Why do you need AV if you have Default Deny Protection?

I know 2 reasons

  1. To reduce the potential popups for any malware (so that CIS won’t ask you about a malware as it knows its a malware thanks to the AV)

  2. In the unlikely event of a user allowing a malware that is known to the AV, the AV can detect it.

3)AV scanning is also important for files in transit state. (Thanks to RejZor)
For example, you download a file and burn it to CD directly and send that CD to a friend

4)AV blacklisting heuristic can potentially notify the users about applications that should not manually added to safe files (Thanks to Endymion)

Any other reason why you would need an AV with a system like CIS which has Default Deny Protection system?


An AV can detect trouble even before trying to run a harmful program. Doing a scan (file\folder\disk) or simply opening a folder is enough to detect malware. These scenarios reduces the risk of the user making mistakes even more (down to 0, I’d say).

AV scanning is also important for files in transit state.
For example, you download a file and burn it to CD directly and send that CD to a friend.
The downloaded files were never executed so D+ never really evaluated them. However AV scanned them as soon as you downloaded them. This way you keep others safe from malicious files (in case they for some reason don’t run antivirus software).


An AV is important because people do not know when to allow an alert or not as Defense+ pops up for too many software.
Of course, if we know that the files are safe, we can simply allow them, but then why do we need any security software.
We could simply surf safe, keep system patched and install only safe applications.

I would take a simple example to illustrate the difficulty faced by users: Suppose a friend of mine gives me a software on a pen drive. If the USB drive is infected Defense+ will catch the virus but if the USB drive is clean, Defense+ will still pop up for the software.
This is why an AV is important to facilitate users and determine whether there is malware or not.


Very good point - AVs are excellent for transient data (scanned on creation) and D+ is excellent for data execution.

AV blacklisting heuristic can potentially notify the users about applications that should not manually added to safe files.

Blacklisting detection for kernel drivers still provides valuable info for safety assessments but whitelisting provide more guarantees whereas when in doubt D+ could allow users to prevent the driver loading.

In general AV enforce the assumption if not detected it may be safe whereas whitelisting can confirm if a file it is not malicious.

Although a blacklisting AVs alone with default allow approach can encourage novices to rely on unsafe practices and install whatever they find on the Internet apparently persuading them to believe that security it would be not their responsibility but an AV responsibility alone.

AV scanning is also the only way to combat “Fake AV” crapware because they don’t perform any malicious actions, they just try to trick users into buying non functional software.

If there was a much larger whitelist then D+ would only alert you for actions that need your attention.
Sorry, I’m not with the whole 5 million signature thing… I think the work would have been better spent on a whitelist…

The currently high number of signatures will be greatly reduced when CIMA based heuristics are added.

In such case you need behavior analyzer and not HIPS with huge whitelist.

I agree that whitelisting provide better security than blacklisting alone. Anyway in case an application is not whitelisted D+ behavioral heuristic also contributes to the color coded alerts Severity levels whereas CIMA could potentially outline behaviors without having the users run an application.

The approach provided by CIS use blacklisting, whitelisting and default deny and thus provide a way for the users to be involved about their security although this is something many users were persuaded to deem unnecessary for many years lured by blacklisting only approaches believing that a single click was all the effort they needed to be secure.

Nobody has an innate security knowledge and there is much to security which could be learned using D+ alone (w/o whitelisting and blacklisting) whereas when users are willing to learn they would be able to score their security practices themselves making use of security softwares as tools and not as butlers.

A HIPS if properly used should keep you clean…

The AV is good since it removes the risk of human errors… If the AV pops Iam almost confident that almost all the users will click remove/quarantine… If the HIPS pops some will still just click allow without reading… =/

There are people failing to see why D+ pops several times for one application.

I don’t belive those even read the alerts… For these users A AV might be a handy extra layer… =)

I would like to add Microsoft findings when researching how users deal with and react tp UAC. It turns out that more than two alerts in a session, with session being anything between a couple of minutes until many hours, users start to get annoyed. Hence Microsoft changed the UAC for Windows 7 approximately reducing the alert by some 30 %.

2) In the unlikely event of a user allowing a malware that is known to the AV, the AV can detect it.
I have had the unlucky event a couple of years ago where I downloaded a file from ZD Net that turned out to be spyware infected even though ZD Net told it was freeware. Sometimes you simply bump into a mistake by a trusted source.

Yep UAC could annoy but UAC prompts were design to annoy.
UAC prompts usually provide only information that an application feature need admin privileges and continually ask each time you need that specific feature.

I guess even ZD Net used an AV to check that file for spyware. Even the practice of relying on trusted sources can have some drawbacks although reducing many risks cannot address all of them. A reasonable way to address more risks is to make efficient use of multiple layer of protections and continually improve security policies and awareness.

There is no absolute recipe and each user ought to search for the one wich provide them acceptable tradeoff between security and ease.

I quite agree,UAC was one of Microsoft’s better innovations to protect the careless user from themselves.

You have the AV for the same reasons you put good locks on the door and still have a burglar alarm. Multiple levels of threat prevention and detection. Even if by some clever chance one of the detection or prevention levels is compromised, chances are very high the others will alert you to the threat before damage is done.

You need both…

A file either belongs to a whitelist or blacklist!

So you need both for a proper security


Melihs comment in the last post, confirms i think, that Comodo intends to introduce a behavior blocker for sure in version 4. Melih states “you need both” ( a behavior analyzer and a hips). I wholeheartedly agree as the Behavior side of things helps with usability as well as security.


CIS already got a behavior analyzer.

Although there could be blatantly malicious behaviors (and CIS security considerations already point them out) it is not that behavior blocking is like black and white detection.

One of the implication raised by Microsoft UAC was that many developers of legitimate apps used security-critical functions even when there were less privileged alternatives.

Thus in some cases there are legitimate apps leveraging on Security critical behaviors (D+ red alerts = High Severity) although these types of behavior/actions could be also abused by malwares whereas in cases no legitimate app is likely to use a specific Security critical behavior D+ security consideration explicitly mention it is a behavior used by malware along with a Red alert (Red alert + explicit mention that “Defense+ Malware heuristic analysis has detected a possible malware behavior” in security considerations)

CIS behavior analyzer score security related behaviors with a three grade severity level (yellow, orange and red) indeed is more fine grained than malicious/not malicious paradigm that is usually carried by means of blacklisting and whitelisting.