check this out new hips system

Melih, check this out and give me your feedback: http://www.threatfire.com/ and
http://www.threatfire.com/faqs/

It's not new, Patrice. It was CyberHawk, recently acquired and renamed by PC Tools, an ambitious security company.

It's a famous behavior blocker, a complement to your anti-malware apps. It can slow down your PC, and the anti-rootkit is not so good.

With CPF3 (+CAVS) you don't need it.

I like it; it doesn't have a drain (for me), as said before. It's great because it doesn't require as much intervention as Defense+ does (not complaining ;))

Well, according to Melih, Defense+ has the same things as ThreatFire, only with more advanced intelligence…

Greetings!

First of all, ThreatFire is not a HIPS; it's a behaviour blocker. ThreatFire blocks applications based on their actions, so non-malware might get blocked.
Defense+ uses malware heuristic analysis, and if the .exe is doing something that might be considered malicious, it'll warn the user.

Cheers,
Ragwing

So does ThreatFire. After ThreatFire runs through its thing, if it still doesn't know what it is, ThreatFire will ask the user, as CPF3 does.

A line that is maintained by some people, so I’m not surprised that you say this… But the next bit puzzles me.

ThreatFire blocks applications based on their actions, so non-malware might get blocked. Defense+ uses malware heuristic analysis, and if the .exe is doing something that might be considered malicious, it'll warn the user.

TF blocks applications based on their actions; that is correct (probably they analyze bits of the code as well… but that's a nitpick).

You say Defense+ is different.

But how is "blocking applications based on their actions" different from "if the .exe is doing something that might be considered malicious, it will warn the user"?

How does Defense+ know the .exe is doing something that might be considered malicious?

Fact is, there are only two ways to tell if something is bad: either you analyze the code, which can be done before it is executed, or you run the code and then watch what it does*.

Are you maintaining that Defense+ is scanning the code using heuristics, like antiviruses do? I have seen people argue over every possible interpretation of the definition of HIPS, but this would be the first time I've seen someone claim that code-based heuristics is HIPS…

*Another way would be to do emulation, virtualization, sandboxing (all three are different), but the point here is to “run” the code safely.

I don't know how TF works; however, the way Defense+ works is by first blocking, then analysing to give you information… this is why you have 3 levels (colours) of threat, where red is very suspicious…

Melih

Actually, I didn't mean that Defense+ was different; what I meant was that it has a similar feature to TF.

Yes, of course there are many ways to define the word HIPS, but I've never said that heuristic scanning is HIPS; I said it's not.

Cheers,
Ragwing

Well, of course you could decide that, say, any attempt to install a driver is automatically a "high" alert, as compared to an unknown process starting, which would be a "low" alert. Unfortunately this would still be analyzing singular behavior… And my experience is that in 99% of cases that is exactly what Defense+ is doing*, and I can predict beforehand what Defense+ will alert on.

TF and company take into account other characteristics, like whether the process is invisible, whether it is packed, etc…

* That said, occasionally I get a different "heuristic kind of alert", which would probably be the only component I consider that makes it TF-like.
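To make the distinction drawn in the post above concrete (rating each action on its own versus scoring several characteristics of the process together), here is an added Python illustration. It is not Defense+ or ThreatFire code; the event names, severity table, weights, thresholds and the three process records are all invented for the example, and it generalises the post's single driver-install case to a handful of event types.

```python
"""Two ways a behaviour-based blocker can decide how loud an alert should be.

Added illustration, not code from Defense+ or ThreatFire. The rule table,
the point weights, the thresholds and the sample process records are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LOW, MEDIUM, HIGH = "low", "medium", "high"   # three alert levels (assumed names)
_ORDER = {LOW: 0, MEDIUM: 1, HIGH: 2}

# 1) Action-only rating: every event carries a fixed severity, independent of
#    anything else known about the process.  Table contents are assumptions.
SINGLE_EVENT_SEVERITY = {
    "process_start": LOW,
    "open_outbound_socket": LOW,
    "write_autorun_key": MEDIUM,
    "hook_keyboard": MEDIUM,
    "install_driver": HIGH,
    "inject_remote_thread": HIGH,
}

# 2) Combined scoring: actions earn points, static characteristics add more,
#    and a bonus applies when several suspicious facts co-occur.  Assumed weights.
EVENT_POINTS = {
    "process_start": 0,
    "open_outbound_socket": 1,
    "write_autorun_key": 2,
    "hook_keyboard": 2,
    "install_driver": 4,
    "inject_remote_thread": 4,
}
PERSISTENCE_OR_CONTROL = {"write_autorun_key", "hook_keyboard",
                          "install_driver", "inject_remote_thread"}


@dataclass
class ProcessRecord:
    name: str
    packed: bool        # image looks packed (e.g. high-entropy sections); assumed attribute
    has_window: bool    # False = "invisible" process with no visible window
    signed: bool        # image carries a valid code signature
    events: List[str] = field(default_factory=list)


def rate_single_event(event: str) -> str:
    """Severity a purely action-based rule assigns to one event."""
    return SINGLE_EVENT_SEVERITY.get(event, LOW)


def rate_by_actions_only(proc: ProcessRecord) -> str:
    """Worst per-event severity seen; packing, visibility and signing are ignored.
    Because each event maps to a fixed level, the outcome is predictable in advance."""
    return max((rate_single_event(e) for e in proc.events), key=_ORDER.get, default=LOW)


def score_process(proc: ProcessRecord) -> int:
    """Points from actions plus points from static characteristics of the process."""
    score = sum(EVENT_POINTS.get(e, 0) for e in proc.events)
    score += 2 if proc.packed else 0
    score += 1 if not proc.has_window else 0
    score += 1 if not proc.signed else 0
    # Correlation bonus: a packed, windowless process that also persists or
    # takes control of input/other processes is worse than the sum of its parts.
    if proc.packed and not proc.has_window and PERSISTENCE_OR_CONTROL & set(proc.events):
        score += 3
    return score


def rate_by_score(proc: ProcessRecord) -> str:
    """Map the combined score onto the same three levels (assumed thresholds)."""
    s = score_process(proc)
    return HIGH if s >= 8 else MEDIUM if s >= 4 else LOW


def compare(proc: ProcessRecord) -> Tuple[str, str]:
    """(action-only level, combined-score level) for one process."""
    return rate_by_actions_only(proc), rate_by_score(proc)


# Constructed sample records (not real telemetry).
KEYLOGGER_LIKE = ProcessRecord("svchost32.exe", packed=True, has_window=False, signed=False,
                               events=["process_start", "hook_keyboard",
                                       "open_outbound_socket", "write_autorun_key"])
SIGNED_UPDATER = ProcessRecord("updater.exe", packed=False, has_window=True, signed=True,
                               events=["process_start", "open_outbound_socket",
                                       "write_autorun_key"])
SIGNED_INSTALLER = ProcessRecord("setup.exe", packed=False, has_window=True, signed=True,
                                 events=["process_start", "install_driver"])

if __name__ == "__main__":
    for p in (KEYLOGGER_LIKE, SIGNED_UPDATER, SIGNED_INSTALLER):
        print(f"{p.name:14} actions-only={compare(p)[0]:6} combined={compare(p)[1]:6} "
              f"score={score_process(p)}")
```

The action-only rater gives the keylogger-like process and the signed updater the same "medium" verdict because both touch an autorun key, and it rates the signed driver installer "high" on the single driver event. The combined scorer separates them: the packed, windowless, unsigned process that hooks the keyboard climbs to "high", the updater drops to "low", and the installer lands in the middle. That is the whole difference the post is pointing at, not a claim about how either product is actually implemented.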

Hmm, you say ThreatFire is not HIPS. And you say Defense+ is the same as TF.

So you're saying Defense+ isn't HIPS?

While Melih has recently been touting behavior analysis (a fairly new development), I'm pretty sure he considers Defense+ HIPS…

Yes, of course there are many ways to define the word HIPS, but I've never said that heuristic scanning is HIPS; I said it's not.

Don't worry, even if you did, you are in good company (Gartner uses a broad definition of HIPS, including firewalls, standard AVs, etc.).

I think you misunderstood it again… I said that TF is not a HIPS. I never said that Defense+ is the same as TF; I said it has a similar feature that scans for malicious behaviour. And one single feature doesn't cover the whole software.

Cheers,
Ragwing