Wow! I can't believe how light ThreatFire is.

Discussion in 'other anti-malware software' started by ratchet, Dec 2, 2007.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Kees1958

That's another thing that I didn't like about TF, making and adding all these rules looks way too complex. Why do this when you can do about the same with Neoava, all out of the box? And if you read the thread, I would actually like TF to become a bit more noisy! But I just saw in another thread that with TF Pro you can make it act more like a "dumb" HIPS.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
What you described sounds like expected behavior; if you trust these tools you will allow it. However, it also depends, for example if an IM wants to install a driver or tries to inject code, then there's something strange going on. Like I said before, I ask myself, "does it make sense that a certain app wants to do a certain thing"?

For example, take Orbit Downloader, its file sniffer wants to "create a remote thread" and have "write access to memory", sounds fishy, but without it, the file sniffer wouldn't work. And a lot of system utilities need to install global/window hooks, without it they wouldn't be able to manipulate windows (Filebox Extender, Taskbar Shuffle, AutoSizer), to me it does make sense.

(Of course, in theory they all could be keyloggers, but with the current anti-keylogging tools it's not really a problem. Besides they don't have network access.) But anyway, this requires some basic software knowledge. Of course, you may say that I won't always respond correctly to these alerts, however, it's more likely that I will deny perfectly harmless tools from running than that I will install malware accidentally. I'm cool with that, rather be safe than sorry.

As you already know, I don't look at it that way, from my experience (and I have tested quite a lot of apps for the last 3 years) most apps shouldn't trigger any high risk alerts at all. Most of the time it's the security tools and some system utilities that will trigger stuff. Most tools should be able to function just fine without doing dangerous stuff. At least, that's from my experience, you may have downloaded other kinds of tools.

Yes, me too, I wouldn't have learned all the stuff that I know without classical HIPS, all those alerts forced you to think about stuff.
     
    Last edited: Dec 16, 2007
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
This "rollback" feature really sounds nice, this is definitely something that I'm missing at the moment. Btw, I just read a review about KIS7 which also has this feature. But what was interesting to me was this part:

So what is meant by "sandbox technique"? If I'm correct, most HIPS will of course monitor for certain behavior, but all commands are executed on the "real machine".
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
First, Neoava does not offer this kind of registry protection. The average Regdefend user will laugh at the NG registry filters. I think it is a great feature of TF. Then again I was probably one of the few who bought CyberHawk Pro. With the custom rules it is a sort of Swiss army knife. A good thing about the registry and file protection in those custom rules is that it should be static. Comodo V3 has more or less the same file and registry protection. The first thing I did when I tried Comodo was to loosen its file protection (was covered with UAC anyway so quite over the top in Vista) and add some registry keys. Comodo V 3.4 will probably be the HIPS we are going to use on the Vista box, that is, when TF does not provide Vista64 in the future.

Second, Neoava has not got the option to allow system processes, which really reduces the pop-ups. Raising the sensitivity level of TF from 3 to 4 did not produce a single pop-up.

But when you're happy with NG or EQS, why bother with TF?
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Neoava is abandonware whereas TF is vigorously maintained by a team that quickly responds to support requests & issues. That's a major advantage of TF in my opinion.

    As to TF's capacity for customization -- the button on TF's GUI clearly says "ADVANCED Rules." As was noted by Solcraft, TF works just fine, right out of the box, for the "everyday user."

    Thus, TF offers the distinct advantage of offering the OPTION for advanced/high-risk users to tweak it to attain a greater scope-of-protection. For example, I tweaked TF so that it now alerts me of apps that are trying to connect out -- a job that is usually done by a firewall. However, I have a NAT/SPI router so I don't want to use a software firewall. TF's option for adding custom rules enables me to have this FW capability, but without the necessity for running a separate software firewall.

    Ergo, TF's flexibility for advanced settings enables it to do a number of FW functions, as well as classical HIPS functions, IF THE USER DESIRES. TF's option for advanced rules is, to me, a very major feature of TF. I find it odd that this extremely useful option would be considered a disadvantage by anyone. If someone dislikes the option, simply do not use it -- simple as that. :)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Yes, this is true, maybe I should have mentioned SSM instead. But NG does offer outbound network protection and it can also protect files/folders, out of the box. Of course, making custom rules in TF is interesting, however, IMO this all should be much easier to do, it all looks so silly and way too complex to me.

Well, it seems like an interesting, quite powerful app, but some people make it sound like it's much better than other HIPS. I'm not so sure, so that's how I ended up in this thread. But I have to say that I've done some reading on the TF forum and even LUSHER is impressed! That can only mean two things: either it's the best HIPS out there, or it's complete crap! :p
     
    Last edited: Dec 15, 2007
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    By design, a "dumb" HIPS in the hands of an expert user is undoubtedly superior to TF in terms of protective power. But even then, it's not by much, and TF really brings a very powerful defense while requiring minimal - almost zero - amounts of hassle. Personally, I like it a lot.
     
  8. rolarocka

    rolarocka Guest

Why is this? I noticed very low CPU but also high I/O measured with Process Explorer. The system slows down somewhat because of that.
     
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
Well, I'm just wondering if any one of you above knows what this is. I get this after installation of Threat Fire; even if I delete the entries they always come back, and when I uninstall Threat Fire they are gone. Yes, Threat Fire runs nice and fast on my system, but still I have not encountered any other program that would keep ADS in the temp folders other than this program.
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Lusher is impressed only because Rasheed isn't! :p

    Seriously though you might be joking but I can't help but notice the same nonsense about "the best HIPS" slipped out again.

    "Best" means nothing if you don't define what best means. As usual you fail to appreciate that what is considered "best" depends on what one's criteria are. Something you really should know after years of reading this place.

    I can say for sure though that TF could make coffee, make your bed and cure cancer on top of being a top class security product and it still wouldn't be for you, because you belong to the paranoid freak's club* who convince themselves that if they don't personally approve everything the computer does, it is not secure....

    That's okay really, we all have different needs. I don't understand why you continue to beat on TF. As already mentioned TF is probably the best realistic choice for people who don't want to approve every little thing their computer does. in that sense, it is the "best".



    *Disclosure I was one of the members of that club and am still a recovering paranoid.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
Unfortunately, a "dumb" HIPS doesn't let you do that either - not everything. A popular myth, but an erroneous one. I'm still waiting for a HIPS to be able to block manipulations to XP access permissions, for one (DefenseWall claims to be able to do this AFAIK).
     
  12. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
Actually Solcroft, "everything" was hyperbole of course. I seriously doubt anyone believes this myth, though I'm sure it is the cherished dream of many paranoids as they urge HIPS makers to add more and more stuff to monitor.

At the rate at which HIPS are getting more and more complicated, and as people demand more and more features just to beat yet another test... The target is not achievable, but I'm sure HIPS will eventually give a very good shot at achieving this.

    Look at how the feature set has expanded from the basic PG functions to ProSecurity/Eqsecure/Comodo/SSM today!

As I have often joked, ultimately the computer will be prompting you for each and every single CPU instruction cycle.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
That's exactly right, it all depends on what we think is important, what we need. That's why I will continue to stay with my SSM/NG combo. As for beating on TF, as a nonexpert who's used to classical HIPS, it's easy to get skeptical about a more "quiet" HIPS like TF, but I'm sure the developers are no idiots, and know at least 100 times more than me about malware. And your PM also helped to convince me that TF is quite an advanced tool.
     
  14. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
One question please, I don't want to start a new thread for this: can I install TF and AntiBot on the same machine? Will they conflict?
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I wouldn't be surprised if they did.

Why do people always think stacking the same kind of apps together is a good idea? Just pick the one that works for you.
     
  16. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    :) maybe because they want maximum protection? ;)
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    True. Unfortunately it's also as helpful as... as... er, something very unhelpful...
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello solcroft,

Although this is a little bit off topic, DriveSentry (DS) technical support has informed me that DS monitors access permissions. I cannot confirm whether DS detects and blocks changes to XP access permissions as a result of this, as I have yet to test this scenario.


    Peace & Gratitude,

    CogitoErgoSum
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually, that's much less of a problem than unknowingly allowing malware to run because you think it's a normal program that won't run properly unless you allow it to, say install global hooks.
     
  20. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
Or that OLE thingie...
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
I'm not sure what you mean, these kinds of apps actually don't work without allowing them to install hooks. And because of my experience with certain software categories I know what to expect, with that I mean, I know if certain behavior might be fishy or not. And besides, what else can I do more? I scan the file, it comes up clean and then I analyze it with my HIPS. And so far my approach is working, but that doesn't mean I will always get it right.

Yes, according to some screenshot I saw, it seems like DS is monitoring this, I really can't believe that other HIPS completely missed this, this all must be stored in the registry, no?
     
    Last edited: Dec 19, 2007
  22. rolarocka

    rolarocka Guest

I really want to use this application but it's too heavy for my PC, especially when browsing, poor me :(. I noticed that if I add my browsers (Firefox, Opera) to the excluded apps then browsing is much faster with nearly no CPU. Is it a big security loss doing this? I use an antivirus besides. Thx
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

As far as I know the process list options are in regard to your custom rules, so Trusted apps means they are not checked against self-made custom rules, and the email and browser apps selected are checked against your own custom rules.

The default TF rules are always applicable to all apps. Members, please correct me if I am wrong.

    Regards K
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
My understanding is the same.

I did suggest to them to give an option for exclusion from the default rules as well, but no such feature so far.
     
  25. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    You want maximum protection?

    You can run threatfire/norton antibot with Geswall/sandboxie/safespace (pick one) + Prosecurity/SSM/Comodo Defense+ (pick one). I'm sure there won't be any problems running these 3 together, because they are different security software... :D
     