Yes, but if the bad data is used to perform a buffer overflow so that
custom *code* can be executed to do nefarious acts, then that last step
will fail because the custom malicious code is not authorized to run --
even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can
be some management overhead depending on the implementation, but it addresses
more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html

http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin <kz2...@googlemail.com> wrote:

> Agreed, if you've got a malicious Word document that exploits a flaw in MS
> Word itself, then the only defence is good patching or some other form of
> exploit detection. If it's a zero-day, then there's probably nothing except
> exploit detection.
>
> Don't want to plug it too much but AppSense Application Manager does a
> good job of detecting execution beyond the "expected" capabilities of an
> application, but I've never been able to test it much beyond the types of
> things like malicious PDFs with Java exploits or exploits that call out to
> malicious dll files. Wonder how much work it would be to craft an Office
> document that tries to exploit a vulnerability to see if it can stop this
> sort of vector as well?
>
> On 16 April 2012 15:19, Alex Eckelberry <al...@eckelberry.com> wrote:
>
>> >But, if we ever get to a world where whitelisting is the predominant
>> >means of execution control, the bad guys will, out of necessity, be
>> >relegated to exploiting flaws in applications through data files.
>>
>> I don’t understand how you can have an exploit in a data file resulting
>> in anything else but code execution. Data itself is harmless; it’s the
>> executables that cause harm.
>>
>> There will always be code executed, in some form or another (unless I’m
>> misunderstanding your point).
>>
>> Alex
>>
>> *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
>> *Sent:* Monday, April 16, 2012 12:25 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* RE: Whitelisting
>>
>> Possibly...even probably. But, if we ever get to a world where
>> whitelisting is the predominant means of execution control, the bad guys
>> will, out of necessity, be relegated to exploiting flaws in applications
>> through data files. A scanner that looks for signatures of exploits in
>> files will be a useful tool. Assuming of course, all applications aren't
>> secure.
>>
>>
>> Sent from my Windows Phone
>>
>> ------------------------------
>>
>> *From: *Andrew S. Baker
>> *Sent: *4/15/2012 1:08 PM
>>
>> *To: *NT System Admin Issues
>> *Subject: *Re: Whitelisting
>>
>> You can't. :)
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Harnessing the Advantages of Technology for the SMB market…
>>
>>
>> On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R <kz2...@googlemail.com>
>> wrote:
>>
>> How do you blacklist all possible bad data files?
>>
>> ------Original Message------
>> From: Crawford, Scott
>> To: NT System Admin Issues
>>
>> ReplyTo: NT System Admin Issues
>> Subject: RE: Whitelisting
>>
>> Sent: 14 Apr 2012 18:02
>>
>> A combination is needed. Whitelisting for traditional executable code and
>> blacklisting for data files that exploit vulnerable white listed
>> applications.
>>
>> -----Original Message-----
>> From: Alex Eckelberry [mailto:a...@eckelberry.com]
>> Sent: Saturday, April 14, 2012 10:10 AM
>> To: NT System Admin Issues
>> Subject: Whitelisting
>>
>> I'm curious, what's the general feeling about whitelisting?  As a
>> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
>> might be changing.
>>
>> Thoughts?
>>