Wow ThreatFire 3.5 seems to have a lot of FPs. :(

Discussion in 'other anti-malware software' started by cheater87, Jul 20, 2008.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I decided to try out the new version. I installed it and opened Firefox to browse when I got a pop-up saying that ThreatFire detected a HIGH-ranking problem. Is this just because the program is learning, or has ThreatFire always had a high level of FPs? o_O
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    What I experience from ThreatFire is that it triggers a lot of false positives,
    because it analyzes the behaviour and not all programs are bad, so there the gambling comes into place (level 5 protection): you decide yes or no for the false positive. For the blacklist it is OK; it recognises the bad stuff's behavior.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I too decided to give it a try yesterday, but after 5 minutes it was out of the PC.
    You may say, "ThreatFire is a very good malware detector,"
    but my wife is a happy clicker (yes to all), so I don't want to crash my system.
    So I use a silent weapon approach (DefenseWall HIPS instead). ;)
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    To add more: I remember when it was CyberHawk it was really good, fast and less noisy. I loved CyberHawk but not the new ThreatFire. :'(
     
  5. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I rarely have FPs with ThreatFire.
     
  6. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    This is not normal behaviour of ThreatFire (used on level 3) regarding Firefox. On the default level (3), while I used it until recently, it was quiet and unintrusive.
    It's possible that, in case you still use all the software in your signature alongside it, one of those apps conflicts with ThreatFire.
     
  7. Gren

    Gren Registered Member

    Joined:
    May 31, 2007
    Posts:
    93
    Haven't used it for a few months, but when I last used TF it was as quiet as a mouse. Maybe it depends on the level you have it set at?

    Only removed it as I moved to Comodo and use D+ for that side of things.
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I had the protection at default. Uninstalled it and I'm back to Defense Plus.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I noticed you have Spyware Terminator.
    It has a HIPS; I tried it before and it was really fast and a good alerter,
    of course when you put the protection on high.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Next time take a screenshot.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Sure I will. ;)
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A- In case some folks didn't notice, TF is now a MUCH bigger download than it used to be in earlier versions.

    B- The reason why TF is so much larger is the fact that TF now includes PCTools Antivirus (PCTAV), together with all of PCTAV's extensive blacklist signatures. That is good news & bad news.

    1- It's good news because TF can now screen for KNOWN nasties with its PCTAV component, & can still screen for zero-day & other UNknown nasties with its behavior blocker component.

    2- It's bad news because PCTAV began as a clone of Virus Buster -- a 2nd tier AV in terms of protective power, based on recent tests. PCTools evidently has been working hard to enhance PCTAV to be better than its V-Buster beginnings. Perhaps as a result of this effort, there have been recent reports at DSLR forums of lots of FPs by PCTAV. Ergo, IMO the splurge of TF FPs is primarily attributable to its use of PCTAV. I'm sure PCTools folks will get PCTAV's FPs under control soon. When they do, TF's FPs should return to normal -- which is "VERY low FPs when set at 3."

    C- By the way, if you know how to use TF's advanced rules component, you can add rules that will: (1) enable TF to nicely protect files & registry, AND (2) turn TF into a fairly effective outgoing firewall. Thus, if you use Windows built-in FW for incoming FW, & TF's advanced rules for outgoing FW, TF thus becomes a more-or-less "suite" -- FW+HIPS+File Protector+Registry Protector+AV.

    D- TF can sometimes use a lot of cpu cycles for short periods of time. I substantially reduced TF's cpu usage by setting it to the highest level (level 5)! Kees explained this phenomenon in THIS Wilder's thread, where he said (in part)...
    In other words...

    1- At Level 3 TF does the work of checking possible intrusions to see if they are a real nasty or an FP. Result: fewer FPs BUT surges in cpu usage.

    2- At level 5 TF doesn't do as much checking, but lets the user do most of that work. Result: more FPs BUT much less cpu usage.

    E- When using TF, I run at level 5 but have few FPs. That's because I am a clean liver. (Nya nya nya -- Our class won a Bible!)
     
    Last edited: Jul 21, 2008
  13. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    If you're going to set it at level 5, wouldn't Comodo Firewall be a better choice? Or at least just as good?

    Thanks
     
  14. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    In regards to the OP, I have only had TF give one false positive that I can think of (been using it since it was CyberHawk) and it wasn't really a false positive. TF alerted me to a program trying to copy itself, which definitely can be a malicious action. In this instance though it was a necessary function of the program LockNote, so in essence a false positive. Other than that though in my experience TF is very low in false positives.
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A- Comodo Firewall Pro (CFP, with Defense+ activated), is just as good as ANY Firewall+HIPS, and better than most.

    1- Defense+ is the HIPS component of CFP. It is a classical HIPS -- fairly dumb, with extremely broad-scope coverage. D+ will demand a LOT of your attention, and ask you many questions (via "alerts") that you may or may not be prepared to answer.

    2- The firewall component of CFP is pretty much "state-of-the-art" in terms of protection, & is incredibly configurable.

    B- Whereas CFP is firewall+HIPS, TF is HIPS only. With advanced rules TF can be set-up to do rudimentary firewall duties, but NEVER to the level of CFP's firewall component.

    1- As to TF versus the HIPS component of CFP -- out of the box, TF (being smarter) seldom pops alerts & therefore demands much much less of your attention than D+. If and only if you answer D+'s many alerts carefully & correctly, in the process of time you MIGHT possibly have SLIGHTLY broader-scope protection than is available from TF.

    2- If you want to bring TF to CFP's level, then you need to add a firewall.

    3- PCTools (the proponent of TF) is also the proponent of a very effective firewall. Thus a combination of PCT's TF+FW is reasonably comparable to CFP. So also is Webroot's Firewall, which includes a HIPS component (Dynamic Security Agent). So also is OnlineArmor, which is HIPS+firewall.

    C- MEANWHILE, back at the topic:

    1- Any HIPS (such as TF or D+) watches what a process is trying to do, & reports "suspicious" actions to you.

    2- There are many "suspicious" actions which are not only common to malware but are sometimes performed by NON-malware/legitimate processes as well. This is especially true for security apps. The behaviors of certain security apps will often cause the behavior monitor/heuristics of a HIPS to pop an alert. That sort of alert is not truly an FP because the security app's behavior, at times, really IS similar to a malware's behavior.

    3- Therefore, when TF (or any HIPS) pops an alert for one of your legitimate apps, do not get all ballistic about FPs. If the HIPS keeps its own whitelist (as do TF, Prevx, Drive Sentry, OnlineArmor, & CFP) then your "safe" app MIGHT be on that list -- in which case the HIPS will not pop-up an alert even though your app's behavior IS suspicious at times. However, if your app has not yet made their whitelist, or if your HIPS has no whitelist, then it isn't an FP -- instead, the HIPS is just doing the job you hired it to do.
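    To make the flow bellgamin describes concrete (blacklist lookup, then whitelist lookup, then a sensitivity-dependent decision on whether to alert the user), here is an added toy model in Python. It is hypothetical example code written for this thread, not ThreatFire's, PC Tools' or Comodo's implementation; the action names, weights, per-level thresholds and the hashes in the demo are all constructed for illustration. It also illustrates the level 3 vs level 5 trade-off from post 12: level 3 accumulates several suspicious actions per process before alerting (more bookkeeping, fewer alerts), while level 5 alerts on any single suspicious action, so a legitimate program copying itself (the LockNote case from post 14) trips an alert at level 5 but not at level 3.

```python
"""Toy behaviour-blocker decision logic (hypothetical, not ThreatFire's code).

Flow modelled: a HIPS observes a process performing an action, checks a
signature blacklist (quarantine, no user involvement), then a vendor whitelist
(allow silently even if the behaviour looks bad), and only for unknown
processes decides whether to raise an alert, based on the sensitivity level.
"""
from collections import defaultdict
from dataclasses import dataclass

# Behaviours common to malware but also performed by legitimate software.
# Weights are constructed for this example.
SUSPICIOUS_ACTIONS = {
    "self_copy": 3,          # program copies its own executable elsewhere
    "write_hosts_file": 3,   # tampers with name resolution
    "set_run_key": 2,        # HKCU\...\Run persistence
    "inject_thread": 4,      # remote thread into another process
    "outbound_connect": 1,   # talks to the network
}

# Per-process suspicion score needed before the user is alerted.
# Level 5 fires on any single suspicious action (threshold 1).
LEVEL_THRESHOLD = {3: 5, 4: 3, 5: 1}


@dataclass
class Verdict:
    action: str            # "allow", "alert" or "quarantine"
    reason: str
    deny_available: bool = False   # whether the alert offers a plain "deny"


class BehaviourMonitor:
    def __init__(self, level, blacklist, whitelist):
        if level not in LEVEL_THRESHOLD:
            raise ValueError(f"unsupported level {level}")
        self.level = level
        self.blacklist = set(blacklist)     # sha256 of known-bad binaries
        self.whitelist = set(whitelist)     # sha256 of vendor-vetted binaries
        self.score = defaultdict(int)       # accumulated suspicion per process

    def observe(self, process, sha256, action):
        """Return the verdict for one observed (process, binary hash, action)."""
        if action not in SUSPICIOUS_ACTIONS:
            return Verdict("allow", f"{process}: {action} is not suspicious")
        # 1. Known bad: signature hit, quarantine without asking the user.
        if sha256 in self.blacklist:
            return Verdict("quarantine", f"{process} matches signature blacklist")
        # 2. Known good: behaviour is suspicious, but the vendor vouches for the
        #    binary, so no alert is raised. This is what keeps FP counts low.
        if sha256 in self.whitelist:
            return Verdict("allow", f"{process} is whitelisted; {action} permitted")
        # 3. Unknown: accumulate suspicion and compare with the level threshold.
        #    Level 3 does the correlation work; level 5 hands it to the user.
        self.score[process] += SUSPICIOUS_ACTIONS[action]
        if self.score[process] >= LEVEL_THRESHOLD[self.level]:
            return Verdict("alert",
                           f"{process}: {action} (score {self.score[process]})",
                           deny_available=True)
        return Verdict("allow",
                       f"{process}: {action} below threshold at level {self.level}")


# Constructed hashes for the demo (not real file hashes).
H_LOCKNOTE = "a1" * 32   # legitimate note-taking app that copies itself
H_FIREFOX = "b2" * 32    # browser, on the vendor whitelist
H_EVIL = "c3" * 32       # sample on the signature blacklist
H_DROPPER = "d4" * 32    # unknown binary showing two suspicious behaviours

DEMO_EVENTS = [
    ("locknote.exe", H_LOCKNOTE, "self_copy"),
    ("firefox.exe", H_FIREFOX, "outbound_connect"),
    ("evil.exe", H_EVIL, "set_run_key"),
    ("dropper.exe", H_DROPPER, "self_copy"),
    ("dropper.exe", H_DROPPER, "set_run_key"),
]


def run_demo(level):
    """Feed the constructed event stream through a monitor at the given level
    and return the list of verdict actions, one per event."""
    monitor = BehaviourMonitor(level, blacklist=[H_EVIL], whitelist=[H_FIREFOX])
    return [monitor.observe(p, h, a).action for p, h, a in DEMO_EVENTS]


if __name__ == "__main__":
    for lvl in (3, 5):
        print(f"level {lvl}: {run_demo(lvl)}")
```

At level 3 the stream yields allow, allow, quarantine, allow, alert: LockNote's single self-copy stays under the threshold, and the dropper is only flagged once it both copies itself and sets a Run key. At level 5 it yields alert, allow, quarantine, alert, alert: the same LockNote event now produces the "false positive" the thread argues about, while the whitelisted browser and the blacklisted sample are handled identically at every level. The point of the model is that the whitelist, not the sensitivity level, is what decides whether a legitimate app's suspicious behaviour ever reaches the user.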
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I'm a fierce hold-out when it comes to this app which used to be CyberHawk!

    I know TF can do better and i also understand that as a behavioral blocker a lot of drawing board or blueprint schematics goes into these just like HIPS, but even more so in this unique structure of TF.

    There's always FPs, even in HIPS btw, but the key from my speculation point of view is in its DRIVERS! When or if they ever perfect those drivers to their maximum potential and address them more constructively, so as not to find posts over and over again about FPs or conflicts, then the job can finally be claimed a huge success, and that does take time, study, and testing in-depth for extended periods of time when constrained with limited lab staff to work it all out.

    In the meantime, it's my guess there will be other issues brought to the forefront and all those need to be passed on to the developers with the necessary details of how to reproduce as well as their observations and measurements of how much it applies demand on CPU Cycles/Memory and the like.

    I always admired greatly CYBERHAWK and if Novatix Team is actively still very involved with this project then it is sure to climb again to total customer satisfaction once again.

    EASTER
     
  17. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I mean, if you're going to use ThreatFire level 5 I think Comodo is a better choice. One thing I find missing in ThreatFire is the ability to just block and not quarantine (I know this has been discussed before). But if you're going to use TF as a "dumb" HIPS then I prefer Comodo as you can just block.

    Thanks
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I concur completely.

    Although I understand TF wants to take a page from AVs as to QUARANTINE, it would be better IMO if it allowed the alerted user to have a feature of BLOCK instead. Others might argue in favor of the other alternative, and at any rate, a QUARANTINE can be restored and placed in a "safe white list" so as not to be pulled again, if I understand it correctly.

    Although I don't use TF myself but opted rather for an older version of CyberHawk for minimal behavioral blocking duties, without all the confusion and add-ons that PC Tools supports, I agree TF has a way to go yet.

    EASTER
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    TF is not "dumb" at level 5. It still uses excellent AI to assess potential threats. And, if it spots a potential threat, it still checks it against the PCT antivirus blacklist AND the ThreatFire whitelist. However, it is true that, at level 5, TF does not check & double check quite as much -- thus the user might encounter a few more FPs than he would encounter if TF were set at level 4 or 3. Kees1958 suggests level 4 as a good compromise.

    As to the "block" option -- The proponents of TF call this the "deny" option. Recent update to TF added the deny function to alerts that are popped-up by user's custom rules (see item 3b at THIS TF forum news post). I must agree, however, that CFP's block is always an option on every alert, whereas SOME of TF's alerts offer the deny option, but many do not.

    BOTTOM LINE- If you are prepared to deal with CFP's long & arduous learning period, then CFP is a teensy bit more powerful than TF + custom rules. But only a "teensy."
     
  20. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    But the description in ThreatFire says "5. Alerts on any suspicious action."? So I assumed the AI would be reduced by a lot.

    Yes, but I was referring to the default protection, which is the one most people use.

    Thanks
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    My Avira AntiVir Premium 6-month trial just ran out yesterday (I did manage to renew it 2 times previously) and I thus uninstalled it and installed AntiVir free back.

    Would TF antivirus part conflict with Avira?
    I have been thinking of installing TF to cover missing antispyware/antimalware protection in the free AntiVir. Would TF be a good addition?

    It should also not conflict with Sandboxie and ProcessGuard free and Kerio 2.1.5 firewall. My system is XP Pro (Service Pack 3).

    I know that I had some conflicts in the past with Sandboxie, SSM free and one of the first versions of CyberHawk.

    Jarmo

    EDIT
    TF should also uninstall cleanly if there are some conflicts when I try it.
     
  22. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    From what I've been reading and a bit of testing, ThreatFire is an overall good addition to any AV (Avira in your case). As far as I know, it doesn't conflict with Sandboxie, though I'm not sure about PG and Kerio.
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Conflicts between two antivirus programs normally ensue ONLY when both of them are scanning in real-time. This will not occur when using TF. The antivirus module of TF does not scan real-time, but is only used by TF itself to "on-demand" look-up possible threats to see whether or not they are blacklisted.

    There should be no conflict between TF & SBIE or good old Kerio 2.1.5.

    As to Process Guard (PG), I do not run that ancient HIPS so I don't know whether it will conflict with TF or not. There is always a possibility of conflict between two deep-digging HIPS applications such as PG & TF so... good luck. However, TF plays nicely with such HIPS as SSM & Defense+ so it probably will be okay.

    Jarmo, I strongly recommend that you make an image of your system drive before testing ANY security application. If you do not image, it is 99% certain that eventually you will come to grief when trying/using multiple security apps.

    Absolutely positively THE best uninstall is to restore a previous image.

    If you don't have an imaging program, I recommend you get one. An imaging program IMO is absolutely THE BEST security program available. If you decide to get one, and want recommendations, I suggest you start a thread on that topic. There are many choices, free & non-free. As to a freebie (to get you started on your search) I have heard mostly good things about DriveImage XML.

    Personally, I use Image for DOS. It's not free, however.
    ~~~~~~~~~~~~~~~~~~~~~~

    P.S. I am not responsible for any problems that may result from following my advice. This includes, but is not limited to, computer failure, erectile dysfunction, PMS, the heartbreak of psoriasis, or your daughter running off with a biker gang. Follow my suggestions at your own risk. :cool:
     
    Last edited: Jul 24, 2008
  24. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Ty bellgamin. Getting rid of Prevx2 was a bit of a nightmare. I don't have any disk imaging software, so it was just an idea to add TF, knowing too well that it might cause some troubles with my current setup.

    Mostly, as a safe user, I am content with running my browser inside Sandboxie and with a limited user account. And TF is a HIPS, as is PG, so I think I will stay with that well-behaving ancient one. :p

    There is nice software like Process Explorer to see what my system runs.
    I have also installed SuperAntiSpyware free, but that of course has no real-time protection; it is able to scan any file I am about to install, which are very few.

    So, even if Avira AntiVir Personal is lacking in some ways, I am not going to install some software that might cripple my system.

    Jarmo
     