PC Tools Threatfire

Luke Sighs

I personally wouldn’t comment on products I haven’t used before. But that’s just me.

I used TF to test it out. Honestly I think it is quite useless if you have an antivirus and antispyware.

Well, honestly I think most security software is quite useless if you know what you are doing.

Except for an antivirus, it really makes life easier.

sigh ;D

Thx for the explanation. I’m not a security guru, I’m a security ninja (:TNG)

@ luketan or infosec,
I don’t think using Defense+ is difficult. It has training mode & clean PC mode.
And what about their ability to catch malware/malicious attacks? You guys, how do they compare to each other?
(noob explanation please ;D )

Oh D+ is very powerful. However most users won’t like the interaction needed, hence TF is a more probable choice for people that want quieter protection.

OK, thx.
So besides the “comfort” issue, Defense+ is better than ThreatFire. (B)

Uh huh? And uh, what’s that actually? (:TNG)

Yes, TF has a magic wand.
If some process behavior does not match TF’s detection criteria, TF will fail to catch the malware, or some part of the malware will be able to get past TF; that is not the case with CFP…

Well, actually, I hate to point out that that is exactly the case with CPF as well!

If some of the process behavior does not match CPF’s (admittedly numerous) warning criteria, CPF will fail to warn about it.

The only way for this statement not to apply to CPF would be for it to warn of EVERYTHING that happens, so its criteria are literally everything that can happen…

Also see this post by one of your Comodo heroes…

"For those already using Comodo Firewall 3, here are some reasons to also use ThreatFire:

a) ThreatFire can protect you if you misconfigure Comodo Firewall to be too permissive. The downside to having a lot of choices is that you can make the wrong choices.
b) If you temporarily disable Defense+, as I do when installing Windows Updates, you might forget to turn it back on, since the tray icon doesn’t change its appearance. ThreatFire is still there if Defense+ is off.
c) If you use ‘Installer or updater’ mode on an installer program that is malicious, ThreatFire is there for you.
d) If a malicious program takes down Comodo Firewall but not ThreatFire, ThreatFire is there for you.
e) ThreatFire’s advanced rules allow some rules you can’t specify in Comodo Firewall.
f) If rogue code from a buffer overflow exploit is executing within a process, ThreatFire may spot the bad behavior the rogue code performs. For example, if the rogue code from a buffer overflow exploit in your media player is keylogging code, and if Defense+ trains for the media player, then Defense+ will train to allow low-level keyboard access for the media player, but ThreatFire might warn of the keylogging. Note that if the rogue code does things such as download a file, or start another process, then Comodo Firewall may alert you also, depending on the Defense+ security policy for the given program.
g) If you’re not using full Defense+, then you’re not using a full HIPS anyway, and thus ThreatFire is even more important to use, to monitor the things that are turned off in Defense+ in anti-leak mode.
h) ThreatFire can detect some buffer overflows. Comodo Firewall cannot currently. Comodo does have a separate free product called Comodo Memory Firewall designed to handle buffer overflows.
i) When device drivers are being loaded, Comodo Firewall will in some cases give an alert about accessing the service control manager. Unfortunately, this same alert often appears for reasons other than loading a driver. ThreatFire, on the other hand, clearly alerts that a driver is about to be loaded.
j) ThreatFire can warn if a process is about to be hidden, indicating possible rootkit activity. Comodo Firewall cannot do this.
k) ThreatFire can warn if exact copies of an executable file, possibly with a different name, are being made in the file system. This is a possible sign of a virus. Comodo Firewall can warn about executables being created, modified, and deleted in general, but no special mention is made that an exact copy is being created.
l) If Comodo Firewall has bugs that prevent full defense, ThreatFire is still there for you.
m) ThreatFire can warn about a process sending email. Comodo Firewall includes the port used, but the user could fail to notice it’s email-related if not looking closely or not knowledgeable enough to know. Also, the user in Comodo Firewall may have given general Internet access permission upon first Internet access by the process, and therefore not know that the process is sending emails."

The main problem with TF is how it alerts the user, and what information it provides.

I had false positives when trying TF, and besides the non-existent real information, I just allowed it, since it was a program I knew.

Taking into account some advanced attack on, say, a browser (browser is compromised with some addon, … whatever), TF could perhaps detect a bad behavior from the browser and warn (let’s say it does). What do you do, besides allowing it? (“it’s Internet Explorer so it’s safe”)
Another scenario is a standalone malware executable (pretty much all you find), and TF detects it. The user still has to figure out if it’s a FP. If it’s remote code execution, execution blocking is way better.

CFP has a feature not being used in full, which is the predefined policies. It should have built in policies specific for each major browser, IM, etc., and not just the generic ‘web browser’ …
Still, the foundation is built, now it needs the rest of the walls and roof.

I think TF is very good, but I also think it has to improve the alert. Maybe it changed for the better in the last versions, I don’t know. Perhaps you can provide a screenshot, like 1 FP and 1 real malware alert.

Main conclusion: TF isn’t the magic bullet either. It’s a most interesting approach indeed, along with Prevx (which also provides execution blocking, better information in the GUI imo, etc.).

I always marvel at the double standards when it comes to HIPS like D+ versus other software.

Defense+ and similar products can throw up as many prompts as they please on perfectly innocent and harmless actions and people like you don’t get angry about inconvenience.

But let something like an antivirus throw out an occasional unnecessary prompt, and the same person will start to whine about false positives. (:WAV)

Taking into account some advanced attack on, say, a browser (browser is compromised with some addon, .. whatever), TF could perhaps detect a bad behavior from the browser and warn (lets say it does). What do you do, besides allowing it? ("it's Internet Explorer so it's safe")

If one reasons like that, D+ would be useless as well. The very same person would put IE into the trusted programs or allow everything associated with the browser… In fact, because D+ warns so much about everything that IE does, it is even more likely for that to occur…

In fact, because TF does not warn about everything IE does, the user should indeed place attention when TF whines about IE…

Another scenario is a standalone malware executable (pretty much all you find), and TF detects it. The user still has to figure out if it's a FP. If it's remote code execution, execution blocking is way better.

Again you fail to see that using Defense+ has the same if not worse problem. With TF not all new executables will trigger an alarm, and you focus only on those that do trigger an alarm. With D+, EVERY executable will trigger some prompt (and some very cryptic ones indeed)!! When your security program triggers on almost everything, what’s the point?

Main conclusion: TF isn't the magic bullet either. It's a most interesting approach indeed, along with Prevx (which also provides execution blocking, better information in the GUI imo, etc.).

No one is saying TF is a magic bullet. Just that TF indeed has its merits and it isn’t necessarily inferior to Defense+.

Your problem is that you basically want TF to be Defense+. TF has some capability of doing so through custom advanced rules, but it really isn’t meant for that.

Prevx has the same problems. It can’t really make up its mind if it wants to be D+-like or TF-like, though it seems to be more TF.

In fact the original Prevx went down Defense+’s road (or rather vice versa, given that D+ came much later), but they decided to change this after analysing user behavior on prompts and finding that most users decided wrongly when answering them…

(:WAV)
Who said anything about whining? Who mentioned AVs? Why do you assume I’m defending Defense+?
Can you comment on what i said about TF, or are you just going to throw sand?

Yes, the user should pay attention to it. But what I’m saying, and you’re ignoring, is: what information does TF provide? …

No, you’re failing to see that TF will have its misses regarding remote code execution, and execution blocking solutions will not miss 1. I assume binary execution, which is the majority of threats, and it’s what TF analyses.

It does indeed have merits. I do think it’s a most interesting approach, and proving to be quite effective at flagging malware (though, again, it needs to provide better information in order to be usable for the intended audience).

Nope, that’s not my problem. I never said that.
Are you Lusher btw?

It can’t make up its mind if it wants to be like D+ or TF? You’re not being serious, so I’ll just giggle.

What false positives? Maybe CFP can simulate nonexistent behavior?
BTW, what are TF’s merits? With CFP you can enable/disable almost everything (you can be prompted about everything or nothing if you decide to).

I see that some features of TF look very interesting.

I hope that when CFP is going to be enhanced there will still be a chance to make it work like it does now.

I don’t mind if there is a product that is able to show fewer prompts, which is good of course, but I do really like a product that is able to trap a huge amount of behaviours and that can be customized at will.

There are definitely behaviours that can confirm or raise a suspicion about an ongoing infection, so catching them will only prove a positive outcome, but I also prefer to trap seemingly legit behaviours as well.

Even a legit app can be used to cause harm, but even if a legit app is not misused, IMHO it would still be a good thing to have a tool to enforce/limit a specific behaviour.

In the end, malware is software too, and while we all agree to consider it as bad-behaving apps, we may disagree on whether a legit app should be able to take specific actions.

I just saw a thread on Wilders about PCMag’s review.
Looking at the screenshot, I’d say TF has indeed enhanced the alerts, and I’m seeing valid information displayed. I wonder how consistent the alerts are in the information they give?

Nevertheless, it is improving, no doubt. I think I’m going to let it fly on the VM. :)

Yes, from what PC Mag has stated, the new 3.5 version has even improved its malware detection.

You saying you aren’t?

No, you're failing to see that TF will have its misses regarding remote code execution, and execution blocking solutions will not miss 1. I assume binary execution, which is the majority of threats, and it's what TF analyses.

I’m not missing anything. There is a tradeoff, obviously. People here like to tout the virtues of flagging everything without realizing the cost.

How do you create an antivirus that detects everything? Simple, flag every file. 100% detection but FP galore.

A real antivirus, of course, tries to figure out what is actually malicious based on signatures, but will miss some.

How does this example relate to Defense+ versus TF?

Defense+ (at least the execution startup) is more like the AV that flags every file, while TF is the selective one.

People like to say D+ is 100% because it flags everything, but what about the costs?

Every time you get an unnecessary prompt, that is a false positive.