Default Deny VS traditional AVs

Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both

Results are only viewable after voting.
L

Local Host

Arequire said:
It's a double-edged sword. Default-deny integrated into AVs usually works off a massive whitelist so it makes it a lot more user friendly than something like VS or SAP. The problem is, if a malicious application triggers a block, the majority of the population would instantly allow the offending application to run and then be outraged when they got infected.

Happens with "advanced" users too. Drop a piece of malware called "GoogleUpdate.exe" onto an advanced user's system and watch them either allow it to execute because they assume it's legitimate or have a small panic attack while debating with themselves whether it's legitimate or not.
Click to expand...
Is not as hard as you state, specially if you have knowledge.
A malicious GoogleUpdate wouldn't have the Google Certificate, I don't let it run nor access the Internet anyway.
I update my Software manually, and only programs that really need the Internet have access to it (Browsers, Game Clients, etc.).
 
  • Like
Reactions: Sunshine-boy and ZeroDay
D

Deleted Member 3a5v73x

Arequire said:
Happens with "advanced" users too. Drop a piece of malware called "GoogleUpdate.exe" onto an advanced user's system and watch them either allow it to execute because they assume it's legitimate or have a small panic attack while debating with themselves whether it's legitimate or not.
Click to expand...
"Advanced" users who use default-deny don't make assumptions, they make sure in the first place that file they are about to execute is legitimate or not with other tools and manual inspection.
 
Last edited by a moderator:
  • Like
Reactions: InnoScorpio, AtlBo, Deleted member 178 and 2 others
5

509322

JM Security said:
@Lockdown correct me if I am wrong but you dislike Windows for security and then on your profile you have "From AppGuard", so a software which works on Windows OS...
Click to expand...

So what ?

What does my dislike of Microsoft and Windows have to do with my job ?

And my dislikes are in-line and shared by many in the industry.

I short Microsoft because it is no one's friend.
 
Last edited by a moderator:
  • Like
Reactions: Tiny
ZeroDay

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Arequire said:
It's a double-edged sword. Default-deny integrated into AVs usually works off a massive whitelist so it makes it a lot more user friendly than something like VS or SAP. The problem is, if a malicious application triggers a block, the majority of the population would instantly allow the offending application to run and then be outraged when they got infected.

Happens with "advanced" users too. Drop a piece of malware called "GoogleUpdate.exe" onto an advanced user's system and watch them either allow it to execute because they assume it's legitimate or have a small panic attack while debating with themselves whether it's legitimate or not.
Click to expand...
I agree hence the 'Not JUST for advanced users'
 
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
davisd said:
"Advanced" users who use default-deny don't make assumptions, they make sure in the first place that file they are about to execute is legitimate or not with other tools.
Click to expand...
You'd be surprised. I see it a lot with CF too; people complaining about how they don't know whether a file is safe or not when it's been put inside the sandbox. Happens less with default-deny but it's there if you look.
 
  • Like
Reactions: AtlBo and Moonhorse
RoboMan

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
This is turning into a war rather than an argument-based discussion... Remember guys, that Linux, Windows, antivirus or default deny, we all pursue the same goal of security and, on different levels, we all either achieve it or keep learning on our way to the top. Some may find, at this moment, AV more suitable for them, others may find default-deny solutions more suitable, and lastly some may find a combination of both as their best solution. There are no black or white, good or wrong here, it's more a matter of tastes. I switched to default deny not so long ago and I haven't had any trouble or infection with it. I used AV for years and I hadn't had any infection as well. Everything starts on our habits and our workspace, and what we do or aim to do. It's like, I don't know, secured hardware firewalls. There are great thousand of dollars routers that provide great security. Although, me as a home user would never spent so much money on them, because I don't need them nor will they actually make me "safer" on my condition as a home regular user. The best option varies on the kidn of user. :)
 
  • Like
Reactions: Nightwalker, Mahesh Sudula, AtlBo and 7 others
ZeroDay

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Pers
RoboMan said:
This is turning into a war rather than an argument-based discussion... Remember guys, that Linux, Windows, antivirus or default deny, we all pursue the same goal of security and, on different levels, we all either achieve it or keep learning on our way to the top. Some may find, at this moment, AV more suitable for them, others may find default-deny solutions more suitable, and lastly some may find a combination of both as their best solution. There are no black or white, good or wrong here, it's more a matter of tastes. I switched to default deny not so long ago and I haven't had any trouble or infection with it. I used AV for years and I hadn't had any infection as well. Everything starts on our habits and our workspace, and what we do or aim to do. It's like, I don't know, secured hardware firewalls. There are great thousand of dollars routers that provide great security. Although, me as a home user would never spent so much money on them, because I don't need them nor will they actually make me "safer" on my condition as a home regular user. The best option varies on the kidn of user. :)
Click to expand...
I'm glad you said it lol. Many threads seems to cause a clash of ego lol
 
  • Like
Reactions: Tiny, ForgottenSeer 72227 and RoboMan
D

Deleted Member 3a5v73x

Arequire said:
You'd be surprised. I see it a lot with CF too; people complaining about how they don't know whether a file is safe or not when it's been put inside the sandbox. Happens less with default-deny but it's there if you look.
Click to expand...
I won't even bother asking why someone should continue to use CF if they can't differentiate if a sandboxed file is legitimate or not. CF as default-deny with auto-containment enabled is popular here, still, I don't see a purpose of using it for an "Advanced" user system.
 
  • Like
Reactions: Mahesh Sudula, AtlBo, ForgottenSeer 72227 and 2 others
SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
davisd said:
I won't even bother asking why someone should continue to use CF if they can't differentiate if a sandboxed file is legitimate or not. CF as default-deny with auto-containment enabled is popular here, still, I don't see a purpose of using it for an "Advanced" user system.
Click to expand...
CF is one of the best if not the best free software but sadly is also the most buggy software out there with the worse support and atmosphere.
 
  • Like
Reactions: kylprq, Schank873, AtlBo and 6 others
L

Local Host

RoboMan said:
This is turning into a war rather than an argument-based discussion... Remember guys, that Linux, Windows, antivirus or default deny, we all pursue the same goal of security and, on different levels, we all either achieve it or keep learning on our way to the top. Some may find, at this moment, AV more suitable for them, others may find default-deny solutions more suitable, and lastly some may find a combination of both as their best solution. There are no black or white, good or wrong here, it's more a matter of tastes. I switched to default deny not so long ago and I haven't had any trouble or infection with it. I used AV for years and I hadn't had any infection as well. Everything starts on our habits and our workspace, and what we do or aim to do. It's like, I don't know, secured hardware firewalls. There are great thousand of dollars routers that provide great security. Although, me as a home user would never spent so much money on them, because I don't need them nor will they actually make me "safer" on my condition as a home regular user. The best option varies on the kidn of user. :)
Click to expand...
Let is die as it's a waste of time to argue about it unless both persons are open minded, plus it's off topic.
I sure ain't going to waste my time explaining and talking to a person who would never be open minded, they stuck with their way of thinking.
JM Security said:
Yes, more a software is sophisticated and then more is the possibility to have it buggy.
Click to expand...
That is right, but at the same time is not the reason why CF is so buggy, there's software way more sophisticated that has no problems, it goes down to the programmers being lazy or lacking knowledge.
Also by ignorance from the Publishers (Comodo).
 
  • Like
Reactions: ZeroDay, Deleted member 178, RoboMan and 1 other person
oldschool

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,697
Arequire said:
You'd be surprised. I see it a lot with CF too; people complaining about how they don't know whether a file is safe or not when it's been put inside the sandbox. Happens less with default-deny but it's there if you look.
Click to expand...

+1. I had issues with the blocked files, some of them Windows processes, not the sanboxed files. Happened often enough that I said "Bye bye Comodo!" Not exactly home user-friendly.
 
Last edited:
  • Like
Reactions: Sunshine-boy
5

509322

People should use what they like. They should use what works best for them on their specific system(s).

The drama that happens on the forums is largely a result of communications via posts that can be interpreted many different ways. In virtually 99 % of the cases, the intent and intended meaning of the post is lost or misinterpreted by the reader. People twist things within the context of a thread for a whole range of reasons.

When I post something, its intent and meaning is what I say it is... not how others interpret it. That's how written communications have worked since ape man started painting pictures on cave walls.
 
  • Like
  • Hundred Points
Reactions: kylprq, Tiny, ZeroDay and 3 others
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
No issues with updates :) with my double deny (AppLocker & ACL) with different users for different uses (programs) approach :)

Don't think Microsoft intended it to use it that way :) Every folder in Program Files has a deny with exception for its own signature. It is not as tight as hash based whitelist, but a lot easier to maintain (zero maintenance problems, everything updates fine).

1534888892028.png
 
Last edited:
  • Like
  • Wow
Reactions: kylprq, AtlBo, ZeroDay and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Windows_Security said:
No issues with updates :) with my double deny (AppLocker & ACL) with different users for different uses (programs) approach :)

Don't think Microsoft intended it to use it that way :) Every folder in Program Files has a deny with exception for its own signature. It is not as tight as hash based whitelist, but a lot easier to maintain (zero maintenance problems, everything updates fine).

View attachment 196357
Click to expand...
Most readers will not understand the idea. But this is simple. The picture on the right is related to making the light 'on demand sandbox' for the Firefox web browser and the shortcut to run it. This sandbox is simply another account for the user named Secure_Surfer (standard user type of account). When Firefox is running in that sandbox and has been exploited, then the payload is usually dropped somewhere in the %UserProfile% and cannot be executed due to ACL permissions for Secure_Surfer's account.
The next logical step would be adding some other restrictions for Secure_Surfer's account (via ACL or local policies) , like blocking: CMD shell, script interpreters (powershell.exe, powershell_ise.exe, wscript.exe, cscript.exe, mshta.exe, hh.exe) and some other vulnerable tools.

Similar 'on demand sandboxes' can be made for securing other vulnerable applications like MS Office, PDF viewers, etc. In fact, the similar idea was adopted in ReHIPS.
 
Last edited:
  • Like
Reactions: Windows_Security, endsecure, AtlBo and 5 others
D

Deleted member 178

Andy Ful said:
Similar 'on demand sandboxes' can be made for securing other vulnerable applications like MS Office, PDF viewers, etc. In fact, the similar idea was adopted in ReHIPS.
Click to expand...
Exact, which make sandboxing very tight and stable without requiring much maintenance or updates, opposed to other sandboxing mechanisms.
 
  • Like
Reactions: Brie, ZeroDay and Andy Ful

Similar threads

gfgtkitkat34
    • Wow
Kaspersky extreme settings vs default/optimal settings.
Replies
18
Views
761
Kaspersky
jamey910111
J
Shadowra
    • Like
    • +Reputation
    • Applause
App Review AhnLab v3 Lite Antivirus 2024
Replies
3
Views
466
Video Reviews - Security and Privacy
Khushal
Khushal
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Avira Pro Antivirus
Replies
12
Views
1,359
Video Reviews - Security and Privacy
bazang
bazang

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top