Threatfire 4.1.0.9 BETA

Discussion in 'other anti-malware software' started by firzen771, Jan 20, 2009.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Threatfire's new beta now supports 64-bit!

    Key new features:

    * Smarter Alerts, Less Questions – patent-pending technology
    * Support for Windows Vista 64-bit
    * Updated threat detection technology


    "PC Tools has recognized that traditional scanning techniques are becoming a secondary defense to sophisticated malware techniques. User feedback has also indicated that most users install ThreatFire as an added layer of protection in addition to traditional anti-virus scanning software. As a result ThreatFire 4.1 no longer includes an anti-virus scanner. Users requiring an anti-virus solution should download PC Tools AntiVirus, a free solution for Windows."

    "One of the changes we made is that TF now does cloud lookup for the black and white lists as well as using the default black and white lists on your system. Basically you could delete the dbs on your system and still not lose the benefit of black and white lists.

    Let us know what you think."


    - Those are some quotes from the mods over at the PC Tools beta forum.
     
  2. rolarocka

    rolarocka Guest

    Nice nice. So the new TF Beta should be lighter on system resources, right?
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I think this is the right direction for TF development - very welcome!
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    This is like the old CyberHawk coming back to life ;)
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I just installed TF 4.1.0.9 on Vista 32 bit and so far it's working fine. One thing I notice is they are still not offering a "deny" option for detected problems. I had a problem recently where TF detected a number of critical system files as infected, such as explorer.exe. I allowed TF to quarantine the files since PC Tools claims that system files will not actually be quarantined, just killed in memory and restarted, but it did in fact remove explorer.exe. I had to boot from a rescue CD to restore the file to the Windows directory. I cannot recommend TF to customers for this reason, and I use it with caution on my own PC. They really need to address this.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    It's not that I don't believe you, but they seem to not - so show them literally by capturing it. It's been brought up many times even if I've not experienced it personally, I know. What makes it trigger on explorer.exe or another critical system file in the first place? Apparently, they've not experienced this either - e.g. quarantining a completely legit and safe explorer.exe - or they would certainly do something about it.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    I have tried the PC Tools AV in the past, which slowed my PC to a crawl, so I would not install PC Tools AV again at all.
    Regarding TF without AV, fair enough.

    Gordon
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    As I stated over in their forum, I can perform a fresh install of XP Pro, install TF, and every time, like clockwork, the first time I use explorer.exe and hit the search button, TF pops up and asks to quarantine, with only kill process or quarantine. It never repeats itself in this procedure once this happens, unless a fresh format. It might do it in a new user profile, I have not tried. I use CyberHawk, with a simple allow/deny feature so needed in TF.

    Sul.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Does it have an option to whitelist files? Black and white list?
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    It would be a good idea to be able to whitelist critical system files such as explorer.exe to avoid this type of situation. I hope they do something about it, because security software is supposed to protect computers, not destroy them :D
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Let me guess... this has something to do with the sensitivity level, right?

    I'm always running TF at its default level "3" setting - as it seems balanced by being non-intrusive, but very effective.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I agree with you: when TF is at the default level all is OK, but if you put the level to high (4 to 5) then you are in trouble :cool:
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Yes, I understand the problem. In my case I was working on a customer's computer and after I hit "quarantine" the PC locked up solid. Too bad I didn't think to take a screenshot with my cell phone. When I rebooted all of the system files had been restored except for explorer.exe which was no longer in the Windows directory. I guess it's possible that the file was not a valid system file, but malware with the same name. In that case it seems that TF needs to be able to copy a legit version from a backup location to the Windows directory so the PC can boot (perhaps TF should backup these files when first installed so it can use them when necessary?). Otherwise the average user has a broken PC.

    I've read the thread in the PC Tools forum and I know the developers are skeptical about this behavior, but I and the others who have experienced it have no reason to make it up. There is something going on that isn't understood yet.
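    The backup-and-restore idea in the post above (keep a known-good copy of critical system files at install time and put one back when the file goes missing or changes) is simple to prototype. The example below is added here and is not PC Tools' or ThreatFire's code; the file names and contents are constructed stand-ins, and the backup store is content-addressed by SHA-256 so a damaged backup is never used as a restore source.

```python
"""Added example (not ThreatFire's code): hashed backup of critical files at
install time, with verify-and-restore later. Paths and contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(files, backup_dir: Path) -> dict:
    """Copy each file into backup_dir and record its SHA-256 in manifest.json."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in map(Path, files):
        digest = sha256_file(p)
        # content-addressed copy: the backup's own name proves what it should hash to
        shutil.copy2(p, backup_dir / f"{digest}.bin")
        manifest[str(p)] = digest
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_and_restore(backup_dir: Path, dry_run: bool = False) -> dict:
    """Check every baselined file; restore from backup when missing or changed.
    Returns {path: 'ok' | 'missing' | 'modified' | 'backup-corrupt'}."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    report = {}
    for path_str, expected in manifest.items():
        p = Path(path_str)
        backup = backup_dir / f"{expected}.bin"
        if not backup.exists() or sha256_file(backup) != expected:
            report[path_str] = "backup-corrupt"  # never restore from a bad backup
            continue
        if not p.exists():
            state = "missing"
        elif sha256_file(p) != expected:
            state = "modified"
        else:
            report[path_str] = "ok"
            continue
        report[path_str] = state
        if not dry_run:
            p.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup, p)
    return report


def run_demo():
    """Scenario from the thread: a critical file vanishes after a quarantine,
    another is replaced. Returns (first report, restored contents ok?, second report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        explorer = root / "windows" / "explorer.exe"          # constructed stand-in
        winlogon = root / "windows" / "system32" / "winlogon.exe"
        winlogon.parent.mkdir(parents=True)
        explorer.write_bytes(b"constructed stand-in for explorer.exe")
        winlogon.write_bytes(b"constructed stand-in for winlogon.exe")
        backup = root / "tf-backup"
        make_baseline([explorer, winlogon], backup)

        explorer.unlink()                                     # file gone
        winlogon.write_bytes(b"replaced by something else")   # file tampered
        first = verify_and_restore(backup)
        restored_ok = (explorer.read_bytes() == b"constructed stand-in for explorer.exe"
                       and winlogon.read_bytes() == b"constructed stand-in for winlogon.exe")
        second = verify_and_restore(backup)                   # everything back to 'ok'
        return first, restored_ok, second


if __name__ == "__main__":
    first, ok, second = run_demo()
    print(first, ok, second)
```

    Running it prints one report showing a missing and a modified file, `True` for the restore check, and a second report in which every file is `ok`. On a real system the verify step would run at boot before the shell starts, and the backup directory would itself need protection from the same process that can remove explorer.exe.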
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Don't know. I just format fresh, install XP, put on TF, start explorer, hit the search button, TF pops up and says something very bad is about to occur and I should either kill explorer or quarantine it. I know it has to do with some things that are changed when this first occurs, probably something to do with search assistant or cryptography or fast indexing. Don't know and don't really care. I was just pointing out (to the PCT forum) that they are full of crap if they think TF does not find a standard explorer.exe as a 'bad thing' some times. And I don't mind if it does find things like this. My argument was that it should have an allow/deny option, just for cases like that. They seem to have this attitude that experienced users like to report things just because, and take no one's word. Oh well, maybe TF without AV will prove a better product.

    Sul.
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, that's one thing, but it's still completely wrong that it would quarantine completely legit, safe and critical system files and other critical parts of the system. Increasing sensitivity should only mean more prompts on actions - not not giving a damn about the safety of the OS operation and the software's own safety precautions.
     
  16. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    Where can I download it?
     
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    In the public ThreatFire forum they only say that there is a beta and don't post a download link, so I'm not sure if they want the beta to be released publicly or only to people who are part of their beta program. Someone let me know if I'm wrong.
     
  18. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Some added info for some questions people asked:

    1. The AV db was used as an extended black list.
    2. The rootkit scanner is in place, but is only a rootkit scanner, and does not use the dbs. So there is no AV/Spyware scanner in TF.
    3. TF is definitely not less effective. The whole idea of these changes is to improve TF's effectiveness.
    4. The duty of the local dbs is to allow users to have dbs even if there is no connectivity to the net, or for some reason connectivity with TF servers is impeded (firewall, user choice etc...).
    5. The overall footprint has not changed; however, removing the AV engine should improve TF's stability and usability.


    "We did extensive analysis and found that ThreatFire was not really gaining anything from checking the AV db at the time of an alert. The vast majority of times when we were able to identify a known threat at the time of an alert it was due to information contained in TF's own blacklist, not the AV db.

    Because of this, and because of additional stability issues, we made the decision to remove the AV scanner. This also allows users to run TF alongside whichever on-demand scanner they choose."
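    The lookup design described in this post and in the first post (local black and white lists that still work with no connectivity, a cloud lookup on top of them), together with the whitelist-for-critical-files suggestion earlier in the thread, can be sketched as a single verdict function. The example below is added here and is not ThreatFire's code: the hashes, the "files", the protected-path list and the cloud service are all constructed, and the precedence order (local lists, then cloud, then ask) is an assumption about how such a design would be layered.

```python
"""Added example (not ThreatFire's code): combine local black/white lists with a
cloud lookup, degrade to local-only when offline, and never offer quarantine for
a protected system file. Every hash, path and 'cloud' answer is constructed."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"                           # known good: no prompt
    BLOCK = "block"                           # known bad: kill/quarantine
    ASK = "ask"                               # unknown: prompt with allow/deny
    ASK_NO_QUARANTINE = "ask-no-quarantine"   # suspicious but protected: prompt, never remove


class CloudUnavailable(Exception):
    pass


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents.
GOOD_EXPLORER = b"constructed bytes of a legitimate explorer.exe"
KNOWN_MALWARE = b"constructed bytes of a known bad sample"
UNKNOWN_TOOL = b"constructed bytes of some unknown utility"


@dataclass
class Lists:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


# The "default dbs on your system": usable with no network at all.
LOCAL = Lists(whitelist={sha256_of(GOOD_EXPLORER)},
              blacklist={sha256_of(KNOWN_MALWARE)})

# Constructed protected-path list: a hit here may alert but must never delete the file.
PROTECTED = {r"c:\windows\explorer.exe", r"c:\windows\system32\winlogon.exe"}


def cloud_lookup(digest: str, online: bool = True, cloud: dict = None):
    """Simulated cloud service (assumption): answers 'good', 'bad' or None."""
    if not online:
        raise CloudUnavailable("no connectivity to the lookup servers")
    return (cloud or {}).get(digest)


def decide(path: str, data: bytes, online: bool = True, cloud: dict = None,
           local: Lists = LOCAL) -> Verdict:
    digest = sha256_of(data)
    protected = path.lower() in PROTECTED
    # 1. Local lists first: fast, and the only source when offline.
    if digest in local.blacklist:
        return Verdict.ASK_NO_QUARANTINE if protected else Verdict.BLOCK
    if digest in local.whitelist:
        return Verdict.ALLOW
    # 2. Cloud lookup; an outage degrades to local-only behaviour instead of failing.
    try:
        cloud_verdict = cloud_lookup(digest, online, cloud)
    except CloudUnavailable:
        cloud_verdict = None
    if cloud_verdict == "bad":
        return Verdict.ASK_NO_QUARANTINE if protected else Verdict.BLOCK
    if cloud_verdict == "good":
        return Verdict.ALLOW
    # 3. Unknown: prompt, and never offer quarantine for a protected system file.
    return Verdict.ASK_NO_QUARANTINE if protected else Verdict.ASK


if __name__ == "__main__":
    print(decide(r"C:\Windows\explorer.exe", GOOD_EXPLORER))            # ALLOW
    print(decide(r"C:\Users\me\tool.exe", KNOWN_MALWARE, online=False))  # BLOCK
    print(decide(r"C:\Windows\explorer.exe", b"tampered", online=False))  # ASK_NO_QUARANTINE
```

    The point of the layering is visible in the last call: an explorer.exe that does not match the local whitelist, with no cloud available, still produces a prompt rather than a silent quarantine, which is exactly the behaviour several posters in this thread are asking for.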
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Well, that was an unfortunate beta test. I decided to give the TF beta a shot; installation went fine, but after ThreatFire initialized my comp crashed. I restarted and got up to the Vista loading screen, then my system auto-rebooted. This process repeated over and over until I just decided to go back to the snapshot I made with Rollback Rx before I installed ThreatFire.

    Hope the guys at PC Tools can fix this prob.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    The 32 bit and 64 bit versions of 4.1.0.9 can be downloaded from this page. If this page is not available you might need to join the forum first.

    http://www.pctools.com/forum/showthread.php?t=55895
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    This is a critical flaw they know full well about and should have already addressed. TF "lies": it says it doesn't quarantine system files, but take a comparison test with MAMUTU for an example.

    Simply manually run a script that adds a new RUN entry in the registry, or even manually do it on your own. TF offers no option to block this behavior but rather gives you the option of letting it force a RUN entry, or else it quarantines as the SUSPECT file "REGEDIT". Ridiculous IMO.

    On the other hand MAMUTU aborts either the behavior or if you run a script simply shuts it down.

    My old Cyberhawk 1.1.1.3 simply jumps up with a DENY/ALLOW option and if you choose DENY it doesn't carry off REGEDIT to the capture bin but instead completely & effectively TERMINATES regedit if you try to add it manually, or if an app or script, TERMINATES it nicely.

    That's why I always called CyberHawk a "TERMINATOR" as well as a smart interceptor/behavior blocker.

    EASTER
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I have been using CyberHawk 1.1.1.3 on my computer for some time now. I made an icon on the desktop to toggle the service and tray on/off. Pretty quiet, but when it speaks I pay attention. Not the be-all/end-all, but good at what it does. And as you say Easter, Allow/Deny. I consider it a good lightweight tool for those who don't want a full-blown HIPS-type app.

    Sul.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Guys,

    You realise that CyberHawk 1.1.1.3 does not protect against direct disk access, for instance?
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Yes, and do you also know TF doesn't know how to alert on what it should be alerting to?

    At least even with that limitation, Cyberhawk (old) is much more aggressive and responsive on what it does alert to, and it does alert plus offer you an option to TERMINATE! the offending app and not a system critical file or files.

    If they don't get TF back on track soon, it's gonna do more than just fall out of favor.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes I know this. Thanks for the heads up though.

    You know what I wish for is an app that is more 'basic' like CH, but on the lines of TF with a better method of allow/deny. I have used other tools, starting with Process Guard. Tweaked them etc. But I don't ever stay put once I arrive at a certain place program-wise. I am constantly re-installing my OS, trying some new trick or learning how to break something so I can see how to fix it. Stupid stuff. This is just a nagging thing now to have to keep up with a firewall or HIPS constantly. I like to do that stuff, but have other things to focus on right now than that. That is why I use CH right now. It offers some limited protection that I feel I can use, without going to the point of spending hours researching how to tweak it for my setup that will change probably this weekend. Throw on Sandboxie and VMware, with a little imaging software, and for me I can test and play without much in the way of 'nagging' from other tools.

    Sul.
     