Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both

Results are only viewable after voting.
The more usable & universal will be the Chromebook, the more vulnerabilities can be found. I am afraid that compatibility with android apps opened the interesting attack vector for the malc0ders. :(
Google need to spend more resources on improving their moderation for the Google Play / Chrome Web Store. It's quite sad really. Google were on the road to become a trillionaire dollar company (or they've already accomplished it) and they don't seem to be capable of properly moderating their own digital markets... all the meanwhile, you can always spot them carrying out Anti-Trust behavior or spotting out flaws of other companies.

I hope they do something about it because many novice users will be under the impression that Google's digital software stores are safe and a family environment - just because it is Google. But that's far from the truth in reality.
 

Local Host

Level 23
Verified
The more usable & universal will be the Chromebook, the more vulnerabilities can be found. I am afraid that compatibility with android apps opened the interesting attack vector for the malc0ders. :(
Actually the door to malware was open further on Chromebook, Tutorial - Install Linux apps on Chrome OS (Chromebook)
It's not hard to create malware for the Chromebook, OSX and even Linux (way easier to exploit than Windows), as you said it only lacks market to make it worth the time.
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Andy Ful correct, but you know me, using ReHips would be to easy for someone who tweaks PC security and motorbikes :) I can waist saturdays on a row just fiddling with other needles in the carburetors my old Laverda of 1984
 

Attachments

  • laverda.png
    laverda.png
    853.5 KB · Views: 156
D

Deleted member 74454

She is a beginner in the security matter. She uses the computer for the standard tasks and does not install new programs. All updates are performed via Windows Updates, Microsoft store, and scheduled tasks. All applications are installed in 'Program Files' and can run only as standard user (elevation not allowed).
In the locked setup the user cannot install/run new executables and scripts. The scripts and executables are blocked by SRP in all locations, except: Windows, Program Files, and Windows Defender folders. The user (also exploits and payloads) cannot copy/change/replace files in Windows, Program Files and Windows Defender folders because that would require elevation.
I configured also Adguard DNS for safe web browsing. For viewing documents, I installed Universal Apps (Word Mobile, Excel Mobile, PowerPoint Mobile and Adobe Touch) which run in AppContainer. For document editing, I installed SoftMaker Office (no macro support or DDE vulnerability).
The identical setup is installed on my father's computer. He is a total beginner.
The locked SUA is silent and very secure. The user can run what is prepared for running. Everything can update without user intervention and the user has no problem with choosing between allow or block.
Maybe I'm wording this incorrectly
I'm going to rephrase this, as sometimes I fail to deliver my point accurately.

Would you place that kind of set up on a users machine that you may never see again, if they ran into trouble, and had no one around to help guide them through troubleshooting the security set up? If the obvious answer is no, then that kind of configuration is not good for average users and leads us back to knowledge and lack of.
 
Last edited by a moderator:

Andy Ful

Level 65
Verified
Trusted
Content Creator
@Andy Ful correct, but you know me, using ReHips would be to easy for someone who tweaks PC security and motorbikes :) I can waist saturdays on a row just fiddling with other needles in the carburetors my old Laverda of 1984
Nice motorbike.:giggle:
ReHIPS free would not be so effective for web browsers which use multi-processes. The free version has a limit of 10 sandboxed processes at a time.(y)

Edit.
The account-based-sandbox can be made more restrictive than ReHIPS sandbox. The user, for example, can disable the read access for the chosen folders and drives via ACL permissions.
 
Last edited:

Slyguy

Level 44
Actually the door to malware was open further on Chromebook, Tutorial - Install Linux apps on Chrome OS (Chromebook)
It's not hard to create malware for the Chromebook, OSX and even Linux (way easier to exploit than Windows), as you said it only lacks market to make it worth the time.

Linux on Chromebooks runs on a K-VM that was custom designed by Google. There won't be any escaping from that because it not only runs in isolation but there isn't any user space for it to escape to. I believe Android Apps on Chromebooks run in a Crostini and are under true isolation and untrusted mode with no user space access as well.

I am unaware of any demonstration of any Linux or Android malware circumventing the K-VM/Crostini on Chromebooks. There eventually could be something, but I highly doubt it. There is a reason Google wrote their own kernal VM and took so long to do it. Also, with verified boot, even if something crossed the isolation barrier, then the NML, then the second isolation barrier the VB would probably trigger an automatic powerwash and reimage.

Another good part - Google was the first to push meltdown/spectre mitigations, even in some cases, before the CVE came out. In other cases (like mine) they were never vulnerable due to the more recent ARM chips. I'm fully confident taking my Chromebooks anywhere, including high risk situations. It was generally thought 'almost' impossible to create an environment as secure as Chromebooks just a decade ago that wasn't a purpose designed defense department OS. HPUX, and some custom Linux Distros for govt. like Mandriva.

About the most Chromebook gets in terms of attacks are bad web pages or extensions. So the full instructions for malware removal on Chromebooks are 48 seconds. No tools, no toys, no on demand scanners.. Blah.

 
Last edited:

17410742

Level 4
We can agree, that for now, Chromebooks are much more secure than Windows machines.(y)
define secure.

Google literally steal every piece of privacy & personal info of yours.

Just this week alone, Incognito for Chrome is in the news for being completely useless & Google already being sued for location tracking even with it all turned off.

Once you add all your browsing, Contacts, passwords, documents, Photos, Videos etc - Secure isn't what id call it.

if you had a PC with 'malware' that was stealing all that, it wouldn't be called a secure computer
 

17410742

Level 4
We definetly have a different view on this, which is fine :)

most people dont have a clue what the TOS are or who Google are selling your data to - for that reason, it makes no difference at all who is taking all the data, its still being taken & used. (have you read them? - do you know where it all goes? - did you know you were still being tracked even with it all turned off?)

Facebook have already had their time in the news for such practices (more to come - FB are able to track users 24/7 even if account & app is deleted/deactivated), so has Twitter - ...keep an eye on the news in the next few months, expect more of Google (& Amazon) to be hitting the headlines for such privacy/data related breaches.

These companies are not offering security, you are the product they are selling.

Google is 'The Worst' of them all.

-----

To bring it back to the Topic, Deny all - Deny Everything.

Ive not used a traditional AV for a very long time now.

I recommend Qubes OS too.
 
Last edited:
5

509322

Mine too, it's called Chromebook. My life has become so simple these days, I have to create problems for myself

It's so awesome. I get to get out of the bug pool when using it. Just used it today for a few hours while waiting at a few appointments. Still had 7.75 hours left on the 10+ hour battery. Light, reliable, low-hassle. Have a problem ? Powerwash… within minutes. And reconfig the system takes minutes instead of hours. So, so awesome.
 
5

509322

Your post is not totally correct. When a new file is downloaded or modified, etc. There are different events: creation, modify, deletion, etc. AVs could have some methods (pieces of source code) that can handle each of those events. So AVs monitor each new files on the OS and a well written product should skip by default system files (but verifying that they aren't false system files, so malware hidden in critical folders such as
Code:
AppData, Win32, etc.

The general point that I made was that a lot of peoples' expectations are that an AV\IS will monitor everything on as well as everything happening on a system on a 100 % continuous basis - which they patently do not do. It's partly the reason that AVs don't effectively remediate pre-infected systems very well.

The other point is that the above unknowledgeable expectation is paranoia driven.
 

Slyguy

Level 44
It's so awesome. I get to get out of the bug pool when using it. Just used it today for a few hours while waiting at a few appointments. Still had 7.75 hours left on the 10+ hour battery. Light, reliable, low-hassle. Have a problem ? Powerwash… within minutes. And reconfig the system takes minutes instead of hours. So, so awesome.

Fun times. Agreed on battery life, it's incredible largely because it runs so clean and doesn't have bloatware, bloated apps, thousands of useless backend services, programs, dll's hogging it all up. Also, a Chromebook properly setup doesn't cost anymore privacy than using Chrome itself, and you can tweak Chrome to reduce your exposure, similar to Chromebook. It's actually far far less telemetry/data than Microsoft steals from Windows boxes.

I love this guys article, so true...

Goodbye Windows Update, hello Chromebook
 
Last edited:
D

Deleted Member 3a5v73x

Chromebook may be more secured, but Windows is more interesting with all tweaking possibilities, processes, options, AVs, bugs, etc. I am not going to spend on Chromebook anytime soon just because of the fact it's boring.

Let's stay on the topic guys.
 
Last edited by a moderator:

Andy Ful

Level 65
Verified
Trusted
Content Creator
...
Just this week alone, Incognito for Chrome is in the news for being completely useless & Google already being sued for location tracking even with it all turned off.

Once you add all your browsing, Contacts, passwords, documents, Photos, Videos etc - Secure isn't what id call it.
...
Google is secure like your bank. Your money is secured against everything except your bank.
There are always the privacy concerns when using the device connected to the Internet.
Why do you trust the Qube OS? Because no one said that the vendor gathers the private data.
So, you are in the position of the man who does not trust his government and choose to trust the private security firm with a good reputation.
In Google, you are protected by a kind of anonymity. In theory, one could gather a lot of information about you, but first, the seeker had to know who to seek from the billion possibilities. It is not profitable, so you are safe until you become famous.(y)
 

Andy Ful

Level 65
Verified
Trusted
Content Creator
Back to the topic. Using default-deny setup (no AV) has the advantage of not sending the private data to AV vendor. This is similar to healing the deep wounds at home, instead of the medical center.:giggle:

Edit.
That is why default-deny is so popular.;)
 
Last edited:
@Libera Milanesi if you read my post I wrote that @Lockdown post was not totally correct, not completely wrong and then I explained to him how AVs work.
I did read your post. Then I quoted your post and explained to you how it really works.

You can find the post here: Discuss - Default Deny VS traditional AVs

If you're interesting in educating yourself further, read the following from the official documentation:
FltRegisterFilter function
FltStartFiltering function
_FLT_REGISTRATION
_FLT_OPERATION_REGISTRATION
IRP_MJ_CREATE
IRP_MJ_WRITE
PFLT_PRE_OPERATION_CALLBACK
PFLT_POST_OPERATION_CALLBACK

There's more documentation and pointers if you seek it on MSDN and on other forums.

I think the words "Thank you" were in order, but that's okay, I can live with it.