Discussion in 'other anti-malware software' started by smith2006, May 9, 2008.
It gets a rating of 4.5/5 in this recent review.
Yep it is great.
I run it without another AV or blacklist program.
Level 1: Comodo (https://www.wilderssecurity.com/showthread.php?t=207773)
Level 2: DefenseWall (https://www.wilderssecurity.com/showpost.php?p=1237542&postcount=9)
Level 3: ThreatFire standard, no custom rules
Opera opens the first time within < 2 secs; cached opens < 1 sec. Opening IE7 takes > 5 secs. Seems that the combo is really hard on IE in XP.
Not a big fan of their reviews, but I give TF !!
Two products in one----behavior based HIPS and an on demand AV scanner!!
I concur with your comments, and am using it too, but.....
recent incidents regarding its driver(s)--two so far, as I have come across.
Its hidden (unclear) status concerns me.
The deeper TF gets into my box, the more nervous I have become.
If a driver is left behind after reboot, and if the user dares to remove it, the system will blow up, rendering it useless (keyboard). It reminds me of a roadside cyberbomb, lethal, indeed.
did anyone test the on-demand AV scanner in ThreatFire Free 3.5?
Or are there actually any tests by magazines or AV testers available for 3.5?
Because the pcmag author only wrote "On-demand scanner is not as accurate as that of signature-based products."
Seems a good product. But after installing it, I had a serious slowdown with the Opera browser. It was practically unusable when it came to reopening the previous tabs.
Firefox was not happy either: usable, but slower.
I uninstalled it (in normal mode) and everything worked like before.
I'll give it a try at the next release/update.
ThreatFire is the best prog that PC Tools has (or acquired, if you will), IMHO. I run it with APSS 8 and feel very well protected. I consider this program spot on for today's malware aggravations.
When using TF on a clean system, the AV scanner is a no-brainer. The real advantage of the on-access AV data base is when TF finds an intrusion, it first checks whether it is known malware. This on-demand is so effective, because you now do not need a realtime AV anymore.
What if the malware is unknown or brand new or has a new form of intrusion, or is known but without a signature?
How are you going to remove these? You can't keep them as resident malware, unless you don't care?
The teaming of TF with PCT's AV (a VirusBuster clone) is the same concept as the teaming-up of Winpooch and Clam AV. Unfortunately, PCT's AV & Clam AV are 2nd tier, at best.
It's as if Madonna were to be cast in the diva's role in Madam Butterfly. Brilliant concept. Inept execution.
That may be true, but . . .
TF checks the blacklist database after an intrusion is detected. It is for the user's comfort, to tell them that they found a known malware. Point is, TF still finds the intrusion. It is just for user reassurance and clarity to deal with the intrusion.
Anyway I am only using TF, no more realtime AV (only a 2nd opinion scan before the monthly image backup).
With Returnil on-board and TF, with advanced rules and raised security protecting between re-boots, my AV has been relegated to on-demand and right-click scans only.
Will ThreatFire run with NOD32 & Sygate? My last few attempts at installing this product have met with system lockups. I finally gave up & quit using it. What AV will run with this product?
Have used it with so many security software without problems. Antivir, Avast, CFP, SSM, NG, etc. Try posting on their forums. Maybe Sygate is the issue, but not sure.
The combination of Returnil and TF is a good one, not because you have TF, but because you have Returnil.
The trouble with TF is that TF asks you what to do and when you answer wrong, Returnil gives you the opportunity to correct your mistake.
If I had Returnil and TF on board, I would always say NO to TF, because there is no reason to say YES.
TF asks first then shoots, while AE always shoots without questions.
If you combine AE with TF, TF is as good as unemployed, because lots of malware are executables and AE has a detection rate of 100%, TF not.
......and the best part of the shoot first is, you can add an exe you determine is safe to its WHITELIST! Everything else not listed is toast again.
As far as ThreatFire, i still can't bring myself to its way of handling risks and the heavy impact it makes on my setup. I've talked till i'm blue in the face about why it employs 4 drivers and a couple of running processes to do the same job i get from EQS, which is a classical HIPS, and you have to answer its alerts too.
At least with AE combined with anything, AE will slap down an executable not in its WHITELIST in a moment, without hesitation!
My verdict on TF is neutral; i am neither interested in it, for the reasons stated by experience, but i don't discount its usefulness either.
I use TF for its advanced ruleset and FW capabilities, and like it for its ask-first way of doing things. I always say "yes" to TF's pop-ups (which increase as I raise its security level), and if it was a wrong decision, I just need to re-boot. Lesson learned, and thankfully not the hard way, like was always my way in the past. LOL I turn off Returnil for 1 hour each day for updates and to incorporate the "denied list" in TF, so after a few days it goes quiet again. Its advanced rules make it more like a classical HIPS in that the rules need to be dictated by the user, and the pop-ups are my educational tool to learn HIPS. I've tried others (PG, SSM, etc) and they are like firewall rules to me. I HAVE NO CLUE AND BY THE TIME I LOOK UP THE DEFINITIONS I FORGOT WHAT I READ. In the natural evolution of things, I will eventually become an AE user. It took me long enough to grasp Returnil. I struggled for months to figure it out. LOL I follow a lot of AE threads and will eventually get the nerve (and time) to take it on. Then TF is GONE. For now I will keep on learning...
AE borders on ridiculously simple because it doesn't flood a customer with way too many settings to struggle with, and right out of the box, after it SCANS your "clean" system, it whitelists them all, so that ANY executable not indexed and databased by it becomes a moving target to stop cold on the spot. And i think that's why you'll really admire it once you test it for yourself.
The other easy part is, IF you have an executable that you know is safe that it flags, like newly downloaded or copied files, it's as easy as entering your password to temporarily stop AE altogether and then run that app. Afterwards, engage AE to ON again, and it adds it to the whitelist.
Faronics really has a winner with this program, as well as, in my case, Deep Freeze, which LOCKS the partition so tight i can't even get it to do business with another HD.
Now i call that really STRICT safety protection.
ErikAlbert can fill you in with even better details about AE than myself.
I liked Erik's approach to reformatting. Early next year when I reformat again (and after I replace my CD burner), I plan on doing it similar to the way he did (minus the phone call to M$). I'm 99.9% sure of Returnil (I'll need to renew my license by then) and AE. The imaging software is the only missing piece of the puzzle, but I have months to figure that one out...
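The anti-executable model the posts above describe (snapshot the clean system's executables, then block anything that is not on that list, with an explicit operator step to approve a newcomer) can be shown in a few lines. What follows is an added illustration written for this thread; it is not code from Faronics' AntiExecutable, whose internals are not discussed here. It assumes a content-hash (SHA-256) allowlist, so the identity of a file is its bytes, not its name or path; the functions `snapshot_allowlist`, `is_allowed` and `add_to_allowlist` and the sample "executables" are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical allowlist: SHA-256 hex digest -> path where the file was first trusted.
# Keying on content rather than filename is the point: a file copied over a trusted
# name still hashes differently and is blocked.

def sha256_of_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_allowlist(root, extensions=(".exe", ".dll")):
    """Walk a tree presumed clean and record every executable's hash (the 'scan your clean system' step)."""
    allowlist = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                allowlist[sha256_of_file(full)] = full
    return allowlist


def is_allowed(allowlist, path):
    """Default-deny: only a file whose hash is already trusted may run."""
    return sha256_of_file(path) in allowlist


def add_to_allowlist(allowlist, path):
    """Explicit operator approval of one file (the 'run it, then it gets added' step)."""
    allowlist[sha256_of_file(path)] = str(path)


def demo():
    """Constructed scenario; returns the decisions so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a clean system's executables (not real PE files).
        (root / "app.exe").write_bytes(b"MZ constructed sample program A")
        (root / "lib.dll").write_bytes(b"MZ constructed sample library B")
        allowlist = snapshot_allowlist(root)
        size_after_snapshot = len(allowlist)

        # A file that shows up after the snapshot is untrusted, whatever it is called.
        newcomer = root / "update.exe"
        newcomer.write_bytes(b"MZ constructed unknown program")

        # Same trusted filename, different bytes: the hash no longer matches, so blocked.
        (root / "app.exe").write_bytes(b"MZ constructed sample program A, tampered")

        results = {
            "known_lib_allowed": is_allowed(allowlist, root / "lib.dll"),
            "newcomer_blocked": not is_allowed(allowlist, newcomer),
            "tampered_known_name_blocked": not is_allowed(allowlist, root / "app.exe"),
            "size_after_snapshot": size_after_snapshot,
        }

        # Operator decides the newcomer is safe and approves it.
        add_to_allowlist(allowlist, newcomer)
        results["newcomer_allowed_after_approval"] = is_allowed(allowlist, newcomer)
        results["size_after_approval"] = len(allowlist)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the demo makes visible that the thread only states in passing: the list is only as trustworthy as the system was at snapshot time (a file already present then is trusted forever unless its bytes change), and the approval step is the weak point, since whatever the operator approves while enforcement is paused is trusted afterwards by hash.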
Then the behavior blocker will kick in.
Then you are hanging out to dry. Same applies to your setup.
What when a new form of executable is found (think about WMF exploits, for instance in data files)? This leaves anti-executable hanging out to dry too.
Then the behavior blocker will kick in.
For 2, the theoretical unknown, there is a simple solution.
Data backup every month, image backup every two months. I keep six image backups. After making a new one, I set back the latest - 1 (previous version), update an on-demand AV scanner (Avira) and perform a scan. This means the on-demand AV scanner has a two month time advantage on any zero-day threats. I think the risk is close to zero for not finding a two month old zero-day threat. When that scan is okay, I delete my oldest image and set back my latest one as actual.
That's what I did.
I got hold of a used HD and wiped the devil out of it with D-Ban & WhiteCanyon's Wipe Drive Pro to make darn sure the metal was ready.
I installed, get this, Deep Freeze w/ AntiExecutable and this single drive is Rock Solid. I might add i also threw in EQS just to watch over matters because it covers darn near everything humanly and machine possible with NT Systems.
That unit is more or less my Fort Knox because it's so tightly sealed from any forced intrusions.
Only when AE knows the executable format (1) AND when AE is active (2).
I think drive by infections are the main concern, followed by new forms of code in data files (1) and malware trying to kick in on log-on or system shut down (2).
This means that AE is also likely going to be defeated, because it relies on execution code recognition. You can also not guarantee that AE is the first to be on duty and the last to go asleep.
Hope this feeds your security concern
Forgot to tell you that I back up on an external hard drive. I would not count on a backup as long as it is connected; there is always a possibility that . . .
Think this feeds some disconcern too
Please don't tell me that my use of TF (advanced rules & raised security levels) has actually made it less effective. I finally got it working (peacefully) with Returnil & AntiVir. It has already been a long week, and it's only Monday (or Tuesday) LOL
I also back up my drives/partitions as a regular routine but i either got some guts or am overconfident in the confidence i've experienced with DeepFreeze & AE combo because i don't feel the need to image it at all. Plus not a lot of apps on it of any real concern of loss, like i said it's my Fort Knox unit and is tight as they get.
One reboot and you're safely back again at the starting line. LoL