>a) exploits in existing applications (Acrobat Reader, Adobe Flash,
>Java runtime, Internet Explorer)
>b) social engineering attacks, where the user is convinced to
>run/install some malware that they shouldn't. Despite code signing,
>users are still doing this.

>How will whitelisting help the above type of user?


If it's an exploit, it's going to launch code.  The code won't run in a 
whitelisting environment unless it's approved by the admin. 

This would also apply to social engineering.  If your company has a 
whitelisting solution in place, code that is "not approved" won’t run.  So the 
user can download the stupid game they love, but in the end, they won't be able 
to run it. 

A good whitelisting application has a massive repository of "good" files, and 
the ability to train the system by the admin, not the end-user. 

Alex
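
[Added example, not part of the original messages: a minimal Python model of the default-deny behaviour described above, which also shows the data-file case raised later in the thread. The class, function names and sample byte strings are constructed for illustration, and matching on SHA-256 of file content is an assumption, not a description of any particular product.]

```python
import hashlib


class Allowlist:
    """Default-deny execution control keyed on SHA-256 of file content."""

    def __init__(self):
        self._approved = set()

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def approve(self, content: bytes, role: str) -> None:
        # Only the admin trains the list; an end user cannot override a denial.
        if role != "admin":
            raise PermissionError("only an admin may approve code")
        self._approved.add(self.digest(content))

    def launch(self, program: bytes, data_file: bytes = b"") -> str:
        # The gate looks at the program being started, never at data_file.
        # Anything not explicitly approved is denied, known-bad or not.
        return "run" if self.digest(program) in self._approved else "blocked"


# Constructed sample contents standing in for real files.
READER = b"MZ approved PDF reader build"
GAME = b"MZ game the user downloaded"
DROPPED = b"MZ program written to disk by an exploit"
CRAFTED_PDF = b"%PDF-1.4 malformed document"


def simulate() -> dict:
    policy = Allowlist()
    policy.approve(READER, role="admin")
    try:
        policy.approve(GAME, role="user")   # user tries to self-approve
        user_override = True
    except PermissionError:
        user_override = False
    return {
        "reader": policy.launch(READER),
        "game": policy.launch(GAME),
        "dropped": policy.launch(DROPPED),
        "user_override": user_override,
        # Approved reader opening a bad data file: allowed by this control,
        # so the remaining problem is the reader's own parsing flaws.
        "reader_with_crafted_pdf": policy.launch(READER, CRAFTED_PDF),
    }
```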



-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
> Possibly...even probably. But, if we ever get to a world where 
> whitelisting is the predominant means of execution control, the bad 
> guys will, out of necessity, be relegated to exploiting flaws in 
> applications through data files. A scanner that looks for signatures 
> of exploits in files will be a useful tool. Assuming of course, all 
> applications aren't secure.
>
>
> Sent from my Windows Phone
> ________________________________
> From: Andrew S. Baker
> Sent: 4/15/2012 1:08 PM
>
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> You can't. :)
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
>
>
>
> On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
> <kz2...@googlemail.com>
> wrote:
>>
>> How do you blacklist all possible bad data files?
>> ------Original Message------
>> From: Crawford, Scott
>> To: NT System Admin Issues
>> ReplyTo: NT System Admin Issues
>> Subject: RE: Whitelisting
>> Sent: 14 Apr 2012 18:02
>>
>> A combination is needed. Whitelisting for traditional executable code 
>> and blacklisting for data files that exploit vulnerable white listed 
>> applications.
>>
>> -----Original Message-----
>> From: Alex Eckelberry [mailto:a...@eckelberry.com]
>> Sent: Saturday, April 14, 2012 10:10 AM
>> To: NT System Admin Issues
>> Subject: Whitelisting
>>
>> I'm curious, what's the general feeling about whitelisting?  As 
>> a former AV guy, I tend to prefer blacklisting, but I'm seeing signs 
>> things might be changing.
>>
>> Thoughts?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

