Default deny vs. traditional AVs

Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both



JM Safe (Thread author)
Apr 12, 2015
Security has evolved and grown in the last few years, and now there are some products available (also free) which offer default-deny protection. But let's discuss: is it better to use a traditional AV with a powerful signature engine, like Bitdefender and Kaspersky, or to use default-deny software? There are pros and cons: default-deny solutions can also block 0-day/unknown malware samples, but a con could be that if a well-written malware manages to bypass the core of the default-deny engine, it can infect the PC; for example, a malware could also kill the main process of the default-deny software before it can block it. Luckily most security software has strong protection of its processes (if a malware tries to kill a process, it doesn't have the privileges because of the critical-process property). Traditional AVs, on the other hand, can block malware immediately, for example when the malware is downloaded or dropped, if it is detected by the signature engine. Honestly, with my config I really like and use Kaspersky Free; I would also like to try Comodo Firewall HIPS again (I last tried it several months ago), but it seems there are still unsolved bugs which compromise the functionality of the product (correct me if I am wrong, but I remember Comodo had a bug which made it forget the user's rules).
Obviously traditional AVs have also evolved a lot: now almost all of them have a heuristic engine to determine what a file does (its behaviour) and decide if it is malicious or safe. What do you think, guys? :);) Let's discuss the future of our configs!
 

Inquisitive
Oct 4, 2017
I've always avoided default deny. I've tried it before, but blocking everything that's not whitelisted doesn't appeal to me. You have no way to know what's a virus and what's not without manual analysis, and it's too time-consuming to do that for every single item it blocks on a daily basis. It's more of a corporate sort of thing. A strong config is all you really need. If you wanted to be bulletproof, then a Gryphon + a good AV + Heimdal is all you need.
 

Local Host

I use default-deny because a normal AV consuming resources in the background is useless for me.
As long as you have safe habits and experience, you don't even need an AV in the first place (I actually ran Windows without any sort of AV for 10+ years and never got infected).
I like Kaspersky Free a lot too; I have it installed on my partner's laptop (also, you don't need the buggy Comodo Firewall; simply use the Windows Firewall with strict rules, unless you are looking for the sandbox, because its HIPS sucks).
 

Moonhorse
May 29, 2018
Well, I'm using Comodo Firewall as default deny. Everything untrusted runs as rejected.
I don't see any benefit in not using a free AV (AVG right now) along with it for web protection and on-demand scanning.

Edit: my setup is currently:
- Windows Firewall hardened with SysHardener (max)
- Comodo Firewall (CS)
- AVG AntiVirus Free
It's a very light setup; Comodo Firewall is stable for me.
I could add an antimalware + OSA or something; I really don't need it, but it would stack on the current protection.
 

harlan4096 (Moderator, Staff Member, Malware Hunter)
Apr 28, 2015
Some "traditional AVs" like Kaspersky also have TAM (not enabled by default), which is a "hybrid default-deny" :giggle:

Also, Panda Dome has "Application Control", which may block unknown applications:
(screenshot)
 

JM Safe (Thread author)
> I've always avoided default deny. I've tried it before, but blocking everything that's not whitelisted doesn't appeal to me. You have no way to know what's a virus and what's not without manual analysis, and it's too time-consuming to do that for every single item it blocks on a daily basis. It's more of a corporate sort of thing. A strong config is all you really need. If you wanted to be bulletproof, then a Gryphon + a good AV + Heimdal is all you need.

Of course default deny is more for advanced users, but I agree with you and I like AVs more.
 

JM Safe (Thread author)
> I use default-deny because a normal AV consuming resources in the background is useless for me.
> As long as you have safe habits and experience, you don't even need an AV in the first place (I actually ran Windows without any sort of AV for 10+ years and never got infected).
> I like Kaspersky Free a lot too; I have it installed on my partner's laptop (also, you don't need the buggy Comodo Firewall; simply use the Windows Firewall with strict rules, unless you are looking for the sandbox, because its HIPS sucks).

You have at least WD if you use Windows 10, don't you?
 

ForgottenSeer 58943

> Some "traditional AVs" like Kaspersky also have TAM (not enabled by default), which is a "hybrid default-deny" :giggle:
>
> Also, Panda Dome has "Application Control", which may block unknown applications:

Some of the strongest aspects of Panda are its firewall, application control and protected folders. When tweaked, it should provide some impressive additional protection IMO.
 

JM Safe (Thread author)
> Default-deny > AV
>
> AV for beginners, default-deny for people who understand Windows processes.
>
> Most AVs have default-deny modules; if not, they would all be bypassed by 0-days.

Yes, but if the default-deny module can be bypassed by a malware, then the signature engine would block the sample on the "creation" event of the file, not at execution; this is an important pro of using AVs over default-deny-only solutions.
 
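As an added illustration (not code from this thread or from any of the products named in it), here is a toy Python model of the distinction JM Safe draws in the opening post and restates above: default-deny decides at execution time against an allowlist, while a signature engine decides as early as file creation against a known-bad list. The sample file contents, the download path, the publisher name and the detection name are all constructed for the demo.

```python
"""Toy model of the two strategies argued over in this thread: default-deny
(allow only what is explicitly trusted) versus a traditional signature engine
(block only what is already known-bad), and at which event each one acts.
All file contents, paths, hashes and publisher names are constructed for the
demo; nothing here is a real sample or a real vendor's logic."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for executables (plain bytes, not real binaries).
TRUSTED_EDITOR = b"MZ constructed trusted editor"
KNOWN_TROJAN = b"MZ constructed sample already in the signature database"
ZERO_DAY = b"MZ constructed sample nobody has a signature for yet"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What the user or vendor explicitly trusts: default-deny consults only this.
ALLOWLIST_SHA256 = {sha256(TRUSTED_EDITOR)}
TRUSTED_PUBLISHERS = {"Example Software Ltd"}  # assumed Authenticode-style publisher name

# What the AV vendor has already seen: the signature engine consults only this.
SIGNATURE_DB = {sha256(KNOWN_TROJAN): "Trojan.Constructed.A"}  # constructed detection name


@dataclass(frozen=True)
class FileEvent:
    kind: str                        # "create" (file written to disk) or "execute" (process start)
    path: str
    content: bytes
    publisher: Optional[str] = None  # None means unsigned


Verdict = str  # "allow", "block" or "ignore"


def default_deny(event: FileEvent) -> Verdict:
    """Default-deny acts at execution time and trusts only allowlisted code."""
    if event.kind != "execute":
        return "ignore"  # a file sitting on disk is inert until something runs it
    if sha256(event.content) in ALLOWLIST_SHA256 or event.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    return "block"       # unknown means untrusted, whether it is a 0-day or not


def signature_engine(event: FileEvent) -> Verdict:
    """A signature engine acts on create and execute but blocks only known-bad code."""
    if sha256(event.content) in SIGNATURE_DB:
        return "block"   # known sample: removed the moment it is dropped
    return "allow"       # unknown means "not detected", not "safe"


def layered(event: FileEvent) -> Verdict:
    """Both engines together: a block from either one wins."""
    if "block" in (default_deny(event), signature_engine(event)):
        return "block"
    return "allow"


ENGINES: Dict[str, Callable[[FileEvent], Verdict]] = {
    "default_deny": default_deny,
    "signature": signature_engine,
    "both": layered,
}


def evaluate(events: List[FileEvent]) -> Dict[str, List[Tuple[str, Verdict]]]:
    """Run the same create/execute chain past every engine.

    Returns {engine: [(event kind, verdict), ...]}; a chain stops at the first
    block, because a file blocked on creation never reaches the execute step.
    """
    results: Dict[str, List[Tuple[str, Verdict]]] = {}
    for name, engine in ENGINES.items():
        trail: List[Tuple[str, Verdict]] = []
        for ev in events:
            verdict = engine(ev)
            trail.append((ev.kind, verdict))
            if verdict == "block":
                break
        results[name] = trail
    return results


def drop_and_run(content: bytes, publisher: Optional[str] = None) -> Dict[str, List[Tuple[str, Verdict]]]:
    """Model a download (create) followed by the user double-clicking it (execute)."""
    path = r"C:\Users\demo\Downloads\invoice.exe"  # constructed path
    return evaluate([FileEvent("create", path, content, publisher),
                     FileEvent("execute", path, content, publisher)])


if __name__ == "__main__":
    for label, sample, pub in (("known trojan", KNOWN_TROJAN, None),
                               ("zero-day", ZERO_DAY, None),
                               ("trusted editor", TRUSTED_EDITOR, "Example Software Ltd")):
        print(f"{label}:")
        for engine, trail in drop_and_run(sample, pub).items():
            print(f"  {engine:13s} {trail}")
```

Running it shows the trade-off on one screen: the known sample is stopped by the signature engine at the create event, before default-deny ever sees an execute; the constructed 0-day sails past the signature engine at both events but is blocked by default-deny at execute; the allowlisted editor runs under every engine. The model deliberately says nothing about heuristics or self-protection of the security process, which the thread also raises; it only shows which list each engine trusts and when that list is consulted.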

Deleted member 178

How can a real 0-day (not a crappy variant) be blocked by an engine when said engine doesn't have any signature for it?

Or how will an engine prevent a meterpreter abused by an exploit from calling home?
If heuristics were so awesome, we wouldn't have default-deny modules.

Signature engines are obsolete. They still exist because Average Joe doesn't know better and can't handle better.
 

JM Safe (Thread author)
> How can a real 0-day (not a crappy variant) be blocked by an engine when said engine doesn't have any signature for it?
>
> Or how will an engine prevent a meterpreter abused by an exploit from calling home?
> If heuristics were so awesome, we wouldn't have default-deny modules.

In my last post I wasn't talking about 0-days ;)
 