ThreatFire 3

PC Tools’ ThreatFire 3 blocks malware (including zero-day threats) by analyzing program behavior, and it does a better job than many signature-based products. Add its free protection to your security arsenal, but don’t pay extra for the less-effective scan-and-clean Pro edition.

Very successful at blocking malware based strictly on analysis of behavior. Blocks zero-day attacks. No false positives in testing except for rootkit detection utilities. Free.

Can’t detect a threat until it attempts to take malicious action, thereby offering behavior for analysis. Non-free Pro version adds scan-and-clean but isn’t worth the money.

PC Tools


PC Tools, maker of the popular Spyware Doctor utility, acquired Novatix’s Cyberhawk this past May. The company has now thoroughly incorporated Cyberhawk’s behavior-based malware detection technology into a new product, PC Tools ThreatFire 3. TF3’s ActiveDefense technology detects malicious software entirely based on its behavior, so it can block threats that are too new for signature-based scanners to handle. No configuration is required, so it’s a snap to use. And unlike Symantec’s Norton AntiBot (NAB), which costs $30, ThreatFire is free.

After detecting a threat based on behavior, TF3 enhances its analysis by checking the found threat against a signature database. This allows it to quarantine known high-risk items immediately and offer the user a choice for known lower-risk items. For programs not found in the database, TF3 reports a calculated risk level, describes the behavior that put it over the edge, and asks permission to quarantine the threat. NAB identifies a few of the programs it catches, but it uses a very small subset of the full Symantec signature database.

TF3 is intended as an extra layer of protection, working alongside your existing signature-based antivirus/antispyware product. However, PC Tools does offer a Pro edition, for $29.95 per year, that adds on-demand or scheduled scan-and-clean as well as an option for telephone support (with the free edition you get only e-mail support).

TF3 installed quickly—refreshing after the lengthy installation procedures required by the many full security suites I’ve been evaluating. After the required reboot at the end of installation, I got out my arsenal of malware samples, including adware, spyware, rootkits, Trojans, and rogue antispyware products.

I wasn’t too surprised when TF3 let all but one of the rogue antispyware samples install and run. The mischief perpetrated by these products is often more at the social-engineering level than the software level. Like a gangster running a protection racket, rogue antispyware apps report threats that aren’t present and extort payment before they’ll remove anything. You can’t expect TF3 (or any behavior-based product) to detect that type of activity. If you want to be safe from rogue antispyware, your best bet is not to install a supposed antispyware app on the basis of a pop-up telling you to, but instead to make sure that what you’re getting is the good stuff—by reading one of my reviews first, for instance.

Rogues aside, TF3 successfully detected and blocked every single malware sample I threw at it. I do define success a bit differently for behavior-based products like TF3 and NAB. Normally I give half credit if a detected malware installation still manages to place one or more executable files on the disk. For front-line defense products like TF3, however, I give full credit as long as it prevents any installed executable files from running. Only one of the samples managed to slip executable files past TF3, and the app did keep those from running.

TF3 quarantines known high-risk threats without asking permission and reports what it did in a red alert window. Known lower-risk “possibly unwanted programs” get a gray alert that lets the user choose to quarantine or not. And for unknown threats TF3 shows an informative yellow alert, again letting the user choose. That’s all you’ll see unless a reboot is needed to complete the cleanup. I like this style better than NAB’s chatty default behavior, in which blocking a single threat can involve four pop-ups and a noticeable wait. Each of TF3’s alert windows includes a link to learn more about the threat by launching a Google search.

In testing, I always quarantined “possibly unwanted programs,” and I quarantined any unknown yellow-alert items with a risk level of HIGH or VERY HIGH. Actually, I saw only one alert at the MODERATE level (I allowed the program in question to continue), and it was quickly followed by a HIGH alert for the same program as its behavior worsened.

The reported behaviors in the yellow-alert warnings were all over the map. Some sounded truly bad—logging keystrokes, hiding from Task Manager, tampering with other programs, and the like. But others, like a program registering itself to launch at start-up, didn’t seem to merit the reported risk level. PC Tools experts explained that the alert box just reports the behavior that pushed this item over the line. The rating is based on many behaviors, but the box can display only one. I’d like to see an option to get an overview of full behavioral details, similar to that offered by NAB.

When I compiled all of the malware-blocking test results, TF3 came out with 8.6 out of 10 possible points. If I omitted the rogue antispyware programs, however, that score zoomed to a perfect 10 out of 10. Tested against the same collection of threats, NAB scored 7.1, and removing the rogues from the mix brought its score only up to 7.6. In fact, TF3’s 8.6 score beats out the 8.1 points garnered by Spy Sweeper 5.2 with AntiVirus. That’s pretty impressive.

I did run a separate test using commercial keyloggers. Behavioral detection of programs that are designed for spying may seem a bit redundant, but those same behaviors in a program you didn’t choose to install would be a serious worry. TF3 detected every single one and successfully blocked almost all of them, scoring 9.5 out of 10. NAB scored 7.1 against this same collection.

Detecting bad programs based on behavior is only half a solution, though. The other half is making sure not to report any good programs as malicious just because they share some behaviors with bad programs. For a sanity check, I rounded up a dozen-plus PC Magazine utilities that might look suspicious. KeyTick monitors keystrokes the way a keylogger might, BHOcop disables other BHOs, Startup Cop Pro puts itself in the start-up sequence—that sort of thing. Like NAB, TF3 didn’t make any erroneous accusations. It didn’t throw a single false positive alert on the PC Magazine utilities. It did flag RootkitRevealer, from Sysinternals, as possibly dangerous. That doesn’t worry me. Most rootkit detection utilities use rootkit-like technologies in order to see the rootkits they’re targeting.

ThreatFire 3 is designed to keep malicious software, known or unknown, from installing on a clean system. It assumes that you have a standard signature-based antivirus/antispyware utility for cleaning up any existing infestations. In case you don’t, PC Tools offers a Pro edition of ThreatFire 3 that includes scan-and-clean technology from PC Tools AntiVirus. This is not the same protection you get in Spyware Doctor with AntiVirus 5.0, and that fact became clear rather quickly in my testing.

TF3 Pro had problems installing, scanning, or quarantining files on some of the infested systems, and it doesn’t install or scan in Safe Mode. PC Tools tech support suggested that I use their Alternate Operating System Scanner (, a free downloadable ISO image of a bootable CD. When you boot from the CD, Windows isn’t even running, so the Windows-specific tricks used by rootkits are powerless. AOSS won’t remove every trace of every threat, but they suggested it might clean things up enough to let TF3 Pro install and do its job.

AOSS got stuck repeatedly during the scan on one problem system, ran to completion but didn’t clean up sufficiently on another, and successfully fixed the third. At this point I resorted to using my own wizardly skills to fix the problem systems. I disabled the malware that prevented installation on one system and manually removed all the traces that I could from the system where AOSS got stuck. But I never could get TF3 Pro to finish quarantining files on one system.

Even with my help—help that an ordinary user wouldn’t have been able to offer the app—TF3 Pro scored a poor 5.7 of 10 for malware removal and 6.5 of 10 against commercial keyloggers. NAB scored even lower, but since it makes no claim to remove existing malware at all, anything it did manage to fix was strictly for bonus points. Challenged with removing the same set of samples, PC Tools’ own Spyware Doctor with AntiVirus 5.0 got 9.1 out of 10 points, and it didn’t require any hand-holding from me.

ThreatFire 3’s ability to block installation of malware strictly by identifying bad behavior is phenomenal. It did a better (and faster) job than Norton AntiBot and even beat out Spy Sweeper. This free tool is an excellent addition to your security arsenal. But don’t spend your money for the scan-and-clean Pro version—it’s just not up to the job.

Download at:


Filed under Software

2 responses to “ThreatFire 3

  1. Pingback: » Blog Archive » ThreatFire 3

  2. Anjelicus

    Hmm… I’ve been using PrivacyKeyboard for rather long period of time. It is also based on so called euhristic methods (unlike many other products that are signature-based). I’m pleased with its work. But I will definitely try the recommended one $)