Tuesday, 7 September 2010

Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

Introduction
Gone are the days when a virus was a virus and everything else was, well, different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this decision, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.
Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV-Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear-cut measurement is possible for HIPS software, and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”).
Review Criteria
My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned, and I will be updating information about my component set-up on this page. I have also used third-party data collected from sources I know to be reliable, such as other forums where I have known some of the posters for several years. In reality no one can duplicate the exact system you use, and the software reviewed may behave quite differently from one PC to another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.
Discussion

PC Tools ThreatFire, a bit like Norton, has seen its ups and downs in recent times but, just like Norton, has now bounced back to the top of the pile. The latest version has an improved rootkit scanner with options for either an “intelli” scan or a full scan. The program also seems far less prone to causing system problems than previous versions, which in my opinion now makes ThreatFire far more suitable for average users. No doubt the involvement of Symantec with PC Tools has helped with this development, as has the need to integrate component parts from ThreatFire into the PC Tools Internet Security suite. The end result has been to make ThreatFire not only more capable than it was but also more stable.
With signature-based scanners becoming less effective against new threats, programs like ThreatFire have an increasing role to play in PC security. This has also been recognized by commercial vendors like F-Secure (DeepGuard) and Emsisoft (Mamutu), who have been using this technology for some time. Like these other programs, ThreatFire constantly monitors your system for behavior typical of malware, such as capturing your keystrokes. When used together with a traditional real-time antivirus and a good firewall, ThreatFire provides the often missing link of behavior-based detection. ThreatFire also contains a highly effective system activity monitor which will display your autoruns in addition to other useful information. The other tab on the advanced settings, though, is only for truly experienced users with a high degree of Windows system knowledge. Creating advanced rules with ThreatFire can render your system unusable unless you know exactly what you are doing. In the hands of experienced users, though, this facility is a formidable tool.
Be aware that automatic updates are not provided with the free version if you elect to “opt out” of the ThreatFire Community. The paid version does offer this option plus other flexibility, permissions for commercial use and telephone support.
*Windows 2000 users please note that you need V4.1 of ThreatFire. See footnote 3 and other useful information, including the download link, on this page.

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint-hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection, should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer, but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might by then be empty!

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe, then, this is the right time to revisit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.
WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware-generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners, which are heavily reliant on updates.
WinPatrol will alert you to new program activations as well, and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.
The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:
http://billpstudios.blogspot.com/
Softpedia review link (2007)
http://www.softpedia.com/reviews/windows/WinPatrol-Review-62232.shtml

Spyware Terminator seems to have been around for almost as long as I have, and some might argue it's about as much use too! That said, if you witnessed the decline of this software a couple of years ago you might now be surprised by its rejuvenated format. I'm not going to pretend that the spyware detection rates are that good, because they're not, but the HIPS component is. Added to that is the option to integrate the ClamAV antivirus shield and Web Security Guard. An adware toolbar (Web Security Guard Toolbar) is included, but you can un-check this at installation. There is a choice of two proficiency levels for the default install (basic and advanced), which then sets the rules and notification levels (number of popups) accordingly.
No fewer than ten real-time shields are provided for system protection, and each one can be enabled separately. An install mode is included for use when adding new software, and there's a separate cookie scanner. Other features include locked file removal, file analysis, browser restoration and even a system restore function. New as of version 2.6.7 is an anti-phishing component to help keep you safe online. This includes a facility to whitelist your favorite safe sites, which Spyware Terminator will then ignore. See the full details here. There are several scan options, including customized and context menu scanning. The updates are compressed to minimize bandwidth usage, and there's even free support via email and the forum.
Resource use and system impact will vary according to your component strength and what you ask Spyware Terminator to do. It is always likely to be on the moderate side, but unless you have a really old computer it's worth living with.
Be advised that Spyware Terminator only loads a small installer program initially (632 KB) and then connects to the Internet to download the other components you've ticked as options. There is a separate link for downloading an off-line installer if preferred. As of V2.8.0.1 the program supports x64 Vista and Windows 7 in real time; previous versions only had x64 support for on-demand scanning. It is now also able to detect and remove so-called Flash cookies.

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system but also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop, though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs.
You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you un-zip it to.
** New features in V1.2.6.7, released 4th April 2009: Process Launch Monitoring, Folder and File Hooking, Emailing of Alerts, Quarantining of Files and Directories **
There is an active thread for this software at Wilders forum here: http://www.wilderssecurity.com/showthread.php?t=54666
The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.
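Both WinPatrol (take a snapshot of system settings, alert on changes) and MJ Registry Watcher (poll the protected startup keys every 30 seconds, catching deletions the hooks cannot) rest on the same baseline-and-compare mechanism. The PowerShell script below is an added illustration of that mechanism, not code from either product or from this review; the list of autorun keys it watches and the 30-second interval are assumptions chosen for the example.

```powershell
# Added example, not MJRW's or WinPatrol's own code: a poll-based watcher for
# common autorun keys. Key list and 30-second interval are assumptions.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    # Map "<key>\<valueName>" -> value data, for every value under each key.
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }          # key absent on this PC
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $snap["$key\$name"] = [string]$regKey.GetValue($name)
        }
    }
    return $snap
}

function Compare-AutorunSnapshot($Baseline, $Current) {
    # Additions and modifications come from the current state; deletions are
    # found by walking the baseline (the case MJRW leaves to its polling loop).
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += "ADDED    $k = $($Current[$k])"
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $changes += "MODIFIED $k : '$($Baseline[$k])' -> '$($Current[$k])'"
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $changes += "REMOVED  $k (was '$($Baseline[$k])')" }
    }
    return $changes
}

# Take the baseline on a known-clean system, then poll and report differences.
$baseline = Get-AutorunSnapshot
Write-Host "Baseline: $($baseline.Count) autorun entries; polling every 30 s"
while ($true) {
    Start-Sleep -Seconds 30
    $current = Get-AutorunSnapshot
    foreach ($line in (Compare-AutorunSnapshot $baseline $current)) {
        Write-Warning "$(Get-Date -Format s) $line"
    }
    $baseline = $current   # a HIPS would ask allow/block here; we simply accept the new state
}
```

As the review notes for Malware Defender, the baseline is only meaningful if it is taken on a clean system; a later run on a box that was already infected would silently treat the malware's autorun entries as normal.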
Related Products and Links
Quick Selection Guide

ThreatFire    Rating 7 of 10

Pros: Runs from the box without the need for additional configuration
Cons: Ambiguous results may need web research confirmation; doubts about compatibility with other software
Developer Home Page: http://www.threatfire.com/
Download link: http://download.cnet.com/ThreatFire-AntiVirus-Free-Edition/3000-2239_4-10726873.html
File Size: 8 MB
Version: 4.7.0.11
License Type: Private Freeware (not free for commercial use)
Installation Requirements: MS Windows XP, 2003 Server, Vista (*Windows 2000 users please see the footnote in the text above)

Malware Defender    Rating 8 of 10

Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users; home page in Chinese (see Softpedia links below)
Developer Home Page: http://www.softpedia.com/get/Security/Secure-cleaning/Malware-Defender.shtml
Download link: http://www.softpedia.com/progDownload/Malware-Defender-Download-106665.html
File Size: 1.9 MB
Version: 2.7.1
License Type: Unrestricted Freeware
Installation Requirements: Windows 2K/XP/2003/2008/Vista/7

WinPatrol    Rating 7 of 10

Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic-based detection technology
Cons: “Scotty the Windows Watchdog” projects a somewhat dated image
Developer Home Page: http://www.winpatrol.com/
Download link: http://www.softpedia.com/progDownload/WinPatrol-Download-10365.html
File Size: 714 KB
Version: 17.1.2010.0
License Type: Unrestricted Freeware
Installation Requirements: MS Windows, all versions including 64-bit

Spyware Terminator    Rating 6 of 10

Pros: Long established and well supported software with an excellent HIPS and many other features
Cons: May slow some older PCs; spyware detection rates poor in comparison to SUPERAntiSpyware; no real-time protection for x64 systems
Developer Home Page: http://www.spywareterminator.com/features/antispyware-features.aspx
Download link: http://www.spywareterminator.com/download/download.aspx
File Size: 632 KB
Version: 2.8.0.1
License Type: Unrestricted Freeware
Installation Requirements: All Windows, including x64 for Vista & Windows 7

MJ Registry Watcher    Rating 6 of 10

Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Developer Home Page: http://www.jacobsm.com/mjsoft.htm#rgwtchr
Download link: http://www.jacobsm.com/mjsoft.htm#rgwtchr
File Size: 1.34 MB
Version: 1.2.6.9
License Type: Unrestricted Freeware
Installation Requirements: All Windows
