Default Deny VS traditional AVs

Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both



AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
If Comodo Firewall had fewer bugs, I would use it alongside Kaspersky Free.

Has anyone done an efficacy test of Comodo recently? Maybe these tests aren't the most helpful in terms of protection value (somewhat random samples of questionable danger), but everyone knows what Comodo does and how it blocks almost everything unsigned (or contains it). What about 1000 malware samples in 20 minutes or whatever? I would like to see this kind of test for the latest version of Comodo, just because of the quirkiness and bugginess. Having not seen a bypass of its protection scheme, I wonder if it could be bypassed with extremely heavy and intricate activity on a PC.

For now, I am going with Comodo Firewall and OSArmor. I think of this combination as default deny, given the way Comodo uses the TVL for containment. Only the cloud gets any say but almost exclusively only for allows. C-L allows seem kind of rare to me...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Security has evolved and grown in the last few years; now some products (also free) are available which offer default-deny protection. But let's discuss: is it better to use a traditional AV with a powerful signature engine, like Bitdefender and Kaspersky, or to use default-deny software? There are pros and cons: default-deny solutions can also block 0-day/unknown malware samples, but a con could be that if a well-written malware manages to bypass the core of the default-deny engine it can infect the PC; for example, a malware could also kill the main process of the default-deny software before it can block it. Luckily most security software has strong protection of its processes (if a malware tries to kill a process, it doesn't have the privileges because of the critical process property). Traditional AVs, on the other hand, can block malware immediately, for example when the malware is downloaded or dropped, if it is detected by the signature engine. Honestly, with my config I really like and use Kaspersky Free; I would also like to try Comodo Firewall HIPS again (I tried it last time several months ago), but it seems there are still unsolved bugs which compromise the functionality of the product (correct me if I am wrong, but I remember Comodo has a bug which made the user rules get forgotten).
Obviously traditional AVs have also evolved a lot: now almost all software has a heuristic engine to determine what a file does (its behaviour) and decide if it is malicious or safe. What do you think, guys? :);) Let's discuss the future of our configs!
Hi, it's an interesting poll. Could you maybe add a third choice, for people (like me) who use both AV and default/deny?
It would also be an appropriate choice for people using Kaspersky TAM or other hybrid solutions.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
I do not think that either are really "better"; I think it depends on your requirements as a user. There's nothing stopping someone from accompanying a default-deny approach with signature/signature-less (potentially both) either as long as they work well together.

Whether a default deny, Anti-Virus/Internet Security (or both) combination is for you depends entirely on you as a user and your requirements. It depends on the entire configuration - that is how I feel about it.

EDIT: I went off-topic and revoked those parts, leaving my pure opinion between a default deny and Anti-Virus approach.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
A weakness of traditional default-deny would be web-based file-less attacks.
Most, if not all, of the popular default/deny solutions have protection for the vulnerable processes commonly used in fileless attacks. This may not be implied by the name "default/deny", but it is the defacto standard.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Most, if not all, of the popular default/deny solutions have protection for the vulnerable processes commonly used in fileless attacks. This may not be implied by the name "default/deny", but it is the defacto standard.
You're right about that. I wasn't referring to the use of vulnerable processes but it's okay. That's a great point by the way, and vulnerable processes being closely watched by default deny solutions was always a great idea from the start in my humble opinion.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
I do not think that either are really "better"; I think it depends on your requirements as a user. There's nothing stopping someone from accompanying a default-deny approach with signature/signature-less (potentially both) either as long as they work well together.

Whether a default deny, Anti-Virus/Internet Security (or both) combination is for you depends entirely on you as a user and your requirements. It depends on the entire configuration - that is how I feel about it.

I feel that most advanced users are going to lean towards the default deny side which is natural from my POV and expected. If you have a trained eye and know what you're doing, it would be of no surprise at all and would make complete sense.


A weakness of traditional default-deny would be web-based file-less attacks.

It is obviously not as common as it used to be, and exploit kits, for one, have declined in the wild and only crop up every now and then, but it is still possible. As long as the attack stays file-less after code execution can be achieved by the attacker (e.g. under the context of the browser process), then damage can be done. Most traditional web browsers rely on a sandbox container nowadays (e.g. AppContainer or a custom implementation) to reduce the damage that can be done should the browser process become compromised during a session.

Features like Site Isolation in Google Chrome (or the equivalent for other web browsers) are an extra safeguard layer against Spectre exploitation (it won't prevent the attack, but it will reduce the damage that can be achieved in the event of exploitation where memory theft of the browser session data is concerned, through JavaScript for example).

The Google Chrome v8 engine was exploited a while ago and there are other vulnerabilities documented for it in a GitHub article. A PoC and being used in the wild are two very different things, though. You need to be capable of leveraging the vulnerability to its full potential to make the most of it, and that is after you've discovered enough to replicate the vulnerability (which would still require a good skill set for any good vulnerability). On top of all of this, you'd need to do it all within the time window before it is fixed and still find a trigger (e.g. an e-mail to be opened if it's for an e-mail client, or a website which loads a malicious script to initiate the exploit deployment, etc.).


This is extremely unlikely as long as the default deny solution has been built properly using the same practices which Anti-Virus vendors have been using for the last decade. Microsoft intentionally went out of their way to provide a reliable way for Anti-Virus vendors to filter process creation, and these techniques are free for anyone else to use (it isn't limited to Anti-Virus vendors only) as long as they are willing to go down the path of developing and distributing kernel-mode software, which comes with its own pick of cherry bones.

In fact, all of the well-known and reliable default deny solutions on the market that I know of will use the exact same technique/s I am referring to - it is the lesser-known and cheaper-resource ones you want to watch out for because they may do it wrong and bite you in the back when you need it to work the most. If you want to find out more about process creation filtering, you can reach out to Microsoft employees on developer forums they are available at or go through the official documentation. The official documentation... can mess you around sometimes for many things, Microsoft seem to lack documentation for some things they had documented in the past as well, so watch out for that sneaky behavior.


If COMODO products work well for you then you're extremely lucky. Some people have managed to use it as their primary solution with the auto-sandbox for several years and have run into no issues whatsoever... it is rare but not completely unheard of. I've heard of one or two people who've really had an amazing experience like that.

I've gone a bit off-topic in my response. If anyone feels uncomfortable about this, do not hesitate to let me know and I'll be able to edit the post.

Thank you for starting this nice topic, I'll be sitting in the background now spectating how the opinions play out on the topic question. I'm curious to see what the majority will prefer between a default deny or Anti-Virus approach.
Yes, I wrote my opinions in the thread; obviously I also used default deny alongside AVs (both) in the past, and now I'm trying a different config. Of course bypassing a good default deny product should be really difficult, but it can happen. A thing I didn't mention in the thread (but it is in my config) is that I always use Sandboxie Free to surf (this reduces the percentage of infection possibility); also, with Kaspersky Free I enabled Kaspersky Security Network to also improve the percentage of detection. The default deny solutions I used in the past were Comodo Firewall and SRP.
 

509322

You're right about that. I wasn't referring to the use of vulnerable processes but it's okay. That's a great point by the way, and vulnerable processes being closely watched by default deny solutions was always a great idea from the start in my humble opinion.

If Microsoft would just remove the garbage, then there wouldn't be the ongoing security issues. Like .NET Framework. A cesspool of security threats way worse than Adobe Flash.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
You're right about that. I wasn't referring to the use of vulnerable processes but it's okay. That's a great point by the way, and vulnerable processes being closely watched by default deny solutions was always a great idea from the start in my humble opinion.
Vulnerable processes include cmd.exe, wscript.exe, cscript.exe, cipher.exe (CMD command that can be used to perform encryption), etc.
 
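The quoted post above describes how default-deny products sit on the OS process-creation notification and let an image run only when something explicitly vouches for it, and this post lists the "vulnerable processes" (cmd.exe, wscript.exe, cscript.exe, cipher.exe) that such products additionally watch. The following is an added illustration of that decision logic, written for this thread; it is not code from Comodo, OSArmor, SRP or any other product, and every trust list, path, hash and event in it is a constructed sample. It serves both passages: unknown/unsigned images are denied (or contained, Comodo-style) by default, while a vulnerable interpreter is blocked specifically when a browser or Office application spawns it, even though the interpreter itself is signed by a trusted publisher.

```python
"""Toy default-deny process-creation filter (added illustration, not vendor code).

Models the decision a default-deny product makes each time the kernel notifies
it of a new process: run the image only if an explicit rule vouches for it
(hash, trusted publisher, or an SRP-style path rule), otherwise deny or contain.
It also applies the "vulnerable process" rule discussed in the thread: cmd.exe,
wscript.exe, cscript.exe, cipher.exe and friends may run on their own, but not
when an internet-facing parent (browser, mail client, Office app) spawns them.
All policy data and events below are constructed samples.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# --- policy (constructed; a real product ships or cloud-syncs these) ----------
TRUSTED_PUBLISHERS = {"microsoft windows", "mozilla corporation"}  # like a trusted-vendor list
TRUSTED_HASHES = {
    # SHA-256 of one specifically approved binary (made-up value)
    "3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855a",
}
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\")  # SRP-style path rules
VULNERABLE_PROCESSES = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cipher.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
}
INTERNET_FACING = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe",
                   "winword.exe", "excel.exe", "acrord32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str                 # full path of the new process's image file
    parent: str                # full path of the creating process
    publisher: Optional[str]   # Authenticode signer name, None if unsigned
    sha256: str                # hash of the image file


def _base(path: str) -> str:
    # Windows paths are case-insensitive; normalise before matching.
    return ntpath.basename(path).lower()


def decide(ev: ProcessEvent, unknown_action: str = "deny") -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'contain'."""
    image, parent = _base(ev.image), _base(ev.parent)

    # 1. Parent/child rule first: a signed, trusted cmd.exe is still blocked
    #    when a browser or Office app launches it, because that is the usual
    #    next step of a fileless attack and publisher trust says nothing about it.
    if image in VULNERABLE_PROCESSES and parent in INTERNET_FACING:
        return "deny", f"vulnerable process {image} spawned by {parent}"

    # 2. Strongest evidence: this exact file was approved.
    if ev.sha256.lower() in TRUSTED_HASHES:
        return "allow", "hash on allowlist"

    # 3. Publisher trust (assumes the signature was already validated upstream).
    if ev.publisher and ev.publisher.lower() in TRUSTED_PUBLISHERS:
        return "allow", f"signed by trusted publisher {ev.publisher}"

    # 4. Path rule: weakest, because anything able to write under the prefix
    #    inherits trust; kept because SRP-style policies work this way.
    if ev.image.lower().startswith(TRUSTED_PATH_PREFIXES):
        return "allow", "image under trusted path"

    # 5. Nothing vouched for it: default deny (or contain it, Comodo-style).
    return unknown_action, "no rule matched: unknown/unsigned image"


# --- constructed sample events -----------------------------------------------
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "Microsoft Windows", "aa" * 32),
    ProcessEvent(r"C:\Users\bob\Downloads\invoice.exe", r"C:\Windows\explorer.exe",
                 None, "bb" * 32),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "Microsoft Windows", "cc" * 32),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "Microsoft Windows", "cc" * 32),
    ProcessEvent(r"C:\Program Files\SomeTool\tool.exe", r"C:\Windows\explorer.exe",
                 None, "3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855a"),
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 None, "dd" * 32),
]


def evaluate_all(events=SAMPLE_EVENTS, unknown_action: str = "deny") -> list[tuple[str, str, str]]:
    """Evaluate events in order and return (image, verdict, reason) triples."""
    return [(ev.image, *decide(ev, unknown_action)) for ev in events]


if __name__ == "__main__":
    for image, verdict, reason in evaluate_all():
        print(f"{verdict:8} {image}  ({reason})")
```

The rule order matters: the parent/child check runs before any allow rule, otherwise the trusted-publisher rule would wave through `cmd.exe` launched by WINWORD.EXE, which is exactly the case the "vulnerable process" protection exists for. Switching `unknown_action` to `"contain"` gives the Comodo-style behaviour where unknown files run inside a sandbox instead of being refused outright.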

ForgottenSeer 58943

Hmm, I think only paid; I have a Premium license...

Yup, premium Panda has all sorts of goodness in it.

I was able to successfully lock down a system with Panda from an impressive array of threats using the Application Control and Protected Folders, as well as granular policy control from the firewall providing impressive firewall functionality. Speaking of the firewall, it's actually impressive and with some knowledge of how policy cascades work, it can be EXTREMELY effective. (even surpassing Symantec's firewall) The only issue I had was a bug where if you tossed additional threats at it, the product would start to drag down system performance and possibly cause a freeze.

We're set to re-test Panda in the work lab this week, and I will mirror some of the tests at home. I am hoping they addressed the bugs I reported back then. I had a lot of fun tweaking it to offer a level of protection most people didn't expect Panda capable of. :)
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
If Microsoft would just remove the garbage, then there wouldn't be the ongoing security issues. Like .NET Framework. A cesspool of security threats way worse than Adobe Flash.
.NET Framework is necessary to run several pieces of software that can be really useful and important for a lot of users.
 

Inquisitive

Level 1
Verified
Oct 4, 2017
20
In my opinion, as long as you understand what you're doing and you don't really download a ton of fishy pirated stuff then you'll be A-OK with a default deny. I believe that if someone were to regularly be involved in risky activity this would be counterproductive as they would never really know what's malicious or not. Otherwise, if you are a careful user, default deny works just fine. It blocks a lot of malicious payloads from being delivered that you may have not known about. Also, if you're not downloading massive amounts of stuff, it's quite easy to throw something into virustotal or hybrid-analysis if you're worried. And this doesn't even require you to understand reverse engineering.
 
