RE: Life just keeps getting better....
Once you have code running as system/root, your whitelisting software becomes irrelevant, because the system that implements ACLs on anything can simply be subverted or replaced.

Cheers
Ken

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, 11 May 2010 11:58 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

In the context of simple whitelisting systems I agree, but in the case of something like CSA, unless your fake Notepad has specific permissions to modify svchost (for example) it will get denied. By specific I mean VERY specific: that process, started by a specific user from a specific path, has the ability to do a specific modification to svchost, and again only to a specific path and a specific modification. So that code can run and do things, but taking over a box or modifying a box isn't going to happen.

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, May 11, 2010 11:29 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Life just keeps getting better....
Which implies that no protection is possible *after* a compromise. Which is not in dispute. We're talking about prevention, Ken.

The point being made is that whitelisting as an approach does not suffer the inherent drawbacks of zero-day malignant code -- e.g. it won't allow it to run, thereby avoiding the doomsday scenario you have articulated below.

Stopping only things you know to be bad will not sufficiently scale, since by definition you don't know about any new malware in advance. Allowing only things you know to be good to execute is far more sustainable, as it will not change to the degree that the list of malware will...

-ASB: http://XeeSM.com/AndrewBaker

On Wed, May 12, 2010 at 2:59 AM, Ken Schaefer k...@adopenstatic.com wrote:
> Once you have code running as system/root, your whitelisting software becomes irrelevant. [...]
Re: Life just keeps getting better....
On Mon, May 10, 2010 at 12:40 AM, Kurt Buff kurt.b...@gmail.com wrote:
> How to bypass almost all AV software
> http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Sophos's response:

http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

They're an AV vendor and thus not a disinterested party, so take it as you like.

-- Ben
RE: Life just keeps getting better....
You can also read the blurb on the SANS ISC page; some vendors say it's important, and of course McAfee discredits it, not that it surprises me. But it is an attack vector to consider. Controlling the execution of code on your system is the difference between keeping your systems clean and getting 0wned. Whether you look at HIPS/whitelisting/blacklisting or otherwise, you are going to have to have more on your systems than just AV to combat today's threat landscape.

Sincerely,
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, May 11, 2010 9:11 AM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better

On Mon, May 10, 2010 at 12:40 AM, Kurt Buff kurt.b...@gmail.com wrote: How to bypass almost all AV software [...]
RE: Life just keeps getting better....
Right now I'm still not too keen on McAfee's credibility...

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, May 11, 2010 8:16 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

You can also read the blurb on the SANS ISC page [...]
RE: Life just keeps getting better....
I am sure that goes for a lot of their customers; we are doing double QA because of the last debacle... and we aren't alone in this approach. McAfee's QA failure has just turned the cover back on the risk that all businesses are running when they have blind faith in the vendors of the products they are using to secure their networks, which has come back to bite a lot of them in the arse... And from the list, it seems that other AV vendors have succumbed to this issue also, and their customers have suffered; therefore our C levels are asking us to put in additional procedural controls to prevent/reduce the risk from our vendors' bad DAT/engine updates to AV, to ensure business continuity and fewer DR exercises, which caused major business disruption, downtime and financial loss. With these extra controls, we need to let them know the additional risk they are accepting via formal risk analysis/assessments by asking for the changing of the operational controls, because in some businesses the AV they use is the only security control they have to reduce the risk; sad as that might be, it's reality for a lot of companies.

Food for thought,
Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Tuesday, May 11, 2010 9:19 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Right now I'm still not too keen on McAfee's credibility...

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, May 11, 2010 8:16 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

You can also read the blurb on the SANS ISC page [...]
Re: RE: Life just keeps getting better....
Just as IPS products are maturing to the point that signatures are only a small part of the arsenal, so AV will have to mature. The players that de-emphasize signatures for blacklisting purposes will flourish. See: http://bit.ly/bv8dpO

-ASB: http://XeeSM.com/AndrewBaker
Sent from my Motorola Droid

On May 11, 2010 9:15 AM, Ziots, Edward ezi...@lifespan.org wrote:
> You can also read the blurb on the SANS ISC page [...]
RE: RE: Life just keeps getting better....
Nice article on your blog Andrew, reading it now; sent you a slide-deck offline for review...

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, May 11, 2010 10:10 AM
To: NT System Admin Issues
Subject: Re: RE: Life just keeps getting better

Just as IPS products are maturing to the point that signatures are only a small part of the arsenal, so AV will have to mature. [...]
RE: Life just keeps getting better....
How is whitelisting or blacklisting going to help? Answer: it's not.

The problem is thread pre-emption and storing values in user-mode memory space where they can be altered (assuming you can get the timing right). But, if your AV was any good, it would detect the problem on access.

Cheers
Ken

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, 11 May 2010 9:16 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

You can also read the blurb on the SANS ISC page [...]
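Ken's point above is the check-then-use race: a hook validates an argument that still lives in memory the caller controls, and a second thread rewrites that memory before the real call reads it again. The following is an added model of that failure and of the usual fix (capture the argument once into memory the caller cannot touch, validate the copy, use only the copy). It is not code from the thread or from any product; the "hook", the argument block, the denied-path policy and the `preempt` callback that stands in for the other thread are all constructed for the illustration.

```python
"""Check-then-use race in a system-call hook, and the copy-then-check fix.

Added illustration, not code from the thread or any vendor. The `preempt`
callback is a deterministic stand-in for the second thread that would
otherwise win (or lose) the timing race."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample policy: the hook must refuse writes to this path.
DENIED_PATHS = {r"C:\WINDOWS\system32\svchost.exe"}


@dataclass
class SyscallArgs:
    """Caller-owned argument block (models user-mode memory). Anything that
    reads `path` after the check sees whatever the caller has put there since."""
    path: str


def kernel_write(path: str) -> str:
    """Stand-in for the real operation the hook is supposed to guard."""
    return f"wrote {path}"


def hook_check_then_use(args: SyscallArgs,
                        preempt: Optional[Callable[[], None]] = None) -> str:
    """Vulnerable pattern: validate args.path, then let the guarded operation
    read args.path a second time from the same caller-controlled memory."""
    if args.path in DENIED_PATHS:
        return "denied"
    if preempt:
        preempt()                     # the window: another thread runs here
    return kernel_write(args.path)    # second read of caller memory


def hook_copy_then_check(args: SyscallArgs,
                         preempt: Optional[Callable[[], None]] = None) -> str:
    """Hardened pattern: read the argument exactly once, validate that captured
    value, and pass only the captured value on. Whatever the caller does to
    args.path afterwards cannot change what gets validated or executed."""
    captured = args.path              # single read; bind the value now
    if captured in DENIED_PATHS:
        return "denied"
    if preempt:
        preempt()                     # same window, but nothing re-reads args.path
    return kernel_write(captured)


def race_demo(hook: Callable[..., str]) -> str:
    """Drive a hook with a benign path that the 'second thread' swaps for a
    denied one inside the window. Returns what the hook ended up doing."""
    args = SyscallArgs(path=r"C:\Temp\harmless.txt")   # constructed benign input

    def swap_argument() -> None:
        args.path = r"C:\WINDOWS\system32\svchost.exe"  # rewrite of caller memory

    return hook(args, preempt=swap_argument)


if __name__ == "__main__":
    print("check-then-use:", race_demo(hook_check_then_use))   # writes the denied path
    print("copy-then-check:", race_demo(hook_copy_then_check))  # writes the benign path
```

The fix does not depend on winning the timing race. If the swap lands before the capture, the captured value is the denied path and the call is refused; if it lands after, the benign path is what gets written. The denied path is never acted on in either ordering, which is the property a hook needs and the reason a product that only validates in place is exposed regardless of how good its signatures are.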
RE: Life just keeps getting better....
On Access: most of the rootkits on the systems have hidden themselves from AV, therefore rendering its On Access detection useless. It's not whether AV is good or not; it's just a race not worth running anymore, trying to fight common threat vectors with signature techniques.

Been using CSA here for about 5+ yrs and it's cut down the malware/spyware drastically, due to controlling code execution, period. It's hooked into the kernel so it can't be bypassed, and has saved the bacon more than a few times. Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5.0, which leaves folks in a pickle and looking for other solutions, and application whitelisting seems to be the best of the choices atm. It's not fool-proof, but again it's controlling execution, and you have a method of vetting what software is good and what is bad in your environments, which is a ton better than just putting AV on the system and calling it a day...

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, May 11, 2010 10:44 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

How is whitelisting or blacklisting going to help? Answer: it's not. [...]
RE: Life just keeps getting better....
Just to amplify: 6.0 is also discontinued. This last release a few weeks ago, 6.0.2, is the last. It supports 64-bit and Windows 7. Server up to 2008 but not R2. No other future operating systems will be supported. They will not say if any future service packs will be supported, but if they break CSA you will be on your own, imho. VERY sore subject with me. :)

But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner or later, no question about it. Behaviour-based HIPS is the only thing that will win this fight. CSA's was the best there ever was at doing this. Virtually bullet-proof if implemented correctly, but alas it is gone now. Trend's new one is looking pretty good.

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, May 11, 2010 10:50 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5..
RE: Life just keeps getting better....
I also have a presentation in PDF form that talks about what Jim is speaking of, with Trend Micro. If you want to review it for yourselves to make an informed decision accordingly, ping me offline.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, May 11, 2010 10:57 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Just to amplify: 6.0 is also discontinued. [...]
RE: Life just keeps getting better....
-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Subject: RE: Life just keeps getting better

> On Access: most of the rootkits on the systems have hidden themselves from AV, therefore rendering its On Access detection useless.

How does a rootkit manage to hide itself in the first place? You can only hide yourself from FSF if you have hooked the relevant system calls in the first place. On access should detect that before it happens.

> It's not whether AV is good or not; it's just a race not worth running anymore, trying to fight common threat vectors with signature techniques.

Irrelevant to the point. You were talking about whitelisting vs blacklisting, and yet are unable to explain how whitelisting helps in the scenario you talked about. Suggest you understand the situation before advocating some solution that doesn't solve the problem.

Cheers
Ken

> Been using CSA here for about 5+ yrs and it's cut down the malware/spyware drastically [...]
Re: Life just keeps getting better....
On Tue, May 11, 2010 at 10:44 AM, Ken Schaefer k...@adopenstatic.com wrote:
[re: vulnerabilities in AV software, especially
> How is whitelisting or blacklisting going to help? Answer: it's not.

Whitelisting is not directly going to address the problem of vulnerabilities in anti-virus software. But I agree with the stance that looking for signatures of known bad software is fast becoming infeasible. Whitelisting and similar strategies bypass the entire problem. Rather than try to identify software you don't want (which is potentially infinite), you identify software you do want.

I like ASB's analogy to firewall policy: deny by default, allow known good has long been the accepted best practice. It makes sense to do the same for software.

LUA (Limited User Access, Microsoft's term for least privilege, i.e., running without admin rights) is already a big step in this direction. We don't let users modify C:\WINDOWS or C:\Program Files, because that's where the software lives. From there, the obvious next step is to deny execution from C:\Documents and Settings. There's the usual heavy sprinkling of compatibility headaches -- it's amazing how much software expects to execute things from %TEMP% or All Users\Application Data -- but much like LUA, while initial implementation can be a hassle, I think it will pay off big in the long run. Done right, this could vastly reduce or even eliminate the traditional anti-virus role. (For well-managed environments. Clueless home users are still screwed. :-( )

I do agree with the premise that AV software should not have security vulnerabilities. I just think that the problems are bigger than that, and the apparent way forward may make the smaller issue of AV software vulnerabilities moot, by making traditional signature-based AV software obsolete.

> But, if your AV was any good, it would detect the problem on access

At this point I don't expect signature scanning to stop anything. Malware evolves too quickly to keep up. We have traditional AV software, we use it, we even depend on it more than I would like, but I don't expect it to keep up with the morphed-threat-of-the-minute whack-a-mole problem.

-- Ben
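The deny-by-default execution policy Ben sketches (allow C:\WINDOWS and C:\Program Files, deny C:\Documents and Settings) is a path-rule policy, and the two things that go wrong with path rules are sloppy matching and allow roots that contain user-writable subtrees. The following is an added evaluator, not code from the thread or from any Windows policy engine, that shows how such rules should be compared: lexically normalized, case-insensitive, and matched on whole path components. The root lists, the carve-out for a writable subtree under an allowed root, and the sample launch paths are constructed for the example; which subtrees are actually writable on a given build has to be checked against its ACLs.

```python
"""Default-deny execution policy by path, evaluated the way the rules are
meant to be read. Added illustration; the roots and sample launches are
constructed for the example, not taken from the thread or any product."""

from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Where the installed software lives: the only places execution is allowed.
ALLOW_ROOTS = [r"C:\WINDOWS", r"C:\Program Files"]

# Explicit denials. The profile tree is the one Ben names; the Temp subtree
# is included as an assumed user-writable spot inside an allowed root, which
# a blanket allow on C:\WINDOWS would otherwise cover.
DENY_ROOTS = [r"C:\Documents and Settings", r"C:\WINDOWS\Temp"]


def _normalize(path: str) -> PureWindowsPath:
    """Lower-case the path (Windows paths are case-insensitive) and resolve
    '.' and '..' lexically, so a spelling such as
    C:\\Program Files\\..\\Documents and Settings\\x.exe is judged by where it
    actually points rather than by the prefix it starts with."""
    parts: List[str] = []
    for part in PureWindowsPath(path.lower()).parts:
        if part == "..":
            if len(parts) > 1:        # never pop the drive anchor
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(*parts)


def _is_under(path: PureWindowsPath, root: str) -> bool:
    """Whole-component containment. A plain string prefix test on
    'C:\\Program Files' would also accept 'C:\\Program FilesEvil\\x.exe'."""
    r = _normalize(root)
    return path == r or r in path.parents


def execution_allowed(path: str) -> bool:
    """Deny carve-outs win over allow roots; anything unmatched is denied."""
    p = _normalize(path)
    if any(_is_under(p, d) for d in DENY_ROOTS):
        return False
    return any(_is_under(p, a) for a in ALLOW_ROOTS)


def evaluate_launches(paths: Iterable[str]) -> Dict[str, str]:
    """Decide a batch of image paths, e.g. pulled from process-creation logs,
    which is also how to find the compatibility headaches before enforcing."""
    return {p: ("allow" if execution_allowed(p) else "deny") for p in paths}


if __name__ == "__main__":
    # Constructed sample launches, including the %TEMP% installer case Ben mentions.
    sample = [
        r"C:\WINDOWS\system32\notepad.exe",
        r"c:\program files\Vendor\app.exe",
        r"C:\Documents and Settings\bob\Local Settings\Temp\setup.exe",
        r"C:\WINDOWS\Temp\dropper.exe",
        r"C:\Program FilesEvil\x.exe",
        r"C:\Program Files\..\Documents and Settings\bob\evil.exe",
    ]
    for image, decision in evaluate_launches(sample).items():
        print(f"{decision:5} {image}")
```

Run it in audit mode first: feed it the image paths from your process-creation logs and look at what comes back as `deny` before turning enforcement on, since that list is exactly the "software that expects to execute from %TEMP%" Ben warns about. The carve-out list is the part that needs maintaining; any directory under an allowed root that ordinary users can write to is a hole in a path-only policy, which is the argument for hash- or publisher-based rules where the platform offers them.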
Re: Life just keeps getting better....
Based on recent events, I shudder to even mention this, but McAfee has acquired Solidcore, their whitelist solution ( http://www.solidcore.com/ ), and is slated to have the new version be managed via the ePO console.

On Tue, May 11, 2010 at 10:56 AM, Kennedy, Jim kennedy...@elyriaschools.org wrote:
> Just to amplify: 6.0 is also discontinued. [...]
RE: Life just keeps getting better....
Ken,

Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infection vectors and how to provide controls to prevent them. If AV doesn't have a signature for the attack that the current malware has employed, then it's pretty trivial to do file system infection, Trojan dropping, rootkit installation etc. etc.; trust me, the malware authors/writers are still well ahead of us in the battle and will probably continue to be for quite some time.

Also I am not advocating any approach, except that AV by itself is almost worthless as a system control anymore. But when you are dealing with like 10K+ new samples a day of virus/malware then it's pretty hard for any AV vendor to keep up with signatures to detect them all.

I would rather not turn this into a flame war; if you disagree, that is perfectly fine, and you are well within your rights. Please feel free to contact me offline and we can ramble it out there accordingly. Always love a good discussion about this subject, as painful as it is for business these days.

Thanks
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, May 11, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Subject: RE: Life just keeps getting better

> On Access: most of the rootkits on the systems have hidden themselves from AV, therefore rendering its On Access detection useless.

How does a rootkit manage to hide itself in the first place? [...]
Re: Life just keeps getting better....
Why take it offline? If you have something to say about a subject and it is relevant to this forum, please say it here; I'm sure it is of interest to all subscribers to the list.

--
Peter van Houten

On the 11 May, 2010 17:12, Ziots, Edward wrote the following:
> Ken,
>
> Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infection vectors and how to provide controls to prevent them.
RE: Life just keeps getting better....
> Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.exe (or whatever) to your whitelisting software. The same way that a rootkit reports it's something else to your file system filter (typically what AV uses).

You're a CISSP - you should know that once the system is rooted you do not own it. You have some variable % chance of being able to recover the system using tools, but the only guaranteed way to recover the system is to restore from known good media.

And the vulnerability you were talking about requires the AV software's thread to be pre-empted, and between some code being run, and the rest being run, some user-mode variables are changed. Again: how is whitelisting going to help here? My contention is that it can't. Your explanation as to how it can?

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, 11 May 2010 11:13 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Ken,

Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infection vectors and how to provide controls to prevent them.
RE: Life just keeps getting better....
Agreed. This is not a flamewar.

How rootkits work is well known (there's even a book you can buy from Amazon that delves into this). The Windows kernel is also well documented (Windows Internals, Debugging Windows etc.)

Given the attack documented at the start of this thread (by Kurt), can someone *please* explain how whitelisting is going to help?

Cheers
Ken

-----Original Message-----
From: Peter van Houten [mailto:peter...@gmail.com]
Sent: Tuesday, 11 May 2010 11:19 PM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better

Why take it offline? If you have something to say about a subject and it is relevant to this forum, please say it here; I'm sure it is of interest to all subscribers to the list.

--
Peter van Houten

On the 11 May, 2010 17:12, Ziots, Edward wrote the following:
> Ken,
>
> Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infection vectors and how to provide controls to prevent them.
RE: Life just keeps getting better....
In the context of simple whitelisting systems I agree, but in the case of something like CSA, unless your fake Notepad has specific permissions to modify svchost (for example) it will get denied. By specific I mean VERY specific. That process, started by a specific user from a specific path, has the ability to do a specific modification to svchost, and again only to a specific path and a specific modification. So that code can run and do things, but taking over a box or modifying a box isn't going to happen.

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, May 11, 2010 11:29 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Life just keeps getting better....
+1

75000 new pieces of malware *DAILY* - and that will probably only increase, never decrease, because the automation for morphing malware will only get better.

LUA + base installs + whitelisting is the only reasonable stance I can see. Layer in other protections as necessary, including HIPS, etc., but the first line of defense seems to be limiting the ability of users to run new software.

Kurt

On Tue, May 11, 2010 at 08:07, Ben Scott mailvor...@gmail.com wrote:
> On Tue, May 11, 2010 at 10:44 AM, Ken Schaefer k...@adopenstatic.com wrote:
> > [re: vulnerabilities in AV software, especially
> > How is whitelisting or blacklisting going to help? Answer: it's not.
>
> Whitelisting is not directly going to address the problem of vulnerabilities in anti-virus software. But I agree with the stance that looking for signatures of known bad software is fast becoming infeasible. Whitelisting and similar strategies bypass the entire problem. Rather than try to identify software you don't want (which is potentially infinite), you identify software you do want.
>
> I like ASB's analogy to firewall policy: Deny by default, allow known good has long been the accepted best practice. It makes sense to do the same for software.
>
> LUA (Limited User Access, Microsoft's term for least privilege, i.e., running without admin rights) is already a big step in this direction. We don't let users modify C:\WINDOWS or C:\Program Files, because that's where the software lives. From there, the obvious next step is to deny execution from C:\Documents and Settings. There's the usual heavy sprinkling of compatibility headaches -- it's amazing how much software expects to execute things from %TEMP% or All Users\Application Data -- but much like LUA, while initial implementation can be a hassle, I think it will pay off big in the long run.
>
> Done right, this could vastly reduce or even eliminate the traditional anti-virus role. (For well-managed environments. Clueless home users are still screwed. :-( )
>
> I do agree with the premise that AV software should not have security vulnerabilities. I just think that the problems are bigger than that, and the apparent way forward may make the smaller issue of AV software vulnerabilities moot, by making traditional signature-based AV software obsolete.
>
> > But, if your AV was any good, it would detect the problem on access
>
> At this point I don't expect signature scanning to stop anything. Malware evolves too quickly to keep up. We have traditional AV software, we use it, we even depend on it more than I would like, but I don't expect it to keep up with the morphed-threat-of-the-minute whack-a-mole problem.
>
> -- Ben
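The "deny by default, allow known good" policy Ben and Kurt describe, written out as a small decision function. This is an added illustration for this archive, not code from the list, from Cisco CSA, Bit9 or any other product: it models the decision (trusted OS directories allowed, user-writable locations denied, a per-file hash exception for the tool that insists on running from %TEMP%) and records every decision for later review, but it hooks nothing. The trusted roots, the sample paths, the user names and the allow-listed hash are all constructed; the edge cases it handles (forward slashes, mixed case, `..` traversal out of C:\Program Files, a sibling directory whose name merely starts with "Program Files", and paths with no drive letter) are the ones a path-based rule must survive.

```python
"""Deny-by-default execution policy: code may run from the locations LUA keeps
users out of (C:\\Windows, C:\\Program Files); nothing runs from anywhere else
unless the specific file is approved by hash. Added example; models the
decision only, does not enforce anything. All paths/hashes/users constructed."""
import hashlib
import ntpath
from dataclasses import dataclass

# Roots that LUA already keeps ordinary users from writing to, so an executable
# found there was put there by an administrator. Constructed policy.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files")

# Per-file exceptions keyed by SHA-256 of the file contents, for the
# "this tool insists on running from %TEMP%" compatibility case. The digest
# is of a constructed byte string standing in for a real updater binary.
HASH_ALLOWLIST = {
    hashlib.sha256(b"constructed contents of vendor-updater.exe").hexdigest():
        "vendor updater (approved to run from %TEMP%)",
}

# Every decision is recorded, whoever asked, so that denials for administrators
# are reviewable afterwards instead of being waved through.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def canonical(path: str) -> str:
    """Resolve slashes, '..' segments and case so that
    'c:/program files/../documents and settings/x.exe' is judged by where it
    really points. Paths without a drive (relative, or rooted like '\\x.exe')
    are rejected: they cannot be tied to a trusted location."""
    norm = ntpath.normpath(path.replace("/", "\\"))
    if not ntpath.isabs(norm) or not ntpath.splitdrive(norm)[0]:
        raise ValueError(f"not an absolute drive path: {path!r}")
    return norm.lower()


def under(path: str, root: str) -> bool:
    """True when canonical `path` lies inside `root`. The trailing separator
    stops 'C:\\Program Files Extra\\...' matching the root 'C:\\Program Files'."""
    return path.startswith(canonical(root).rstrip("\\") + "\\")


def evaluate(user: str, path: str, contents: bytes) -> Decision:
    """Decide whether `user` may execute the file at `path` with `contents`.
    Hash-listed exceptions are checked first (they are location-independent),
    then trusted roots; anything else is denied."""
    digest = hashlib.sha256(contents).hexdigest()
    try:
        where = canonical(path)
    except ValueError as exc:
        decision = Decision(False, f"deny: {exc}")
    else:
        if digest in HASH_ALLOWLIST:
            decision = Decision(True, f"allow: hash-listed, {HASH_ALLOWLIST[digest]}")
        else:
            root = next((r for r in TRUSTED_ROOTS if under(where, r)), None)
            if root is not None:
                decision = Decision(True, f"allow: under trusted root {root}")
            else:
                decision = Decision(False, "deny: not hash-listed and not under a trusted root")
    AUDIT_LOG.append({"user": user, "path": path, "sha256": digest,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    # Constructed requests covering the normal and the awkward cases.
    samples = [
        ("LIFESPAN\\alice", r"C:\Windows\notepad.exe", b"notepad bytes"),
        ("LIFESPAN\\alice", "c:/program files/Vendor/app.exe", b"app bytes"),
        ("LIFESPAN\\alice", r"C:\Documents and Settings\alice\Local Settings\Temp\setup.exe", b"x"),
        ("LIFESPAN\\alice", r"C:\Program Files\..\Documents and Settings\alice\evil.exe", b"x"),
        ("LIFESPAN\\alice", r"C:\Program Files Extra\x.exe", b"x"),
        ("LIFESPAN\\alice", r"C:\Documents and Settings\alice\Local Settings\Temp\vendor-updater.exe",
         b"constructed contents of vendor-updater.exe"),
        ("LIFESPAN\\alice", "notepad.exe", b"x"),
    ]
    for user, path, data in samples:
        d = evaluate(user, path, data)
        print("ALLOW" if d.allowed else "DENY ", path, "-", d.reason)
```

The hash exception is deliberately narrow: it approves one exact file, not a directory, so the %TEMP% compatibility case does not reopen the whole user profile to execution.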
Re: Life just keeps getting better....
I wonder if they're using this: http://isc.sans.org/diary.html?storyid=8236

Kurt

On Tue, May 11, 2010 at 08:10, Erik Goldoff egold...@gmail.com wrote:
> based on recent events, I shudder to even mention this, but McAfee has acquired Solid Core, their whitelist solution ( http://www.solidcore.com/ ), and is slated to have the new version be managed via ePO console
>
> On Tue, May 11, 2010 at 10:56 AM, Kennedy, Jim kennedy...@elyriaschools.org wrote:
> > Just to amplify: 6.0 is also discontinued. This last release a few weeks ago, 6.0.2, is the last. It supports 64 bit and Windows 7. Server up to 2008 but not R2. No other future operating systems will be supported. They will not say if any future service packs will be supported, but if they break CSA you will be on your own, imho. VERY sore subject with me. :)
> >
> > But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner or later, no question about it. Behaviour based HIPS is the only thing that will win this fight. CSA's was the best there ever was at doing this. Virtually bullet proof if implemented correctly, but alas it is gone now. Trend's new one is looking pretty good.
> >
> > -----Original Message-----
> > From: Ziots, Edward [mailto:ezi...@lifespan.org]
> > Sent: Tuesday, May 11, 2010 10:50 AM
> > To: NT System Admin Issues
> > Subject: RE: Life just keeps getting better
> >
> > Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5..
RE: Life just keeps getting better....
> But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner or later, no question about it. Behaviour based HIPS is the only thing that will win this fight. CSA's was the best there ever was at doing this. Virtually bullet proof if implemented correctly, but alas it is gone now. Trend's new one is looking pretty good.

I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy.

Just wait until your next Conficker infection...

Alex
Re: Life just keeps getting better....
Mr Ziots is right as well.

----- Original Message -----
From: Alex Eckelberry al...@sunbelt-software.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Tue May 11 13:19:28 2010
Subject: RE: Life just keeps getting better

I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy.

Just wait until your next Conficker infection...

Alex
Re: RE: Life just keeps getting better....
Alex, the emphasis is currently on identifying known bad. Yes?

No matter what the specifics of that approach, it is more fraught with peril than tracking known good for any given environment. Zero-day (new code) is meaningless in such a context.

-ASB: http://XeeSM.com/AndrewBaker
Sent from my Motorola Droid

On May 11, 2010 1:19 PM, Alex Eckelberry al...@sunbelt-software.com wrote:
> > But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner ...
>
> I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy.
>
> Just wait until your next Conficker infection...
>
> Alex
>
> -----Original Message-----
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, May 11, 2010 10:57 AM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better
>
> Just to amplify 6.0 is also discontinued. This las...
>
> Sent: Tuesday, May 11, 2010 10:50 AM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better
>
> Too bad Cisco royally screwed up CSA 6.0 and is di...
RE: Life just keeps getting better....
Let's not ignore the first Conficker infection while we wait for the next. CSA was the only thing that stopped it dead from day zero. Not a single CSA customer was infected in the entire world with Conficker. Most of the traditional AV companies were many hours behind on that one, if not days, and were many hours behind every variant that came out.

-----Original Message-----
From: Alex Eckelberry [mailto:al...@sunbelt-software.com]
Sent: Tuesday, May 11, 2010 1:19 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

> Just wait until your next Conficker infection...
RE: Life just keeps getting better....
Ken,

If you have a rootkit, GAME OVER PERIOD, we both accept that. NO control discussed is going to save you from that. Malware/Malcode, basically same thing, you say tomato, I say tomato. We both agree that if the box is rooted then it doesn't matter what you have in controls, they are all bypassed and thus the box is suspect, can't be trusted, DBAN the system and start over.

I think we also both agree prevention is the best strategy, but which approach/approaches are best? Depends on the environment, and the business. I am arguing from experience, and running a large network for 10+ yrs, that the failures of signature based AV have been fully apparent in my eyes; the only thing that has saved us more pain in the last 6+ yrs has been a HIPS (CSA). With the number of virus/malware samples that are produced daily it's making DAT updates get larger and larger, deployed more frequently, to the point you can't keep up and one bad DAT takes down an entire network. I lived this pain less than 2 weeks ago.

Whitelisting: If you control the execution of the code you are running on the machine and you are working from a validated image (fully patched, significantly hardened) and the appropriate detective controls are applied and monitored (Auditing, Eventlog management, Patching, VA Scanning, Configuration management) you can add whitelisting in as another preventative control to ensure only code that you know to be good runs on your systems.

I do see some faults in it though, that I am not entirely comfortable with:

Web Application Attack scenarios: If you trust IE/Firefox etc. etc., then the configuration (or lack thereof) of the security controls is the only thing preventing you from suffering from these attacks. It's a little better with Firefox due to security extensions, but to centrally manage them is not really plausible.

Malcode inside DOCs, PDFs, EXCEL: This is where I really worry. If we trust say Adobe 9.3.2 as the latest deployment of the Adobe suite, and there is a new 0 Day, and someone comes up with a way to embed another malware exploit inside the PDF with Javascript, or some other method, does the APP whitelist stop the code execution inside the PDF, in which you just allowed the PDF viewer to run accordingly? (I like the HIPS method, via CSA, more in this light because it would stop the code execution inside the document and show it in the logs; again, with CSA going bye bye as discussed before, we need to look at other solutions that will meet the needs.)

But my belief is that AV alone is simply not enough, and it's getting almost next to useless as a preventative control when dealing with signatures, and its heuristics engines aren't that great either. I also don't think Blacklisting is viable; it is basically administratively prohibitive in some organizations, due to the time and effort just to keep up with it. Also with whitelisting, just like HIPS, there is a lot of heavy lifting up front to understand how to properly configure and deploy it accordingly. Plus there needs to be security metrics measuring the effectiveness of the control before the control is implemented and after it's implemented, and how its effect over time has increased the security posture of the business/organization without being unduly administratively burdensome.

I do like the fact that even if you are an admin the whitelisting basically blocks the execution and records what you have attempted, for further review; sometimes a little administrative action is a nice duo with a technical set of controls when trying to get secure computing through to the users. (Again referencing Bit9, which I have demo'ed and we are seeking as a replacement to our CSA.)

Is whitelisting the silver bullet? Nope, but is AV enough? NOPE, and it's getting worse, not better.

HIPS is definitely an alternative, but it also has its issues. Sometimes, reading the CSA logs, I'd basically have to take a course in assembly language just to understand the jargon spit out in the logs about what some piece of code just tried to do or not. Now you can't tell me that an all-purpose sys-admin couldn't or wouldn't make a mistake by misinterpreting the HIPS logs and allow something that should have never been allowed to execute in the first place.

But this all comes down to a risk-management exercise; what works for one won't for another, nor am I even going to condone that you forego other approaches and just go with App Whitelisting, follow the Gartner bandwagon and CALGON take me away, free yourself of the security concerns that plague us all.

Maybe this closes the loop, or maybe it muddies up the waters a little further. If you have the solution that is a one-size-fits-all or a framework that can benefit the masses in this regard, please let us all know. I am sure in your experience, both in business and in consulting, that you definitely might have some better insight than I do looking at it from a healthcare standpoint over a 10+ yr timeline.

Thanks,
Will be
RE: Life just keeps getting better....
Correct, CSA did stop Conficker DOA, again one of those times it saved the company bacon.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, May 11, 2010 1:31 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Let's not ignore the first Conficker infection while we wait for the next. CSA was the only thing that stopped it dead from day zero. Not a single CSA customer was infected in the entire world with Conficker. Most of the traditional AV companies were many hours behind on that one, if not days, and were many hours behind every variant that came out.

-----Original Message-----
From: Alex Eckelberry [mailto:al...@sunbelt-software.com]
Sent: Tuesday, May 11, 2010 1:19 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Just wait until your next Conficker infection...
RE: Life just keeps getting better....
We have to keep in mind that whitelisting/blacklisting is just another layer; another tool in our arsenal. I don't think anyone is suggesting that AV go away all together, simply suggesting not relying on it completely.

Joe L. Heaton
Windows Server Support Group
Information Technology Branch
Department of Fish and Game
1807 13th Street, Suite 201
Sacramento, CA 95811
Desk: (916) 323-1284

Ken Schaefer k...@adopenstatic.com 5/11/2010 7:44 AM

How is whitelisting or blacklisting going to help? Answer: it's not. The problem is thread pre-emption and storing values in user-mode memory space where it can be altered (assuming you can get the timing right). But, if your AV was any good, it would detect the problem on access.

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, 11 May 2010 9:16 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

You can also read the blurb on SANS' ISC page also; some vendors say it's important, and of course McAfee discredits it, not that that surprises me. But it is an attack vector to consider. Controlling the execution of code on your system is the difference between keeping your systems clean and getting 0wned. Whether you look at HIPS/Whitelisting/Blacklisting, or otherwise, you are going to have to have more on your systems than just AV to combat today's threat landscape.

Sincerely,
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, May 11, 2010 9:11 AM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better

On Mon, May 10, 2010 at 12:40 AM, Kurt Buff kurt.b...@gmail.com wrote:
How to bypass almost all AV software
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Sophos's response:
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

They're an AV vendor and thus not a disinterested party, so take it as you like.

-- Ben
RE: Life just keeps getting better....
Gartner actually put a blog post out about this today...

http://blogs.gartner.com/neil_macdonald/2010/05/11/application-control-whitelisting-interest-is-growing-rapidly/

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Tuesday, May 11, 2010 11:00 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

We have to keep in mind that whitelisting/blacklisting is just another layer; another tool in our arsenal. I don't think anyone is suggesting that AV go away all together, simply suggesting not relying on it completely.

Joe L. Heaton
Windows Server Support Group
Information Technology Branch
Department of Fish and Game
1807 13th Street, Suite 201
Sacramento, CA 95811
Desk: (916) 323-1284

Ken Schaefer k...@adopenstatic.com 5/11/2010 7:44 AM

How is whitelisting or blacklisting going to help? Answer: it's not. The problem is thread pre-emption and storing values in user-mode memory space where it can be altered (assuming you can get the timing right). But, if your AV was any good, it would detect the problem on access.

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, 11 May 2010 9:16 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

You can also read the blurb on SANS' ISC page also; some vendors say it's important, and of course McAfee discredits it, not that that surprises me. But it is an attack vector to consider. Controlling the execution of code on your system is the difference between keeping your systems clean and getting 0wned. Whether you look at HIPS/Whitelisting/Blacklisting, or otherwise, you are going to have to have more on your systems than just AV to combat today's threat landscape.

Sincerely,
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, May 11, 2010 9:11 AM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better

On Mon, May 10, 2010 at 12:40 AM, Kurt Buff kurt.b...@gmail.com wrote:
How to bypass almost all AV software
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Sophos's response:
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

They're an AV vendor and thus not a disinterested party, so take it as you like.

-- Ben
Re: RE: Life just keeps getting better....
+1

Here's one of my favorite rants from one of my favorite computer security writers (in 1995!):

The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/

See #2

Kurt

On Tue, May 11, 2010 at 10:27, Andrew S. Baker asbz...@gmail.com wrote:
Alex, the emphasis is currently on identifying known bad. Yes? No matter what the specifics of that approach, it is more fraught with peril than tracking known good for any given environment. Zero-day (new code) is meaningless in such a context.

-ASB: http://XeeSM.com/AndrewBaker
Sent from my Motorola Droid

On May 11, 2010 1:19 PM, Alex Eckelberry al...@sunbelt-software.com wrote:
But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner ...

I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy. Just wait until your next Conficker infection...

Alex

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, May 11, 2010 10:57 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Just to amplify 6.0 is also discontinued. This las...

Sent: Tuesday, May 11, 2010 10:50 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Too bad Cisco royally screwed up CSA 6.0 and is di...
Re: Life just keeps getting better....
*Once code is running as system, it's irrelevant what system you try to put in place to prevent it.*

True.

*Whitelisting is not going to help, because the rootkit can simply report that it's notepad.exe (or whatever) to your whitelisting software.*

I think we have a very different understanding of how enterprise level whitelisting technology works in terms of running code.

*The same way that a rootkit reports it's something else to your file system filter (typically what AV uses)*

Actually, most rootkits that I am aware of operate in a different fashion. They interject themselves into the kernel so that they can manipulate the results of any process list requests or file system requests.

As Ed mentioned, no one is suggesting that there are many good options for protection *after* your machine has been infected with a rootkit. At that point, it's too late.

When it comes to prevention, however, whitelisting technologies rely not on simple name comparisons, but also on combinations involving executable hash, identification of parent process, file system location, etc. Where a typical AV utility is unable to identify the new rootkit app that was just built 2 hours ago and is looking to gain a foothold on your system (because of the lack of an appropriate signature or anything that triggers the heuristics), a whitelisting solution will simply prevent the rootkit executables from executing because they do not match the identification of an app that is approved for operation in the folder in question.

Both of the aforementioned technologies have some caveats, but the problems with relying on being able to identify bad code continue to increase to the point of becoming counterproductive. It is certainly not sustainable. Security solutions that focus on identifying bad are subject to more change, and perform with less accuracy than those which identify the good. And they can be sustained.

(TopLayer, providers of some of the fastest and most accurate IPS devices I have ever had the pleasure of testing, have deprecated the use of signatures significantly. They represent less than 10% of the effectiveness of the device.)

Given the current scale of the threats, we need to approach the protection differently. Signatures do not need to go away entirely (or immediately), but other approaches need to be more widespread if we hope to gain any ground on the malware writers, and stop wasting so much corporate time guarding our windows and doors.

We also need time to put more effort into regulating execution and automation of what used to be considered data, such as PDF files. Just like the prevalence of Office macro viruses has diminished due to better controls in the application, so too must the same functionality be built for PDF readers and the apps for other popular active data types.

-ASB: http://XeeSM.com/AndrewBaker

On Tue, May 11, 2010 at 11:28 AM, Ken Schaefer k...@adopenstatic.com wrote:

Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.exe (or whatever) to your whitelisting software. The same way that a rootkit reports it's something else to your file system filter (typically what AV uses)

You're a CISSP - you should know that once the system is rooted you do not own it. You have some variable % of being able to recover the system using tools, but the only guaranteed way to recover the system is to restore from known good media.

And the vulnerability you were talking about requires the AV software's thread to be pre-empted, and between some code being run, and the rest being run, some user-mode variables are changed. Again: how is whitelisting going to help here? My contention is that it can't. Your explanation as to how it can?

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, 11 May 2010 11:13 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Ken,

Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infector vectors and how to provide controls to prevent them. If AV doesn't have a signature for the attack that the current malware has employed, then it's pretty trivial to do file system infection, Trojan dropping, rootkit installation etc etc; trust me, the malware authors/writers are still well ahead of us in the battle and will probably continue to be for quite some time. Also I am not advocating any approach except that AV by itself is almost worthless as a system control anymore. But when you are dealing with like 10K+ new samples a day of virus/malware
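As an added illustration of the distinction Andrew draws above (this is example code written for this page, not code from the thread, from Bit9 or from CSA): a toy application-control evaluator in which approval is keyed on image hash, path, parent process and user, placed beside the name-only check that a renamed binary would defeat. Every hash, path, process name and account below is a constructed sample value.

```python
"""Added example, not from the thread or any vendor: approval keyed on hash,
path, parent and user versus a name-only check.  All values are constructed."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ExecRequest:
    """What an endpoint agent sees when a process tries to start."""
    image_name: str    # file name the image presents itself under
    image_path: str    # full path the loader actually resolved
    sha256: str        # hash of the bytes actually mapped into memory
    parent_image: str  # process that spawned it
    user: str          # account it runs as


@dataclass(frozen=True)
class AllowRule:
    """One approved application identity; every field must match."""
    sha256: str
    image_path: str               # stored lower-case for comparison
    parent_images: FrozenSet[str]
    users: FrozenSet[str]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of the trusted notepad.exe image.
GOOD_NOTEPAD_BYTES = b"MZ sample bytes standing in for the trusted image"
POLICY: List[AllowRule] = [
    AllowRule(
        sha256=sha256_of(GOOD_NOTEPAD_BYTES),
        image_path=r"c:\windows\system32\notepad.exe",
        parent_images=frozenset({"explorer.exe"}),
        users=frozenset({"CORP\\alice"}),
    ),
]


def name_only_decision(req: ExecRequest) -> bool:
    """The weak check Ken describes: trust whatever the file calls itself."""
    return req.image_name.lower() in {"notepad.exe"}


def identity_decision(req: ExecRequest, policy=POLICY) -> Tuple[bool, str]:
    """Default deny: hash, path, parent and user must all match one rule.
    The reason string is what an agent would log for admin review."""
    for rule in policy:
        if req.sha256 != rule.sha256:
            continue  # bytes are not the approved image; try the next rule
        if req.image_path.lower() != rule.image_path:
            return False, "approved hash but ran from unapproved path"
        if req.parent_image.lower() not in rule.parent_images:
            return False, f"unapproved parent process {req.parent_image}"
        if req.user not in rule.users:
            return False, f"user {req.user} not approved for this app"
        return True, "matched approved identity"
    return False, "no rule for this image hash (default deny)"


# Constructed requests: the real editor, and a dropper that merely calls
# itself notepad.exe and runs from the user's temp folder.
REAL_NOTEPAD = ExecRequest("notepad.exe", r"C:\Windows\System32\notepad.exe",
                           sha256_of(GOOD_NOTEPAD_BYTES), "explorer.exe",
                           "CORP\\alice")
FAKE_NOTEPAD = ExecRequest("notepad.exe",
                           r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
                           sha256_of(b"MZ constructed dropper bytes"),
                           "winword.exe", "CORP\\alice")

if __name__ == "__main__":
    for req in (REAL_NOTEPAD, FAKE_NOTEPAD):
        print(req.image_path, "name-only:", name_only_decision(req),
              "identity:", identity_decision(req))
```

The same evaluator also denies the genuine notepad.exe when it is spawned by an unapproved parent, which is the document-launched case the thread worries about.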
Re: Life just keeps getting better....
Ben,

I agree with the position that Sophos has taken. Although your point about them being a not-quite-disinterested party is well noted, the fact that they believe that they personally aren't impacted doesn't mean that they had to give their competitors a pass. It's not like they took the high road -- they basically said that it's not really a factor.

-ASB: http://XeeSM.com/AndrewBaker

On Tue, May 11, 2010 at 9:11 AM, Ben Scott mailvor...@gmail.com wrote:
On Mon, May 10, 2010 at 12:40 AM, Kurt Buff kurt.b...@gmail.com wrote:
How to bypass almost all AV software
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Sophos's response:
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

They're an AV vendor and thus not a disinterested party, so take it as you like.

-- Ben
Re: RE: Life just keeps getting better....
Bookmarked. Thanks!! I had seen this before, but not in quite a while.

-ASB: http://XeeSM.com/AndrewBaker

On Tue, May 11, 2010 at 3:23 PM, Kurt Buff kurt.b...@gmail.com wrote:
+1

Here's one of my favorite rants from one of my favorite computer security writers (in 1995!):

The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/

See #2

Kurt

On Tue, May 11, 2010 at 10:27, Andrew S. Baker asbz...@gmail.com wrote:
Alex, the emphasis is currently on identifying known bad. Yes? No matter what the specifics of that approach, it is more fraught with peril than tracking known good for any given environment. Zero-day (new code) is meaningless in such a context.

-ASB: http://XeeSM.com/AndrewBaker
Sent from my Motorola Droid

On May 11, 2010 1:19 PM, Alex Eckelberry al...@sunbelt-software.com wrote:
But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner ...

I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy. Just wait until your next Conficker infection...

Alex

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, May 11, 2010 10:57 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Just to amplify 6.0 is also discontinued. This las...

Sent: Tuesday, May 11, 2010 10:50 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Too bad Cisco royally screwed up CSA 6.0 and is di...
Re: RE: Life just keeps getting better....
Heh. I have occasion to look at his site every once in a while - just to remind me how old some of his advice is, if for no other reason.

Kurt

On Tue, May 11, 2010 at 13:02, Andrew S. Baker asbz...@gmail.com wrote:
Bookmarked. Thanks!! I had seen this before, but not in quite a while.

-ASB: http://XeeSM.com/AndrewBaker

On Tue, May 11, 2010 at 3:23 PM, Kurt Buff kurt.b...@gmail.com wrote:
+1

Here's one of my favorite rants from one of my favorite computer security writers (in 1995!):

The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/

See #2

Kurt

On Tue, May 11, 2010 at 10:27, Andrew S. Baker asbz...@gmail.com wrote:
Alex, the emphasis is currently on identifying known bad. Yes? No matter what the specifics of that approach, it is more fraught with peril than tracking known good for any given environment. Zero-day (new code) is meaningless in such a context.

-ASB: http://XeeSM.com/AndrewBaker
Sent from my Motorola Droid

On May 11, 2010 1:19 PM, Alex Eckelberry al...@sunbelt-software.com wrote:
But Mr. Ziots is right, AV is pointless. It is a signature race and you will lose that race sooner ...

I respectfully disagree. What antivirus companies still rely on signatures? I see detection rates daily, and while an AV engine is not nearly the thing it was in the past, it is still a very, very important part of the security strategy. Just wait until your next Conficker infection...

Alex

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, May 11, 2010 10:57 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Just to amplify 6.0 is also discontinued. This las...

Sent: Tuesday, May 11, 2010 10:50 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better

Too bad Cisco royally screwed up CSA 6.0 and is di...
Re: Life just keeps getting better....
On Tue, May 11, 2010 at 1:31 PM, Kennedy, Jim kennedy...@elyriaschools.org wrote:
Let's not ignore the first Conficker infection while we wait for the next. CSA was the only thing that stopped it dead from day zero.

I would disagree with "only". Conficker attacked MS08-067, autorun, and open/weak-password network shares. We patch security vulnerabilities quickly, so we were protected on MS08-067. We disable autorun[1], so we were protected there. All our shares require AD authentication, and we protect against trivial passwords. Conficker was a non-incident for us. And even the "luser manually runs it off removable media" case can be countered with plain old Software Restriction Policies.

Not saying CSA doesn't have value (totally unfamiliar with it myself), just disagreeing with "only".

[1] This means actually disabling autorun, and not just following Microsoft's guidance on how to disable autorun. Microsoft got it wrong at least twice.

-- Ben
RE: Life just keeps getting better....
Overblown IMHO - the example is talking about loading bad kernel code - you need to be an admin to do that - on x64 systems the bad driver would have to be signed - the AV system should have picked up the bad code being placed onto the system prior to anyone executing it - I don't see how this bypasses signature based detection. It would only, potentially, bypass some kind of HIPS based protection.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 10 May 2010 12:41 PM
To: NT System Admin Issues
Subject: Life just keeps getting better

How to bypass almost all AV software
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Including VIPRE, and all of the big names that I can think of. It takes a bit of effort, but it will probably be commodified shortly, I expect.

Kurt