Re: Obfuscated web pages

Thu, 21 Feb 2008 10:23:54 -0800 

aha!
Theoretical DOM inspectors may work in theory-land but it is unlikely they'd work in in real world. 

Besides that, let's focus back on the original question:


If there anything that successfully detects/prevents *obfuscated* 
malicious web content from executing at the endpoint?



Not as far as I know, although there are endpoint security product that 
address this issue I don't have an answer as to how accurate or effective 
they are.


Regarding the hypothetical Checkpoint IPS-1 (formerly NFR) approach:


Do you really think that writing a JavaScript interpreter in N-code and 
running it inline is a plausible solution?


-ivan

Mike Barkett wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 4:18 PM

I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.



Gary - Actually, the Check Point IPS-1 (formerly NFR) sensor engine has, for
many years, executed protections in a "sandbox" so that no single protection
can dominate the processor(s).  So, if someone were to write N-code to try
to interpret generalized code, it would operate in that same sandbox, for
lack of a better term.  This even applies inline.  However, just to be
clear, off the shelf, IPS-1 does not do any of the theoretical DOM
validation stuff previously mentioned in this thread.


-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512


--
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.

------------------------------------------------------------------------
























					Reply via email to