TFSERVICE.EXE was flagged by other....

Discussion in 'other anti-malware software' started by Perman, Oct 30, 2007.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: ThreatFire's TFservice.exe was flagged by two other behavior blockers: Sunbelt Kerio Firewall's and PRSC's. It was picked up by Kerio as soon as it was installed, whereas in PRSC's case it was only picked up today, after both had lived together for over one month. To avoid any further embarrassment, I excluded it from Kerio's list and gave a green light to PRSC. I know whatever TFservice.exe was intending to do is within good reason, but why would the other two suspect its activity, especially PRSC after waiting over one month? Did it notice something out of the ordinary just now? Does someone have insight into this? Thanks.
     
  2. dogma

    dogma Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    138
    Behaviour blockers will always report sensitive activity as suspicious, regardless of whether it's by a legit program or not. It's then up to you (the user) to decide whether you want to block such activity. I've never tried PRSC, but maybe it has recently tightened its rules via a recent update, hence the alert.

    Is PRSC Primary Response Safe Connect by SANA? If so, may I ask why you're running both this and ThreatFire at the same time?
     
    Last edited: Oct 30, 2007
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Dogma:

    Thanks for asking. I had PRSC first (paid), then TF came along, hoping both could complement each other, although one member has advised of the danger of running two behavior blockers. So far I have not noticed any conflict yet; I know what to do when I see one. PRSC and TF are regarded as a major crime unit, IMO. They only act on major, major misfortunes, but the question is this: will it be too late then? I have not experienced any yet; I do hope that will never occur. :)
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Really hard to comment without knowing what the alerts said.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    False Positives are normal for any blacklisting technology.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, solcroft:

    Thanks for asking.
    In Sunbelt Kerio FW's case, the FW keeps popping up alerts despite my green light, perhaps a fault of its own. I sought advice at Kerio's forum and got it solved: exclude TF. In today's PRSC case, if I still remember clearly, it seems that PRSC alerted on TF as an unknown program, seeking my decision: allow or quarantine. I gave it a green light. This phenomenon has puzzled me; TF and PRSC have stayed together for over one month, so I would assume PRSC has since learned TF's habits and behaviors. Why would it all of a sudden suspect it, unless something is out of the ordinary or it is just a FP? Your comments are welcome. Take care.
    P.S. I just read Ilya's feedback: isn't a behavior blocker a blacklisting app?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What did Kerio complain about regarding the TF service? As far as I know, Kerio has no behaviour blocker, only simple application execution control and a FW.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,aigle:

    Thanks for your interest.
    I cannot recall what the alert said. As to Sunbelt Kerio FW 4.5.916, it does have an option under Intrusions: application behavior blocking. Take care.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    PRSC is a blacklisting HIPS. So, it is a FP for it.

    Kerio is a classical HIPS; this class of protection just asks you about potentially dangerous behaviour without any additional analysis. So, it flags "as is".
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It has been a long time since I used Kerio, 2 years approx. That seems to be a new addition to it.

    Thanks
     
  11. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Ilya:

    Thanks for the info. I revisited SANA's website, and it appears to me that they have claimed PRSC is using so-called advanced behavior detection technology, and have positioned it as such, different from blacklisting AVs. Would you mind sharing your insight and know-how as to your conclusion? As per your observation, is there any REAL behavior blocker on the market at this moment? Thanks, and take care.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    PRSC is basically not a blacklisting HIPS. It's a behaviour blocker, though it does use a smart blacklist.
    Its alerts can tell you whether the detection is behaviour based or signature based.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Blacklisting includes:
    - Signatures (reactive protection).
    - Heuristics, both static (code analysis) and dynamic (emulation) heuristics (proactive protection).
    - Behaviour analysis (proactive, non-signature, protection).
    Also, you have classical HIPS (it asks about all behaviours), sandbox HIPS (limiting rights) and whitelisting (database of known good objects).
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That seems more of a philosophical statement. When we talk of blacklisting in general, we mean signature/database detection.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Different people classify things differently.
    When we talk of a HIPS, nobody ever thinks of a blacklisting application. That's the whole point.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I disagree. "Traditional" blacklisting (classical AV) consists of file scanning (on-access, on-execution, on-write, on-demand) using pattern matching and "basic" code (static heuristics) and behaviour (dynamic heuristics/emulation) analysis.
    "Smart" blacklisting doesn't do file scanning. It doesn't do emulation/code analysis/signature matching. It watches all the processes running on a system and looks for malware behaviour (mass mailing, launch of hidden window, code injection, etc.) using a complex ruleset/algorithm. That's why "smart" blacklisting produces few FPs.
    After all, the term HIPS can be used for any software used to prevent intrusions on a host. However, the "convention" is to use it for non-signature software. So:
    - Blacklisting = Catching the bad with file scanning (AVs) or tracking behaviour in memory (behaviour blocker)
    - Whitelisting = Allowing only the good.
    - Classical HIPS = Pop-up heaven :D
    - Sandbox HIPS = Limiting rights of threat-gate applications.
    Applications belonging to only one category are rare (SSM and Anti-Executable for instance)
     
    Last edited: Oct 30, 2007
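    The contrast drawn in this post (a classical HIPS prompts on every sensitive action with no further analysis, a behaviour blocker scores a process's actions against a ruleset and so produces fewer FPs, and a whitelist entry removes a program from consideration entirely) can be made concrete with a small simulation. This is an added example, not code from the thread or from ThreatFire, PRSC, Kerio or any other product named here; the action names, rule weights, threshold and process names are all constructed for illustration.

```python
# Added example (not from the thread or any product it names): a toy model of the
# detection styles contrasted above. Action names, weights, threshold and process
# names are constructed assumptions, not any product's real ruleset.
from dataclasses import dataclass

# Actions a classical HIPS would treat as sensitive and prompt about (assumed set).
SENSITIVE_ACTIONS = {
    "write_hklm_run",         # autorun registry entry
    "write_system32",         # drop a file into the system directory
    "inject_remote_thread",   # code injection into another process
    "create_hidden_window",   # hidden window launch
    "mass_smtp",              # many outbound SMTP connections (mass mailing)
}

# Behaviour-blocker ruleset: each action contributes a weight; only the accumulated
# per-process score matters (illustrative weights).
RULE_WEIGHTS = {
    "write_hklm_run": 20,
    "write_system32": 25,
    "create_hidden_window": 15,
    "inject_remote_thread": 40,
    "mass_smtp": 35,
}
ALERT_THRESHOLD = 60


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # what it did


# Constructed event stream: a hypothetical legitimate tool that installs itself,
# and a hypothetical malicious sample. Neither corresponds to a real program.
SAMPLE_EVENTS = [
    Event("legit_scanner.exe", "read_file"),
    Event("legit_scanner.exe", "write_hklm_run"),
    Event("legit_scanner.exe", "write_system32"),
    Event("suspect.exe", "create_hidden_window"),
    Event("suspect.exe", "inject_remote_thread"),
    Event("suspect.exe", "mass_smtp"),
]


def classical_hips(events):
    """Classical HIPS: one prompt per sensitive action, no further analysis.
    Returns the (process, action) pairs the user would be asked about."""
    return [(e.process, e.action) for e in events if e.action in SENSITIVE_ACTIONS]


def behaviour_blocker(events, whitelist=frozenset()):
    """Behaviour-based ("smart") blacklisting: score each process against the
    ruleset and alert once its combined score reaches the threshold. Whitelisted
    processes (the user's "exclude"/"allow" decision) are never scored.
    Returns (scores_by_process, processes_alerted_in_order)."""
    scores = {}
    alerted = []
    for e in events:
        if e.process in whitelist:
            continue
        weight = RULE_WEIGHTS.get(e.action, 0)
        if weight == 0:
            continue  # not a behaviour the ruleset cares about
        scores[e.process] = scores.get(e.process, 0) + weight
        if scores[e.process] >= ALERT_THRESHOLD and e.process not in alerted:
            alerted.append(e.process)
    return scores, alerted


def compare(events, whitelist=frozenset()):
    """Summarise how the two styles treat the same event stream."""
    prompts = classical_hips(events)
    scores, alerted = behaviour_blocker(events, whitelist)
    return {
        "hips_prompts": len(prompts),
        "blocker_alerts": alerted,
        "blocker_scores": scores,
    }


if __name__ == "__main__":
    # The legitimate tool draws two HIPS prompts but scores only 45, below the
    # blocker threshold; the sample crosses the threshold on its third action.
    print(compare(SAMPLE_EVENTS))
    # Excluding the tool (as the user did with TF in Kerio) removes it entirely.
    print(compare(SAMPLE_EVENTS, whitelist={"legit_scanner.exe"}))
```

    Running it on the constructed stream, the same two registry and system-directory writes produce prompts under the classical model and no alert under the scored model, while the sample that injects code and then mass-mails is alerted on only once its combined score trips the ruleset. That is the difference the post draws between a HIPS flagging "as is" and a behaviour blocker whose FPs come from its ruleset rather than from any single action.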
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It depends on what you mean by the term "behavioural blocker".
     
  19. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Ilya:

    Good morning here in North America !
    I would rather use your "expert discretion" for it. As for me, I may term PRSC and Threat Fire as behavioural blockers. Have a nice day.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I'm not sure if I can make any statements, as:
    1. I just have no time to check out other HIPS'es.
    2. I have my own "behavioural blocker".
     
  21. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Ilya:

    I got your message, clearly. Now just one question:
    Does your own behaviour blocker (without naming the name) work through the same approach as PRSC and TF?
    I also use DeepFreeze, and I am looking for one app which could protect me while in DF's thawed mode. Can yours work with the other two w/o conflicts? Take care.
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, it is a perimeter defense (sandbox). And, as far as I know, it has no conflicts with the security stuff you named.
     