Default Deny VS traditional AVs
Libera Milanesi wrote (post 759187):

It depends on the Anti-Virus product and how the vendor has implemented the components.

Lockdown's point in general is that people expect too much of the security solution they are using... which is what happens. It could be something from a book about Greek mythology. Next there will be rumors of Anti-Virus products having several snake heads popping out of the screen to guard you from real-life threats.

Decent Anti-Virus products will be using a Filesystem Mini-Filter device driver which will leverage the Filter Manager (fltMgr.sys) to register callbacks for IRP_MJ_CREATE, IRP_MJ_WRITE and any other I/O request packets that need to be filtered - it is product dependent, based on their requirements. Some products will post to a worker queue and cancel the operation from a post-operation event, others will do it on the pre-operation. Once again, it is product dependent and is based around their requirements. Regardless, there's no guarantee that every request will be processed... it depends on what the product wants to do, whether it cares enough, or on paging/other verification methods. It might not bother if the operation came from a process it trusts (for example - be it a Windows one or not). It all depends on the product and how it is implemented.

What Lockdown said:

Most of the time, what he said is going to be accurate. It's an accurate representation of what is going on. An Anti-Virus isn't going to inspect *all* the files on the system unless it needs to. If you install an Anti-Virus product, the real-time protection component won't be scanning a file on the environment unless the real-time component is triggered to scan it according to the configuration criteria... so it isn't going to randomly scan all the files on the environment. Even if you were to use the on-demand scanner for a full system scan, it will not necessarily scan absolutely everything. Just because you're told everything is being scanned doesn't mean it really is.

It depends on the product and how the vendor wants to deal with it, the configuration for the real-time protection component and how everything combines together.
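A check that follows from the post above, added here and not part of the original post: enumerate the minifilters the Filter Manager has loaded with the built-in fltmc tool and classify each by altitude, so you can confirm that an AV product's filter is actually registered and which volumes it has an instance on. The function names are mine; the altitude ranges are Microsoft's documented FSFilter load-order groups, and only the two groups AV-style filters normally use are classified (everything else is reported as "other"). Run from an elevated PowerShell session.

```powershell
# Added example (not from the post): summarise the minifilters FltMgr has loaded.
function Get-MinifilterSummary {
    [CmdletBinding()]
    param()

    # Assumption: documented FSFilter load-order group altitude ranges.
    $ranges = @(
        @{ Group = 'FSFilter Anti-Virus';       Low = 320000; High = 329999 },
        @{ Group = 'FSFilter Activity Monitor'; Low = 360000; High = 389999 }
    )

    # fltmc.exe is the built-in Filter Manager control tool. Its 'filters' table has
    # the columns: Filter Name, Num Instances, Altitude, Frame. Header and separator
    # lines simply fail the regex and are skipped.
    foreach ($line in (& fltmc.exe filters)) {
        if ($line -notmatch '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') { continue }
        $altitude = [double]$Matches[3]
        $group = 'other'
        foreach ($r in $ranges) {
            if ($altitude -ge $r.Low -and $altitude -le $r.High) { $group = $r.Group }
        }
        [pscustomobject]@{
            Filter    = $Matches[1]
            Instances = [int]$Matches[2]
            Altitude  = $altitude
            Group     = $group
        }
    }
}

# Which volumes a given filter actually has an instance attached to. A filter
# that is loaded but has no instance on a volume sees no I/O from that volume.
function Get-MinifilterVolumes {
    param([Parameter(Mandatory)][string]$FilterName)
    # 'fltmc instances -f <name>' columns start with: Filter, Volume Name, Altitude, ...
    foreach ($line in (& fltmc.exe instances -f $FilterName)) {
        if ($line -match "^\s*$([regex]::Escape($FilterName))\s+(\S+)\s+\d") { $Matches[1] }
    }
}

# Usage: list filters highest altitude first, then the volumes each AV-range filter covers.
$summary = Get-MinifilterSummary | Sort-Object Altitude -Descending
$summary | Format-Table -AutoSize
foreach ($f in ($summary | Where-Object Group -eq 'FSFilter Anti-Virus')) {
    "$($f.Filter) is attached to: $((Get-MinifilterVolumes -FilterName $f.Filter) -join ', ')"
}
```

A filter in the Anti-Virus range with zero instances, or with no instance on the volume you care about, is a sign the real-time component cannot be seeing the I/O there, whatever the product's UI reports.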