Once you have code running as system/root, your whitelisting software becomes irrelevant, because the system that implements ACLs on anything can simply be subverted or replaced.
Cheers
Ken

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, 11 May 2010 11:58 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

In the context of simple whitelisting systems I agree, but in the case of something like CSA, unless your fake Notepad has specific permissions to modify svchost (for example) it will get denied. By specific I mean VERY specific. That process, started by a specific user from a specific path, has the ability to do a specific modification to svchost, and again only to a specific path and a specific modification. So that code can run and do things, but taking over a box or modifying a box isn't going to happen.

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, May 11, 2010 11:29 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.....

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~