Default Deny VS traditional AVs

Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both


Results are only viewable after voting.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How should we define the following; Ae they "Default-Deny"?
  • Browser blocks a malicious download
  • Extension prevents access to a phishing website
  • Unable to install program due to account permissions (or see image).
In this thread, we are talking about execution default-deny. The 'default-deny' is also commonly used in the context of the network traffic.
The most common definition of execution default-deny setup would be as follows:
The crucial system processes and processes whitelisted by the user are allowed to run. Other processes are not allowed to run. Additionally, there can be some restrictions for DLLs or files that may have active content (scripts, scriptlets, documents with macros, etc.).

Some users may extend the above to include processes not blocked but ran restricted/isolated in the kind of sandbox.

The examples:
  • Browser blocks a malicious download
  • Extension prevents access to a phishing website
are not default-deny (even not for network traffic). In fact, they are default-allow with the blacklist. The blacklist contains signatures of malicious files and URLs of phishing websites.

The example "Unable to install program due to account permissions" is not default-deny too, because the user can run any executable that was downloaded outside the browser (no MOTW attached). The above protection is an Anti-Exe feature that can prevent users from installing any application outside Microsoft store, but the application has to be downloaded via the web browser or another online service that marks files with MOTW (MOTW = Mark Of The Web).

Also, Windows SmartScreen is not default-deny, because it uses MOTW, too. Probably, it would not be wrong to say that SmartScreen is based on default-deny feature for files with MOTW + whitelisting all files with a good reputation in Microsoft cloud.

Avast set to Hardened Mode Aggressive can be a kind of smart default-deny. The 'smart' means that the user additionally allows all executables that have a good reputation in the Avast cloud. All, not reputable executables will be blocked by default (even not malicious).

Windows SRP (Software Restriction Policies) can be set either to default-allow or default-deny.
The default-allow SRP setup was adopted in CryptoPrevent and some other Anti-Ransomware applications. The default-deny setup was adopted (recommended settings) in Hard_Configurator and Simple Software Restriction Policies.

Comodo Firewall (CS settings) can be considered as default-deny based on highly restricted sandbox. If one uses File Lookup, then it is a smart default-deny.
Anti-Exe applications (VoodooShield set to ON, NVT ERP) can be considered as default-deny setup.

AppGuard is default-deny SRP setup (based on 3rd party driver). In addition, it uses the Guarded Applications feature, which is a kind of isolation light sandbox for vulnerable processes.
 
Last edited:
D

Deleted member 74454

There are not many traditional stand alone AV's left, most are now accompanied by other modules.

I see both used by advanced users, simply because it requires knowledge to navigate and understand advanced features of your AV's and also configuring default deny applications. Both of which can be fine for beginners (once set up) until they run into an issue, in which case both would become a problem for them.

While default deny would appear to be better suited for beginners, one thing to keep in mind is most of them will not remove an infection, only block it from executing, where as your AV's upon detection will quarantine/remove. If those beginners have someone on speed dial to remove and adjust default deny, they would be fine, otherwise I would state AV's would be best for them, although determining legit files from false positives again would be quite the challenge for beginners, so really, there is no easy answer to this, except knowledge. Teaching the beginners.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
While default deny would appear to be better suited for beginners, one thing to keep in mind is most of them will not remove an infection, only block it from executing, where as your AV's upon detection will quarantine/remove
....
It would be hard for many beginners to safely use default-deny setup. The exception could be the people who do not install new applications. Also in some cases, the configuration of default-deny setup may be hard even for more experienced users, especially when they use programs installed in the Userspace or external devices which run configuration/diagnostic/update scripts. Also, some web browser extensions and wrapped applications can cause problems in default-deny setup.
The best for beginners would be smart default-deny setup (based on file reputation), supervised occasionally by the advanced user.
If the beginners (in the home environment with well-updated system/software) use smart default-deny with blocked scripts and disabled active content for documents, then the chance to be infected is very very small. When using only AV solution, many infections are removed only partially. The chance of it is probably much greater than being infected when using smart default-deny.
 
Last edited:
D

Deleted member 74454

It would be hard for many beginners to safely use default-deny setup. The exception could be the people who do not install new applications. Also in some cases, the configuration of default-deny setup may be hard even for more experienced users, especially when they use programs installed in the Userspace or external devices which run configuration/diagnostic/update scripts. Also, some web browser extensions and wrapped applications can cause problems in default-deny setup.
The best for beginners would be smart default-deny setup (based on file reputation), supervised occasionally by the advanced user.
If the beginners (in the home environment with well-updated system/software) use smart default-deny with blocked scripts and disabled active content for documents, then the chance to be infected is very very small. When using only AV solution, many infections are removed only partially. The chance of it is probably much greater than being infected when using smart default-deny.
Even the simplest security requires knowledge. There are downsides to both methods for those lacking.

If you were to look at computer security as a responsibility, which it most certainly is, as a user can effect others as much as themselves, then the requirements should be placed to learn basics.

One would simply not place a new driver in a vehicle without them learning to safely operate it.

We could debate the pros and cons of both methods, and in the end, it would balance out and directly point to the best method, which is helping beginners learn basics and also the applications of their choice.

Even with a beginner using default deny that does not download, there is always product and operating system updates and upgrades, which today, are a constant, and would completely over whelm a beginner.
 
Last edited by a moderator:
5

509322

In this thread, we are talking about execution default-deny. The 'default-deny' is also commonly used in the context of the network traffic.
The most common definition of execution default-deny setup would be as follows:
The crucial system processes and processes whitelisted by the user are allowed to run. Other processes are not allowed to run. Additionally, there can be some restrictions for DLLs or files that may have active content (scripts, scriptlets, documents with macros, etc.).

Some users may extend the above to include processes not blocked but ran restricted/isolated in the kind of sandbox.

The examples:
  • Browser blocks a malicious download
  • Extension prevents access to a phishing website
are not default-deny (even not for network traffic). In fact, they are default-allow with the blacklist. The blacklist contains signatures of malicious files and URLs of phishing websites.

The example "Unable to install program due to account permissions" is not default-deny too, because the user can run any executable that was downloaded outside the browser (no MOTW attached). The above protection is an Anti-Exe feature that can prevent users from installing any application outside Microsoft store, but the application has to be downloaded via the web browser or another online service that marks files with MOTW (MOTW = Mark Of The Web).

Also, Windows SmartScreen is not default-deny, because it uses MOTW, too. Probably, it would not be wrong to say that SmartScreen is based on default-deny feature for files with MOTW + whitelisting all files with a good reputation in Microsoft cloud.

Avast set to Hardened Mode Aggressive can be a kind of smart default-deny. The 'smart' means that the user additionally allows all executables that have a good reputation in the Avast cloud. All, not reputable executables will be blocked by default (even not malicious).

Windows SRP (Software Restriction Policies) can be set either to default-allow or default-deny.
The default-allow SRP setup was adopted in CryptoPrevent and some other Anti-Ransomware applications. The default-deny setup was adopted (recommended settings) in Hard_Configurator and Simple Software Restriction Policies.

Comodo Firewall (CS settings) can be considered as default-deny based on highly restricted sandbox. If one uses File Lookup, then it is a smart default-deny.
Anti-Exe applications (VoodooShield set to ON, NVT ERP) can be considered as default-deny setup.

AppGuard is default-deny SRP setup (based on 3rd party driver). In addition, it uses the Guarded Applications feature, which is a kind of isolation light sandbox for vulnerable processes.

The recurring issue that is raised over-and-over is that default-deny does not tell the user what to do. A lot of the people that gravitate towards default-allow solutions are those that are paranoid and feel the need to inspect everything. The funny part is that they don't realize that the AV is not inspecting all files on the system against signatures or monitoring the files at all. In short, they don't know how AVs work for optimization and conservation of system resources. They think the AV is carefully monitoring every single thing on the system, when it isn't.
 
L

Local Host

The recurring issue that is raised over-and-over is that default-deny does not tell the user what to do. A lot of the people that gravitate towards default-allow solutions are those that are paranoid and feel the need to inspect everything. The funny part is that they don't realize that the AV is not inspecting all files on the system against signatures or monitoring the files at all. In short, they don't know how AVs work for optimization and conservation of system resources. They think the AV is carefully monitoring every single thing on the system, when it isn't.
Anti-Virus can monitor every single thing if they're configured that way.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Even with a beginner using default deny that does not download, there is always product and operating system updates and upgrades, which today, are a constant, and would completely over whelm a beginner.
The locked system (no new installations), can be initially configured by an advanced user to allow system updates/upgrades and software auto-updates (in most cases). That is not a big deal when using SRP default-deny.
Also on Windows 10, there are some very useful Universal Applications (auto-update is made without UAC prompt).
The updates of desktop applications can often trigger UAC prompt, but in many cases that can be solved by forcing updates via scheduled tasks.
Finally, the beginner can use the very silent and secure setup.

When using scheduled tasks for software updates, default-deny can be set to block the elevation of all processes on SUA (via UAC setting), because most applications can run as standard user without elevation.
My wife uses such locked setup for a few years without any problem.
 
Last edited:
D

Deleted member 74454

My wife uses such locked setup for a few years without any problem.
The question would be at this point, could she do so without you being there, ever...

My significant other uses a highly tweaked system as well, but only because i'm there to help when she needs it, this would not be ideal if she lived on her own.

Even default deny applications have bugs/issues that do not always work out as intended, and can be a problem, just as FP's would be using Av's/suites, or partial removals as you stated. I have used both, and seen issues with both that would irritate a normal user beyond belief.

It is easy for anyone, in any profession, to forget what being a beginner at it is like, and how over whelming it can be. Most are doing good to get the browser open and access their emails. I still state teaching knowledge is the best answer to both.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
The funny part is that they don't realize that the AV is not inspecting all files on the system against signatures or monitoring the files at all. In short, they don't know how AVs work for optimization and conservation of system resources. They think the AV is carefully monitoring every single thing on the system, when it isn't.
Your post is not totally correct. When a new file is downloaded or modified, etc. There are different events: creation, modify, deletion, etc. AVs could have some methods (pieces of source code) that can handle each of those events. So AVs monitor each new files on the OS and a well written product should skip by default system files (but verifying that they aren't false system files, so malware hidden in critical folders such as
Code:
AppData, Win32, etc.
A monitor could be done like this (it is only an example):

Code:
public bool creationEvent()
{
string filePath=component.getEventFullPath();
bool b = scan(filePath);
return b;
}
So yes an AV well developed monitors all files.
 
  • Like
Reactions: roger_m and AtlBo
F

ForgottenSeer 58943

My wife uses such locked setup for a few years without any problem.

Mine too, it's called Chromebook. My life has become so simple these days, I have to create problems for myself

Military tanks and certain ics works like that. EvilGrade can hack windows systems via OTA. Theres also some nasty APT's out there using this method on windows android and ios. WSUS is the way to go in high secure environments. But thats expensive and only feasible for certain agencies/entities. I lknow that MOSSAD runs like that.

We (at work) run on VDI's with redirects over an encrypted EOC behind a double layered NGFW environment with WSUS and a heavy handed active HA with hot spares. Not just for high security, but for corporations working on important things that need some sort of reasonable guarantee of functionality and privacy. Windows proper, can be hacked in so many ways that it defies explanation. Hence the VDI's with realtime desktop regeneration on shutdown and other things. Even then, we don't have any great illusions of privacy with anything involved with the Windows Infrastructure and act accordingly - as if it was already compromised.

Plugging up windows is like a kid sticking fingers into a leaking dam.
 
F

ForgottenSeer 58943

The cost of the hack must be less that the ROI:) If you can make it really expensive beyond their gain. You've already won. Cheers to that!

Although there are too many holes, we can manage them if your good at what you do.

Correct, it requires a single pane of glass, with people trained(or experienced) to spot anomalies.

One company I know, I can't name them other than to say they make impressive vacuum cleaners and stuff - they use a full Linux environment with self-destructing bootable Linux terminals using custom linux servers with on-prem linux security engineers and automated daily security audits on every station. Need to say - we've never heard of them ever having a single compromise, a single piece of malware, or any sort of incidents. It's sort of a thing of beauty quite honestly, and I am envious of all of it.

Life is pretty easy security wise outside of Windows environments. Within them, as you said, it's a matter of the ROI.

At home I've migrated 100% of my network off Intel first and foremost, and about 90% has been migrated away from Windows. We've got some embedded systems (IoT), some Debian, maybe a BSD or two, a good number of Chromebooks, then some AndroidOS junk. 3 gaming rigs running Win10 remain in the mix and quite honestly, as long as they are isolated on a VLAN I don't really care too much about them anymore. Any old AV and some lockdowns works fine for them.

My threat surface has reduced so significantly, I am pretty confident I could/can downscale my gateway protection significantly as a result. I personally only fire up a Windows box for gaming, the other 98% of the time I am on Chromebook or Debian devices and not giving a crap about security.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Your post is not totally correct. When a new file is downloaded or modified, etc. There are different events: creation, modify, deletion, etc. AVs could have some methods (pieces of source code) that can handle each of those events. So AVs monitor each new files on the OS and a well written product should skip by default system files (but verifying that they aren't false system files, so malware hidden in critical folders such as
It depends on the Anti-Virus product and how the vendor has implemented the components.

Lockdown's point in general is that people expect too much of the security solution they are using... which is what happens. It could be something from a book about Greek mythology. Next there will be rumors of Anti-Virus products having several snake heads popping out the screen to guard you from real-life threats.

Decent Anti-Virus products will be using a Filesystem Mini-Filter device driver which will leverage the Filter Manager (fltMgr.sys) to register callbacks for IRP_MJ_CREATE, IRP_MJ_WRITE and any other I/O request packets that need to be filtered - it is product dependent based on their requirements. Some products will post to a worker queue and cancel the operation from a post-operation event, others will do it on the pre-operation. Once again, it is product dependent and is based around their requirements. Regardless, there's no guarantee that every request will be processed... it depends on what the product wants to do whether it cares enough or based on paging/other verification methods. It might not bother if the operation came from a process it trusts (for example - be it a Windows one or not). All depends on the product as its product implemented.

What Lockdown said:
The funny part is that they don't realize that the AV is not inspecting all files on the system against signatures or monitoring the files at all.

Most of the time, what he said is going to be accurate. It's an accurate representation of what is going on. An Anti-Virus isn't going to inspect all the files on the system unless it needs to. If you install an Anti-Virus product, the real-time protection component won't be scanning a file on the environment unless the real-time component is triggered to scan it according to the configuration criteria... so it isn't going to randomly scan all the files on the environment. Even if you were to use the on-demand scanner for a full system scan, it will not necessarily scan absolutely everything. Just because you're told everything is being scanned doesn't mean it really is.

It depends on the product and how the vendor wants to deal with it, the configuration for the real-time protection component and how everything combines together.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The question would be at this point, could she do so without you being there, ever...
...
She is a beginner in the security matter. She uses the computer for the standard tasks and does not install new programs. All updates are performed via Windows Updates, Microsoft store, and scheduled tasks. All applications are installed in 'Program Files' and can run only as standard user (elevation not allowed).
In the locked setup the user cannot install/run new executables and scripts. The scripts and executables are blocked by SRP in all locations, except: Windows, Program Files, and Windows Defender folders. The user (also exploits and payloads) cannot copy/change/replace files in Windows, Program Files and Windows Defender folders because that would require elevation.
I configured also Adguard DNS for safe web browsing. For viewing documents, I installed Universal Apps (Word Mobile, Excel Mobile, PowerPoint Mobile and Adobe Touch) which run in AppContainer. For document editing, I installed SoftMaker Office (no macro support or DDE vulnerability).
The identical setup is installed on my father's computer. He is a total beginner.
The locked SUA is silent and very secure. The user can run what is prepared for running. Everything can update without user intervention and the user has no problem with choosing between allow or block.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Mine too, it's called Chromebook. My life has become so simple these days, I have to create problems for myself.
...
Unfortunately, a few programs she has to use were not available on Chromebooks 3 years ago.
I am not sure if there are the right alternatives even with android apps support, but who knows.
But I agree, that for most standard tasks the Chromebook is a perfect choice for the beginners.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
For viewing documents, I installed Universal Apps (Word Mobile, Excel Mobile, PowerPoint Mobile and Adobe Touch) which run in AppContainer. For document editing, I installed SoftMaker Office (no macro support or DDE vulnerability)
What about the web-version of Microsoft Office or Google Docs? Food for thought. Maybe you've already looked down these avenues before, I'm sure you have.

I'm interested in your thoughts on whether they'd be applicable for them. Some of my friends use those services since I recommended them because they always work with an active internet connection and do not require features unsupported on the web versions.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
What about the web-version of Microsoft Office or Google Docs? Food for thought. Maybe you've already looked down these avenues before, I'm sure you have.
...
Web versions are OK and maybe even more secure. But, applications installed on disk are slightly more user-friendly, especially for beginners. The user can simply click the file to open it for viewing, instead of opening Web application and use file explorer to find/open the document.
Personally, I use Universal Apps for document viewing and Microsoft Office Online for document editing.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Not just beginners. I use one now too. You should see the tools I have available on Chromebooks now. (Linux emulator or otherwise)
I love them for online research and writing up notes. It just feels nice.

Personally, I use Universal Apps for document viewing and Microsoft Office Online for document editing.
I've used the Universal App for Microsoft Word in the past and it worked nicely for me - I never ran into problems with it. I think Microsoft did a good job making a Universal App version because AppContainer is always a good bonus over nothing.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top