How Antivirus Companies Are Hacking the Truth -- and Making Us All More Vulnerable

Ink

Administrator
Verified
Jan 8, 2011
22,490
The article was written by
Steve Subar, President and CEO, Comodo Cybersecurity

If you read a little further, you will see that the author advocates a combo of default/deny and autocontainment. Does that sound familiar?
Good catch, I thought the phrasing sounded familiar.

It's better to remove humans from the equation, that way, no more problems.
 
5

509322

I disagree there. Microsoft could easily make a super secure OS at absolute expense of any convenience for the user. It would be the most secure OS. But no one would be using it. Oh, I'm basically describing Linux. Used by servers and professionals in the millions, but it's so clumsy it's basically only used by them and no one else. Windows is made for the people and when you're making something for the people, security will always suffer because they don't have the luxury of sacrificing convenience. But ignoring the huge leaps MS made for security without sacrificing much of convenience is, well, just ignorant. If we look at general security with WinXP from 17 years ago and Windows 10 today, no one can deny that Windows 10 is a far more secure OS while not really any less convenient than WinXP. In fact I enjoy using Windows 10 far more than I did using Windows XP. It just works better, faster, is more secure and while I liked all the colorful things and the Luna GUI, I really like the Windows 10 visual design. So, MS hit a good balance between security and convenience. But there will always be people whining over something; it's impossible to get past that when your OS is the most used in the world among consumers.

You're making the flawed argument that I pointed out earlier.

It is a fallacy that increased security automatically translates into deal-breaking inconvenience. It just ain't true. That is the ignorant position that the default allow crowd promotes and perpetuates.

An OS can be secure without being inconvenient. Chrome OS is an example. It's just a different user experience, but nevertheless meets the needs of the vast majority of people on a day-to-day basis.

Microsoft does not deserve a medal for Windows 10. It isn't that good. Sure, Windows 10 is better than Windows XP. However, that's like comparing a Ford Pinto to a Ford Model T. Not impressive.

Even now, if you look at Windows 10 Windows Defender Security you will see that some Exploit Guard, core isolation, and ransomware protection can be highly restrictive. They will block a user from doing stuff by default. Some exclusions can and might have to be made. This is no different than default deny policy. If a user can manage to create those exclusions in Windows 10 Defender Security, then they can do the exact same thing in SRP. Microsoft knows all about default deny and SRP as its progenitor.

I really don't care what people use. Most of what is discussed on these forums is wasted effort anyways. If people want to use default allow Windows, then that's wonderful for them. Most people come to these forums because they seek out truth. And the truth of the matter is that Windows security suxx.
 
5

509322

It's better to remove humans from the equation, that way, no more problems.

It is exactly that which causes all the problems. That solution is the most asinine of all. It is like saying "Don't teach people about heart disease, global warming, or radiation poisoning because the subject matter is over their heads." One thing I am sure of... as long as people are kept ignorant, and treated like children incapable of learning or doing anything for themselves, nothing will change. Enslaving people by feeding their ignorance and laziness is not the answer.
 

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
You're making the flawed argument that I pointed out earlier.

It is a fallacy that increased security automatically translates into deal-breaking inconvenience. It just ain't true. That is the ignorant position that the default allow crowd promotes and perpetuates.

An OS can be secure without being inconvenient. Chrome OS is an example. It's just a different user experience, but nevertheless meets the needs of the vast majority of people on a day-to-day basis.

Microsoft does not deserve a medal for Windows 10. It isn't that good. Sure, Windows 10 is better than Windows XP. However, that's like comparing a Ford Pinto to a Ford Model T. Not impressive.

Even now, if you look at Windows 10 Windows Defender Security you will see that some Exploit Guard, core isolation, and ransomware protection can be highly restrictive. They will block a user from doing stuff by default. Some exclusions can and might have to be made. This is no different than default deny policy. If a user can manage to create those exclusions in Windows 10 Defender Security, then they can do the exact same thing in SRP. Microsoft knows all about default deny and SRP as its progenitor.

I really don't care what people use. Most of what is discussed on these forums is wasted effort anyways. If people want to use default allow Windows, then that's wonderful for them. Most people come to these forums because they seek out truth. And the truth of the matter is that Windows security suxx.

Lol, what? First you say I make an ignorant position full of fallacies and then you basically back up my claims. Of course ChromeOS is secure, you basically can't do anything with it outside of its ultra limited scope. Not to mention how you talk about the new security features in Windows 10 and then you confirm that they are restrictive. Guess what, that's the security/convenience factor I was talking about. Microsoft could easily enforce all of this and render 90% of software inoperable. I'd say that's pretty inconvenient for the users. Same goes for enforcing only Microsoft Store apps to work like Chrome OS does. That's trading convenience for security. So, I really don't know where your arguments are supposed to go when you first dismiss my claims and then confirm them 2 sentences later when you want to make an argument on your own claims...

The OS you can't do anything with will always be secure. If you can't do almost anything with it, neither will malware. It's not a difficult concept to understand...
 
5

509322

Lol, what? First you say I make an ignorant position full of fallacies and then you basically back up my claims. Of course ChromeOS is secure, you basically can't do anything with it outside of its ultra limited scope. Not to mention how you talk about the new security features in Windows 10 and then you confirm that they are restrictive. Guess what, that's the security/convenience factor I was talking about. Microsoft could easily enforce all of this and render 90% of software inoperable. I'd say that's pretty inconvenient for the users. Same goes for enforcing only Microsoft Store apps to work like Chrome OS does. That's trading convenience for security. So, I really don't know where your arguments are supposed to go when you first dismiss my claims and then confirm them 2 sentences later when you want to make an argument on your own claims...

The OS you can't do anything with will always be secure. If you can't do almost anything with it, neither will malware. It's not a difficult concept to understand...

People who use Chrome OS and Chromebook don't think it is inconvenient. If it was so inconvenient, then they wouldn't use it. Like I pointed out, it is a different user experience than Windows. And let's be accurate here... people can download and install stuff if they want, from a garbage Google Web and Play Stores that are full of malicious stuff. The only solution is educate the user and then hopefully they will lock down the system.

There are young children that use my default deny system. If they can manage to figure out default deny, then adults surely can.

The whole negative attitude towards default deny is all mental and emotional. The debate of default allow versus default deny is essentially the debate of "What people are willing to do or want to do versus what people should do because it is good for them." We all know people are terrible at doing what is good for themselves. People are experts at wrecking themselves. And there is no better example of that than default allow. It is terrible for people. There are literally thousands of studies and tests that back that claim up if measured using an absolute measuring stick and even AV industry executives that have said default allow suxx.

Saying that default deny is too inconvenient is bogus. The argument that is really being made is that "if a system blocks a user from downloading and installing stuff, then it is an unacceptable inconvenience."

Man, get out of here... that is exactly the solution that is needed in the first place. One thing I know for sure, as long as people blindly use default allow, the high rates of infection will continue on.
 

Kubla

Level 8
Verified
Jan 22, 2017
357
The exact reason why 99.99% detection rates don't matter: the technology is always behind the malware writers.

Which is why there is a need for better AI-based anti-malware that can identify and neutralize the malware in real time instead of waiting for signature-based AV to be updated.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Windows NT is Swiss cheese designed before the Internet became big. Unless they rebuild the entire kernel and how permissions are handled from ground up it will never be secure. And quite frankly we live in the post-PC era. What Windows, macOS, desktop Linux are doing will matter less and less. People spend more time on their phones than anything else and eventually we will just beam our mobile OS to a larger screen wirelessly or through a cord.
 
5

509322

Or you can follow what @Lockdown stated above you. Use default-deny. Better off with that than waiting for better AI/ML.

Ai\ML needs to be better.

The AV industry makes Ai\ML better.

Silly rabbits.

It is too late because the threat actors have already gotten their hands on Ai\ML and used it to stay ahead of the AV industry's "New Next Gen" Ai\ML.

"Ai\ML will make security better..."

"No it won't. It is just going to be the same status quo... where the threat actors stay ahead of the AV industry. Just more of the same old 8-ball chasing."
 

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
"No it won't. It is just going to be the same status quo... where the threat actors stay ahead of the AV industry. Just more of the same old 8-ball chasing."

Default-Deny is the way to go. You and others have been preaching for a long time. People just need to wake up and realize it. My parents are very close to getting over the default-deny hurdle. They understand. No reason why others should not be using some sort of DD.
 

Local Host

Default-Deny is the way to go. You and others have been preaching for a long time. People just need to wake up and realize it. My parents are very close to getting over the default-deny hurdle. They understand. No reason why others should not be using some sort of DD.
What's the point of default-deny if you let the malware execute? Without the protection of a normal AV nothing will stop the payload. This is the reason default-deny is not recommended for average users, and alone it won't protect you from anything.

Now a default-deny option in the current AV suites is another story, and multiple AV companies already include it in their suites. This is obviously from an average user point of view; for people like me they are both irrelevant and add nothing to my security (I don't need a security guard at the door when there's no one to enter).
 

Deleted member 178

I don't need to detect whether stuff is legit or malicious when I deny everything by default.
Detection is an obsolete and retard mechanism whatever it is.

Default-deny is faster.
Default-deny is safer.
Default-deny is lighter.

Detection/AVs can't compete, they will always miss something, which is why they ALL implement default-deny in their AV.
Detection is for noobs, because you can't throw default-deny at them when they don't even know where the sleep button is.

But for people who care to learn, once you master default-deny, you won't need any AVs. Those will shift from main protection mechanism to comfort one.
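The posts above argue two things in plain words: that a default-deny policy needs nothing more than an allow rule (path, publisher or a per-file exclusion, the same kind of exclusion a user would create in Defender or SRP) to let a program run, and that detection "will always miss something" while also never blocking a week-old game. The simulation below, added here as an illustration and not code from this thread or from any vendor product, puts both stances side by side: a default-allow policy that refuses only what its "signature" list already knows, and a default-deny policy that runs only what matches an explicit rule. Every sample file, signer name and hash in it is constructed for the demo.

```python
"""Default-deny versus default-allow execution policy, simulated.

Added example, not code from the thread or any vendor product. It models the
two stances the posts argue about: a default-allow stance that blocks only
what a "signature" database already knows, and a default-deny stance that runs
only what matches an explicit allow rule (trusted path, trusted publisher, or a
per-file hash exclusion, the SRP-style rule types). All sample files, signers
and hashes below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes                 # stand-in for the file bytes on disk
    signer: Optional[str] = None   # publisher name, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    default_allow: bool
    known_bad_hashes: set = field(default_factory=set)   # the AV "signature" list
    trusted_dirs: tuple = ()                              # SRP-style path rules
    trusted_signers: set = field(default_factory=set)    # certificate rules
    allowed_hashes: set = field(default_factory=set)     # per-file exclusions

    def decide(self, exe: Executable) -> Tuple[bool, str]:
        """Return (allowed, reason). A blocklist hit is refused under either stance."""
        h = exe.sha256
        if h in self.known_bad_hashes:
            return False, "known-bad hash"
        if self.default_allow:
            # Default allow: anything not already known bad runs, including new malware.
            return True, "default allow: not on the blocklist"
        # Default deny: the file must match one allow rule, otherwise it is blocked.
        if any(exe.path.lower().startswith(d.lower()) for d in self.trusted_dirs):
            return True, "allowed by path rule"
        if exe.signer is not None and exe.signer in self.trusted_signers:
            return True, "allowed by publisher rule"
        if h in self.allowed_hashes:
            return True, "allowed by hash exclusion"
        return False, "default deny: no matching allow rule"


# Constructed sample executables (contents are placeholders, not real binaries).
SYSTEM_BINARY = Executable("C:\\Windows\\explorer.exe", b"MZ-explorer-demo", "Microsoft Windows")
OLD_TROJAN = Executable("C:\\Users\\bob\\Downloads\\invoice.exe", b"MZ-old-trojan-demo")
NEW_UNKNOWN = Executable("C:\\Users\\bob\\Downloads\\dsafuxgdsgkfx.exe", b"MZ-never-seen-before")
NEW_GAME = Executable("C:\\Games\\ShinyNew\\game.exe", b"MZ-week-old-game", "Example Game Studio")
SAMPLES = (SYSTEM_BINARY, OLD_TROJAN, NEW_UNKNOWN, NEW_GAME)

# Only the trojan seen last month has a signature; the other download is brand new.
SIGNATURES = {OLD_TROJAN.sha256}


def default_allow_policy() -> Policy:
    return Policy(default_allow=True, known_bad_hashes=set(SIGNATURES))


def default_deny_policy(exclude_game: bool = False) -> Policy:
    """Default deny with the usual rules; optionally add the one exclusion a user
    would have to create for the week-old game (the inconvenience the thread debates)."""
    p = Policy(default_allow=False, known_bad_hashes=set(SIGNATURES),
               trusted_dirs=("C:\\Windows\\", "C:\\Program Files\\"),
               trusted_signers={"Microsoft Windows"})
    if exclude_game:
        p.allowed_hashes.add(NEW_GAME.sha256)
    return p


def evaluate(policy: Policy) -> Dict[str, Tuple[bool, str]]:
    """Map each sample path to the policy's (allowed, reason) verdict."""
    return {exe.path: policy.decide(exe) for exe in SAMPLES}


if __name__ == "__main__":
    for name, pol in (("default allow", default_allow_policy()),
                      ("default deny", default_deny_policy()),
                      ("default deny + game exclusion", default_deny_policy(exclude_game=True))):
        print(f"--- {name} ---")
        for path, (ok, why) in evaluate(pol).items():
            print(f"{'RUN  ' if ok else 'BLOCK'} {path}: {why}")
```

Running it shows the trade-off both sides describe: the never-before-seen download runs under default allow and is blocked under default deny, the known trojan is blocked under both, and the week-old game is blocked under default deny until the user creates a single hash exclusion for it.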
 

motox781

Level 10
Verified
Well-known
Apr 1, 2015
483
I want default deny....that has a big database (and constantly updated)....that's convenience.

Not a default deny solution that blocks my shiny new steam game, 1 week old...
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The problem is most people don't have a deep (enough) knowledge of Windows nor of security.
MSFT could help a lot here by disabling by default dangerous attack vectors that are not needed.
Automatic updates, a good AV, basic security courses at school and outside (free or cheap) would also help a lot.
Unfortunately most users don't like warnings and in the end don't really know how to handle them.
Unfortunately default deny, sandboxing is too complicated/ "stressful" for many.
More security oriented users know or are learning what to do.
Companies are another story.....
 

Fn FiveseveN

New Member
Oct 10, 2018
1
I mostly use Android as my laptop is broken and I've gone through nearly every major "antivirus/malware" app on the Play Store. Yet I keep getting recurring malware-like activity within a week to a month's time span after factory resets. I've got theories how it's done but the fact of the matter is most people including myself are either naive or incredibly misinformed about just how easy it is to hack someone's info/computer/device or simply just employ measures to trick them into giving up said info. It's a sad state of affairs especially with grey hats out there and as OP said these AV companies simply will not admit it's a losing uphill battle for their products. It takes multiple measures and self education to begin to combat this issue but where there are white hats there will always be far more black hats and with that said. This is my first post, hi guys. Came here to learn, I'm more street smart than techie but lately I've been reading up on cyber security/crime every spare moment. Bit OCD but I feel like you kind of have to be when it comes to technology these days.
 

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
Everyone defending Default-Deny, has anyone of you ever used Comodo, avast!'s Hardened Mode (Aggressive) or Microsoft SmartScreen in Block mode?

Sure, in practice, Default Deny works. Unless you happen to be a beta tester, someone who always updates things to latest versions on day zero or happens to be a developer. Then they are all absolute nightmare to work with. They keep on limiting and buggering you so much you most likely disable them quite soon. Some of these systems are pretty good for casual users (particularly avast! Hardened Mode in Aggressive setting), but as soon as you step outside of casual expectations, it becomes a huge inconvenience.

Also, everyone thinking "Ai" is the magic bullet for everything, I'm gonna give you a wake up call. The "Ai" everyone keeps plastering around like mad these days is nothing "intelligent". It's literally just tons of IF/THEN statements packed in subcategories. When you trigger the initial category you tell the "Ai" what set of rules to use. And then it basically linearly goes through the command tree till it gives you a somewhat expected result. "Ai" would be when something would look at a file and could actually understand what it is and why it is bad. Like for example a user looking at a randomly named EXE or an EXE file named similarly to Explorer.exe but isn't one and you understand that it being in the wrong location fires up all the alarms. That's what makes us intelligent. The "Ai's" don't do any of it, I don't think they can even make rules to differentiate gibberish named EXE files from meaningfully named ones (like dsafuxgdsgkfx.exe and totalscan.exe). They just tap into massive online databases and go through a bunch of IF and OR statements. Sure, on the outside it gives the impression it's clever, but there is really nothing sentient or intelligent about it. We call in-game bots "Ai", but again, they just follow sets of rules and on the outside they appear intelligent. That's the state of "Ai" everything these days. To even remotely have something close to Ai you need a quantum computer which works closer to how brains of intelligent organisms operate and you'd need it on a local level and not in the cloud.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I mostly use Android as my laptop is broken and I've gone through nearly every major "antivirus/malware" app on the Play Store. Yet I keep getting recurring malware-like activity within a week to a month's time span after factory resets. I've got theories how it's done but the fact of the matter is most people including myself are either naive or incredibly misinformed about just how easy it is to hack someone's info/computer/device or simply just employ measures to trick them into giving up said info. It's a sad state of affairs especially with grey hats out there and as OP said these AV companies simply will not admit it's a losing uphill battle for their products. It takes multiple measures and self education to begin to combat this issue but where there are white hats there will always be far more black hats and with that said. This is my first post, hi guys. Came here to learn, I'm more street smart than techie but lately I've been reading up on cyber security/crime every spare moment. Bit OCD but I feel like you kind of have to be when it comes to technology these days.
To keep a device uninfected, don't root it, and don't casually install "cool" apps, especially if they ask for special permissions, which is a bad sign.

Nine times out of ten, an Android device gets infected because of stuff that the user knowingly and willingly installs on it, especially stuff coming from unreliable app sources. Although the Google Play Store itself has enough malware, too. So you gotta be careful with the app installs.
 
