We have to keep in mind that whitelisting/blacklisting is just another layer; another tool in our arsenal. I don't think anyone is suggesting that AV go away all together, simply suggesting not relying on it completely.
Joe L. Heaton Windows Server Support Group Information Technology Branch Department of Fish and Game 1807 13th Street, Suite 201 Sacramento, CA 95811 Desk: (916) 323-1284 >>> Ken Schaefer <k...@adopenstatic.com> 5/11/2010 7:44 AM >>> How is whitelisting or blacklisting going to help? Answer: it's not. The problem is thread pre-emption and storing values in user-mode memory space where it can be altered (assuming you can get the timing right). But, if your AV was any good, it would detect the problem "on access" Cheers Ken -----Original Message----- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Tuesday, 11 May 2010 9:16 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better.... You can also read the blurb on San's ISC page also, some vendors say its important, and of course Mcafee discredits it, not that suprises me. But it is an attack vector to consider. Controling the execution of code on your system is the difference between keeping your systems clean and getting 0wned. Whether you look at HIPS/Whitelisting/Blacklisting, otherwise, you are going to have to have more on your systems than just AV to combat todays threat landscape. Sincerely, EZ Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -----Original Message----- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, May 11, 2010 9:11 AM To: NT System Admin Issues Subject: Re: Life just keeps getting better.... On Mon, May 10, 2010 at 12:40 AM, Kurt Buff <kurt.b...@gmail.com> wrote: > How to bypass almost all AV software > > http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-d esktop-security-software.php Sophos's response: http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth- shaker/ They're an AV vendor and thus not a disinterested party, so take it as you like. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~