ThreatFire 3.0.13.11 released

Discussion in 'other anti-malware software' started by tsilo, Dec 21, 2007.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi,

    No, there are no known issues with DF now.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Actually u can never avoid false positives with such behav blockers, so DENY option is a must IMO.
     
  3. dogma

    dogma Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    138
    Ok, been running this on my machine since release, although not long, it's usually long enough to detect some issues with Threatfire (Cyberhawk).

    The Good
    Faster shut down
    Variable protection levels, or should I say annoyance levels. (Preconfigured Outbound Control on setting Level 4 :thumb: )

    The Bad
    Still no DENY option.

    Best release thus far. Good work PCTools Team!
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm still trying to understand why this request is so popular; unless you people all use Advanced Rules, I see no real reason for it to be needed.

    ... Anyone care to explain this to me? o_O
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I explained it already. At the end it seems a matter of personal liking/ preference as well.
    Also it's a must for advanced rules (example: network access).
     
  6. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Think about it. In the classic HIPS mode, we get lots of prompts that we are not so sure of. In ThreatFire, sure we can quarantine, but usually we do that only when we are sure we have a baddie and it *feels* like you are committing to a major decision, so we prefer not to do that.

    Deny seems to be "pass for now" option and feels less scary because you are not committed as much.
     
  7. rolarocka

    rolarocka Guest

    I sometimes have freezes for a second with tfservice.exe while scrolling webpages with many stuff in them. It happens always right after the webpage is loaded; after that I can scroll without problems. Other than that everything works fine, but this is a real showstopper for me.
    PS. These freezes occur only with Opera; with Firefox I have high CPU but no freezes.
     
    Last edited by a moderator: Dec 24, 2007
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Since you've mentioned that UltraExplorer was the only program you found to behave that way with ThreatFire's quarantine, that alone certainly doesn't explain why everyone is clamoring for this feature. I guess Advanced Rules are more popular than I thought they were.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The problem with a Deny option is that it also gives the user a much bigger opportunity to punch a hole in their own defenses. With Quarantine, the malware is gone, traces and all; ThreatFire sweeps them up and cleans them away. With Deny, whatever chokehold the malware managed to get on your system before ThreatFire stepped in remains that way, and the possible consequences will vary. And like it or not, ThreatFire isn't a classical HIPS, neither in ideal nor design.

    Personally I too think that replacing Quarantine with Deny is a good idea for when ThreatFire triggers on an Advanced Rule. Adding Deny to EVERY prompt, however, is a much bigger decision for the Novatix team than I think most people realize, and I'm not too sure I like it either yet.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    This was the only program I found. There may be other too.

    I did not use advanced rules BTW.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've played a bit with TF and I also don't like the absence of the "deny" option. Sometimes you just want to deny certain behavior from "half-trusted" apps. But I did get to see the rollback feature in action, looks nice, but it should work more smoothly (lower CPU usage).

    Another thing, I've tested a couple of viruses that overwrite .exe files, and TF could not stop them in time. And when I quarantined the offender, it also got rid of the 12 files that were already "infected". But overall I still prefer the "dumb" HIPS approach; even when I put TF in "level 5 mode", I didn't always get to see an expected alert, and it makes you wonder if it would warn you in a "real life" malware attack.
     
  12. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Rasheed187 I've played a bit with TF and I also don't like the absence of the "deny" option. Sometimes you just want to deny certain behavior from "half-trusted" apps. But I did get to see the rollback feature in action, looks nice, but it should work more smoothly (lower CPU usage).

    Another thing, I've tested a couple of viruses that overwrite .exe files, and TF could not stop them in time. And when I quarantined the offender, it also got rid of the 12 files that were already "infected". But overall I still prefer the "dumb" HIPS approach; even when I put TF in "level 5 mode", I didn't always get to see an expected alert, and it makes you wonder if it would warn you in a "real life" malware attack.


    LOL at that last statement, no offense but you honestly think the creators of ThreatFire (CyberHawk)
    have not already tested their software against "live malware". LOL
    :rolleyes:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Good point. And why not just use the quoting system?
     
  14. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Why should I if I'm right behind you posting? :D Actually I think I like the RED
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Because it's more clear with the quoting system. And besides, you took the time to copy the whole text, didn't you? Anyway, even though it was a good point, I'm still not convinced about TF, or is it designed to stay quiet even when in "level 5" mode?
     
  16. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    No, 1 click and it's done; it's called programmable hot keys. I'm also not liking the reaction factor to certain malware tests of ThreatFire, which is why I took it off my box.
     
  17. Matern

    Matern Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    102
    Yes, the last version of ThreatFire is buggy, that's my opinion too. And at step 5 the CPU spikes are very high; first the broken update and then this quickly repaired version, I think something went wrong. But what is the better freeware alternative, maybe DSA?
    There is no other Freeware working like Threatfire on the market.
     
  18. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    My experience with ThreatFire is limited as in the past it caused a commotion on 2 installation attempts and was 'escorted from the premises' both times.

    Where does ThreatFire fit in? I thought Norton AntiBot was its competitor, but since I've had NAB installed I've hardly heard a peep out of it. Two (2) warnings in a couple of weeks, and they were for serious things, not what's talked about above, which is reminiscent of SSM, PS, Comodo HIPS etc.

    So what are some similar HiPS to TF?
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Norton AntiBot/PRSC and ThreatFire are competitors. NAB is quieter since it has a higher detection threshold before prompting. ThreatFire is more sensitive, at the cost of more pop-ups and FPs, but with higher detection of malware.
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi,

    TF and PRSC are not only competitors but also companions; except

    TF at level 3 (default) will alert the user to PRSC's key-logging activity.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What's the purpose of having two real-time apps which do the same thing? o_O
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi

    I know. Both are classified as behaviour blockers. But...

    I have PRSC as paid ware--22 months remaining, while...

    TF comes along as an excellent freeware, moreover..

    No significant conflicts between them, no extra burden on resources, therefore...

    I just keep both. :)
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Fair enough. But having TF and PRSC running together won't give you extra protection, and you may even be losing protection.
    If I was you, I'd choose one of those and add a sandbox (optional) and a boot-to-restore (Deep Freeze, Returnil, etc.) application (optional).
     
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, thanks for your advice.

    I am using Defensewall and Deep Freeze now.

    As to the protection coverage of TF and PRSC, I have no detailed information; if I may, can you elaborate such info a bit?
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, you don't need more security software. DW + TF or PRSC and DF is more than enough.
    Both are behav. blockers. Think of behav. blockers as heuristics on steroids, because they aren't constrained by resources and don't need to emulate anything. They see the real system and therefore can apply a complex ruleset to catch malware. That's why behav. blockers are called smart HIPS or blacklist-based HIPS: they only detect malware (excepting the occasional FP) like a blacklist scanner, but they don't use signatures (for the most part).
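Added example (not from this thread, and not PC Tools/ThreatFire code): a toy behaviour blocker in Python that shows the two design points argued over above. The sensitivity level is a score threshold, so a higher level prompts earlier but also prompts on an installer's ordinary actions (the FP trade-off lucas1985 describes between NAB and TF), and the Deny/Quarantine choice differs in what happens to the side effects the process already produced before the prompt (solcroft's point, and Rasheed187's 12 already-overwritten files being cleaned up). The action weights, level thresholds, process ids, paths and events are all constructed for the illustration.

```python
"""Toy behaviour blocker: scores process actions and prompts above a threshold."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    pid: int      # process that performed the action
    action: str   # what it did
    target: str   # what it did it to


# Constructed weights for suspicious actions (a real product's ruleset is far richer).
WEIGHTS = {
    "write_exe": 3,     # modifying another executable, as a file infector does
    "set_autorun": 2,   # persistence
    "keylog_hook": 4,   # installing a keyboard hook
    "net_connect": 1,   # outbound connection
}

# Sensitivity level -> score a process must reach before the user is prompted.
# A higher level means a lower bar: earlier detection, more prompts, more FPs.
LEVEL_THRESHOLD = {1: 12, 3: 8, 5: 4}


class BehaviorBlocker:
    def __init__(self, level: int) -> None:
        self.threshold = LEVEL_THRESHOLD[level]
        self.score: Dict[int, int] = {}
        self.journal: Dict[int, List[Event]] = {}   # side effects recorded per pid
        self.prompted: Set[int] = set()

    def observe(self, ev: Event) -> Optional[Event]:
        """Journal the event and score it; return it if it triggers a prompt."""
        self.journal.setdefault(ev.pid, []).append(ev)
        self.score[ev.pid] = self.score.get(ev.pid, 0) + WEIGHTS.get(ev.action, 0)
        if self.score[ev.pid] >= self.threshold and ev.pid not in self.prompted:
            self.prompted.add(ev.pid)
            return ev
        return None

    def respond(self, pid: int, choice: str) -> Tuple[List[str], List[str]]:
        """Apply the user's choice; returns (blocked targets, rolled-back targets)."""
        history = self.journal.get(pid, [])
        if choice == "deny":
            # Only the action that raised the prompt is blocked; whatever the
            # process did before the prompt stays as it is.
            return [history[-1].target], []
        if choice == "quarantine":
            # The process is stopped and every journaled change is rolled back.
            self.journal.pop(pid, None)
            return [history[-1].target], [e.target for e in history[:-1]]
        raise ValueError(f"unknown choice: {choice}")


def run_scenario(level: int, events: List[Event], choice: str):
    """Feed events in order; stop at the first prompt and apply the choice."""
    bb = BehaviorBlocker(level)
    for ev in events:
        trigger = bb.observe(ev)
        if trigger is not None:
            return trigger, bb.respond(ev.pid, choice)
    return None, ([], [])


# Constructed sample activity: pid 100 behaves like an installer, pid 200
# overwrites a series of executables, like the .exe-infecting samples discussed above.
INSTALLER = [
    Event(100, "write_exe", "C:\\Program Files\\App\\app.exe"),
    Event(100, "set_autorun", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App"),
    Event(100, "net_connect", "update.example.test:443"),
]
INFECTOR = [Event(200, "write_exe", f"C:\\Windows\\tool{i}.exe") for i in range(4)]

if __name__ == "__main__":
    for level in (1, 3, 5):
        for name, events in (("installer", INSTALLER), ("infector", INFECTOR)):
            trig, (blocked, reverted) = run_scenario(level, events, "quarantine")
            print(level, name, "no prompt" if trig is None else
                  f"prompt on {trig.action} {trig.target}; rolled back {len(reverted)} change(s)")
```

Running it shows the trade-off directly: at level 1 the infector is only stopped after its fourth overwrite (three files to roll back), at level 3 after the third, and at level 5 after the second, but level 5 is also the only setting that prompts on the installer's autorun entry. Choosing "deny" at any level blocks just the triggering write and leaves the earlier overwrites in place, which is exactly why the thread treats Deny as the riskier answer outside of Advanced Rules.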
     