Wow! I can't believe how light ThreatFire is.

Discussion in 'other anti-malware software' started by ratchet, Dec 2, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I was not able to find that post by CH support so not sure now.

    By the way, I just tried TF with a free hook-based keylogger (free, limited version).
     

    Attached Files:

  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    EQS and NG!
     

    Attached Files:

  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    aigle, if you will tell me what practical differences are there between KGB keylogger and these keylogger tests, I will tell you why TF doesn't detect it.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    If it really stays quiet when these actions are performed, it's worrying to me. I'd rather be alerted about all suspicious behavior, even if it's from trusted/non-malicious apps. But I guess it's a matter of preference. Some people want the HIPS to make decisions for them, others would rather do it themselves.

    I haven't tested it extensively, but to me it also looks like TF is indeed alerting about apps that trigger singular actions. Personally I don't believe in the "intelligence" of TF. Because if it's so smart, it should be able to recognize close to 100% of all malware, without signatures of course. And I think it's rather strange that it does not alert about the hook created by KGB Keylogger, or doesn't it monitor hooking at all?
     
  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    TF quarantined BitChe torrent searcher a few days ago. At the same time it also "quarantined" my Sleipnir IE browser shell although it gave no reason and it didn't show in the quarantine list so I couldn't restore it (had to download and extract the executable).
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You're right, it's a matter of preference. Because I can't help but wonder - what's the point of flagging trusted/non-malicious apps? Also, in the event that such an alert does pop up, how do you know whether it's a legitimate or a suspicious request, unless you're already thoroughly familiar with the ins and outs of the program?

    Perhaps you should, then you'd be in possession of the knowledge to comment on this matter...

    Or, perhaps you should also decide what it is that you want to believe - does TF alert on singular actions or not?

    Firstly, TF does recognize close to 100% of the malware I've tested personally, though I still find two or three every month that need submitting for analysis, mainly due to quarantine problems. Secondly, that's like saying you don't believe in doctors, because if they're so smart they should be able to cure every disease on the planet, or that you don't believe in police, because if they're so good they should be able to prevent every crime from being committed - an inherently ridiculous statement.

    It's strange to you because you believe TF should work like a dumb HIPS and alert on anything and everything. It's not that strange to me.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    May we please see the specific results of your tests?
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Come to think of it, this may be a good idea...

    Is there anything specific you're hoping to see? I only have internet access now at uni and the internet cafe where I'm working now, but I'll be going home in two weeks' time.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I tend to think like this these days: for trusted applications, the alerts are just there to interactively build a policy. If the application is compromised, and the system has long since finished learning, any alert is suspicious (anything that falls outside previously allowed actions), or if you password-protected it, you don't even get an alert, just a log entry.

    It does take time, and user consistency. You can't trial programs like these and expect them to be at their full potential.
    It also does not invalidate downloading only trusted programs, from reliable sources. You're not supposed to execute malware.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, I get your point, but what I meant was that it's hard for me to believe that TF will never miss malicious behavior, so I'd rather have a "dumb" HIPS that alerts me about everything and lets me decide whether it's normal behavior or not.

    With some knowledge it's not difficult to figure out whether a certain action might be dangerous or not. I really don't think it's hard to respond correctly to all these alerts. I believe that most apps don't (need to) trigger any alerts at all, so when they do it's worth looking at. If 90% of all apps triggered malicious behavior it wouldn't make any sense to use a HIPS.

    So basically you're saying that it caught every malware sample you threw at it, and stayed quiet when non-malware performed certain actions? That's nice. Does this also mean that whenever TF alerts you about something, it's almost certain to be malware? On another note, I think it's kind of "funny" that it recognizes harmless leaktests by signature, what's up with this?

    As a non-expert it's hard to figure out whether this is indeed the case or not. For example, I installed TF today on my PC at work, and it did alert me about one hook being loaded, while it kept quiet about all the other hooks installed. I don't know if there was anything special about this particular hook, but I don't think the app triggered more than one action though. Might be a so-called "false positive". But this may also be the reason why it doesn't alert about the KGB keylogging hook. I wonder, is TF perhaps capable of distinguishing non-malicious hooks/drivers from malicious ones? Btw, what do you think about an app like Neoava Guard?
     
    Last edited: Dec 8, 2007
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Not really. Like I said before, you are claiming that TF is so smart that it's able to recognize every action performed by a malicious tool. Then why is it even alerting me?

    I don´t get it.

    Doesn´t sound too good. Also, I have noticed when "quarantining" it may restart explorer.exe, very annoying. But to clarify, I´m not saying that this app is crap, it´s just not for me, I need to have more control.
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Anything & everything, please. I enjoy reading test data & results.

    Thou shall be home for Christmas, I hope. :)

    Mele Kalikimaka from Hawaii,
    bellgamin.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Fair enough.

    IceSword and Gmer behave exactly like trojans, for example. Of course you know they're safe and will allow them. What I'm saying is that that's the prerequisite of using a HIPS. If you can expect yourself to be familiar with every program out there, then you're good to go. Otherwise, how do you react when you see a program that silently drops an exe file to the OS folder and installs it as a driver? Or a program that drops multiple exe's to system32 and registers them as autostart entries? Good or bad?

    Not every. There were misses, some of them destructive, some of them caught but not cleaned up properly, some of them TF FUBARed up my comp by attempting to clean it. And then there were methods I could include in a malware package to bypass TF. That being said, I do stand by it, because it's been a really excellent performer so far, and the Novatix team has been prompt (so far) in fixing the more serious issues.

    TF has a low FP rate for me personally for a behavior blocker, though a bit on the high side for an AV. I've had 3 so far - on WC3Banlist, the Sandboxie installer, and a special tool to connect to the network at uni that really does behave like a backdoor.

    Been a while since I last tried it. I can't think of anything particularly useful to comment about it atm.

    Point out to me where I said the "every" part, because I don't remember it, and that'd be particularly irresponsible and misleading. Regarding your comment, I still don't get it. Just because a program has a high detection rate, it should stay silent and not alert you? I'm not sure what the two have to do with each other.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Like I said before, IMO it´s not that hard to respond to alerts, it´s all about asking yourself the question: is this behavior expected? You only have to have some basic software knowledge, that´s it. But I agree, too many popups (like for example in Comodo) can be very annoying, so a bit more intelligence is always nice.

    You know what my problem is? It seems like TF is spotting all malware (in my collection) by signature, so I can´t even test the HIPS part!

    With "every" I meant all malicious behavior monitored by TF. Because you can´t expect it to alert about something it doesn´t even monitor, of course.

    You got me wrong, what I meant was that TF will only alert you when it thinks something really fishy is going on, so if it´s so intelligent, why not immediately quarantine the process, why leave the decision up to you? But I wasn´t really being fair, at the end of the day it´s still a HIPS, and auto-blocking things would be too risky.

    Now that I think of it, you probably wouldn't like it, since it alerts about everything. But you can configure this tool quite precisely, so I thought you might like it. Btw, back to TF, it doesn't seem to monitor process execution, correct? And what about the registry, does it monitor the same keys that other classical HIPS are monitoring?
     
    Last edited: Dec 8, 2007
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Now that I think I've finally come to grips with my jealousy of Novatix passing CyberHawk over to PC Tools, I still find myself not able to shake the reluctance to bring it fully on board due to the multiple drivers plus running processes it depends on. I really favored this program from the very start and held no reservations whatsoever on its effectiveness in spite of occasionally reported FPs, but I really wish they could trim it to not be so present with those supporting files if at all possible. But, hey, if it works, and is stable, I guess there's really no merit in arguing their choice of coding technique, right?

    EASTER
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And that's the problem. You don't know what's normal or not unless you know the program. I've seen a legitimate IM program that installs keyboard hooks, and a legitimate anti-malware app that writes to (not reads) the boot sector. I've seen legitimate system analysis tools acting exactly like trojans. Some software behaves normally, other software doesn't. And unless you know the program's coding innards very intimately, to know exactly why it's doing what, all you can do is allow or block based on blind faith, based on the program's origins and/or how it appeared on your system.

    It's not hard to respond to prompts for programs you know are legit. In fact, you trust that they're legit, and allow all their actions, and from there onwards you learn what they do and what's normal for them. What about a program you don't know? Like my previous examples, what do you do when you see a program that silently copies exe files to system32 and installs drivers? Based on this alone, can you tell me if it's a good or bad program?

    It's not really that hard to find new malware. Google for malware hunting techniques, and it's best (but not absolutely necessary) if you have Windows XP SP1, IE6 and P2P programs. All unpatched, of course.

    All I can say is that a program should do this only when it has zero FPs. Just for example, Symantec is set to auto-quarantine by default, and it clobbered two important enough files lately that the news made it all the way to the headlines - and TF definitely has a higher FP rate than Symantec.

    I used to be a major proponent of HIPS when I first learned what they could do, and they certainly taught me a great deal. I still hold a spot for SSM and EQSecure, but at the moment I've come to grips with the fact that I already know enough about PC security that whatever additional safety they have to offer me aren't worth the trouble that I have to go through to setup and maintain them. As for your question about TF, I've made a post about it some while back, which should hopefully answer you: https://www.wilderssecurity.com/showpost.php?p=1101023&postcount=36
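
The trade-off argued through this thread (Pedro's point in post 9 that alerts on trusted software interactively build a per-program policy, and solcroft's point in posts 13 and 16 that a program silently dropping an exe into system32 and registering it as a driver or autostart entry is what a behaviour blocker should weigh as a whole) can be made concrete in code. The following is an added illustration written for this page; it is not ThreatFire's, EQSecure's or any other product's logic, and the process names, paths, category weights, threshold and event lists are all invented and constructed by hand.

```python
"""Two ways a behaviour monitor can decide when to alert: a learned per-program
policy (classic HIPS) versus weighted correlation of several actions by one
process. Illustrative only; names, weights and events are made up."""
from collections import defaultdict

# Constructed events as (process, action, target).
# Phase 1: the user's known-good software, observed during a learning period.
LEARNING_EVENTS = [
    ("im_client.exe", "set_keyboard_hook", "WH_KEYBOARD_LL"),
    ("im_client.exe", "network_connect", "chat.example.net:443"),
    ("av_tool.exe", "write_boot_sector", r"\\.\PhysicalDrive0"),
    ("av_tool.exe", "load_driver", r"C:\Windows\System32\drivers\avfilter.sys"),
]

# Phase 2: later activity, including two programs the user has never run.
LIVE_EVENTS = [
    ("im_client.exe", "set_keyboard_hook", "WH_KEYBOARD_LL"),
    ("av_tool.exe", "write_boot_sector", r"\\.\PhysicalDrive0"),
    # Unknown installer: drops a binary into System32, registers a service,
    # adds an autorun entry.
    ("setup_x.exe", "write_file", r"C:\Windows\System32\svchelper.exe"),
    ("setup_x.exe", "create_service", "svchelper"),
    ("setup_x.exe", "write_registry",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchelper"),
    # Unknown hook-based keylogger: one hook, one outbound connection.
    ("kl_demo.exe", "set_keyboard_hook", "WH_KEYBOARD_LL"),
    ("kl_demo.exe", "network_connect", "203.0.113.10:8080"),
]


def learn_policy(events):
    """Learning mode: every (process, action) pair seen becomes allowed."""
    policy = defaultdict(set)
    for proc, action, _ in events:
        policy[proc].add(action)
    return policy


def policy_alerts(policy, events):
    """Enforcement: any action outside a process's learned set is an alert.
    A process never seen before alerts on everything it does."""
    return [(p, a, t) for p, a, t in events if a not in policy.get(p, set())]


# Behaviour categories and weights; no single category reaches THRESHOLD.
WEIGHTS = {
    "drop_to_system_dir": 3,
    "install_service": 3,
    "autorun_persistence": 3,
    "keyboard_hook": 2,
    "boot_sector_write": 3,
    "outbound_connection": 1,
}
THRESHOLD = 6
SYSTEM_DIR = "c:\\windows\\system32\\"
RUN_KEY = "\\currentversion\\run\\"


def classify(action, target):
    """Map a raw event to a behaviour category, or None if uninteresting."""
    t = target.lower()
    if action == "write_file" and t.startswith(SYSTEM_DIR):
        return "drop_to_system_dir"
    if action in ("create_service", "load_driver"):
        return "install_service"
    if action == "write_registry" and RUN_KEY in t:
        return "autorun_persistence"
    if action == "set_keyboard_hook":
        return "keyboard_hook"
    if action == "write_boot_sector":
        return "boot_sector_write"
    if action == "network_connect":
        return "outbound_connection"
    return None


def correlate(events, threshold=THRESHOLD):
    """Score each process over the distinct categories it touched; flag it only
    when at least two categories combine to reach the threshold."""
    seen = defaultdict(set)
    for proc, action, target in events:
        cat = classify(action, target)
        if cat is not None:
            seen[proc].add(cat)
    flagged = {}
    for proc, cats in seen.items():
        score = sum(WEIGHTS[c] for c in cats)
        if len(cats) >= 2 and score >= threshold:
            flagged[proc] = score
    return flagged


def demo():
    """Run both approaches over the constructed live events."""
    policy = learn_policy(LEARNING_EVENTS)
    return {
        "policy_alerts": policy_alerts(policy, LIVE_EVENTS),
        "correlated": correlate(LIVE_EVENTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With this constructed data the learned policy stays silent on the two known programs and raises five alerts, one per action, for the two unknown ones, including the hook-only kl_demo.exe; that is the "dumb HIPS" behaviour Rasheed187 prefers and solcroft objects to, since each alert has to be judged by a user who may not know the program. The correlator flags only setup_x.exe (score 9) and says nothing about kl_demo.exe, whose hook plus outbound connection score 3: the single-hook keylogger is exactly the case that goes unflagged when alerts require a combination of actions. Run over the learning set alone, the correlator flags av_tool.exe for its boot-sector write plus driver load, which is the kind of false positive on legitimate security tools that solcroft describes.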
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Very simple. Those were tests, while KGB keylogger can be installed on a user's computer to record anything (provided you have physical system access).

    Now it's beyond my expertise to test a keylogger that comes through the internet, installs itself and sends data out.
     
  18. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    So you inspire me to check Neoava Guard out and I find it's out of development. That doesn't make me feel real great, so I guess I'll stick with TF for a while.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, the development of NG has been stopped, at least temporarily. It's well known.

    Current version is working OK with me but it has still some bugs and needs many tweaks.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Gee, I don't know, aigle, but that sounds darned identical to what I can do with those test programs as well.

    You can't win a game of security when the attacker has physical access to admin rights on your machine. Simple as that.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree. I never denied it, but as I said, it's beyond my expertise to test a keylogger that comes through the internet, installs itself and sends data out.
     
  22. OHM

    OHM Guest

    So does ThreatFire actually protect you well?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rasheed,

    Just add the custom rules posted here. https://www.wilderssecurity.com/showthread.php?t=183020

    It won't make TF a noisy application
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yes, it does. Very well.

    But since you're asking this question, it means you haven't seen much malware at all. Perhaps it'd be time to rethink whether you need all the security apps that you currently have.
     
  25. OHM

    OHM Guest

    Oh, thanks.
    Yes, I haven't seen much malware these days.
    However, I think it is better not to have it, by preventing it with
    the software I have.

    Regards OHM
     