View Full Version : Leaky protection?


solcroft
08-24-2007, 04:18 AM
A curious problem: TF sometimes fails to catch malware that it obviously should. Executing the malware draws no response from TF. Reboot the system, try again, and TF is suddenly working as normal again. Sometimes.

Running under WinXP SP2 Pro with no other resident programs in memory. I know this sounds horribly vague, but I'm not sure what else to add that might be useful. This problem also doesn't seem to be limited to specific samples.

Kees1958
08-24-2007, 07:44 AM
I had the same issues with CyberHawk Pro. Recently with a freeware application that checked whether your CPU facilitates DEP and Virtualisation.

It fired when it tried to manipulate memory; it also fired when the app tried to install a driver. After an allow (on the first, without the remember option) on the DEP check, I chose block always on the driver load. The second time I ran CB Pro it let the loading of the virtual driver pass although I had a rule for it. After a reboot, the problem was gone. I could not replay it either.

I thought I had made a mistake, but now Solcroft has also noticed this, there may be a fall-through logic error related to rules.

djames
08-24-2007, 02:34 PM
We are working on an issue where it takes the engine a bit of time before it starts. If you run malware during this time, we won't pop alerts.
Also there is a known issue (fixed in the next release) where on first install, not all drivers are loaded and TF won't quarantine.

Still this is interesting, and I will play around with this idea today.

Thanks

solcroft
08-24-2007, 03:08 PM
Can you give us an approximation of how long it takes after bootup before the TF engine kicks into action?

djames
08-24-2007, 03:39 PM
An approximation is hard, since it depends on the system and what you have running on it. On a relatively clean 1.6G system, around 20 seconds. Like I said, we have a fix for this, but I don't know if it is 100% yet.

You can try this by suspending TF and then unsuspending it. You can see how long it takes by placing the mouse over the tray icon. You will see it stating "initiating" until the engine and tray are communicating, which is when TF should start responding to behaviors.
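The startup window djames describes (the engine is not yet responding to behaviors for roughly 20 seconds after boot) is easy to misread as a detection failure when testing samples. The following added example, which is not part of this thread and not code from TF or its vendor, shows how a tester can audit that gap from their own records: given a boot timestamp, the moment the engine reported ready (the point at which the tray icon stops saying "initiating"), and a list of process launches, it computes the unprotected window and flags any launch that fell inside it, so those test runs can be discarded and repeated. All timestamps and process names are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (not from the thread): ISO-8601 timestamps
# as a tester might record them while reproducing the problem.
BOOT_TIME = "2007-08-24T04:00:00"
# Assumed: the time the tray icon stopped showing "initiating".
ENGINE_READY = "2007-08-24T04:00:22"
# (launch time, process name) pairs from the same test session.
PROCESS_STARTS = [
    ("2007-08-24T04:00:05", "explorer.exe"),
    ("2007-08-24T04:00:15", "sample_a.exe"),   # run before engine was ready
    ("2007-08-24T04:00:30", "sample_b.exe"),   # run after engine was ready
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def protection_gap_seconds(boot: str, engine_ready: str) -> float:
    """Length of the window between boot and the engine becoming active."""
    gap = parse_ts(engine_ready) - parse_ts(boot)
    if gap.total_seconds() < 0:
        raise ValueError("engine_ready timestamp precedes boot timestamp")
    return gap.total_seconds()


def launched_before_engine(events, engine_ready: str) -> list:
    """Names of processes started while the engine was still initiating.

    Any sample in this list was executed without behavioral monitoring,
    so a missing alert for it says nothing about the engine's rules.
    """
    ready_ts = parse_ts(engine_ready)
    return [name for ts, name in events if parse_ts(ts) < ready_ts]


def invalid_test_runs(events, engine_ready: str) -> list:
    """Test runs that must be repeated after the engine reports ready.

    Excludes well-known shell processes; everything else launched in the
    gap is treated as a sample whose result is not trustworthy.
    """
    shell_processes = {"explorer.exe"}
    return [n for n in launched_before_engine(events, engine_ready)
            if n.lower() not in shell_processes]


if __name__ == "__main__":
    print(f"unprotected window: {protection_gap_seconds(BOOT_TIME, ENGINE_READY):.0f}s")
    print("started before engine ready:", launched_before_engine(PROCESS_STARTS, ENGINE_READY))
    print("test runs to repeat:", invalid_test_runs(PROCESS_STARTS, ENGINE_READY))
```

In practice the engine-ready time has to be observed (for example by watching the tray tooltip as djames suggests) and written down alongside each sample launch; the script only makes the bookkeeping explicit so that a run inside the gap is never counted as a miss.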