Default Deny VS traditional AVs
<blockquote data-quote="Andy Ful" data-source="post: 759036" data-attributes="member: 32260"><p>In this thread, we are talking about execution default-deny. The term 'default-deny' is also commonly used in the context of network traffic.</p>
<p>The most common definition of an execution default-deny setup would be as follows:</p>
<p>The crucial system processes and processes whitelisted by the user are allowed to run. Other processes are not allowed to run. Additionally, there can be some restrictions for DLLs or files that may have active content (scripts, scriptlets, documents with macros, etc.).</p>
<p>Some users may extend the above to include processes that are not blocked but run restricted/isolated in a kind of sandbox.</p>
<p>The examples:</p>
<ul> <li data-xf-list-type="ul">Browser blocks a malicious download</li> <li data-xf-list-type="ul">Extension prevents access to a phishing website</li> </ul>
<p>are not default-deny (not even for network traffic). In fact, they are default-allow with a blacklist. The blacklist contains signatures of malicious files and URLs of phishing websites.</p>
<p>The example "Unable to install program due to account permissions" is not default-deny either, because the user can run any executable that was downloaded outside the browser (no MOTW attached). The above protection is an Anti-Exe feature that can prevent users from installing any application from outside the Microsoft Store, but the application has to be downloaded via the web browser or another online service that marks files with MOTW (MOTW = Mark Of The Web).</p>
<p>Also, Windows SmartScreen is not default-deny, because it uses MOTW, too. Probably, it would not be wrong to say that SmartScreen is based on a default-deny feature for files with MOTW + whitelisting of all files with a good reputation in the Microsoft cloud.</p>
<p>Avast set to Hardened Mode Aggressive can be a kind of smart default-deny. The 'smart' means that the user additionally allows all executables that have a good reputation in the Avast cloud. All non-reputable executables will be blocked by default (even non-malicious ones).</p>
<p>Windows SRP (Software Restriction Policies) can be set either to default-allow or default-deny.</p>
<p>The default-allow SRP setup was adopted in CryptoPrevent and some other Anti-Ransomware applications. The default-deny setup was adopted (recommended settings) in Hard_Configurator and Simple Software Restriction Policies.</p>
<p>Comodo Firewall (CS settings) can be considered default-deny based on a highly restricted sandbox. If one uses File Lookup, then it is a smart default-deny.</p>
<p>Anti-Exe applications (VoodooShield set to ON, NVT ERP) can be considered a default-deny setup.</p>
<p>AppGuard is a default-deny SRP setup (based on a 3rd-party driver). In addition, it uses the Guarded Applications feature, which is a kind of light isolation sandbox for vulnerable processes.</p></blockquote>
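The four decision models the post distinguishes (default-allow with a blacklist, execution default-deny with a whitelist, "smart" default-deny that adds cloud reputation, and a MOTW-gated check in the style of SmartScreen), as an added Python illustration that is not from the post or from any of the products named; the paths, hash labels and reputation verdicts are constructed sample data, and the scenarios are chosen so the models disagree with each other.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecRequest:
    """One attempt to start an executable (constructed sample data)."""
    path: str
    sha256: str            # placeholder hash labels, not real samples
    has_motw: bool         # Zone.Identifier stream present, i.e. downloaded via a browser
    cloud_reputation: str  # simulated cloud verdict: "good", "unknown" or "bad"

SYSTEM_PATHS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
USER_WHITELIST = {"C:\\Tools\\putty.exe"}       # what the user explicitly allowed (constructed)
BLACKLIST_HASHES = {"sha256:known-bad-sample"}   # signature-style blocklist (constructed)

def default_allow_blacklist(req: ExecRequest) -> str:
    """Browser download block / AV signatures: runs unless a known-bad signature matches."""
    return "deny" if req.sha256 in BLACKLIST_HASHES else "allow"

def default_deny_whitelist(req: ExecRequest) -> str:
    """SRP-style execution default-deny: only system paths and user-whitelisted files run."""
    trusted = req.path.startswith(SYSTEM_PATHS) or req.path in USER_WHITELIST
    return "allow" if trusted else "deny"

def smart_default_deny(req: ExecRequest) -> str:
    """Whitelist plus good cloud reputation (the post's 'smart' default-deny)."""
    whitelisted = default_deny_whitelist(req) == "allow"
    return "allow" if whitelisted or req.cloud_reputation == "good" else "deny"

def motw_gated(req: ExecRequest) -> str:
    """SmartScreen-like gate: only files carrying MOTW are ever checked."""
    if not req.has_motw:
        return "allow"   # USB copies, archive extractions etc. are never inspected at all
    return "allow" if req.cloud_reputation == "good" else "deny"

MODELS = {"default-allow+blacklist": default_allow_blacklist,
          "default-deny+whitelist": default_deny_whitelist,
          "smart default-deny": smart_default_deny,
          "MOTW-gated": motw_gated}

def evaluate(req: ExecRequest) -> dict:
    """Verdict of every model for one execution request."""
    return {name: model(req) for name, model in MODELS.items()}

# Constructed scenarios chosen so that the models disagree.
SCENARIOS = {
    "system binary": ExecRequest("C:\\Windows\\System32\\notepad.exe", "sha256:sys", False, "good"),
    "reputable installer via browser": ExecRequest("C:\\Users\\u\\Downloads\\setup.exe", "sha256:vendor", True, "good"),
    "unknown exe copied from USB": ExecRequest("E:\\tool.exe", "sha256:unknown", False, "unknown"),
    "new malware via browser": ExecRequest("C:\\Users\\u\\Downloads\\invoice.exe", "sha256:new", True, "unknown"),
}
```

Calling `evaluate(SCENARIOS["unknown exe copied from USB"])` shows the post's point about MOTW: the blacklist and the MOTW gate both allow a file they have never seen, while the two default-deny models block it.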