Whitelisting Vs Blacklisting Vs AV.

I know the answer but I want to hear your views on this. What’s better?


Please Specify your answer. :slight_smile:


WL b/c you can make sure EVERYTHING is blocked except for those on the whitelist which are safe and those that you trust.

Some AVs just can’t keep up with all the new malware being created/modified.

AV = blacklisting so I won’t go further on that… and take only blacklisting vs whitelisting

Pros :

  • not many pop-ups
  • almost certain that it’s bad

Cons :

  • misses the ones that are not in database

Whitelisting :


  • Can prevent 99% of the malware
  • Gives you full control of the pc

Cons :

  • Could trigger a lot of pop-ups

Just my opinion


Cool… Keep em coming people.


Agree with Xan, white listing is the way to go!
Xman :-TU (:KWL)

The WL pop-ups go away after they learn all your apps. Then you only get them once in a while.
It's just the initial start of all those pop-ups
that is a pain.

Why would you do only one?
A classical AV uses a blacklist of virus signatures to eliminate known bad guys from further processing. The residue ends up in your machine for popups and elimination by HIPS programs like D+. New bad guys get passed on because of completeness/timeliness of the blacklist.
A whitelist uses a safe programs library to identify known good guys, but can later generate popups for not only all of the bad guys but good guys not recognized because of completeness/timeliness of the whitelist.
Why would you not eliminate the known bad guys, so they don’t get stored on your machine and attempt to execute later, and also identify the known good guys, so the user doesn’t get as many popups? Then the user only needs to deal with executables not on either list. Shouldn’t you be trying to minimize the confusion load on the user?
Shouldn’t the quality of your HIPS and comparison engine/database maintenance control the effectiveness of your antivirus/antispyware?

Why would you do only one?
That's why I don't vote. I just gave the blacklisting vs whitelisting approach. But in the end, you WILL need blacklisting also, as humans make mistakes ...


If Threatcast is reintroduced in CIS, the whitelist will be rebuilt so quickly that, with the thousands of acceptable apps that Comodo has already stockpiled and also through continuing user cooperation, this continually compiled whitelist will forever protect users from any malware, as long as the submission of unknown apps is a continued process and analyzed as safe by competent personnel and promptly added to the whitelist database.

Regards guys
Xman (:KWL)

I like this vote as it educates people to the new concept of how current AVs work and the 21st century alternative to this 20th century technology!

This thread is not about use this and not the other one but a way of educating imo and a good one to get the grey cells thinking about our security.

You know what I think… your name is not in the list, you are not coming in!!! And yes, we will make this more user friendly so that users simply install and forget (and let this app which has whitelisting as its first line of defense) this app. I will predict that we will have this app in 2009! (:NRD)


As I am surely confident that you WILL integrate Threatcast into CIS Melih, “We Salute You” as the group AC DC would say and also as NIKE would also say, “Just Do It!”
It’s really the way to go…

Comodo Rocks :-TU (:CLP)
Xman (:KWL) (R)

I would say Whitelisting + HIPS + AV (I guess AV could be considered an advanced form of blacklist).

Whitelisting has the obvious advantage to automatically enable HIPS policy learning (training) and reduce the waste of CPU cycles once a policy is built.
In fact from that moment onward there would be no need to scan that app anymore.

AV could be useful to check if non whitelisted apps are dangerous before launching/installing them.
If the AV doesn’t recognize them, the HIPS grants another layer of protection.

CFP Trusted vendor introduced another kind of whitelist. Using digital signatures it is possible to whitelist all vendor apps even if they are not whitelisted (e.g. new releases).
(I guess using digital certs it would be possible to implement also an untrusted vendor feature)

As for ThreatCast even if a community driven HIPS it is already implemented by other 3rd party products I guess it will only cover the time gap between a new application release until that app will be safelisted by Comodo.

I would still prefer to disable TC and rely on Comodo official whitelists.
If possible I would like to improve My pending list and enable it back in all CFP modes to make it easy to submit files to Comodo even if the user doesn’t rely on CleanPC mode.
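
The layered flow argued for in this thread (known-bad blocked first, then known-good hashes and trusted-vendor signers allowed, with only the remainder reaching a HIPS-style prompt), as an added example that is not part of any post and is not Comodo's code. The `Policy` class, its field names and the sample byte strings are hypothetical, and the signer name is assumed to come from a digital signature that has already been verified elsewhere.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    blacklist: set = field(default_factory=set)        # hashes of known-bad files (AV signatures, simplified)
    whitelist: set = field(default_factory=set)        # hashes of known-good files
    trusted_vendors: set = field(default_factory=set)  # signer names treated as trusted (assumed pre-verified)
    prompts: int = 0                                   # pop-ups shown to the user so far

    def decide(self, data: bytes, signer=None, user_allows=False) -> str:
        h = sha256(data)
        # Blacklist is checked first, so a hash whitelisted by mistake is still blocked.
        if h in self.blacklist:
            return "block"
        if h in self.whitelist:
            return "allow"
        # Trusted vendor: a new release is allowed before its hash is whitelisted.
        if signer is not None and signer in self.trusted_vendors:
            return "allow"
        # On neither list: this is the only case that costs the user a pop-up.
        self.prompts += 1
        if user_allows:
            self.whitelist.add(h)  # learning: the same file will not prompt again
            return "allow-after-prompt"
        return "deny-after-prompt"


# Constructed sample inputs; the bytes stand in for executable file contents.
KNOWN_BAD = b"constructed-known-bad-sample"
KNOWN_GOOD = b"constructed-editor-v1"
NEW_RELEASE = b"constructed-editor-v2"
UNKNOWN = b"constructed-unknown-tool"


def demo():
    p = Policy(blacklist={sha256(KNOWN_BAD)}, whitelist={sha256(KNOWN_GOOD)},
               trusted_vendors={"Example Vendor Ltd"})
    results = [p.decide(KNOWN_BAD), p.decide(KNOWN_GOOD),
               p.decide(NEW_RELEASE, signer="Example Vendor Ltd"),
               p.decide(UNKNOWN, user_allows=True),  # first run: one pop-up
               p.decide(UNKNOWN)]                    # second run: learned, no pop-up
    return results, p.prompts


if __name__ == "__main__":
    print(demo())
```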