Rating ThreatFire's rootkit scanner

I'm interested in any opinions of ThreatFire's rootkit scanning capabilities?

Is it by any chance ranked up there with the 5-star programs like GMER, IceSword or RootkitRevealer? My guess is it is more along the lines of ARKs like AVG, F-Secure Blacklight & Panda.

I don't see it rated here. Maybe it hasn't been around long enough?

Has anyone seen any TF rootkit tests done by members, like anything from fcukdat or any of the other knowledgable members?

 

Nobody?

 

Probably it's because Threatfire is a HIPS and not a standalone rootkit scanner.

 

That site doesnt show ThreatFire but if you scroll down and look under Rootkit Prevention Software you will see Cyberhawk, the name before it was changed to TF

 

I wouldn't put much stock in ThreatFire's ARK success to any degree because EP_X0FF is already shown many times over how just a simple POC can walk right past them, in effect making them blind to discovery.

I would instead rely on actual and specialized ARKD's like Sophos and the like for more accurate results, but even it can be side tracked into total blindness from what i hear.

 

This is a test from a forum:

In this test Threatfire Pro came out in 6th place among other paid AV:s
ThreatFire Pro- 88.69%

 

Do you have a link to that test result? Looks interesting.

 

It´s a serious test but on a warez forum...therefor not suitable for wilder´s...nevertheless a serious test with interesting results...PM sent...

 

Not too hard to find the source of the test, but unfortunately I can't view it. Nor anything else there. Apparently somebody in my IP range has given this forum some kind of grief in the past, and I'm blocked.
Not interested in warez at all, but was interested to see the other five. And the five after that. 88.69% is quite impressive, especially if we're talking real world exploits.

 

I don't understand how TF Pro got better results than PCTools Free AV, as TF Pro uses PCTools AV engine (unless the free version of PCTools AV has less detection rates than the paid one).
Anyway I don't see how the test is related to the rootkit scanner.

 

I must ask, are you saying EP_XOFF specifically tested ThreatFire's ARK scanner?

I have seen a long list of ARKs that EP_XOFF said were either partially or fully bypassed with user land/user mode rootkit, the best result seeming to be from SnS rootkit detector, which detected but couldn't identify his rootkit process and couldn't terminate it. (Anyone know where to get SnS?)

I think it's safe to say that if one is prepared to believe EP_X0FF's verdicts, then there is no ARK product which can be fully trusted. Where some might say there is a list of products which do their jobs quite well, EP_X0FF would probably say that they do their jobs not quite as bad as the rest. Does that sound right to you?

 

I agree.

As someone who is been totally up front and more importantly, also backed up his claims/findings with proof as well as shared the same with the general public in some cases in this particular field, if nothing else is given all of us a measuring stick of sorts from which to draw a fairly accurate conclusion regarding Anti-Rootkit Detectors from various vendors not the least of which originate from commercial vendors.

I haven't seen anyone else, or group for that matter, more intensely focused in this one area of Windows exploits as EP_X0FF and have even taken to task many of those findings myself, so IMO, commercial vendors although they finally did get around to taking this issue up as they should have all along, but didn't really bother at all untill developers like EP_X0FF brought the seriousness of this to the world stage with Proof by comparisons.