Status
Not open for further replies.

LaserWraith

New Member
Fireball for ThreatFire

ThreatFire is a behavior-based threat detection system from PC Tools. At least, that is what is claimed.

I paid attention to it only because of the numerous bugs and incompatibilities it produces with any third-party software (especially antirootkits).
And I was looking for a key to solve this. Just as so-called Fake AV (mostly scareware) co-exists with AV products, some sort of this must obviously exist in the HIPS space too.
ThreatFire is a perfect example of FakeHIPS. And not only that.
Continue reading (Recommended)


Screenshot in case the post is changed or removed: http://tinypic.com/m/e7xgna/1
 

bogdan

New Member
Yes, I saw that article (it was posted on rM too). Without the info on how it should be done, the post looks like a rant against all HIPS products. The author seems to disprove the fact that they need to inject their own custom monitoring DLL into all running processes, which potentially may affect overall system performance and stability. Nevertheless, he also created a tool that can bypass TF's protection and disable TF completely. So all that hooking, aside from affecting system performance, seems to be inefficient in the case of ThreatFire.

He also mentions that the instability of TF determined him to start this experiment.

I used TF some time ago and in my own experience it was a bit buggy. After a long time they've released a new version (4.7.0.48), but when I installed it, it proved to be incompatible with sandboxie. I reported this to sandboxie and tzuk said that it will be fixed in 3.53.01. Currently the 3.53 version of sandboxie is in beta. At that time I wasn't able to register on TF's forum to report this problem (the registration email never got to me).

Note that a tool created especially to kill a security app has nothing to do with real malware.

On the same forum they posted a tool that can bypass PrevX self protection.
 

bogdan

New Member
TF as behavior blocker might be easier to use, but Comodo made HIPS much more usable with D+ and the auto-sandbox. Still a pop-up with Allow/Deny that displays just once for an application is easier.
 