Threatfire's near-fatal flaw

Discussion in 'other anti-malware software' started by bellgamin, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    TF's custom rules are an excellent capability EXCEPT that the only allowed actions are "Allow" & "Quarantine." There is no option to simply "Deny" a given action by an otherwise safe process.

    If a process is quarantined, it ceases to function. Thus, the mere act of trying to block an outgoing connection by (for example) explorer.exe will cause explorer.exe to be quarantined, thereby causing bad things to happen.

    Thus, a "safe process" cannot be limited as to its actions. Any & all actions must be allowed BECAUSE the only other option is "Quarantine" -- which will "break" the process.

    It's an absurd limitation for an otherwise superb security app. Oddly enough, TF's proponents have long been aware of this fault, but user complaints have not yet resulted in a fix being made.

    I am posting this issue here at Wilders with the positive goal of perhaps motivating TF's programmers to give timely attention to this issue.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    that one issue is what keeps me from buying it.
     
  3. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    That, and I simply don't see any advantage to running it.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I agree.

    The lack of a Deny function makes the Advanced Rules feature virtually useless.

    However, some of you may also know what I think about the necessity for Advanced Rules, and that's that...
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Let me say it might be because the company behind id PC Tools now( not Novatix).
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Describing this "feature" as near fatal is a gross overstatement. Threatfire's real value is as a set it and forget it behavior detection system. You don't have to be an expert to use it. Not everyone wants to spend their time tinkering with security software.
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It would be nice to hear from Cyberhawk Support as to if this is a possibility for the future.;)
     
  8. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    https://www.wilderssecurity.com/showpost.php?p=1061692&postcount=33

     
  9. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    baited ;-)

    It is on the wish list.

    Processes like explorer.exe will not get quarantined. It will get killed, but like ie, and other system critical processes will not get quarantined. It must be noted, that the "Deny" feature would also stop explorer.exe much the same way the quarantine is doing now. So explorer will get killed in the scenario that a custom rule makes it pop an alert, but get restarted by the system.

    Making a Custom Rule assumes that you know what your are targeting. If a process pops an alert that you know and trust, it should be "always" allowed, and "teach" ThreatFire what to ignore.
    Saying this, I too would like the Deny feature back, not just for Custom Rules.

    Happy New year to you all!
    djames
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thank you. You are off the "hook" now.;)
     
  11. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Why not have an option to deny an action, but not shut down the app entirely?
     
  12. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    The idea is being thrown around here. How to implement it alongside other/new features.
    Also one must take into consideration the target audience for this. Stopping malware from one action might lead to many other pop ups, this is confusing to some, and can lead to lazy clicking (just clicking ok).
    The action of stopping the process's event will probably lead to the app being killed anyway, but still might be handy.
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    The "lazy clicking" concept is unfortunately something a lot of folks around here ignore when choosing their security software. Of course we also have a contingent here that think false positives are proof of a great AV.
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Whatever is done in the future, please make it configurable with options. For me, one of the best selling points of TF is that it doesn't bother me at all.. Hopefully it will stay that way.....
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    System Safety Monitor & Prosecurity can be set to block a process (including explorer.exe) from connecting out, but without causing that process (including explorer.exe) to otherwise cease functioning. Why not TF?
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Seconded.

    I have no need for Advanced Rules, and I like TF the way exactly it is. In particular, please do not remove the ability to instantly terminate any offending processes right from the alert window.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree as well. TF must be a bit different from classical HIPS>
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I totally agree with this.

    We should keep in mind that TF is basically a HIPS for nivice so don,t expect it to behave exacttly same as a classical HIPS.
    To me default rules/ working of TF are much more important than advanced rules.
     
  19. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Exactly. Threatfire is made for a broader audience, not just for Wilders' HIPS addicts. I tried to make some friends use HIPS many times, i failed because they couldn't understand the pop ups. Threatfire is the answer for such audience.

    My only wish for Threatfire is to make it possible to disable the NET MODULE. Without it, it runs MUCH lighter.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I agree with Bellgamin. I want to bring acrross two points:

    (addtional) Custom rules for protection areas which should be static, won't generate pop-ups

    Other posters claim that custom rules will always create extra pop-ups, this is not true. I for instance am dragging along a registry and file protection set, which I developed using SSM, later on EQSecure. I also ported them to WinPooch, ThreatFire and Comodo V3 with D+ enabled. On Comodo this meant a few extra entries and the trimming down of a lot of others. D+ actually got quiet.

    Custom rules and protection level slider need to be aligned for usage
    When you look at TF they have included a security level slider. This to facilitate users who are more into classical intrusion detection (setting protection level to 4 or 5). The point is when you facilitate this usage (let the user decide), you should also allow a deny functionality for custom rules to tweak the protection yourself.

    Regards Kees
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I say abolish Advanced Rules altogether. Those who want that feature can use a program that actually caters for that purpose. Problem solved. -.-
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks:

    Facing such pressures from both sides; pro-advanced, pro-basic folks.

    IMO,TF has arrived at a crossroad.

    Forgetting that Pro version, smart people would not touch it for mere AV scanner addition (they could use PCTools AV, free and freely) and $$$ extra ( I have called it a marketing blunder, right from the day one, and its marketing gurus had a very different views).

    If PCTools has a same vision and mission as Comodo does, then it should, at least in my view to make this long-waited, finally polished gem to be as simple and user-friendly as possible. Adding complexity to TF of present form is a suicidal mistake, unless it wishes to please those advanced players, then again, there are tons of others (HIPS) at their disposal at this moment. TF with those extra features is just another me-too copy.

    Take care.
     
  23. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    That's why we like HIPS, after all there is no such thing as a "false positive" in a HIPS.

    In fact, for HIPS the aim is to generate as much prompts as possible, generating prompts for actions that are harmless in 99.9999% of cases are the proof of a great HIPS.
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So sad, yet so true.

    Personally I wonder how they can afford to give out this great app for free. Something tells me it won't be forever.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Point I am making is that they should also get rid of the sensitivity level (erroniously called protection level), to facilitate more conventional HIPS users. So it is either way.

    Mamuto although less strong in self protection has a more straight forward approach. No custom rules, but exceptions managed on application level. Mamuto works like TF on level 4. It is a clear setup.
     
Loading...
Thread Status:
Not open for further replies.