Why does Threatfire want internet access?

Discussion in 'other anti-malware software' started by Firebytes, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Why does Threatfire still want internet access when I have disabled automatic updates and community protection participation? I am sure I have seen the answer somewhere before but I can't find it at the moment and can't remember the answer.

    Threatfire tray app and Threatfire service both occasionally attempt internet access, especially after an alert. I would think that with the auto update and community protection turned off it would have no reason to attempt internet access. What am I missing here?

    Hopefully someone can provide an answer or point me to the thread where it was already discussed. Thanks.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Why does it bother you that it wants internet access?
     
  3. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Because if I wanted it to have internet access I would have turned on auto updates and community protection. Since I did not turn them on I would like to know what other need it has for accessing the internet. If I then choose to do so I will allow it past my firewall.
     
  4. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    It does that with me as well; just use a firewall and block its IP. Comodo works well for the task. Turning off community protection isn't working correctly; maybe not a big deal anyway. :)
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Alright.... I just wondered what the concern was. Seems to me you either trust an app or you don't, but perhaps you have other reasons for wanting to restrict communication.

    I would imagine, just guessing, that it might do some type of checking like Prevx does, but if you turn all that off, then it should stop. Could also just be a plain old bug, i.e. turning those features off doesn't work or take as it should.

    Is there a Threatfire forum where you can ask? That might be a good place to check also...
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Correct me please if not accurate, but doesn't Prevx also practice the same direct connection feature that checks for matches from its server?

    Some apps, even after you uncheck that particular feature, for some reason don't get the message, but like mentioned, use your firewall to BLOCK it if it's not to your expectations, since it's obvious it's refusing to obey your setting.
     
  7. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Hmm aren't you guys supposed to use something like Ethereal to see what is going on...

    I know this is wilders security forum that we are talking about but still.....
     
  8. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Don't forget TF maintains a whitelist, whilst Community Protection is about identifying new threats.

    Blocking access to CP doesn't block access to the whitelist.
     
    Last edited: Dec 22, 2007
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    That's all well and good, but it still escapes me why the same just couldn't be done more simply, like most AVs and ASs, by the user downloading sigs to the local machine instead of keeping open an internet link to a server for that task.

    Point being, if the server is off-line for any extended period or even compromised, then what?
     
  10. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    "ThreatFire will still always examine all the behaviors being performed on a system and if something suspicious is occurring, regardless of whether it is from a whitelisted application or not, it will alert you."
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Whitelists are too big to be kept on the local machine.
    You rely purely on the behaviour blocker, at the expense of some FPs.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Fair enough, and I thought as much, that was likely the reason, but I'd still favor it being the user's choice of the local database approach; but then again, if it's a Behavioral Blocker of real substance it will instantly SUSPEND the actions of an unknown or listed baddie until it's finished its search match first.

    Guess there's room for argument on both concepts, but with the pure numbers of blacklists for such a program it's bound to be enormous for sure.
     
  13. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Threatfire uses the whitelist to reduce the amount of false positives, but is a behaviour blocker first and foremost, rather than signature based.

    Presumably what it does is block first, then check the whitelist.

    Can't see how any disadvantages of lists would apply.
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Why would anyone care if Threatfire contacts the internet? I guess it is some sinister plot to spy on its users.
     
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    The constant Internet connection with TF's mother ship is the integral part of its full strength and unique characteristics (shared with some others, such as prevx2, Drive Sentry). Without it, you get only partial protection.

    GM's (auto) OnStar device keeps drivers safely protected on the road, but w/o the constant connection with home base, your GPS won't work, your locked door won't get unlocked, and Tiger Woods won't appear on TV commercials..

    Mercedes Benz's constant monitoring device will not alert home base when the vehicle is stolen by lifting up all four wheels and moving it onto a flatbed truck.

    Connection is part of the program; if you use the app with full trust, then IMO you should, by the same token, trust it fully, without any doubt.

    In an earlier stage (CyberHawk beta era), a lot of debates were conducted here at Wilders, and numerous topics were also explored. To this day, I believe most users feel more comfortable in those regards.

    I do hope you can gradually adopt this modern day's concept.

    Take care.
     
  16. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Perman,

    Thank you for your reply. Much more helpful than just asking why I even care about the attempted internet connections.

    Diver,

    I guess if I didn't care about any apps I have on my computer connecting to the internet at any time they wanted I could just toss my outbound protection firewall. I do care, however, and there are some apps that really don't need a connection but seem to want it anyway (example: Windows Explorer). I trust Windows Explorer to do the things I need it to do on my computer; however, I have never once needed it to connect to the net to do its job and I do not want it to connect either.

    Merry Christmas
     
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    That is why I insist on having a firewall with application control myself. :D
     
  18. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I have a couple of questions concerning how TF (or Prevx for that matter) works. If the program checks a whitelist that is online wouldn't it have to take some time to make the connection and check the list before it could issue an alert to the user when a potentially malicious action is observed? Is the program then just supposed to suspend the potentially malicious action until a check of the whitelist has been completed and then alert the user via popup if the trigger isn't on that list? When I had TF set to "ask" for internet connection on previous alerts it never asked for the connection until AFTER the alert popup. I thought the whole idea of a whitelist would be so TF would check the list first and then wouldn't even alert me on a known "good" program.

    I am just trying to get an understanding of the whole online whitelist thing. Are whitelists really that much larger than say AV definitions which are stored locally on a computer?

    One reason I haven't wanted community contributions allowed is that a file that triggers an alert is automatically sent to TF for analysis. If that file contains sensitive data I probably don't want it sent, especially if it's a false alarm. So I have just been blocking TF with my firewall since I have been unsure why it wanted access to the net even with community contributions off.

    Well, at any rate I think TF is a very good addition to my computer's protection. I am just attempting to understand its workings and then use it in a way that I am comfortable with.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This concern is valid but completely and utterly baseless in this situation. Malware files are programs, not documents or other data, and as such are unlikely to contain any of your personal data at all. In fact, with the exception of dll libraries, ThreatFire only triggers on programs, whose nature makes it impossible for them to contain any personal data.
     
  20. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Actually, some of my personal data is stored in an executable. LockNote is a program that encrypts data in a stand alone executable. Anytime you close the application, after making changes to the data you have previously locked inside, the executable copies/replaces itself (which triggers Threatfire) with the newly encrypted information inside.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I stand corrected.
     
  22. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    As previously mentioned, TF uses the whitelist to reduce the amount of false positives, but its action is that of a behaviour blocker.

    The whitelist isn't checked primarily to block.

    Therefore it would firstly block and then check the whitelist.

    The alert is coming from the behaviour blocker with confirmation from the list.

    The whole action is completed almost instantaneously from my experience, which is rather incredible, but no different from the speed, for example, of Site Advisor, which also appears instantaneous.
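An added illustration, not ThreatFire's code or anything posted in this thread: a toy behaviour blocker that follows the sequence described above (the action is suspended first, then the whitelist is consulted, and an alert is shown only when the file is not on the list), sends only a file hash rather than the file itself, and falls back to alerting the user when the whitelist server cannot be reached (the "server is off-line, then what?" question earlier in the thread). All sample bytes, the whitelist contents and both lookup functions are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed sample "programs"; a real blocker would hash the file on disk.
TRUSTED_UPDATER = b"MZ-constructed-trusted-updater-bytes"
UNKNOWN_PROGRAM = b"MZ-constructed-unknown-program-bytes"

# Constructed server-side whitelist, keyed by SHA-256 hex digest.
SERVER_WHITELIST = {hashlib.sha256(TRUSTED_UPDATER).hexdigest()}


def remote_lookup_online(digest: str) -> Optional[bool]:
    """Stand-in for the network query: only the hash leaves the machine."""
    return digest in SERVER_WHITELIST


def remote_lookup_offline(digest: str) -> Optional[bool]:
    """Stand-in for an unreachable server: None means 'no verdict available'."""
    return None


class BehaviourBlocker:
    def __init__(self, remote_lookup: Callable[[str], Optional[bool]]) -> None:
        self.remote_lookup = remote_lookup
        # Verdicts already obtained, so a repeat of the same file needs no network round trip.
        self.cache: Dict[str, bool] = {}

    def whitelisted(self, digest: str) -> Optional[bool]:
        if digest in self.cache:
            return self.cache[digest]
        verdict = self.remote_lookup(digest)
        if verdict is not None:  # never cache "unreachable"
            self.cache[digest] = verdict
        return verdict

    def on_suspicious_action(self, program: bytes, behaviour: str) -> Tuple[str, str]:
        """Called with the action already suspended: block first, then check the list.

        Returns (decision, reason) where decision is "allow" or "alert".
        """
        digest = hashlib.sha256(program).hexdigest()
        verdict = self.whitelisted(digest)
        if verdict is True:
            return "allow", f"{behaviour}: {digest[:12]} is whitelisted, no popup shown"
        if verdict is None:
            return "alert", f"{behaviour}: whitelist unreachable, user decides"
        return "alert", f"{behaviour}: {digest[:12]} not on whitelist"
```

With the server reachable, the whitelisted sample is allowed silently and the unknown one raises an alert; with the server offline, even the whitelisted sample is escalated to the user unless its verdict is already cached.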
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nothing to be surprised about. The average computer can perform thousands of logical actions in the blink of an eye. Consider the standard antivirus scanner, which can check whether a file contains any of the tens of thousands of malware codes it can identify, and run a heuristic emulator on it, all in a fraction of a second.
     
  24. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Solcroft,

    In my case, TF would initially block the malware and then successfully seek an FP query from the whitelist server maybe 7000 miles away, all in the blinking of an eyelid; not too shabby really!
     
  25. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    After Threatfire alerts you to a possible threat, if it then finds the program it alerted on in the whitelist, what does it do then? Does it issue another popup advising of such, or does it just remove the first popup and allow the program to perform the action it had alerted on? Even when I allowed TF to access the net I never had it alert on anything that was in the whitelist, I guess, so I don't know.
     