak might be discovered by OP?

    So I made my choice: OP out, WinFW in, and have fewer popups - see all ads I didn't see with OP - and a little less defense, but not too bad.

    I don't have too much to protect, but still don't want the front door to be wide open :D

    Don't understand TF on this one - do they have this feature on the paid version?

    Best Regards
     
  10. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    ...
    IMO, this flaw is indeed very serious since the basic requirement of a security tool is to help you as a user to protect your system against suspicious malware activities, and not break your legitimate applications as in this case where the parent process gets quarantined as well. Therefore I can't recommend this product to novices (even if that's the target group PC Tools/Symantec wants to reach as well with TF), since they will only experience that their browser "suddenly doesn't work" any longer, forcing them to know how to use the Windows inbuilt system restore tool to undo the quarantine action by TF. Not a well designed and solid security solution I'm afraid...

    /C.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have made this change in the past, but did not like it. My thought is that I do want to know what is going out, but I don't really want to have to make rules. I either trust an app or I don't, yet I need to know if something unexpected is attempting to go out.

    I thought TF could be used for this, a simple application monitor for network with no real rules to be made. Because of the limitations of TF this is not possible. So since you are an OP user, you have an easy alternative. Just open your preset.lst file, and delete everything in it. I have only one rule in mine now, a preset for svchost.exe. Otherwise, when OP is in Rules Wizard mode, and a program prompt pops up, I either allow/block ONCE to see what it does if I am not familiar with it, or just use Always Trust or Always Block if I know what I want to do. You can still use the 'other' option to make a custom rule as well. This leaves me with a very easy decision, basically Allow or Deny. You can then disable or remove plugins you don't use. For me all I use is Attack Detection. My ads are handled by the Proxomitron.

    TF would have been a great alternative to this because you could still use WinFW as you say, but also have the option of by .exe allow/deny. My advice is then to put OP back on as I have described, and use TF/CH or DW or whatever your choice is with no network functions. Seems to work well enough.

    I would agree partially to that. As a power user it is indeed a shame to be so limited. On the other hand, I do see a lot of strength in the premise that most users are 'very basic' and thus the target audience would not need the features you or I would want. I have TF installed on many friends/family machines, with minimal issues. Only the ones who are the learning types, who poke around, who know just enough to be dangerous have had any issues, and I don't consider those issues because they are interested enough to understand if you explain it to them. Then they become self sufficient at least in respect to being able to 'un-quarantine' or answer the prompt correctly.

    I know many who just don't want to learn enough to be advanced users. I think it is for these (probably the majority) who TF is target for. And for them, it does work ok. That is, until they do come across an issue. Then it will be very obvious to users of TF that will have no option but to learn at that point.

    Sul.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This TF is grossly inadequate unfortunately because in reality it could offer amazing protection if properly programmed which PCTools doesn't seem to be in any hurry to fashion as it should/could really become.

    MAMUTU blows it away!!
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    From DJames of PCTools

    I was informed that system processes and trusted processes will never be quarantined; instead a denied will show in the TF warning.

    I have requested to apply a do not quarantine of parent processes of vulnerable processes like P2P, web browser, e-mail, chat programs.

    Cheers Kees
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks Kees1958

    It's extremely needed.
     
  15. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I've read your thread back at PC Tools Kees, and djames's answer as "...still being discussed on how to implement this feature correctly..." isn't appeasing to the above issue. Btw, I regard your thoughts on how to solve this to be adequate, but since they for the present time don't want to expand their internal whitelist to include certain third-party application processes, my hesitation regarding TF's - "shoot all, including the good guys, and save them later" - design remains.

    /C.
     
  16. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The attitude of the developers of TF toward this issue is one of lofty arrogance. It's a bloody shame because -- other than this glaring flaw -- TF is a passably adequate behavior blocker. Not in Mamutu's league, but not bad for a freebie.
     
  17. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    This thread has really alarmed me about Threatfire. :doubt: I'm seriously thinking about ditching it and using something else. Which free programs, in your opinion, would offer more solid protection? I don't mind trying several out, I just need some guidance to those the Wilder community thinks are solid products. Thanks in advance for any help!
     
  18. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Threatfire (TF) is a type of HIPS known as a behavior blocker (BB). AFAIK TF is the only free *full-scope* BB.

    Non-free BB's include Mamutu, Prevx, & Primary Response Safe Connect.

    For non-free, I recommend Mamutu. There's a 20% discount at RegNow (very reputable outfit).

    For a freebie, I recommend Dynamic Security Agent (DSA). DSA is a *hybrid HIPS* -- that is, DSA has some attributes of a BB, & some attributes of a classical HIPS. DSA doesn't cover as broad a spectrum of behaviors as does TF, but DSA also covers NON-typical behaviors -- based on DSA's observations of how YOU actually use your computer -- plus DSA has added security coverage as an SPI-capable firewall.

    DSA will bug you with quite a few pop-ups during the first week of use, but it should settle down after that and afford very adequate protection.

    Or else -- just stay with TF, and include the precautionary settings suggested by Kees.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This news of complaints and downsided frustrations has no choice but to quickly drive interest in TF into the same dumper as Novatix did when it later passed off CyberHawk to PCTools after they got avalanched with consistent complaints = ALL VALID!

    However it's as close to being the best it's ever been since its first inception as Cyberhawk and only needs some serious attention and especially to listen and follow through with many users' suggestions who are better able to make just the right distinctions to drive this app to the forefront as a class act.

    In the meantime, MAMUTU is showing very strong high returns and results and is leading the way in this specialty field ATM.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Quite simply, the draw of TF is that it is free and it is quiet. Anyone who wants great protection will invest time into a paid product that needs to be trained, whether it be DW, Mamutu or a host of other options. With TF, for me, the excitement lies in the quiet nature.

    I think TF is still a good app, although there are bound to be issues at some point. Consider the everyday user, who does the same things over and over. They surf, burn, type and transfer. Pics, music, video. I think TF is fine for them. It is fine for my wife. Fine for my kids. Fine for my mom. Fine for many peeps I know.

    However, it is not fine for me. Nor would I doubt it is fine for many here. Primarily because we do things most 'normal' users don't. And what few issues TF brings to the table can pretty much be summed up by 'let us customize and have the allow/deny option'.

    So on the one hand I like the quiet nature, on the other I don't want it completely leaving me in the dark. I have said before, I would pay for a pro version that has 'advanced' capabilities that the normal user would not really want or need.

    I really feel if TF could find an answer to their performance/resource concerns, and implement a Pro/Advanced version, they would find those 5% of us 'geeks' could influence a high percentage of those 'users' with a better TF experience. Especially if there were an export/import feature.

    I know right now that I could sell a couple dozen copies. As long as I could import my rules into theirs. How nice it would be, if you were repairing computers for a living, to have your customers buy TF and then use your custom rules. How many troubleshooting issues could you eliminate because you know what NOT to look for. Just a thought I think of as I support friends and family myself.

    Sul.
     
  21. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    TF is free, but I feel they have drawn some benefit during development from the Wilders community and therefore should be inclined to listen to the 5% of their users that can truly contribute to the development of TF.

    My defense is lean now as you see from my sig. Maybe it's enough, but if I let something through where DW trusts what's happening I would like another layer for 0-day threats.

    So I ask for advice; I don't want OP back on, simply want to try something else to improve my allround protection and a watchdog for outbound illegal activity.

    Mamutu, or DSA or what should I go for? Not Prevx Edge - doesn't like DW.

    Please also advise on a fast ad blocker for IE6.

    Remember I am not savvy, but I don't mind initial popups to set up protection or learn my user behavior. The 20-30 USD is not a problem if the benefit is worth the money.

    Best Regards
     
    Last edited: Nov 22, 2008
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rivalen,

    With Antivir + DefenseWall you are really okay, no need to worry.

    Defensewall will have outbound protection in 2.50, so with windows firewall or router with hardware firewall you are okay.

    As for browsers, give Chrome a chance, it is one of the fastest browsers around. Also the sandboxed rendering engine will deal with 70% of the browser vulnerabilities (proven by research of Stanford, see https://www.wilderssecurity.com/showpost.php?p=1341118&postcount=29).

    Or this text from http://www.technologyreview.com/web/21325/page2/
    Another benefit of running browser tabs separately, Google says, is increased security. Usually, when hackers try to install malware on a computer via the browser, they look for bugs in a component called the rendering engine. Chrome runs separate rendering engines and segregates each one with another layer of protection. "It's an extra level of security," says Fisher. This means a hacker would need to find not only a bug in the rendering engine but one in the protection layer in order for the malware to make its way out of the browser and into a computer.

    So you are really well protected:
    A) Chrome's sandboxed rendering engine
    B) DefenseWall's policy layer
    C) Avira's 99% success rate on existing threats and over 70% rates on heuristics for zero day threats

    Wait until Chrome facilitates plug-ins and I will bet the FF ad block plug-in will be available soon.

    It is wiser to invest in an image backup/external hard disk for off line protection of data. Really I have an unused licence of Mamutu (and A2). Behind DW they only kick in for false positives (and I did quite some malware testing).
    I dare say that you can even set Avira to check at writes only (no execution and read access check of the AV data base), to increase the overall agility of your system (when on dual core this is not necessary, because the gain is not noticeable).

    When OA, TF and DW developers have included safety and usability features in their products on my request, I like to think I am not a security freak, but keep a reasonable balance between risk & useable security. So I hope this answer gives you some directions in making up your mind.

    Cheers Kees
     
    Last edited: Nov 22, 2008
  23. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Thanks Kees - I'll run Chrome inside DW.

    OK I am fairly well protected, but it's fun to find something new or another type of layer :D.

    Best Regards
     
  24. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Kees - I installed Chrome as trusted by DW. It's fast.

    First it seems it didn't handle Flash Player. One of my most visited sites needs Flash and it didn't install, and Chrome isn't mentioned in Adobe Flash's list of browsers.

    Which files should I add to DW untrusted?

    Best Regards

    Edit: DW seems not to allow Chrome to work even as trusted, but I will continue this discussion over at the DW support forum so that this thread can keep on track or die in peace.
     
    Last edited: Nov 22, 2008
  25. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Really? I guess not.

    Anyway, the debate clearly goes nowhere with TF developers, they sound like a scratched record and I got annoyed enough to uninstall the thing completely from the boxes that have been running it. :thumbd:
     