How does TF handle malware that overwrites files?


solcroft
08-19-2007, 03:54 PM
I'd like to ask how TF currently deals with malware that writes to other files, such as svchost.exe, as part of its payload, as the quarantine concept doesn't sound quite sufficient to deal with such a problem: for instance, the overwritten file might be a critical file, and quarantining it might result in system errors.

I would've tested this myself, but unfortunately TF flags all such copies of malware that I currently have as known malware and does not catch them using behavioral analysis.

Thanks

mjq424
08-19-2007, 04:19 PM
Hi
Windows File Protection replaces system critical files on reboot, so this shouldn't be a problem.

djames
08-19-2007, 04:52 PM
ThreatFire is behavior first. Nothing is caught with a black or white list before it is caught by the potentially malicious behavior.

solcroft
08-19-2007, 05:17 PM
Hrm.

So... if we pretend that the malware doesn't exist in TF's blacklist, how would TF handle such a scenario?

djames
08-19-2007, 07:29 PM
First a behavior is detected, then if there is no black list, a yellow dialog will pop. It might not have the information on the name of the malware, so you will be given a generic one based on the first rule that it triggered. You will be given a choice to Quarantine it, or Allow it. If it appears on a black list, ThreatFire will quarantine it automatically.

solcroft
08-19-2007, 07:41 PM
Hrm, perhaps I wasn't very clear...

To hopefully better rephrase my question: is TF capable of blocking and/or undoing the action of a piece of malware writing to another file - for instance, a virus that modifies the svchost.exe or iexplore.exe file?

djames
08-20-2007, 02:51 PM
TF has rules in it that protect against this type of attack; it protects against file infection and data/thread injections. Quarantine would clean this up. Ideally what will occur is this: the malware will attempt to infect a file, and TF will trigger and quarantine the object before it successfully writes to the file.
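The thread describes two defensive layers: blocking the write before it lands (ThreatFire's rule) and restoring a protected file from a trusted copy afterwards (Windows File Protection). The following is an added example, not ThreatFire's or Windows' code, showing the baseline/verify/restore pattern on constructed stand-in files in a temporary directory; the `system32` and `dllcache` directory names and the `svchost.exe`/`iexplore.exe` file names are only labels for the sample data.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record trusted hashes of protected files (the known-good state)."""
    return {p: sha256_of(p) for p in paths}

def verify(baseline):
    """Return protected files that are missing or no longer match the baseline."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != digest]

def restore(modified, cache_dir):
    """Replace each tampered file from its trusted cached copy (WFP-style)."""
    for p in modified:
        shutil.copyfile(os.path.join(cache_dir, os.path.basename(p)), p)

def demo():
    # Constructed sample: a fake system dir plus a trusted cache of the same files.
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    cache = os.path.join(root, "dllcache")
    os.makedirs(sysdir)
    os.makedirs(cache)
    names = ("svchost.exe", "iexplore.exe")
    for name in names:
        for d in (sysdir, cache):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ original " + name.encode())
    protected = [os.path.join(sysdir, n) for n in names]
    baseline = take_baseline(protected)
    # Simulate an unexpected modification of the first protected file.
    with open(protected[0], "ab") as f:
        f.write(b"\x90APPENDED")
    tampered = verify(baseline)          # detected: svchost.exe
    restore(tampered, cache)             # put the trusted copy back
    still_bad = verify(baseline)         # expected: nothing left modified
    shutil.rmtree(root)
    return [os.path.basename(p) for p in tampered], still_bad

if __name__ == "__main__":
    print(demo())
```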

solcroft
08-20-2007, 06:33 PM
Thanks for the explanation. :)