Threatfire 4.5

4.0 Excellent

The Bottom Line

Your standard signature-based anti-malware utility catches most things that attack your computer. ThreatFire offers supplemental protection against zero-day attacks that are too new to have a signature. It's a fine, free addition to your security arsenal—I use it myself.

Pros & Cons

Pros

    • Fast install.
    • Fast scan removes rootkits.
    • Blocks malware by analyzing its behavior.
    • Identifies known threats by name.
    • Works alongside existing anti-malware to enhance protection.

Cons

    • Makes the user decide whether to allow potentially malicious unknowns.
    • Not enough information about the behavior of unknowns.
    • Rootkit scan didn't clean up completely.
    • Can't detect social-engineering attacks like rogue security software.

Threatfire 4.5 Specs

Free: Yes
OS Compatibility: Windows Vista, Windows XP
Tech Support: Forum based. Paid users get phone support.
Type: Business, Personal, Professional

PC Tools is famed for its Spyware Doctor line of signature-based anti-malware protection, but whichever brand you use, Spyware Doctor or another, PC Tools hopes you'll supplement it with its own behavior-based ThreatFire 4.5. ThreatFire is designed to work alongside a standard signature-based product to catch zero-day threats that are so new they don't yet have signatures. And it's free. What more could you ask? Well, you might ask for a tool that leaves a little less of the decision making to the user, but, still, this is a very good addition to any personal security toolkit.

Unlike Prevx 3.0, whose behavior-based analysis is entirely cloud-based, ThreatFire does use a local database. Upon installation ThreatFire needs to check for updates. However, the database updates are minuscule compared to those of a full signature-based product. On my test systems, the initial update took about a minute and the rest of the installation no more than half a minute. That's great, compared to Spyware Doctor with AntiVirus 6.0, whose required initial signature update took up to 15 minutes, but it doesn't beat Prevx's near-instantaneous installation.

The product's main screen initially shows a list of top malware and adware threats along with a world map. Clicking a threat in the list updates the map to show the prevalence of that threat. It's cute, but I'm not sure how necessary it is. More interesting is the next tab, which displays statistics about ThreatFire's protection activities on your computer and on the 1.5 million other active ThreatFire installations. To make sure you know it's working hard for you, ThreatFire pops up a report of these statistics every two weeks.

What Is ThreatFire?

After installation, ThreatFire launches a tutorial to make sure users understand just what it is, and what it isn't. As a behavior-based product, ThreatFire looks only at processes that are running or attempting to run. It will never catch an inert file just by looking at it. After all, a file that isn't running doesn't have any behaviors.

ThreatFire does rely on both local and online databases to help identify known threats, but it doesn't consult these until after it detects dangerous behavior. If the process under analysis turns out to be a known virus, Trojan, spyware or other high-risk item, ThreatFire immediately disables the process, quarantines its components, and displays a red popup explaining what it did. If the database identifies the item as known adware or another low-risk "potentially unwanted application," it pops up a grey box asking the user for permission to remove the item.

Most signature-based products must include removal instructions in their signature databases, adding to their bulk. Prevx takes the unique approach of downloading removal instructions only after it detects a threat. Because ThreatFire's ActiveDefense is watching the behavior of all processes, it knows what files and Registry items have been created by the malicious process. This "tracker" technology lets it clean up traces of a threat beyond the specific executable file whose behavior ThreatFire detected.

ThreatFire also uses a technique PC Tools calls "behavioral profiling" to identify an unknown threat as belonging to a known threat family based on its pattern of behavior. If neither the database nor the behavioral profiling system can identify a process that's exhibiting bad behavior, ThreatFire asks the user what to do.

The yellow alert popup for an unknown threat identifies the threat level; I've seen MODERATE, HIGH, and VERY HIGH. It also reports one of the behaviors that caused ThreatFire to identify this process as malicious. This can be confusing unless you realize the single reported behavior is just part of a pattern. You can click a link for technical details about the item's components and behaviors.

ThreatFire occasionally reports some false positives (legitimate programs flagged as potentially malicious). If you're in the process of installing a trusted program and ThreatFire pops up a query, go ahead and allow the program to continue. But if a warning pops up when you're not installing anything, most likely you should block it.

I'm not a big fan of solutions that put security decisions in the user's hands. Most users aren't qualified to make an informed decision. At the very least I'd like to see a more complete breakdown of all suspicious behaviors from ThreatFire, like the detail list that was available in Norton AntiBot before Symantec subsumed that technology into its other products. Even better would be a system that can make its own decisions most or all of the time. According to Michael Greene, PC Tools VP for product strategy, that's exactly what PC Tools hopes to attain, which gives me hope for the future of this already impressive product.

Scanning for Rootkits

An earlier version of ThreatFire included the option to scan and remove malware using the same engine as the free PC Tools AntiVirus. However, PC Tools later decided that this feature wasn't consistent with ThreatFire's positioning as a behavior-based sidekick compatible with all existing signature-based products. In the current version, ThreatFire's scan and clean component deals strictly with rootkits, threats that might conceivably manage to hide from the product's behavior-based analysis.

I installed ThreatFire on all twelve of my standard malware-infested test systems even though only five of them include threats that use rootkit technology. It installed quickly, and the rootkit scans took just a couple of minutes each. I managed to run the entire test in a couple of hours. Installing and testing a standard signature-based product can take more than a full workday, so this was a breeze by comparison.

As expected, ThreatFire didn't do anything to clean up non-rootkit malware. That's fine. The problem is that the rootkit-specific results weren't stellar. ThreatFire detected 89 percent of the rootkits, the same as Prevx and Webroot AntiVirus with AntiSpyware 6.0, but it wasn't very successful at cleaning up what it found. One sample was still running after its alleged removal, though its rootkit component was disabled. The rootkit component of two others continued to hide malware components (verified using two other rootkit-detection tools). And ThreatFire left behind executable files for almost all of the rootkit threats.

Looking specifically at rootkits, ThreatFire scored 5.1 of 10 possible points. Prevx got 6.7 points in this test, and Webroot beat all the rest with a score of 7.1. Prevx and Webroot detected the same number of rootkits as ThreatFire; they were just more effective at removing them. Norton 360 version 3.0 was even more effective at removing what it detected, but it detected fewer rootkits overall, for a final score of 6.8 points.

Behavior-Based Blocking

With the rootkit scan test out of the way, I proceeded to the main event: a test of the product's ability to protect a clean system. I should point out that there are types of malware that just won't be caught by a behavior-based system. Some threats lie dormant for days. ThreatFire wouldn't catch those until they take action. The bad behavior of rogue security software (scareware) may involve nothing more than lying to the user about found threats and demanding cash to remove them. That's not something ThreatFire or any behavior-based tool could detect. It specifically needs to see actions at the software level that it can analyze and identify as malicious.

Of the threats it detected, ThreatFire automatically blocked about two-thirds as known Trojans, viruses, or spyware. It flagged just a couple as potentially unwanted and displayed a yellow user query for the rest. In every case when asked for a decision I checked the box to kill and quarantine the process.

ThreatFire detected 83 percent of the threats, the same as Panda Cloud AntiVirus and nowhere near the 97 percent detection rate attained by Prevx. It was less effective at fully preventing installation, scoring 7.8 of 10 possible points where Panda, which detected the same percentage of samples, scored 8.3.

In three cases, the interaction between ThreatFire and the malware sample locked up Windows Explorer. I verified that ThreatFire was involved by rolling back the virtual machine to a previous state, suspending ThreatFire's protection, and launching the malware sample: no lockup. PC Tools VP Michael Greene suggested that this behavior may be an artifact of testing within virtual machines (which is how I test), as PC Tools has had no reports of similar problems. I had to force a reboot to continue, but ThreatFire did prevent installation of those threats.

ThreatFire failed to block three commercial keyloggers that use rootkit technology to hide their activities. Apparently rootkit tech alone isn't sufficient to get a program marked as malicious. In each case where it did identify a rootkit-based threat, it completely prevented installation.

Working Together

ThreatFire is designed to work together with your standard anti-malware product to catch those zero-day threats that slip past. What sort of protection would you get by combining ThreatFire with current top scorer Prevx? No, I didn't install both and re-run the malware blocking test. I just created a new hybrid set of statistics. For each threat I copied the result from whichever of the two was more successful. The combination yielded some amazing scores.

The Prevx and ThreatFire team detected 100% of spyware, 100% of commercial keyloggers, and 100% of rootkits. Prevx previously had the top score for malware blocking, 9.4 out of 10 points. ThreatFire's help raised that to 9.8. ThreatFire didn't do a lot to block commercial keyloggers, but it did enough to raise Prevx's 8.9 points to 9.3, beating the previous top score of 9.0 from Spyware Doctor.

Looking specifically at rootkit blocking, Prevx alone rated 8.9 of 10 points, a tie for first place with Spyware Doctor. Adding ThreatFire broke that tie; the team scored 9.4 points. The only area where ThreatFire didn't help out was in blocking scareware, and that type of threat is not easily detected at the behavior level.

Long Term Testing and False Positives

ThreatFire doesn't necessarily consider commercial keyloggers to be malicious, even if they use rootkit technology. And as noted earlier, rogue security products may not have any measurable malicious behaviors; there's no way a program can determine that they're lying to the user. The dozen samples that ThreatFire completely missed all fell into these two categories.

On the chance that some of these might try some trickery at a later time I loaded them in groups into three virtual machines and left them to run for 24 hours. If these samples included any time-release nastiness it must've been set for a longer delay. I didn't see any new warnings from ThreatFire after that all-day run.

I also installed a dozen-plus PCMag utilities that hook deeply into Windows to do their jobs, figuring that some of their behaviors might look suspicious to ThreatFire. The only one that got a yellow flag dropped on it was LinkPreviewer, which, according to ThreatFire, was "attempting to change your security settings, privacy levels or personal options on Internet Explorer." Since I was installing a known good program from a reliable source, I didn't worry. Still, I'd be happier with no false positives at all.

ThreatFire is free, and it works in conjunction with your existing security protection. I run it on my main work system alongside Norton Internet Security 2009 with no problems. I'd be happier if its yellow "potentially malicious application" warning described all the behaviors that went into the analysis. In the real world, though, your signature-based antivirus is going to catch almost everything. ThreatFire is your backup protection for that rare zero-day attack. As such it's a great addition to your security arsenal.
