
Free ThreatFire Antivirus 4.7 Review and Download

4. March 2010

    ThreatFire is a behavioral detection antivirus that studies a system for malicious changes (similar to Prevx).  Any malicious activity is then detected as a virus etc. and deleted and/or uploaded to PC Tools servers.  The advantage to all of this is the most advanced detection possible because of collective intelligence (virus discovery and detection) from millions of users.  This makes ThreatFire 4.7 an excellent addition to a free antivirus program.  However, per our tests, ThreatFire 4.7 is not recommended for use as a standalone program.


    The ThreatFire download was extremely small at only 8 megabytes in size.  The download is eclipsed only by Prevx’s 1-megabyte size.  The installation was smooth other than the annoying and mandatory security advisor.  The security advisor attempts to detect how secure the target computer is by testing for a firewall, antivirus, spyware, and a threat scan.  The threat advisor will then link to products that can satisfy the above protections.  Unfortunately, a novice user might interpret this as the actual ThreatFire program.  Regardless, after the security advisor has completed, the program will immediately start and update; no system restart is necessary.


    The ThreatFire 4.7 interface is very interesting and resembles other PC Tools programs.  Upon opening the program, the user will be presented with a map and 7 of the latest and most prolific malware and spyware threats.  A user can click on “more info” to learn about a threat.  I also like how ThreatFire displays global settings.  According to the protection statistics, ThreatFire 4.7 has checked almost 3 trillion different computer events and 30 million programs for malicious activity (these numbers significantly exceed even Norton’s trusted program database).  With statistics such as these, a user can be confident that malicious activity will be detected.
    I didn’t encounter any specific problems with the interface.  I found the lack of configuration options to be the worst problem.  In addition, there are a lot of advertisements throughout the software asking for an upgrade etc.  Thankfully, there are no startup pop-up advertisements such as the ones Free Avira frequently displays.


    ThreatFire 4.7 is a little lacking on features but excels at crucial zero-day malware detection.

    Advanced Rule Settings.  Just like a firewall, ThreatFire operates by a rule-based system.  Rules are configured based upon the source (the program to be monitored), the trigger (a certain event that triggers a rule), options (ability to tweak the trigger), and the exclusions (what shouldn’t trigger the rule).  Some of the event triggers are file access, renaming, writing to the registry, creating network connections, and access on a certain port.  These settings allow a user to set up a sort of alarm system on a computer.  I can see how ThreatFire 4.7 could be used as a honeypot to monitor changes to critical files.  In addition, ThreatFire includes default rules such as hosts file and screensaver file protection (.scr files).  ThreatFire also has hundreds of preconfigured rules that are constantly monitoring the whole system for viruses.
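The source / trigger / options / exclusions layout described above can be modelled in a few lines. This is an added example, not ThreatFire's rule format or engine: the `Rule` fields, event dictionaries, paths, port number and rule names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Hypothetical model of the rule layout the review describes (source, trigger,
# options, exclusions). Not ThreatFire's actual rule format or engine.
@dataclass
class Rule:
    name: str
    source: str                      # glob over the acting program's path
    trigger: str                     # event type that arms the rule
    options: dict = field(default_factory=dict)     # narrows the trigger
    exclusions: list = field(default_factory=list)  # programs never flagged

def _glob(pattern, value):
    # Windows paths are case-insensitive, so compare lowercased.
    return fnmatchcase(str(value).lower(), pattern.lower())

def matches(rule, event):
    prog = event["program"]
    if event["type"] != rule.trigger or not _glob(rule.source, prog):
        return False
    if any(_glob(x, prog) for x in rule.exclusions):
        return False
    return all(_glob(p, event.get(k, "")) for k, p in rule.options.items())

def evaluate(rules, events):
    """Return (rule name, program) for every event that trips a rule."""
    return [(r.name, e["program"]) for e in events for r in rules if matches(r, e)]

RULES = [
    Rule("hosts-file-protection", "*", "file_write",
         {"target": r"*\drivers\etc\hosts"}, [r"*\notepad.exe"]),
    Rule("screensaver-protection", "*", "file_write", {"target": "*.scr"}),
    Rule("port-watch", r"*\temp\*", "net_connect", {"port": "6667"}),
]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"type": "file_write", "program": r"C:\Users\a\Temp\upd.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file_write", "program": r"C:\Windows\notepad.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file_write", "program": r"C:\Users\a\Temp\upd.exe",
     "target": r"C:\Windows\System32\Bubbles.SCR"},
    {"type": "net_connect", "program": r"C:\Program Files\Chat\irc.exe", "port": 6667},
    {"type": "net_connect", "program": r"C:\Users\a\Temp\upd.exe", "port": 6667},
]

if __name__ == "__main__":
    for name, program in evaluate(RULES, EVENTS):
        print(f"ALERT {name}: {program}")
```

The excluded editor writing to the hosts file and the connection from a program outside the monitored source path produce no alert, which is the role the review assigns to exclusions and source.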

    System Activity Monitor. This is a feature truly unique to ThreatFire 4.7.  The system activity monitor displays all active processes and then assigns a trusted rating to them.  In addition to this standard information, ThreatFire includes all active .dll files and even active program windows.  The active program windows are helpful because often spyware and viruses will attempt to hide their active window from the user.  However, the crown jewel of this program is the file system activity monitoring.  On an application-by-application basis, ThreatFire 4.7 will display what files and registry keys are renamed, deleted, and created etc.  This information is crucial in diagnosing what a rogue toolbar is doing within Firefox or Internet Explorer, spotting a program accessing files that it shouldn’t be, and discovering program errors.  I haven’t seen this level of detail in a system explorer found in other antivirus programs.

Virus Detection and Scanning:

    ThreatFire includes behavioral detection to protect against zero-day threats.  This protection augments definition-based protection because virus definitions can only be released after a virus is discovered.  Behavioral protection is always watching out for malicious activity regardless of virus definitions.  The malicious activity is then uploaded to PC Tools servers from the millions of active ThreatFire users.  Since all of this happens in real time, the latest definitions can be quickly compiled (ThreatFire 4.7 updated an average of 4 times every hour) and sent to all active ThreatFire users.  Therefore, a worldwide virus outbreak can be mitigated within minutes.
    ThreatFire also includes a rootkit scanner that is specifically targeted at stealthy rootkits.  The scanner is actually one of the fastest rootkit scanners.  There are two scanning options: the Intelli-scan and the Full System Scan.  The Intelli-scan completed in about 5 minutes while the full system scan took about an hour.  In addition, the rootkit scanner can be scheduled for automatic scans.
    Since ThreatFire lacks definition-based detection, it lacks the capability to detect a virus before it is executed.  Therefore, it is crucial to have a definition-based antivirus to make sure that viruses are not started.

Resource Usage:

    During idle operation, ThreatFire 4.7 used an average of 4 megabytes, which is ridiculously low and even lower than Prevx.  When a full rootkit scan is run, the software used an additional 50 megabytes for the GUI.  CPU usage was on the higher end averaging at about 50%. 


    ThreatFire 4.7 is an excellent security suite and should be installed to augment free antivirus protection.  ThreatFire gives the option to install PC Tools antivirus with ThreatFire.  The two software programs will combine behavioral and definition-based protection.  For example, schedule a regular virus scan at night and a rootkit scan in the morning for excellent security.