ASCII (since Mar 01, 2009, 32 posts)
Posted: Fri Sep 25, 2009 6:07 am, subject: ThreatFire 3 (imported from alt.comp.virus)
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Fri Sep 25, 2009 4:46 pm, subject: Re: ThreatFire 3
ASCII wrote:
> I noticed ThreatFire is now up to v4.6 as of yesterday.
> Does anyone here use it and to what success?
Can conflict with the operation of web shields or guards (monitor your
web traffic to look for malicious content) in some anti-virus software
which can cause long or permanent hangups of your host. It is a HIPS
(Host Intrusion Protection System) product which some firewalls now
include. You'll get prompted as to whether or not to allow a process to
have an Internet connection or to make changes to your OS or web
browser. I don't recall if it goes so far as to also query if you even
want to allow a program to load (i.e., force a whitelist of allowed
processes).
I'm not a fan of PC Tools' products. This one is okay and it might work
with your current suite of security software (presuming you have one).
ASCII (since Mar 01, 2009, 32 posts)
Posted: Sat Sep 26, 2009 7:37 am, subject: Re: ThreatFire 3
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Sat Sep 26, 2009 10:42 pm, subject: Re: ThreatFire 3
ASCII wrote:
> VanguardLH wrote:
>>
>>I'm not a fan of PC Tools' products. This one is okay and it might work
>>with your current suite of security software (presuming you have one).
>
> During the installation process it scans for the existence of a firewall
> and AV as well as something else and displays no FW in my case even with
> the native Windows IDS enabled. Maybe it's looking for an aftermarket
> product? I'm not likely to install it outside the evaluation sandbox as
> I rarely come close to unsafe hex in the real world. It just sounded
> like they have an intriguing spiel, reminiscent of the old 'invircible'
> days, and was wondering if behavior monitors had really come of age.
> Oh, and my security suite...
> mostly a collection of related software in an archive folder, but
> nothing active (real time on-access) on board here.
More likely is that Threatfire will simply disable the Windows Firewall.
If you install programs under an admin account, and because the
installer then can make registry changes, it can just disable the
Windows Firewall. 3rd party firewalls like Online Armor and Comodo
protect themselves against termination.
Because of its HIPS function, it acts like a firewall. You have to make
rules as to whether or not a process can make a network connection. I
don't remember if it provides any inbound (unsolicited) attempts to
connect to your host and, as I recall, it doesn't replace a full-fledged
3rd party firewall (but it is a very good choice - barring conflicts
with other software - to replace the Windows Firewall).
If the choice (limited in this example) is between installing Windows
Defender or Threatfire, I'd go with Threatfire (again, barring any conflicts).
As I recall, I got a lot more control with Threatfire than with Windows
Firewall. Alas, my last trial was over half a year ago and it
became evident it conflicted with Avast on my host (and I won't use
Avira because of a 3-year-old bug regarding its constant 1-minute
polling of removable drives that shows up on some hosts, including
mine: if a program merely sensed the device type, Avira perceived that as
an access to its media, so once you used the other program to
detect what devices you had, or ran anything that polled SMART data,
Avira would start 1-minute polls of that device).
Toxic (since Sep 27, 2009, 3 posts)
Posted: Sun Sep 27, 2009 2:10 am, subject: Re: ThreatFire 3
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Sun Sep 27, 2009 9:18 am, subject: Re: ThreatFire 3
Toxic wrote:
> VanguardLH wrote:
>
>> You'll get prompted as to whether or not to allow a process to have an
>> Internet connection or to make changes to your OS or web browser.
>
> I suppose there might be circumstances where someone might wish for this
> activity, certainly not on this system however. It sounds like an
> elaborate way of saying no to things that are routinely denied.
If you don't use a security product that pends the changes and asks you
for your permission, just WHEN would there ever be a way to "routinely
deny" anything? If you're not using a security product, how could
anything be "routinely" denied since you'll never get prompted and the
action is allowed every time? Like Online Armor and Comodo's firewall
with their HIPS functionality, Threatfire also provides a whitelist of
known good apps. You can leave all these products configured to use the
whitelist to reduce their prompting, or you can configure them to give
YOU more control. Personally, just because a program isn't classed as
malware doesn't mean that I want to give it carte blanche access to the
Internet.
I want to know and I want to decide if a program gets access or not.
"Good" doesn't mean (to me) that a program gets to do whatever its
developer wanted. But, again, you get to configure these HIPS-enabled
products to be more silent or more vocal. Yes, you can let
someone else make your decisions and go along fat, dumb, and happy
hoping what's happening in silence is what you really want to happen.
These programs give you choice over being smart and nuisanced (for a
short time) or blissfully ignorant and not nuisanced.
ASCII (since Mar 01, 2009, 32 posts)
Posted: Sun Sep 27, 2009 1:06 pm, subject: Re: ThreatFire 3
This message is not archived.

Toxic (since Sep 27, 2009, 3 posts)
Posted: Sun Sep 27, 2009 6:10 pm, subject: Re: ThreatFire 3
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Mon Sep 28, 2009 2:40 am, subject: Re: ThreatFire 3
ASCII wrote:
> VanguardLH wrote:
>
>> If you don't use a security product that pends the changes and asks
>> you for your permission, just WHEN would there ever be a way to
>> "routinely deny" anything?
>
> "WHEN"? In the initial configuration of your system! In my case, and
> I think that applies to the other guy 'Toxic' as well, I have my
> system configured to avoid what I deem unwanted behavior.
Since the topic of this thread is Threatfire, the discussion
concerns its use on Windows. WHICH operating system do you use? And
what is this unidentified "configuration" that fully protects your
instance of Windows, that doesn't require 3rd party software and relies
completely on what came with Windows?
> By not having just anything receive authorization. My box doesn't
> automatically click at every opportunity, however few still exist.
Whose box "automatically clicks"? And how do you EXACTLY not grant
authorization and for what authorization?
>> These programs give you choice over being smart and nuisanced (for a
>> short time) or blissfully ignorant and not nuisanced.
>
> Third choice is to do neither and nuisance yourself to do an initial
> config correctly.
Which you have yet to explain: just what is this magical configuration,
using only the features available within Windows, that gives you
invincibility against ALL vectors of attack (and not just through your
web browser)?
ASCII (since Mar 01, 2009, 32 posts)
Posted: Mon Sep 28, 2009 2:40 am, subject: Re: ThreatFire 3
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Mon Sep 28, 2009 3:18 am, subject: Re: ThreatFire 3
ASCII wrote:
> VanguardLH wrote:
>>WHICH operating system do you use?
>
> XP home w/SP3
> Well configured I might add.
>
> Your tone seems to have degenerated from here on
> so I'll just ignore the rest.
Not a surprise that you chose not to reveal your configuration of
Windows that gives you "superior" protection.
ASCII (since Mar 01, 2009, 32 posts)
Posted: Mon Sep 28, 2009 3:18 am, subject: Re: ThreatFire 3
This message is not archived.

Toxic (since Sep 27, 2009, 3 posts)
Posted: Mon Sep 28, 2009 4:10 am, subject: Re: ThreatFire 3
This message is not archived.

VanguardLH (since Feb 12, 2009, 19 posts)
Posted: Mon Sep 28, 2009 12:23 pm, subject: Re: ThreatFire 3
ASCII wrote:
> VanguardLH wrote:
>>ASCII wrote:
>>
>>> VanguardLH wrote:
>>>>WHICH operating system do you use?
>>>
>>> XP home w/SP3
>>> Well configured I might add.
>>>
>>> your tone seems to have degenerated from here on
>>> so I'll just ignore the rest
>>
>>Not a surprise that you chose not to reveal your configuration of
>>Windows that gives you "superior" protection.
>
> Not much different than an out-of-the-box config: just shut down some
> unneeded processes, closed some ports, etc., enabled the FW without
> exceptions. I don't use Internet Explorer nor Outlook Express either.
> No magic nor wizardry, and I certainly don't need any anti-malware.
> Back to the topic - TF seems like it could have some benefit to some
> users that fall into the class that I call 'happy clickers', and I sense
> there's quite a bunch of them that pass this way from time to time.
> Are you sure you haven't gotten caught up in some of the hysteria
> fomented by AV vendors that would have people think they can't get by
> without their product?
Actually Threatfire and other HIPS-enabled security programs are
convenient for training the "good" programs. As I said, just because a
program isn't malware doesn't mean it should get access to the network
or even load unless I authorize it. I don't want to waste the long time
and major effort on generating a whitelist of allowed applications that
can even run. I don't want to waste the time monitoring each one at the
system API level to determine how they call other processes to do their
bidding. I'd rather have a dynamic monitor, like HIPS, that tells me
when a program wants to load or if it is being called as a child process
of another already-allowed process.
The same goes for network access. I may choose to install some software
but that doesn't mean I want to give it carte blanche access to the
network and especially to the Internet. Even if I choose to let it
phone home, I want to know first that it wants to do this, why, when,
and where.
You cannot get control of what loads into memory (to run) in Windows unless
you generate a big list of software restriction policies (SRPs).
However, that only regulates the programs that can load and not which
programs can load other programs, like a program calling the web browser
to connect to the program's home site. Windows Firewall gives you no
control over what processes are allowed outbound connections (only which
ones may want to establish a listening port). Many programs you obtain
to install on your host come from unknown sources. Even well-known
sources are still untrusted unless the software has first been trialed
inside a virtual machine (very good isolation but not perfect and some
malware remains quiescent inside a VM or sandbox) or on an isolated test
host (without security software since malware can detect its presence
and also remain dormant). Windows alone is not a useful software
product. It is just the OS (with a lot of fluff but then every OS these
days comes with lots of non-OS fluff). You need to install apps.
Regardless of the source, whether on a CD or from online, are you really
going to trust that software from somewhere else with behaviors that are
unknown to you?
Even with some level of security software on your host, you still need a
way to back out of a software install should you decide that, even if it is
not malware, it has behaviors that you don't want and don't want to
exercise control over (or the product fails if controlled).
Uninstallers and image backups let you get rid of the software that you
thought you wanted but that didn't behave within your restrictions.
Security isn't just about keeping out the baddies due to a lapse in your
personal choices (and even the most diligent users make mistakes). It's
also about controlling the stuff you *choose* to install on your host.
Users may get some documentation but it is hardly at the level of the
Functional Spec or Design Spec available to the developer's QA
department to understand fully what a product's behaviors are.
To be honest, I've given up on many security products and have
simplified my system. I don't use any HIPS products (other than SRPs to
keep a couple of ancillary programs from running for programs that I have
chosen to install) but I keep that list very small so it is easily
recognizable what restrictions I have, and they are manageable. I
test unknown software inside a VM (without and with anti-virus and other
security software) while monitoring its behaviors with Process Explorer
and HIPS programs to let me see what is calling what. When I decide to
let it loose on my real host, I monitor its installation (to allow
complete uninstallation) but do an image backup beforehand so I can back
out to the prior state of my host with an uninstall or reimage. Even
after using the VM, I still monitor the behaviors of the new software by
using Process Explorer, FileMon, RegMon, network sniffer and router log,
and other monitors to see that it doesn't do anything sneaky (despite
its author thinking it is okay). Even what I do isn't a complete
battery of safety testing but simply sufficient for a comfort level that
I will permit the software to run on my host. I do NOT expect normal
users to go through all this safety testing hence the usefulness of
anti-virus, anti-malware, 3rd party firewall, HIPS, and other security
products.
I never even considered the "happy clicking" user scenario when
commenting on security software for those interested in it. Those happy
clickers often don't employ any security software other than what comes
in Windows but they don't even know what comes in Windows or how to
properly use it. You'd be preaching to the wrong crowd. They don't
care. However, anyone that claims they need no safety net to catch
their mistakes during a lapse in safety protocol is pretending they are
God and make no mistakes. Those aren't the types that are helpful to
common users, either. I've worked in hardware and software QA for 30
years. I have yet to see anyone at any level of expert proficiency in
computers not make a doofus mistake. Without a planned escape route or
safety net, they end up flattening and rebuilding (and then explaining
their loss in time and not making their schedule because of wasting time
correcting their mistake). It happens. It will happen to you, too.