ThreatFire and Symantec AntiVirus Corporate Edition Conflict?



SJMarty
08-09-2008, 10:07 PM
I installed ThreatFire v3.5.0.21 on my PC. I am also running Symantec AntiVirus (SAV) Corporate Edition v10.1.7.7000. Immediately after the installation of ThreatFire, SAV's "Tamper Protection" went nuts. It blocked 14 "Allocation Memory" attempts by TFService.exe. I attached one screenshot. There were 13 others just like it except the "Target" changed to various .EXEs that are part of SAV. I rebooted the PC and no more of the tamper attempts logged and everything seems to be running OK.

My questions are...


Has anyone else seen this before?
Is everything running OK?
I know that EICAR exists for testing antivirus software. Does a harmless test file exist for ThreatFire?

Thanks for any help,

-SJM

mjq424
08-10-2008, 08:08 AM
Hi
ThreatFire tries to inject a DLL into all processes so that it can monitor them. Symantec is obviously complaining about this. You can try the Spycar (http://www.spycar.org/) test suite to see if ThreatFire detects these behaviours.
Hope that helps

SJMarty
08-10-2008, 11:16 PM
Thanks. I ended up excluding TFService.exe and we'll see how it goes.

-SJM



SJMarty
08-11-2008, 02:51 PM
I'm still having issues with ThreatFire and SAV. This morning, after letting SAV and ThreatFire run together overnight, there were 32 more blocked tamper alerts by TFService.exe. This time, it was targeting Rtvscan.exe (which is the real-time virus scan portion of SAV). I attached two screenshots showing the error.

Does anyone have experience with this problem or suggestions how to resolve it? Thanks.

-SJM

djames
08-11-2008, 03:15 PM
SJMarty, we have been working on this for a short time in our lab. We should have a fix for this in the next version.

SJMarty
08-11-2008, 03:23 PM
Thanks for the update. I appreciate it.

Is there anything I can do in the interim?

When do you expect the next version to be available?

-SJM



djames
08-11-2008, 05:33 PM
We are currently testing the next release in house. Mostly legal issues are keeping this one from release at this time. Not serious, but nonetheless we have to wait.

SJMarty
08-12-2008, 12:35 AM
I have a support ticket opened on this but thought I'd add this information to this thread. I hope it helps. Also, let me know if you'd like me to test anything in my environment.

In SAV, the real-time virus scanner is called Auto-Protect. In the Auto-Protect configuration, you can exclude files, folders, etc. I have excluded the entire ThreatFire folder but the Tamper Protection alerts keep popping up (especially after running Live Update to get new definitions). Unfortunately, the Tamper Protection is totally different than Auto-Protect and the Auto-Protect exclusions don't apply to Tamper Protection. Also, according to Symantec, there is no way in SAV to exclude files, folders, etc. specifically from Tamper Protection.

djames
08-12-2008, 02:38 PM
Yeah, the Live Update is where we see pop-ups as well. We have reproduced this in house and have a fix for this in the next version. Thank you for your offer, I hope to hear some feedback from you when the new version shows up.

SJMarty
08-29-2008, 04:07 PM
Do you have any update on when the new version of ThreatFire may be available? Thanks.

-SJM

djames
08-29-2008, 04:17 PM
Working on it still. I don't want to give out exact dates.

SJMarty
10-09-2008, 10:53 PM
djames,

With Symantec purchasing PC Tools, I was sure hoping that getting one of PC Tools' products working properly with one of Symantec's products would be at the top of the fix list. Unfortunately, it's been a good two months since I reported this issue and almost six months since the last release of ThreatFire. I paid for ThreatFire because of the niche it filled but I have to admit, I'm a little let down by the infrequency of new build releases.

Is there any update on a release date?

mjq424
10-10-2008, 06:47 AM
Hi
As far as I know, there is still a legal issue holding back a new release of ThreatFire.
Hope that helps

djames
10-10-2008, 02:28 PM
We have worked out most "legal" issues, we are now free to carry on with our releases.
We are currently working real hard to get a quality product out as soon as possible. Like I said I don't want to give out dates, so as not to disappoint, however I really hope within a few weeks.

SJMarty
10-20-2008, 11:31 PM
Unfortunately, it doesn't appear that this fix made it into v4.0.0.6 as I was greeted with 14 pop-ups from Tamper Protection after installing the new version.

I have uninstalled ThreatFire Pro (I paid to register). Unfortunately, after uninstalling and even running PC Tools' ThreatFire cleanup tool, a reinstallation of the product still identifies itself as Pro.

Can you tell me how to remove ThreatFire Pro completely so a subsequent installation of the free version in fact sees itself as the free version?

CLP
09-16-2009, 06:55 PM
I know this is an old thread, but I am having the same problems - only worse - with TF4.5.

I bought a new Toshiba NB205-311 (running 32-bit XP) and installed ThreatFire 4.5 to run alongside the Norton AV that came (30 day trial) with the machine. A few days later I uninstalled Norton and installed Symantec Corporate. Then the problems began.

As described in the older posts on this thread, SAV was unable to run live update. Attempts to live update would reach 99% and then fail.

Windows was also unable to live update. It would download the same updates again and again. Either the download would fail or it would hang up installing the update.

After an update would fail (either SAV or Windows), Explorer would be unable to connect to the internet. I would shut down my machine to reboot and get a bluesheet of death, noting an rdbss.sys problem.

The tech support people at my institution said they thought it was a conflict between TF and SAV corporate. They removed TF, and everything has worked fine since.

I like TF a lot and would love to run it behind SAV Corporate, but it seems that the earlier compatibility problems between the two have not been fixed.

Has anyone else had this problem?

Is it possible to reconfigure TF or SAV Corporate to eliminate the conflict?

Thanks,
CLP

ebennett
09-16-2009, 07:21 PM
Well, we do some ancillary testing with Symantec AV via our IBM contracts, and thus far haven't had any issues like that. What version of Symantec CAV? And can I get a BelArc system Snapshot by chance?

-ebennett

CLP
09-17-2009, 01:17 AM
Thanks for your response.

The Symantec CAV program version is 10.1.6.6000.

I'm afraid I don't know what a BelArc system Snapshot is, but if you give me some instructions, I'll be happy to provide one.

ebennett
09-17-2009, 03:13 PM
It's a system analyzer that'll give me an idea of all the software installed on your system. Check it out here:

http://www.belarc.com/free_download.html

Also, have you tried Symantec 11 yet?
http://www.symantec.com/business/support/downloads.jsp?pid=54619

-ebennett

CLP
09-18-2009, 06:20 PM
Here's the software list from the BelArc snapshot. I can post more of the snapshot if you like, but for security reasons I didn't want to post all the details.

2007 Microsoft Office system Version 12.0.4518.1014
Acrobat.com
Adobe Acrobat Version 9.1.0.2009022700
Adobe AIR 1.5 Version 1.5
Adobe Reader Version 9.1.0.2009022700
Alps Pointing-device Driver Version 7.0.2.212
Atheros Communications, Inc. - ACU Version 8.0.0.72
Atheros Configuration Service (ACS) Version 8.0.0.72
Belarc, Inc. - Advisor Version 8.1b
Bluetooth Stack for Windows by Toshiba Version 6, 0, 0, 0
Bluetooth Stack for Windows by TOSHIBA Version 6, 2, 1010, 0
Bluetooth Stack for Windows by Toshiba Version 6, 20, 0, 0
Bluetooth Stack for Windows by TOSHIBA Version 6.2.0.0
Chicony traybar Version 1, 5, 4002, 79
Cinematronics - 3D Pinball Version 5.1.2600.5512
COMPAL ELECTRONIC INC. - EKey Application Version 1, 0, 0, 50
COMPAL ELECTRONIC INC. - TPTray Application Version 1, 0, 0, 15
Create and edit drawings, flow charts, and logos by using Draw.
Create and edit presentations for slideshows, meeting and Web pages by using Impress.
Create and edit scientific formulas and equations by using Math.
Create and edit text and graphics in letters, reports, documents and Web pages by using Writer.
DataLode, Inc. - RealConnect Agent Version 6.6.87
Dritek System Inc. - TOSHIBA Fn-esse Launcher Version 1, 0, 10, 1203
Intel(R) Common User Interface Version 6.14.10.4926
Intel(R) Matrix Storage Console Version 8.8.0.1009
Macrovision Corporation - InstallShield Version 11.50
Malwarebytes' Anti-Malware Version 1.41
Manage databases, create queries and reports to track and manage your information by using Base.
Microsoft (R) Windows Script Host Version 5.7.0.18066
Microsoft Corporation - Internet Explorer Version 8.00.6001.18702
Microsoft Corporation - Messenger Version 4.7.3001
Microsoft Corporation - Windows Installer - Unicode Version 3.1.4001.5512
Microsoft Corporation - Windows Movie Maker Version 2.1.4026.0
Microsoft Corporation - Windows® NetMeeting® Version 3.01
Microsoft Corporation - Zone.com Version 1.2.626.1
Microsoft Data Access Components Version 3.525.1132.0
Microsoft Open XML Converter Version 12.0.4518.1014
Microsoft(R) Windows Media Player Version 10.00.00.3646
Microsoft® .NET Framework Version 2.0.50727.3053
Microsoft® .NET Framework Version 3.0.6920.1427
Microsoft® Fax Server Version 5.2.1776.0
Microsoft® Works 9 Version 9.07.0613.0
OpenOffice.org 3.1
OpenOffice.org 3.1 Version 3.01.9420
Perform calculation, analyze information and manage lists in spreadsheets by using Calc.
Pinger
Sun Microsystems, Inc. - Java(TM) Platform SE 6 U16 Version 6.0.160.1
sweb.exe
Swupdtmr
Symantec AntiVirus Version 10.1.6.6000
Symantec Corporation - Client and Host Security Platform Version 104.0.13.2
Symantec Corporation - LiveUpdate Version 3.1.0.99
Symantec Corporation - SPBBC Version 2.3.0.2
Symantec SAVRoam Version 10.1.6.6000
Symantec Security Drivers Version 6.0
TAccessibility Application Version 1, 0, 0, 34
TOSHIBA - PC Diagnostic Tool Version 3, 2, 0, 0
TOSHIBA - Skype Version 1.0.0.0
TOSHIBA - TRDCLauncher Version 4, 0, 1, 3
TOSHIBA CO.,LTD. - HWSetup Version 1, 0, 0, 18
TOSHIBA CORPORATION - ConfigFree(TM) Tray Version 6, 0, 0, 0
TOSHIBA CORPORATION - ConfigFree(TM) Version 5, 9, 0, 0
TOSHIBA CORPORATION - ConfigFree(TM) Version 6, 0, 0, 0
TOSHIBA Corporation - Software Upgrades Version 4.0.0.3
TOSHIBA Corporation - TDCSrv Application Version 1, 0, 0, 5
TOSHIBA Direct Disc Writer Version 1.1.0.0
TOSHIBA HDD Protection Version 2.0.1.3
TOSHIBA Resources Page Version 1.0
TOSHIBA SD Memory Card Format Version 2, 3, 1, 9
TOSHIBA USB Sleep and Charge Version 1, 2, 0, 0
TOSHIBA USB Sleep and Charge Version 1.2.0.0
TOSHIBA Zooming Utility Version 2, 0, 0, 24

CLP
09-18-2009, 06:27 PM
I have not tried Symantec 11. The SAV version I have was supplied to me by my institution.

Also, I should note that Malwarebytes was not installed when I started having problems. The behavior of my computer was so odd after the Symantec installation (i.e. when I installed Symantec for the first time, alongside TF) that I thought that my copy of Symantec might be infected. I downloaded Malwarebytes to check it. (It came up clean.)

I also had CCleaner on my computer when I was having problems. Tech support here removed it, saying it might also be causing conflicts, although I can't really understand why.

Thanks again for your help.

ebennett
09-18-2009, 10:35 PM
This is quite interesting.

I'll look into this. What version of ThreatFire are you running? If you're trying 4.5, try 4.6, if you're using 4.6, does 4.5 have this issue, too?

-ebennett

CLP
09-27-2009, 10:44 PM
Sorry for the slow response.

I was running TF 4.5. I downloaded it on 9/9 or 9/10.

ebennett
09-28-2009, 06:07 PM
4.6.0.19 was released on the 24th of Sept.

Give this a shot, we've revamped a huge section of the software and it should have lots of increased protection and compatibility.

-ebennett