ThreatFire: Test not so promising

Discussion in 'other anti-malware software' started by ncage1974, Dec 16, 2009.

Thread Status:
Not open for further replies.
  1. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Well I like to do testing on security software just for the fun of it. So I set up a fully unpatched XP machine. I installed ThreatFire. I then updated to the latest version and rebooted. I then went to try to infect the machine through IE. Well, after about 15 minutes my first trojan warnings started coming up through ThreatFire. I told ThreatFire to block them. I did this for about 20 minutes and then I rebooted (I think sometimes ThreatFire needs this to fully remove). Immediately the machine started acting flaky. The ThreatFire service kept on spitting out errors. I downloaded the always great Malwarebytes and scanned the system. It found about 7 files (trojans). The trojans were even able to infect /system32/. Unfortunately I can't remember which trojan it was. +1 for malware, -1 for ThreatFire.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yeah, I hear ya. I also tested ThreatFire before and it failed me; also Mamutu, but Mamutu did way better :)
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    As we speak I am testing WinPatrol Plus and I say a big woooooo at how WinPatrol Plus blocks rogues, malware and trojans ;) WinPatrol is very quiet, but when testing it is very chatty.
    WinPatrol blocked a malware rogue called GuardPcs that Prevx missed :)
     
  4. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I bought Winpatrol Plus too. A great program! And what a nice doggy that Scotty ;)
     
  5. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    Which settings did you use?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Two things:

    1- A behaviour blocker like TF is a good add-on to your AV. Of course it can't detect and block ALL the malware, esp. alone.

    2- WinPatrol is like a classical HIPS. You can't compare it to a behaviour blocker. WinPatrol will give an alert on all changes, whether legit or malicious. The user will decide ultimately.

    For example, whenever a new service is added, whether it's by legit software or by malware, WinPatrol will alert, while TF is supposed to alert ONLY if it's by malware.
     
  7. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    410
    Location:
    Greece
    I must say that ThreatFire, in my tests 2 months before, was the only one that completely protected my machine from all malware!!
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Cool ;) What about adding a HIPS and a behaviour blocker :D
     
  9. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    OK, for all of you that say that ThreatFire blocks everything... umm, you're not testing hard enough. I saw two reviews, one by a guy (Matt on YouTube) who tests lots of security software and liked it, and I also think PCMag gave it an excellent review. It almost makes me wonder how legit some of these reviews are. OK, I saw problems in my earlier review so I decided to retest. According to ThreatFire's system requirements it should at least have SP1 on XP. My only BIG problem with this is it should have given me a warning when I tried to install it before, but it didn't. I had a base install of XP and then installed SP1 and that is it. I then went on the search for malware sites (which is usually the hardest part). I actually found a security site where it lists malware sites they have collected, which is excellent. While not all the URLs are still active, a few of them were. One of them was very malicious and required me to roll back to a snapshot on my VM because Windows wouldn't boot. More about that later.

    OK, anyways, like I said, I found a very good malware list. I made sure ThreatFire was updated, which I'd like to say I don't really quite understand. Sure, you would have to require updates for new potential malicious activities that virus/malware writers are using, but that shouldn't require an update all that often. So after I found the link site mentioned above, the very first one I found destroyed my VM. As soon as I loaded the site there was a video and it said I needed to update to watch it, which I clicked OK to. Then all hell broke loose. It quickly loaded 40 pop-ups and ThreatFire asked me to quarantine / stop the process, which I clicked OK to. It also asked me to reboot, but as I did I got this type of error message:
    "Invalid handle to lsass.exe". I decided to give it one more chance, so I rolled back to the snapshot and went on in the list. The next highly malicious site I found had a Facebook-type URL and some executables. It didn't destroy my machine but infected it quite nicely. ThreatFire caught some stuff but didn't catch other things.

    I can tell you after my testing I'm going to take it off all my systems. Maybe it works much better with a newer OS or service packs, but it shouldn't require this to work effectively. Attached are some screenshots I took of Hitman Pro and Malwarebytes to see how much the sites were able to infect the machine. It wasn't pretty. If you look in my screenshots, it allowed malware to get into c:\windows, c:\windows\system32 and the registry. ThreatFire should have definitely prevented this. I can see it if malware was in the "temp" web directories, but in windows & system32, no way. Heck, even UAC would have stopped this.
    I didn't even scan for rootkits, which it probably had. Now I'm going to try to have fun and see how well some security products can remove the infection, starting with Security Essentials.

  10. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I'd be interested in seeing the results of the same test run on a properly patched system.
    XP SP3 (w/current patches) has so many differences from the original OS that I can't really see the relevance of this test, except for those that elect to run out-of-date software.
    I'd imagine most of the Wilders readers keep software up to date.
     
  11. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    The reason I'm running it on an unpatched machine is to test how the security software is able to stop malicious activity against vulnerabilities in the OS. How can you test how well the security software works if you're unable to infect the machine even when it doesn't have antivirus? I know what you're saying is that most of us don't have to worry about it because we keep our machines patched, but finding malware that exploits holes in Windows that aren't patched yet would be a very hard thing to do. Just my thought.

    I could run Firefox or Chrome also, but that would defeat the purpose because I want to isolate the security software as much as possible. That's why I'm using IE6.

    Ncage
     
  12. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Valid answer, and I sure don't have issues with it, I'd just be interested to know if TF becomes more competent with an up-to-date OS.
    Judging by the number of forum reports around of serious infections/rogue programs, I'd imagine it shouldn't be too difficult to find malware that will run on a patched machine.
     
  13. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Yes, looks like there is one (vmscsi.sys).
    Would be interesting to know what it is and when this happened during your tests.

    I know that all YouTube kiddies love to just throw malware after malware at a security program.
    But it really doesn't make much sense to keep on testing on an infected machine when the test object is most likely already out of order.

    Cheers
     