ThreatFire : Difference between "Profiles" & "Rules"?

Discussion in 'other anti-malware software' started by b4b4b4, Nov 28, 2011.

Thread Status:
Not open for further replies.
  1. b4b4b4

    b4b4b4 Registered Member

    Joined:
    Dec 21, 2010
    Posts:
    3
    Good evening everybody,

    I'm asking about "ThreatFire" (The well-known behavior-blocker by PCTOOLS)

    In fact, the forum support @ PCTOOLS is the worst support I've ever seen. :eek:

    The slowest @ all.

    Nobody answered my question @ their forum.

    I thought maybe you could help me find an answer to my simple question: :-*

    1- What's meant by "Profiles" in "ThreatFire"?o_O
    2- What's meant by "Rules" in "ThreatFire" ?o_O
    3- What's the difference between "Rules" & "Profiles" in "ThreatFire"? o_O

    =====================================================

    Awaiting your responses impatiently !!

    Best Regards,

    Bayan (\sophos)
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I suspect a profile is a collection of rules detecting certain malware-like behaviour
    see
    http://www.threatfire.com/updates/

    a rule sounds like it is a simple action allowing or disallowing certain activity (start/don't start, block, etc.)
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Perhaps they mean the "Sensitivity level" - it means how sensitive the behavioral detection is...you can find a note about this in the tab "Settings/General/Sensitivity Level".
    Rules...you can find them in the tab "Advanced Tools/Advanced Rule Settings/Custom Rule Settings button" - preconfigured rules and users' own rules for applications.
     
    Last edited: Nov 28, 2011
  4. b4b4b4

    b4b4b4 Registered Member

    Joined:
    Dec 21, 2010
    Posts:
    3
    Oh; thank you very much for your post.
    I must have missed this link.
    OK. Now we know what they mean by profiles.

    ====================================

    Do you, sir, have another link that gives us an idea about what they mean by "rules"?

    =====================================
     
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
  6. b4b4b4

    b4b4b4 Registered Member

    Joined:
    Dec 21, 2010
    Posts:
    3
    Thank you very much for your help; you're so kind.
    Unfortunately, the Online Help didn't explain much about what [rules] mean and how they differ from [profiles]!!
    We still need to know what's meant by [rules] in [ThreatFire].
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    In my modest opinion there is no correlation between "sensitivity levels" and "advanced rules". When you read about users' own TF settings you sometimes find completely different settings...some have the first level and their own rules for chosen applications...some have the fifth level without advanced application rules...some trust/allow listed applications, but some don't do that. Sometimes users build more rules than you can see...for example registry protection, user folder protection, port listening. There are many options and it all depends on the user's knowledge, skills, experience and what he expects from protection.
    I think you will probably never know "how and why" the mechanism of TF works...such information is rather confidential :) Each security program has its own mechanism/technology and you can see that in the results of AV tests. When some program/developer tries to "borrow" something from another we can have an affair like IObit v. MBAM in the past :)
     
  8. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    First, Welcome to Wilders Security Forums b4b4b4

    In regards to security, a 'Rule' is an authoritative arrangement of instructions explicit to the event of one entity.
    Allowing or Disallowing that specific event of that entity to proceed or stop.

    Example: (this.exe) is allowed access to Port 445, and, (this.exe) is denied access to port 80


    In regards to security, a 'Profile' is an authoritative arrangement of instructions implicit to the event of several
    entities exhibiting like or similar actions.
    Allowing or Disallowing those specific events of those entities to proceed or stop.

    Example: any (.exe) attempting access to Port 80 and is not a Browser is denied access to Port 80, but, any (.exe)
    is permitted access to Port 445, only if, any (.exe) is Digitally Signed


    EDIT: clarity


    HKEY1952
     
    Last edited: Nov 29, 2011
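The explicit-rule versus implicit-profile distinction in the post above, as an added Python model (constructed here; it is neither ThreatFire's engine nor HKEY1952's code). The entity attributes (`is_browser`, `signed`), the rule-before-profile precedence, the "browsers may use port 80" profile implied by the example, and the default-deny fallback are all assumptions:

```python
from dataclasses import dataclass, field
from typing import Callable, Tuple

# Constructed model of the rule/profile distinction; NOT ThreatFire's engine.
# Entity attributes and evaluation order below are assumptions.

@dataclass(frozen=True)
class Entity:
    name: str          # e.g. "this.exe"
    is_browser: bool   # assumed attribute
    signed: bool       # digitally signed (assumed attribute)

@dataclass(frozen=True)
class Rule:
    """Explicit: one named entity, one event (here: one destination port)."""
    entity: str
    port: int
    allow: bool

@dataclass(frozen=True)
class Profile:
    """Implicit: any entity whose attributes match, for one port."""
    port: int
    matches: Callable[[Entity], bool]
    allow: bool
    label: str

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    profiles: list = field(default_factory=list)

    def decide(self, entity: Entity, port: int) -> Tuple[bool, str]:
        """Most specific first: explicit rules, then profiles, then default deny."""
        for r in self.rules:
            if r.entity == entity.name and r.port == port:
                return r.allow, f"rule:{r.entity}:{r.port}"
        for p in self.profiles:
            if p.port == port and p.matches(entity):
                return p.allow, f"profile:{p.label}"
        return False, "default-deny"   # assumed fallback

# The post's own examples, encoded (plus the browser/port 80 allow it implies):
POLICY = Policy(
    rules=[Rule("this.exe", 445, True), Rule("this.exe", 80, False)],
    profiles=[
        Profile(80, lambda e: not e.is_browser, False, "non-browser-port80"),
        Profile(80, lambda e: e.is_browser, True, "browser-port80"),
        Profile(445, lambda e: e.signed, True, "signed-port445"),
    ],
)

def check(name: str, is_browser: bool, signed: bool, port: int) -> Tuple[bool, str]:
    return POLICY.decide(Entity(name, is_browser, signed), port)
```

Note that an explicit rule wins even when a profile would decide the other way, which is why a per-application rule can silently override a broader profile.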
  9. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    No need to yell. A rule is a rule. ThreatFire will block or allow (depending on the rule) any behavior you set it to block/allow. As clear as that.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Maybe this about "levels" can be helpful:
    https://www.wilderssecurity.com/showthread.php?t=304986
    In TF we don't have a list of monitored actions...such a list exists e.g. in Mamutu (or in more or less similar SS) where we can manage, by disabling/enabling, which actions will be detected...but Mamutu doesn't have defined "security levels".
    Because the levels in TF are based on 5 levels of heuristic sensitivity - they do not have a simple and direct relationship with rules, which are our decisions about actions really detected by TF.
    Hmmm...except for one thing:
    - lower level - more processes are automatically allowed - fewer alerts about suspicious actions - fewer processes are listed as allowed/denied - fewer app rules
    - higher level - fewer processes are automatically allowed - more alerts about suspicious actions - more processes are listed as allowed/denied - more app rules
     
    Last edited: Nov 30, 2011