Default Deny VS traditional AVs

Do you use traditional AV or default deny?

  • Default Deny

  • Traditional AV

  • Both


Results are only viewable after voting.

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
I did read your post. Then I quoted your post and explained to you how it really works.

You can find the post here: Discuss - Default Deny VS traditional AVs

If you're interesting in educating yourself further, read the following from the official documentation:
FltRegisterFilter function
FltStartFiltering function
_FLT_REGISTRATION
_FLT_OPERATION_REGISTRATION
IRP_MJ_CREATE
IRP_MJ_WRITE
PFLT_PRE_OPERATION_CALLBACK
PFLT_POST_OPERATION_CALLBACK

There's more documentation and pointers if you seek it on MSDN and on other forums.

I think the words "Thank you" were in order, but that's okay, I can live with it.
Yes, infact I talked about monitors and events (callbacks) in my post since I am a developer.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Yes, infact I talked about monitors and events (callbacks) in my post.
Your post: Discuss - Default Deny VS traditional AVs

Your post lacked a lot of understanding on how an AV actually works; you were obviously thinking of the FileSystemWatcher component from the .NET Framework (which has communication with a Filesystem Mini-Filter driver built-in to Windows - except most AVs will be writing their own or using a better library for it which will offer more control and flexibility). I was being kind by educating you further.

I quoted your post and explained to you how it really worked because I thought you could find it handy for someone to take the time and care to help you. Otherwise you would never progress. Instead of getting back a "Thank you", I'm getting back unhealthy attitude. Incredibly rude.

@Libera Milanesi I wrote a lot of threads about programming and CMD, go to read them in programming section.
Your threads have nothing to do with this. You can write a million threads on the basics and they will still always be the basics - because they are the basics. I can't take you seriously when you're throwing back attitude at someone who took the time to help you.

If you don't want to be quoted, corrected or for people to continue discussions about things you have said, then don't say anything at all. This is a public community, a public thread, and an open discussion.

Please be more respectful.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Your post: Discuss - Default Deny VS traditional AVs

Your post lacked a lot of understanding on how an AV actually works; you were obviously thinking of the FileSystemWatcher component from the .NET Framework (which has communication with a Filesystem Mini-Filter driver built-in to Windows - except most AVs will be writing their own or using a better library for it which will offer more control and flexibility). I was being kind by educating you further.

I quoted your post and explained to you how it really worked because I thought you could find it handy for someone to take the time and care to help you. Otherwise you would never progress. Instead of getting back a "Thank you", I'm getting back unhealthy attitude. Incredibly rude.


Your threads have nothing to do with this. You can write a million threads on the basics and they will still always be the basics - because they are the basics. I can't take you seriously when you're throwing back attitude at someone who took the time to help you.

If you don't want to be quoted, corrected or for people to continue discussions about things you have said, then don't say anything at all. This is a public community, a public thread, and an open discussion.

Please be more respectful.
I tried to explain to you how monitors work in general but you mentioned FileSystemWatcher in .NET (which I never mentioned in my posts). Keep in mind that real-time security development is always based on event handlers (for example an anti-exe catches events of processes started or created) I think you are only trying to demonstrate to be the best expert in this thread. Then you thought to "help me" by sharing links when I develop software for years. Then please remember that: an AV that doesn't monitor each "thing" is not really useful.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
@Libera Milanesi P.S. this is my thread and you made posts clearly off-topic by talking about Chromebook and I said to you to don't go off-topic but you didn't respect me.
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
I tried to explain to you how monitors work in general but you mentioned FileSystemWatcher in .NET (which I never mentioned in my posts). Keep in mind that real-time security development is always based on event handlers (for example an anti-exe catches events of processes started or created) I think you are only trying to demonstrate to be the best expert in this thread. Then you thought to "help me" by sharing links when I develop software for years. Then please remember that: an AV that doesn't monitor each "thing" is not really useful.
The hilarious part about all of this is that I've actually worked with engineers from AV vendors and I have friends who are currently engineers at Microsoft. You'd think I know a bit about what I'm talking about. Whether you believe me or not is irrelevant, it's the truth. I may or may not have audited parts of the Windows source code as well. We'll leave it a mystery. Spooky! Boo!

You didn't need to mention the FileSystemWatcher. It's obvious. I'm aware of the .NET Framework and your description matches it perfectly. The FileSystemWatcher even has an easier naming of the events for you, which is what you referred to. Instead of the I/O Request Packet naming used for registering callbacks in an actual Filesystem Mini-Filter.

If you don't want to listen to what I've told you and you want to shine your ego, then you can do that. My post still stands. I saw you struggling and decided to be kind enough to chime in and help everyone.

I'm not trying to look like the "best" here. The only person I see doing this is you. This is why you felt the need to point out your programming threads and that you're a "developer". Note: I only mentioned my experience after you started causing an issue, so I didn't really do what you did.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
The hilarious part about all of this is that I've actually worked with engineers from AV vendors and I have friends who are currently engineers at Microsoft. You'd think I know a bit about what I'm talking about. Whether you believe me or not is irrelevant, it's the truth. I may or may not have audited parts of the Windows source code as well. We'll leave it a mystery. Spooky! Boo!

You didn't need to mention the FileSystemWatcher. It's obvious. I'm aware of the .NET Framework and your description matches it perfectly. The FileSystemWatcher even has an easier naming of the events for you, which is what you referred to. Instead of the I/O Request Packet naming used for registering callbacks in an actual Filesystem Mini-Filter.

If you don't want to listen to what I've told you and you want to shine your ego, then you can do that. My post still stands. I saw you struggling and decided to be kind enough to chime in and help everyone.

I'm not trying to look like the "best" here. The only person I see doing this is you. This is why you felt the need to point out your programming threads and that you're a "developer". Note: I only mentioned my experience after you started causing an issue, so I didn't really do what you did.
Why you didn't quote post #164?
 

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Why you didn't quote post #164?
Because post #164 is spam. I'll respond to it if you really want me to.

@Libera Milanesi P.S. this is my thread and you made posts clearly off-topic by talking about Chromebook and I said to you to don't go off-topic but you didn't respect me.
What relevance does this have to the current debate? One minute you're angry because I wanted to help you learn more and now you're angry about a Chromebook post. Make up your mind.

You've made posts not about the specific original topic:
Discuss - Default Deny VS traditional AVs
Discuss - Default Deny VS traditional AVs

May I remind you about the posts you made talking about AV real-time with your C# pseudo-code snippet? Also off-topic to the original thread topic.

My off-topic post about a Chromebook was not the only post about a Chromebook on the thread, but you only felt like calling me out for it only. The discussion continued long after I had stopped talking about a Chromebook.

If you go back and check, you'll see the Chromebook-related post you are referring to was one which helped another member of the community understand Chromebook's a bit more (and another member chimed in to help them a bit more as well). They had misunderstood about internet connection and Printers... I assume you want to see other members on the community benefit from discussion.

You have double standards and you're being inappropriate.
 
  • Like
Reactions: Deleted member 178

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
No it isn't.
Are you sure?

@Lockdown correct me if I am wrong but you dislike Windows for security and then on your profile you have "From AppGuard", so a software which works on Windows OS...
Source: Discuss - Default Deny VS traditional AVs

How is that specifically tied to the original default deny topic? It's not. Just because @Lockdown works for AppGuard doesn't make your off-topic personal comment on-topic.

You think C# isn't good for security programs?
People can use whatever they want to use. In my experience, vendors usually use a variety of different languages.

I am personally not a fan of the .NET Framework but that is my personal opinion. I have worked with vendors who have used it for some things in the past.

Once again, you've just gone off-topic yourself. You're asking me these questions, but what relevance does any of this have?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
You can do that in ReHIPS too.
Indeed, thanks for the correction. Although there are only RWX permissions in the ReHIPS panel for the concrete sandbox, the user can set manually all available ACL permissions for folders & files outside ReHIPS. It is possible because ReHIPS creates the new user for each sandbox.
The same is true for the ACL permissions in the ReHIPS registry hives - they are loaded when the sandbox is active.
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
The user, for example, can disable the read access for the chosen folders and drives via ACL permissions.

Yes Secure_Folder does not has read access to Kees User Folders and other Data Partitions. Reversely only Backup_User has create-write-delete access to my quick (work) backup-folders (contains only Office Documents and PDF's) and photo's/video's folders. Only downside is that I have to use Syncbackfree (which runs as Backup_user) to copy new files to these folders. .
s
 
  • Like
Reactions: AtlBo and Andy Ful

Brie

Level 10
Verified
Well-known
Jan 1, 2018
488
i have bitdefender TS, zemana antilogger paid, voodooshield free, osarmor, syshardener, k9 webfilter, netcraft, unchecky and appcheck antiransomware.
 
  • Like
Reactions: AtlBo
D

Deleted Member 3a5v73x

i have bitdefender TS, zemana antilogger paid, voodooshield free, osarmor, syshardener, k9 webfilter, netcraft, unchecky and appcheck antiransomware.
That's one hell of a default-deny + AV setup, are you running all that in real-time? How do you manage to keep up with everything and have you experienced any problems so far?
 
  • Like
Reactions: Brie and AtlBo

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
457
i have bitdefender TS, zemana antilogger paid, voodooshield free, osarmor, syshardener, k9 webfilter, netcraft, unchecky and appcheck antiransomware.

Seems too much would just go with bitdefender, VS, syshardener, k9 webfilter, netcraft, and unchecky... you might want to consider isolation/sandbox.
 
  • Like
Reactions: Brie and AtlBo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top