Wow! I can't believe how light ThreatFire is.

Discussion in 'other anti-malware software' started by ratchet, Dec 2, 2007.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,912
    It's basically like it isn't even there. I only surf sandboxed and have several other applications monitoring things, so I'm not even sure I need this; however, had I known how quiet it was I'd have installed it back in the CyberHawk days. I was under the impression that HIPS drove one nuts!
     
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    If you want to become mental I recommend you try some of the classical HIPS.

    /C.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Actually, most HIPS are light on resources, so that's nothing special. But to me ThreatFire is not an option because I need to have more control. That's why I use Neoava Guard; it offers about the same protection and can be less "noisy" if configured in a certain way. Of course ThreatFire does have a couple of interesting features like buffer overflow protection and a rollback option (according to Solcroft).
     
  4. OHM

    OHM Guest

    ThreatFire is light and gives a nice protection, IMO.
     
  5. Arup

    Arup Guest

    Surprisingly it's quite light. Last time I tried CH I wasn't impressed, but now with TF it has improved a lot; a good low-resource addition to Avira Premium.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I guess light is something subjective. On my PC TFservice is 3rd in CPU Time, behind only System Idle (thank God) and System (00.14.14)... It beats even Opera by a little.

    Classical HIPS, like PG or SSM, are WAY lighter in this sector than TF. They are at 00.00.02 or less CPU Time, compared to the 00.08.13 which I have right now. The advantage of TF is that you don't have to click on everything.
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    My tests done on a with and without basis show that with Threatfire, Super Pi (4M calculation) takes about 6% more time. That would be two instances on a dual core machine. However, the machine does not feel like it has any less snap.
     
  8. Vettetech

    Vettetech Former Poster

    Joined:
    Nov 24, 2007
    Posts:
    339
    I personally don't see the point of ThreatFire. I use OA for my firewall and NOD32 3.0 for my AV. I do a spyware scan once a week with SAS and Ashampoo Antispyware.
     
  9. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

    ThreatFire might be light but it does not stop the Keyloggertest referred to in another thread on this forum. What I don't understand is why all the euphoria about this and other security products which signally fail to stop keyloggers, which have the potential for devastating consequences.

    Terry
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If it alerts to a test, it's probably a false positive. TF is meant to detect real malicious behavior, not tests. The test would have to do a bit more than record keystrokes.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, No, No
    TF must alert as it's a behaviour blocker (unless the test is whitelisted in its database). TF is poor in keylogging behaviour detection.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    TF is poor in keyloggers detection. A while ago, they had actually removed the keylogging detection due to so many false positives.
     
  13. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi & thanks to Aigle

    I had not realised that T/F was no protection for keyloggers.

    T/F is not what I thought it was. Not a very good advert. Half a prgram?

    Terry
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I also wonder when I see TF failing even against simple keyboard hooking. Very strange indeed. Why can't they add it like lots of other HIPS? I guess maybe they are afraid of false positives, as legit keyboard hooks are very common as well.
     
  15. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    With those features removed, one could wonder over TF's practical value...

    Btw, TF has a high I/O dataflow value, so I can't agree that TF runs "light", even if this should not cause any performance problem on a fast machine.

    /C.
     
  16. Dogbiscuit

    Dogbiscuit Guest

    It normally takes a second or less to log out of a user account on my system. It takes at least 4-5 seconds with Threatfire - though, I haven't come across anything else that noticeable.
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    No, no, no.

    Why "must" TF flag it if it's a test and does nothing really malicious? Like you mentioned, TF is a behavior blocker; you're right about that, but do you know what that means?

    It means that TF doesn't popup alerts on singular actions, unlike a "dumb" HIPS who cannot determine whether a process is malicious and hence needs to alert on EVERY action and leave the decision to the user. Against some processes TF will wait to analyze a series of actions the process takes so as to determine whether it's a malicious program. I'll be worried when I see TF fail against a real keylogger trojan; getting worked up over sensationalist but harmless tests like these is a waste of time and effort.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Like an AV, a behav. blocker/analyzer must be tested with real malware, not PoC/leaktests
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    "The tests are not meaningful" -- for a long time that SORT of statement was the rejoinder used by Prevx when they failed various tests. In udder words (said the cow)...

    *If you can't raise the bridge, lower the water.
    **If you can't disprove the message, then SHOOT the messenger.
    ***If you can't defend your client, defend the flag. :cautious:

    Actually I think TF is a good bit of security software, but responding to a negative comment by using unsupported assertions doesn't truly satisfy.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If Prevx advertised itself by saying "we detect test programs!", then your statements might be meaningful.

    I can remember the scores of people who used SpyCar or Scoundrel Simulator against antivirus software, and used these as evidence to cry that their antivirus programs were not effective.

    It's a very interesting situation with test programs. On one hand, you have vendors who create test programs for their own marketing benefit, knowing full well their own products pass their own tests, and use sensationalist terms to describe the consequences of failing their test, which are often only half-true at best IF the tests are used against the proper type of security software. On the other hand, you have people who've armed themselves with all sorts of security programs but have never seen any malware in all their lives, and get all terribly excited like a child on Christmas morning whenever any of their programs alert on something and anything. Altogether, watching how the newbies react makes for a very amusing scenario.
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Could you provide a link, please? I searched but couldn't find the comment you referred to.
    ~~~~~~~~~~~
    I'm not out to yank anybody's chain. Instead, I'm trying to get hard facts about TF's ability to deal with keyloggers. The idea of a keylogger ever being able to successfully hide itself within my system alarms me more than any other type of infection I can think of.

    I want to use TF. I like it a lot. However, now that the fickle finger of FUD has been hoisted, I have to have factual information about its ability to spot/block keyloggers. Otherwise, I can't use it as of now.

    TF is so dadummed good (and so nicely FREE) that it *deserves* to be tested in a valid manner. I have ZERO expertise for doing such a test. Hopefully someone else does have the time and know-how to do it. I sincerely hope so.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What series of actions do you expect from a real keylogger? It will mainly record the keystrokes, maybe one, two, three or ..... hundreds, thousands..... (plus logging and/or sending data outside).

    TF will not alert you for keylogging no matter whether one key is logged or hundreds of keys are logged (it does detect a few keylogging methods but not most of them).

    You must remember that it was announced by the CH people that they had removed keylogger detection for the time being, and I did not see any further announcement by them that they have added it again (they probably removed it due to many false alarms with a few versions).

    I tried some hook-based keyloggers with an older version of CH in the past and they were detected on the basis of behaviour. Now if I run those keyloggers, most of them are detected mainly by signatures (indicating that they increased signatures for keyloggers as they know CH/TF is weak in this regard).

    I think there are two extreme opinions. Some say POCs/tests are useless and others say they are as good as real malware to test an application. Actually I think POCs/tests are useful unless you find a flaw in the POC/test itself.
    I think TF does alert on singular actions. Many examples:

    1- Creating an executable in the root of the C drive (single action) - you might remember your testing with UltreExplorer
    2- Adding a startup reg entry
    3- Installing a driver
    4- Creating remote thread

    There are many examples. In fact it is PRSC that triggers on multiple suspicious actions, not TF. TF does trigger even on a single suspicious action. It's my understanding. I can't claim to be exactly right though. If you have evidence against it, share with us.
     
  23. sick0

    sick0 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    143
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    First I will expect it to install on my computer somehow without my knowledge. This involves attack of system/browser vulnerabilities for a remote installation, but not always, and will almost always involve creation of autostart entries. I expect it to have some basic capability of capturing only keystrokes from specific windows via some actions at the application level. I expect it to connect to the internet, or manipulate other processes or attack the OS kernel to hide itself while doing this. Last but not least, I also expect it to be a windowless process, i.e. there will not be a window or taskbar icon sitting there and very helpfully informing me "HEY LOOK, I'M HERE LOGGING YOUR KEYSTROKES!"

    I most certainly do not! I remember them saying they IMPROVED keylogger detection (which is a big difference from removing it). You might care to provide us with the version of CH that had keylogger detection removed from it, and proof of the Novatix team saying so. In fact, keylogger detection is certainly still there - assuming you don't have the samples to verify that yourself, check this thread.

    If I run older worms and trojans, they will be detected as known malware as well. The fact is ThreatFire updates its databases of known good/bad files all the time. If you pay attention to the names it uses to report malware you'll see evidence that TF shares malware databases with Grisoft, McAfee and Trend Micro, among others. If your malware samples are especially old, then I'd be even less surprised they're detected as known malware; and no, this is not "proof" that TF is weak at keylogger detection.

    I disagree. In the case of programs like TF and Prevx that are designed to detect malware, it's simply absurd to test them with anything else and expect the test to give credible results. Keylogger tests are useful against HIPS. Why? Because a HIPS program is designed to alert on everything whether it's malicious or not, as long as it performs a specific, single action. Not TF!

    1 is understandable, since that single action alone is dangerous enough to classify a process as malicious, and hence you don't need to monitor everything else (also, please note that it's COPYING an executable, not creating; there's a difference). As for the others, I've run plenty of programs that perform those actions, and TF remained silent. In fact, I daresay adding autostart entries and installing drivers are very common actions, and people perform them all the time! Don't you expect forums to be flooded about complaints of FPs by now, if that was indeed the case?
     
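The disagreement in the posts above (aigle's list of single actions versus solcroft's "series of actions" a real keylogger takes) comes down to two different alerting models. The following is an added illustration, not code from the forum, from ThreatFire or from any other product mentioned in the thread: a classical HIPS prompts on every monitored action, while a behaviour blocker accumulates a per-process score, alerts alone on a few actions it treats as decisive, and skips whitelisted images. The action names, weights, threshold and whitelist are assumptions chosen for the example; ThreatFire's real rules were never published. The event log is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One monitored action taken by a process (constructed sample data)."""
    pid: int
    image: str
    action: str


# Illustrative weights for suspicious actions. These are assumptions for this
# example, not any product's actual rules.
ACTION_WEIGHT = {
    "install_keyboard_hook": 2,
    "write_autorun_registry": 2,
    "install_driver": 3,
    "create_remote_thread": 3,
    "copy_exe_to_drive_root": 5,
    "hidden_window": 1,
    "write_log_file": 1,
    "outbound_connection": 2,
}

# A single occurrence of these is treated as decisive on its own
# (the kind of case aigle describes for an executable landing in the root of C:).
ALERT_ON_SINGLE = {"copy_exe_to_drive_root"}

# Cumulative score at which the behaviour blocker flags a process (assumed).
SCORE_THRESHOLD = 6

# Images whose keyboard hooks are known-legitimate. A whitelist is how a
# behaviour blocker keeps hook monitoring from drowning in false positives.
WHITELIST = {"explorer.exe"}


def hips_alerts(events):
    """Classical HIPS model: every monitored action produces a prompt,
    regardless of which process did it or what else it did.
    Returns the list of (pid, action) prompts the user would have to answer."""
    return [(e.pid, e.action) for e in events if e.action in ACTION_WEIGHT]


def behaviour_verdicts(events):
    """Behaviour-blocker model: accumulate a score per process and decide once.
    Returns {pid: (image, score, verdict)} with verdict 'malicious' or 'clean'."""
    score = defaultdict(int)
    image = {}
    flagged = set()
    for e in events:
        image[e.pid] = e.image
        if e.image in WHITELIST:
            continue  # trusted image: its actions are not scored at all
        score[e.pid] += ACTION_WEIGHT.get(e.action, 0)
        if e.action in ALERT_ON_SINGLE:
            flagged.add(e.pid)
    verdicts = {}
    for pid, img in image.items():
        malicious = pid in flagged or score[pid] >= SCORE_THRESHOLD
        verdicts[pid] = (img, score[pid], "malicious" if malicious else "clean")
    return verdicts


# Constructed event log covering the cases argued over in the thread.
SAMPLE_EVENTS = [
    # 1001: a keylogger trojan doing the series of actions solcroft describes
    Event(1001, "svchosts.exe", "hidden_window"),
    Event(1001, "svchosts.exe", "write_autorun_registry"),
    Event(1001, "svchosts.exe", "install_keyboard_hook"),
    Event(1001, "svchosts.exe", "write_log_file"),
    Event(1001, "svchosts.exe", "outbound_connection"),
    # 2002: a keylogger *test* PoC: sets a hook and writes a log, nothing else
    Event(2002, "keylogtest.exe", "install_keyboard_hook"),
    Event(2002, "keylogtest.exe", "write_log_file"),
    # 3003: an ordinary installer: autorun entry plus a driver
    Event(3003, "setup.exe", "write_autorun_registry"),
    Event(3003, "setup.exe", "install_driver"),
    # 4004: the shell installing a keyboard hook, whitelisted
    Event(4004, "explorer.exe", "install_keyboard_hook"),
    # 5005: a dropper copying an executable to the drive root
    Event(5005, "dropper.exe", "copy_exe_to_drive_root"),
]


if __name__ == "__main__":
    print("HIPS prompts:", len(hips_alerts(SAMPLE_EVENTS)))
    for pid, (img, s, verdict) in sorted(behaviour_verdicts(SAMPLE_EVENTS).items()):
        print(f"{pid} {img:15} score={s} {verdict}")
```

Run as written, the HIPS model raises eleven prompts for this log, including one for the shell and two for the installer, while the behaviour model flags only the trojan (score 8) and the dropper (decisive single action) and stays silent on the keylogger test PoC (score 3). That silence is exactly the outcome the thread argues about: whether a bare hook-plus-logfile test should count as a miss depends on which of the two models the product claims to implement.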
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    aigle, think of it this way: what's the difference between this and notepad?
     