Looking for configuration with high security and good performance

I’m a long time CIS user but I’m getting more and more confused by how to best configure CIS with all the many options between AV, FW, HIPS, Sandbox, etc.

I’m looking for a configuration that has a high level of protection without too much of a performance hit (good balance).

Is anybody willing to share their config file that has such a balanced setup?

Hello Scubamaster. I have split your post from the A very good document about making Default Deny practical. topic and moved it here.

Anybody ???

Just use the default proactive config and decide if you want to keep auto-containment enabled or not, then add the Windows directory to the AV scan exclusions. Also change VirusScope to only monitor contained applications.

Thanks futuretech. Is the proactive configuration the standard one that is installed at a CIS update?

Yes it is one of the three standard stock configs when you install CIS.