I smell something fishy with Threatfire

Discussion in 'other anti-malware software' started by nomarjr3, Apr 7, 2008.

Thread Status:
Not open for further replies.
  1. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Threatfire was not able to detect a trojan file, C:\WINDOWS/_MS(?).
    Sorry, I wasn't able to save a log file for that specific trojan since it immediately got toasted by Avast when I did a scan.


    To solcroft,

    Don't you have anything else to do, than spew out rude words and mock someone else?
    Didn't your parents teach you to be polite?? :rolleyes:
     
  2. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    So the trojan was present on your PC before you installed Threat Fire, and you are bothered about Threat Fire's on-demand detection, or you got infected while using Threat Fire & Avast?
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,929
    Location:
    SW. Oklahoma
    .....
     


  4. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    604
    Location:
    Wallachia
    You may be right, Kaspersky is extremely aggressive with Threat Fire and the PC Tools Firewall. It was squealing like a pig when I installed those :))
     
  5. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    virtumonde,

    I was using Threatfire as on-access protection and Avast as on-demand scanner.
    I wanted to test Threatfire's ability to eliminate ALL types of malware (or so it claims) so I installed it on my 'dummy' PC w/o any other security app except Avast for on-demand and Acronis True Image as back-up.
    The trojan was not there, since I have a clean 'image' of my drive which is malware-free.
    After a while things started to become fishy.
    A notepad file and an autorun.inf file appeared on my C drive, which replicate themselves even if I delete them.
    So I started a scan using Avast, and it was able to find a hidden trojan in C:\WINDOWS folder. It was _MS(something).o_O
    Sorry, Avast displays encrypted names on infected files therefore when Avast toasted the file, I had no chance to save a log file.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Boys and girls:

    I think I have sensed something here, perhaps I can jump in, getting my keystrokes wet. :-*
    I would assume that after Avast's white knight style rescue, your box returned to a normal state? So you think that the weird behaviours of the notepad file and autorun.inf file are caused by that Trojan? Then I sense that TF may have failed here.

    You may know that an on-demand scanner can pick up any sleeper cell of a trojan file, but a behaviour blocker such as TF cannot detect it unless the trojan wakes up and acts.

    I think your remarks may have some merit here; please do not drag me into the tongue war, I already have had plenty of it at work.:doubt:

    Take care.
     
  7. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Well, Perman,

    Avast was able to remove the trojan (C\:WINDOWS/MS(?)) but of course it didn't remove the autorun.inf and notepad files.
    I had to manually do the usual command prompt operations to remove the autorun.inf and notepad traces left by the trojan.

    What's fishy (IMO) is Threatfire's deceptive marketing.
    If it can't detect trojans on a zero-day basis, they should at least remove that from the marketing catchphrase on their website.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, nomarjr3:

    I have been in your shoes before, and numerous times as well.

    But you know, today's software, especially security apparatuses, is not rolled out as solid as it should be, although it is meant to perform that way.

    Therefore, is it fair to call TF ineffective in this regard? Fishy in marketing deployment? More or less. But to label TF as "rogue" software is, perhaps, IMO, a bit of a strong statement. Mind you, TF is supporting general PC users for free; to be perfect even every now and then is practically impossible.

    Hoping TF folks who happen to stumble upon this thread can at least bring it up to the MANAGEMENT, and act/react accordingly; after all, PC TOOLS is a reputable corporate citizen ;)
     
  9. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    I am reading the thread. Each to their own I guess. I don't think we are "fishy" :ninja: . We never pretend to be "perfect".
    We are trying to create the best product out there, the competition is tough. (so SAS stop making your product ok? ) :D <-- I hope you know I am joking here!

    About the sample that we apparently missed, I can't comment, because I don't have it.
     
  10. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    If I recall correctly (I have never used it, and I presume it would clash with my Counterspy), the downside of Threatfire is that you can only choose between 'allow', and 'block', without a 'deny' ?

    It was mentioned somewhere as an important issue, I'm not quite sure why.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's only important for the ones using custom rules (i.e. those using Threatfire to behave more akin to a classical HIPS). It isn't relevant for detection and removal of malware and prevention of FPs.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,349
    Location:
    Hawaii
    I heartily agree. TF is a superb behavior blocker.

    OP's remarks clearly demonstrate that he has near-zero competence to assess HIPS. However, anyone who correctly points out that fact is regarded by OP as "rude." Ergo, I concur with post #28 --- ***Do not feed the troll ***
     
    Last edited: Apr 8, 2008
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ThreatFire detected one suspicious activity until now: "C:\$ISR\0\ISRCOPYXP.EXE"
    Experienced FDISR-users will recognize this as a non-suspicious activity. ;)
    I got this warning while I was creating my freeze storage.
     
    Last edited: Apr 8, 2008
  14. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    I look upon TF as a perfect combo together with a good AV/FW/Suite... as such it definitely fills its purpose. Simple and efficient. Period!
     
  15. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    It's as simple as that -
    Don't feed the troll!
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Then it's the exact behavior of a pig, not a security software.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    For most of my friends for whom I install a free AV, I try to add TF along with it. Very powerful combo IMO.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    You can get a copy of this trojan from the Avast chest (Quarantine) and send it to me (upload and PM me the link), I will be interested to see it.

    BTW don't expect that TF will detect absolutely all malware, it's simply impossible. But I am sure it will detect this trojan, I think it surely gives pop-ups if any malicious or unknown program tries to add an executable file in the Windows directory. There may be something wrong with your observation.
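To make concrete the distinction Perman draws in post 6 (an on-demand scanner finds a dormant file, a behaviour blocker only judges what runs) and the rule aigle describes just above (an unknown program adding an executable to the Windows directory), here is a toy Python model added to this thread. It is constructed example code, not ThreatFire's or Avast's logic; the dropper bytes, the hash "signature", the paths and the process events are all made up.

```python
"""Toy model of the two detection styles compared in this thread: on-demand
signature scanning of files at rest vs. a behaviour rule over live process
events. Paths, bytes, hashes and events are constructed for the example."""
import hashlib
import ntpath  # Windows path semantics, usable on any OS
from dataclasses import dataclass

DROPPER = b"constructed-dropper-bytes"  # stands in for the hidden C:\WINDOWS file
KNOWN_BAD = {hashlib.sha256(DROPPER).hexdigest()}  # constructed signature set
FILES = {  # files at rest, as an on-demand scanner would walk them
    r"C:\WINDOWS\_MSxx.exe": DROPPER,  # dormant dropper (constructed name)
    r"C:\WINDOWS\notepad.exe": b"legit-notepad",
}

@dataclass
class Event:
    process: str   # path of the acting process
    op: str        # file operation, e.g. "create"
    target: str    # path being written
    trusted: bool  # process is allow-listed / has a good reputation

def signature_scan(files):
    """Flag every file whose hash is known bad, whether active or dormant."""
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() in KNOWN_BAD)
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}

def behaviour_rule(ev):
    """Name the rule an event trips, or None. The two rules come from the
    thread: an untrusted process dropping an executable into the Windows
    directory, or writing autorun.inf to a drive root."""
    if ev.trusted or ev.op != "create":
        return None
    head, tail = ntpath.split(ev.target.lower())
    if head == r"c:\windows" and ntpath.splitext(tail)[1] in EXEC_EXT:
        return "untrusted-process-writes-exe-to-windows-dir"
    if tail == "autorun.inf" and ntpath.splitdrive(head)[1] in ("\\", ""):
        return "untrusted-process-writes-autorun-to-drive-root"
    return None

def behaviour_scan(events):
    """A behaviour blocker only judges what runs: no events, no verdicts."""
    return [(ev.process, ev.target, r) for ev in events
            if (r := behaviour_rule(ev)) is not None]

EVENTS = [  # constructed stream for when the dropper wakes up and acts
    Event(r"C:\WINDOWS\_MSxx.exe", "create", r"C:\autorun.inf", False),
    Event(r"C:\WINDOWS\_MSxx.exe", "create", r"C:\WINDOWS\_MScopy.exe", False),
    Event(r"C:\WINDOWS\_MSxx.exe", "create", r"C:\temp\notes.txt", False),
    Event(r"C:\Setup\installer.exe", "create", r"C:\WINDOWS\helper.dll", True),
]
```

Run `signature_scan(FILES)` and the dormant dropper is flagged at once; run `behaviour_scan([])` and nothing is flagged, because until the dropper acts there are no events to judge, which is exactly the gap Perman describes.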
     
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree, I see nothing fishy about ThreatFire. If one likes it, use it; if not, then don't. And as far as the competition being tough, simple solution: buy 'em out. PS: just joking :D
     
  20. l0_0l

    l0_0l Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    18
    @Cyberhawk Support
    I agree. ThreatFire (TF) is an awesome tool (being for FREE :thumb:). TF might not be as effective as so-called classical HIPS (PS, EQS, etc..) TF is merely a behavior blocker based on community signature and heuristics. Even though I am not a fan of community-powered products, I think that it has room to grow into something more useful into the future.

    @nomarjr3
    I also get the feeling that TF is a rogue software because it completes its scanning also too quickly. I think it is best to use dedicated scanning software for the purpose (Gmer for anti-rootkits, KAV for anti-virus, etc.). TF's blacklisting feature is a nice protection for beginners who download freeware (only works if there is a signature for them in the database or the heuristics catch them). I recommend that you try EQS (extremely configurable and very effective w/ Alcyon's Ruleset ;)) and in my opinion it provides a much superior protection than TF.
     
  21. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    For all of you who suspect ThreatFire to be fishy based on the fast scanning time - what about apps like Prevx CSI? :D

    The scanning times come down to which directories are scanned (whole disk, critical areas etc.), and of course how much junk you've got on your computer. A scan on a fresh install will of course be faster because of fewer files.

    TF is a nice program because it can be used by inexperienced users, unlike classical HIPS (requires more technical understanding). Of course there are competitors on the market, like Norton Antibot and EMSI Mamutu, but they cost $$$.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't expect you'll get it. The OP's knowledge and competence is plain for all to see.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Hi Solcroft, be soft to him. He will learn with time.
     
  24. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I once had a fish I named Threat Fire that smelled fishy. It was still a fish and usually did what a fish does. ThreatFire is a "Behavior" Blocker, and from all reports it almost always does what any good behavior blocker does. "Blocks" threats. I'm not sure what exactly happened here, but I have used TF and have received support from their forum guy, and have never personally smelled, or thought, anything fishy was going on. I did however, lie about having a fish named Threat Fire. He was actually named Mamutu. LOL.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Except when you want to create your own rules in ThreatFire:

     