Is NOD and Threatfire sufficient?

Discussion in 'other anti-malware software' started by sflorack, May 16, 2008.

Thread Status:
Not open for further replies.
  1. sflorack

    sflorack Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    45
    I have been using NOD 2.7 and Threatfire for a while now without issue. I also use on-demand applications like SAS and SpywareBlaster, and use a hardware firewall/NAT router.

    I'm not totally sure what Threatfire can be classified as (i.e. HIPS protection, firewall, registry blocker, virus, etc.) so I'm not sure what holes exist in my security setup.

    Do I have a need to use a program like DefenseWall and/or RegDefend, or do I have all my bases covered?

    Thanks in advance for answering my noobish question! :D
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  3. sflorack

    sflorack Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    45
    Sure, but couldn't a firewall, virus scanner, HIPS, and spyware programs all be considered a "malicious behavior blocker"?

    I understand the concept; that it provides protection based on behavior rather than relying on signatures. Yet at what level does it provide that protection, and will it protect the registry, etc.

    Ultimately I was just curious whether I needed to worry about using a registry defender or not.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    True, but one might re-word it a bit to...

    Threatfire is a blocker of malicious behavior.

    Or maybe...

    Threatfire is a blocker of suspicious behavior.

    Meanwhile, back on-point: NOD is a very good antivirus. TF is a very good HIPS.

    You ask if they are *Sufficient* --- Sufficient for what? It depends. If you visit blackhat forums and flame people there, or if you download cracks, or if you hang out at porno sites, then NOD+TF might need a bit of help. But for most uses, NOD+TF should protect you very nicely indeed.

    The actual malware that might try to screw your registry SHOULD be blocked by NOD+TF. However, if you want to SPECIFICALLY block potentially dangerous attempts to modify your registry, you can readily do that with TF's advanced rules, or else run freebie MJRegWatcher.

    Now, concerning your question as to whether you should "WORRY about using a registry defender" -- IMO, one should always worry. That's what keeps the post count going here at Wilders. And never but NEVER look back (someone might be gaining on you). :argh: :D :cool: :D
     
    Last edited: May 16, 2008
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    On an XP box I only run ThreatFire and DefenseWall (behind a router with NAT/SPI firewall)

    DefenseWall:
    This will contain all internet-facing apps in a limited user rights environment. It is basically a policy enforcement HIPS which does not pop up or ask you difficult questions. The charm of DW is that when you download a file, this file is also contained in the limited user rights environment. Version 2.4 has total untrusted file control (needs no user interference, just works) and improved resource protection (meaning untrusted programs' files are limited to accessing a few unharmful parts of the OS, files and registry).

    ThreatFire
    Basically it is a behavior blocker. When something 'strange' happens on your PC (called an intrusion) it first checks in the antivirus database whether it is a known criminal. If so you are alerted like with any other antivirus. When not: it starts to track the behavior, and when it exceeds a limit (that is the built-in intelligence), it will warn you. TF is also very quiet.

    Your defense
    First level should be a firewall (at least the default inbound firewall of Windows XP or Vista, or better a FW built into a router or modem).

    Second level is DefenseWall; it mitigates all threat gate programs.

    Third level is ThreatFire, acting as a behavior blocker with the ease of checking its blacklist database (the fingerprints of malware).

    A setup like this should be very secure and easy to use (no pop-ups); although it is hard to believe, you do not need an additional antivirus. If you have already purchased a license of NOD, that's fine, keep using it. When you were considering the purchase (and are going to use ThreatFire), a policy HIPS like DefenseWall (or GeSWall) would be a better investment regarding security.

    Regards Kees
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    A few others you may want to consider: Sandboxie and Returnil. I believe with your current apps plus Sandboxie, you would have nothing to worry about, or at least not much.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I concur.
    @sflorack,
    Returnil will keep your system partition unchanged, like it was installed in the very beginning.
    Unchanged = no malware and you don't need good changes either, because your system partition is already working properly.

    The rest is a matter of stopping the execution of malware with tools like Sandboxie, Anti-Executable, HIPS, ... to save the period between two reboots.
    After reboot all changes are removed by Returnil anyway, even when your security software failed.

    If you combine ThreatFire with Returnil and ThreatFire warns you for something : your answer is always DENY, never ALLOW.
    If you combine Anti-Executable with Returnil, AE will always DENY for you, because there is no ALLOW in AE. :)
     
    Last edited: May 16, 2008
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    May I ask why? Wouldn't this concept pretty much put an end to whatever it is that I am trying to do at the time that TF pops a warning? Or are you saying that TF's warning is 100% accurate in telling me (in effect) "DON'T do that!" o_O
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I like ThreatFire; its intended purpose seems OK. However, there are times when it will produce warnings for valid apps, or should I say FPs. I installed Dr.Web after ThreatFire and ThreatFire flagged Dr.Web as a potential bad guy, which still leaves the end user guessing: is it bad or not, should I allow or deny? I allow because (A) I know I am on the official site and (B) I believe their product was not compromised in any way.
     
  10. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Absolutely agree and same setup on my XP machine. :thumb: Keep it simple, enjoy the internet.
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Djohn, you should let the pctools forum know and one of the developers might fix this through the daily updates.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Assuming I would use ThreatFire in a system partition, FROZEN by Returnil.
    Any object, reported by ThreatFire would get only one answer from me : DENY, because I don't need them.
    A bad change might even look like a good change and that's why I deny them all, just to be sure.
    I don't need good or bad changes, because my frozen system partition is already working fine.

    Give me ONE example, why I would allow a change in a system partition, that contains nothing but a configured Windows and Applications and is working properly from the beginning and day in, day out after that.
    I'm doing this already so many months, I lost count, not with Returnil, but that doesn't make any difference, ISR is ISR, only the software has a different name.

    When you don't have a frozen, but normal system partition, everything changes of course, because you don't have a 100% removal tool anymore.
    So any malware that bypasses your security becomes resident malware and won't be removed during reboot, because there is no Returnil to do this for you.
    It's no secret that security fails a lot more often than recovery (ISR+IB). :)
     
    Last edited: May 17, 2008
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I will do that. I figured it was just an isolated incident since it has not done this with other AVs I have tried.
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    It sounds like a good strategy. Not my cup of tea, but good nonetheless.
     
  15. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Perhaps to un/install some new s/w o_O TF notifies you of the changes, and if you caused the changes then "allow" to continue with the un/install. This happened also when opening Dr.Web CureIt or uninstalling some app that wanted to save the configs for re-installing...
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not in my case. However, I consider it in theory as possible that sometimes good changes are necessary in a frozen system partition. It depends on which software you use in your frozen system.
    This is not a problem, because you can exclude these objects in your frozen system.
    Returnil is very good at this, much better than FDISR, because these excluded objects are protected all the time, until you commit the change. That's what Coldmoon told me.
     
    Last edited: May 18, 2008
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, unless you explicitly commit changes on the selected folders, Returnil will undo them.

    But back on topic, I think if the OP is a safe surfer, he'll be fine with this combo...I'd add a sandbox or a boot-to-restore solution just to be sure.
     