Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both


JM Safe

Level 38
Verified
Security has evolved and grown in the last few years, and there are now some products available (some of them free) which offer default deny protection. But let's discuss: is it better to use a traditional AV with a powerful signature engine, like Bitdefender and Kaspersky, or to use default deny software? There are pros and cons: default deny solutions can also block 0-day/unknown malware samples, but a con could be that if well-written malware manages to bypass the core of the default deny engine it can infect the PC; for example, malware could also kill the main process of the default deny software before it can block it. Luckily most security software has strong protection of its processes (if malware tries to kill a process it doesn't have the privileges, because of the critical process property). Traditional AVs, on the other hand, can block malware immediately, for example when the malware is downloaded or dropped, if it is detected by the signature engine. Honestly, with my config I really like and use Kaspersky Free; I would also like to try Comodo Firewall HIPS again (I tried it last time several months ago) but it seems there are still unsolved bugs which compromise the functionality of the product (correct me if I am wrong, but I remember Comodo has a bug which made the user rules get forgotten).
Obviously traditional AVs have also evolved a lot: now almost all of them have a heuristic engine to determine what a file does (its behaviour) and decide if it is malicious or safe. What do you think, guys? :);) Let's discuss the future of our configs!
 
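The "default deny" side of the question above can be reproduced with what Windows already ships: an AppLocker allowlist built from software you already trust, where anything unmatched is denied without needing a signature for it. The script below is an added example, not part of the original post or of any product mentioned in it; the directories, the sample path and the temp file location are assumptions, and it must run as Administrator on an edition that supports AppLocker enforcement.

```powershell
# Added example (not from the original post): build a default-deny AppLocker
# policy from known-good software, test an unknown binary against it, and deploy
# the policy in audit mode first. Paths below are assumptions for illustration.

# 1. Snapshot the executables, scripts and installers you already trust.
#    (DLL rules are left out on purpose: they multiply the rule count and the
#    DLL collection has to be enabled explicitly in the policy.)
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$trusted = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Prefer publisher (Authenticode) rules; fall back to a file-hash rule for
#    unsigned files. Everything not matched by any rule is denied by default.
$policyXml = $trusted |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit mode, so files that WOULD be blocked are only logged
#    (AppLocker event 8003) and you can find allowlist gaps before enforcing.
$auditXml   = $policyXml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'   # assumed location
$auditXml | Set-Content -Path $policyPath -Encoding UTF8

# 4. Test a never-seen, unsigned download against the policy. It matches neither a
#    publisher rule nor a hash rule, so the decision is DeniedByDefault: no
#    signature for the sample was needed to block it.
$sample = Join-Path $env:USERPROFILE 'Downloads\unknown-tool.exe'   # assumed path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply it. AppLocker evaluates nothing unless the Application Identity
#    service (AppIDSvc) is running; make it start at boot via Group Policy too.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# When the audit log is quiet, switch the collections to enforcement:
# ($policyXml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="Enabled"') |
#     Set-Content -Path $policyPath -Encoding UTF8; Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two practical caveats the thread touches on: an allowlist only helps if the trusted directories were clean when the snapshot was taken, and a publisher rule trusts every binary signed by that vendor, so a signed-but-malicious update still passes. The signature engine of a traditional AV is the layer that catches that second case.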

Inquisitive

Level 1
I've always avoided default deny. I've tried it before but blocking everything that's not whitelisted doesn't appeal to me. You have no way to know what's a virus and what's not without manual analysis, and it's too time-consuming to do that for every single item it blocks on a daily basis. It's more of a corporate sort of thing. A strong config is all you really need. If you wanted to be bulletproof then a Gryphon + a good AV + Heimdal is all you need.
 

Local Host

Level 23
Verified
I use default-deny because normal AV software consuming resources in the background is useless for me.
As long as you have safe habits and experience, you don't even need an AV in the first place (I actually ran Windows without any sort of AV for 10+ years and never got infected).
I like Kaspersky Free a lot too, I have it installed on my partner's laptop (also, you don't need the buggy Comodo Firewall, simply use the Windows Firewall with strict rules unless you're looking for the sandbox, because the HIPS on it sucks).
 
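"Windows Firewall with strict rules" in the post above means a default-deny outbound policy with a short per-program allowlist, which is exactly what stops an unknown dropper or a Meterpreter stage from calling home. The script below is an added example and not the poster's configuration; the program paths, ports and log location are assumptions, and it must run as Administrator.

```powershell
# Added example (not from the original post): Windows Defender Firewall as a
# default-deny outbound filter with a per-program allowlist. Run as Administrator.
# Program paths, ports and the log file are assumptions for illustration.

# 1. Block everything by default in every profile and log the drops, so a program
#    that tries to call home shows up in the log instead of silently succeeding.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 2. Plumbing the OS needs. DNS and DHCP run inside svchost.exe, so scope the
#    rules to the service instead of allowing every svchost instance.
New-NetFirewallRule -DisplayName 'Allow DNS UDP (Dnscache)' -Direction Outbound -Action Allow `
    -Service Dnscache -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName 'Allow DNS TCP (Dnscache)' -Direction Outbound -Action Allow `
    -Service Dnscache -Protocol TCP -RemotePort 53
New-NetFirewallRule -DisplayName 'Allow DHCP client' -Direction Outbound -Action Allow `
    -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -DisplayName 'Allow Windows Update' -Direction Outbound -Action Allow `
    -Service wuauserv -Protocol TCP -RemotePort 80, 443

# 3. Per-program allowlist: full path to the binary, TCP only, web ports only.
#    Anything not listed gets no outbound socket at all.
$allowed = @(
    @{ Name = 'Browser'; Path = 'C:\Program Files\Mozilla Firefox\firefox.exe';         Ports = 80, 443 }
    @{ Name = 'Mail';    Path = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'; Ports = 993, 587, 443 }
)
foreach ($app in $allowed) {
    New-NetFirewallRule -DisplayName "Allow $($app.Name)" -Direction Outbound -Action Allow `
        -Program $app.Path -Protocol TCP -RemotePort $app.Ports -Profile Any
}

# 4. Audit. Windows ships many enabled outbound allow rules; with the default set
#    to Block those still permit traffic, so review them and disable what you
#    don't recognise.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Sort-Object DisplayName | Select-Object DisplayName, Profile, Group

# 5. What has been dropped so far. In pfirewall.log an outbound drop is a line
#    with action DROP whose last field (path) is SEND.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log | Where-Object { $_ -match ' DROP .* SEND$' } | Select-Object -Last 20
}
```

The firewall only controls sockets, not execution: a sample that runs offline (ransomware, for instance) is untouched by it, which is why this pairs with an execution allowlist or an AV rather than replacing them.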

Moonhorse

Level 29
Verified
Content Creator
Well, I'm using Comodo Firewall as default deny. Everything untrusted will run as rejected.
I don't see any benefit in not using a free AV (AVG right now) along with it for web protection and on-demand scanning.

edit: my setup is currently:
- Windows Firewall hardened with SysHardener (max)
- Comodo Firewall (CS)
- AVG AntiVirus Free
It's a very light setup, and Comodo Firewall is stable for me.
I could add an antimalware + OSA or something; I really don't need it but it would stack on the current protection.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Some "traditional AVs" like Kaspersky also have TAM (not enabled by default), which is a "hybrid default-deny" :giggle:

Also Panda Dome has "Application Control" which may block unknown applications:
[screenshot: Panda Dome Application Control settings]
 

JM Safe

Level 38
Verified
> I've always avoided default deny. I've tried it before but blocking everything that's not whitelisted doesn't appeal to me. You have no way to know what's a virus and what's not without manual analysis, and it's too time-consuming to do that for every single item it blocks on a daily basis. It's more of a corporate sort of thing. A strong config is all you really need. If you wanted to be bulletproof then a Gryphon + a good AV + Heimdal is all you need.
Of course default deny is more for advanced users, but I agree with you and I like AVs more.
 

JM Safe

Level 38
Verified
> I use default-deny because normal AV software consuming resources in the background is useless for me.
> As long as you have safe habits and experience, you don't even need an AV in the first place (I actually ran Windows without any sort of AV for 10+ years and never got infected).
> I like Kaspersky Free a lot too, I have it installed on my partner's laptop (also, you don't need the buggy Comodo Firewall, simply use the Windows Firewall with strict rules unless you're looking for the sandbox, because the HIPS on it sucks).
You have at least WD if you use Windows 10, don't you?
 

Slyguy

Level 44
> Some "traditional AVs" like Kaspersky also have TAM (not enabled by default), which is a "hybrid default-deny" :giggle:
>
> Also Panda Dome has "Application Control" which may block unknown applications:

Some of the strongest aspects of Panda are its firewall, application control and protected folders. When tweaked, it should provide some impressive additional protection IMO.
 

JM Safe

Level 38
Verified
> Default-deny > AV
>
> AV for beginners, default-deny for people who understand Windows processes.
>
> Most AVs have default-deny modules; if not they would all be bypassed by 0-days.
Yes, but if the default deny module can be bypassed by malware then the signature engine would block the sample on the "creation" event of the file, not on execution; this is an important pro of using AVs over default deny solutions alone.
 

Deleted member 178

How can a real 0-day (not a crappy variant) be blocked by an engine when the said engine doesn't have any signature for it...

Or how will an engine prevent a meterpreter abused by an exploit from calling home?
If heuristics were so awesome we wouldn't have default-deny modules.

Signature engines are obsolete. They still exist because Average Joe doesn't know and can't handle better.
 

JM Safe

Level 38
Verified
> How can a real 0-day (not a crappy variant) be blocked by an engine when the said engine doesn't have any signature for it...
>
> Or how will an engine prevent a meterpreter abused by an exploit from calling home?
> If heuristics were so awesome we wouldn't have default-deny modules.
In my last post I wasn't talking about 0-days ;)