Re: Lumension Intelligent Whitelisting

2013-01-07 Thread kz20fl
Don't think it works with the latest versions of XenApp, although it is a good 
six months or so since I came across this issue and may have been updated

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-Original Message-
From: Richard Stovall rich...@gmail.com
Date: Mon, 7 Jan 2013 16:18:44 
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Lumension Intelligent Whitelisting

Anyone out there using Lumension products?  I'm particularly interested in
the Intelligent Whitelisting bundle that includes patching, A/V and
application whitelisting.

Any experiences or thoughts you wouldn't mind sharing?

Thanks,
RS

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Whitelisting

2012-04-18 Thread Crawford, Scott
Yup.

The EICAR[1] string is a good example as well. In notepad, it's 68 ASCII 
characters. In DOS, it's an executable.  So is it code or is it text?

[1] http://eicar.org/85-0-Download.html

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Wednesday, April 18, 2012 12:31 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Actually, to make this point better:

If I open a certain set of 0s and 1s in notepad.exe, it just displays the 
ASCII/Unicode character representation of those 1s and 0s on the screen
If I open the same set of 0s and 1s in cscript.exe, then certain other actions 
get performed on the system.

The above is a fairly clear distinction, but there are plenty of scenarios that 
grey the boundary far more. As far as I'm concerned, it is very difficult to 
distinguish between data and code, except in the simplest of cases.

Cheers
Ken

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, 17 April 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

The first statement is wrong - there is no difference between data and code - 
they are just ones and zeros.

Now, an application can tell an OS that certain memory addresses contain code 
that should not be executed.
But some other application, loading exactly the same ones and zeros, can tell 
the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.




Re: Whitelisting

2012-04-18 Thread Andrew S. Baker
Yes, code and data is all about context.  Code can be considered data if
you take it out of the context where it can be run.  If data cannot be
executed, it is not code.

The beauty of whitelisting applications (as a concept) is that you don't
care about things that aren't running, as they can't do anything to you
until they CAN run.

A set of 0s and 1s opened in notepad is no problem to me until that set of
0s and 1s can run in some manner.   While I can certainly elect to do so, I
don't *need* to use any computational power to address an inert set of 0s
and 1s.  If notepad has a buffer overflow vulnerability, as an example,
then I still don't need to expend a lot of concern about that set of 0s and
1s if I don't want to.  I only have to worry about what new processes it
can spawn.  Yes, it is technically possible that for a given executable,
one could totally co-opt it to make it a malignant executable without the
need for any other, but this is extremely difficult, which is why it is not
regularly done.  That's an extreme edge case, AND it's an edge case that is
not any better addressed by a blacklisting solution in a zero-day scenario,
whereas the most likely scenario of the compromised executable calling down
new processes *is* trapped adequately by whitelisting.

If you believe that the value of this class of protection is not worth the
pain of managing the whitelisting solutions, then so be it.  I cannot tell
you where to draw the cost/benefit line.

But I'm opting for any solution which better handles an entire class of
real and prevalent threats than the standard solution, and which will only
get better as the disparity between the size of blacklists and whitelists
grows.


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…


On Wed, Apr 18, 2012 at 1:31 AM, Ken Schaefer k...@adopenstatic.com wrote:

 Actually, to make this point better:

 If I open a certain set of 0s and 1s in notepad.exe, it just displays the
 ASCII/Unicode character representation of those 1s and 0s on the screen

 If I open the same set of 0s and 1s in cscript.exe, then certain other
 actions get performed on the system.

 The above is a fairly clear distinction, but there are plenty of scenarios
 that grey the boundary far more. As far as I’m concerned, it is very
 difficult to distinguish between data and code, except in the simplest of
 cases.

 Cheers
 Ken

 From: Ken Schaefer [mailto:k...@adopenstatic.com]
 Sent: Tuesday, 17 April 2012 11:12 AM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 The first statement is wrong – there is no difference between data and
 code – they are just ones and zeros.

 Now, an application can tell an OS that certain memory addresses contain
 code that should not be executed.
 But some other application, loading exactly the same ones and zeros, can
 tell the OS that it should be executable.

 Cheers
 Ken

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, 17 April 2012 2:28 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Data is code. Code is data. They’re both strings of 1’s and 0’s.

 No, they are most certainly not the same.


Re: Whitelisting

2012-04-18 Thread Andrew S. Baker
*Surely that’s entirely dependent on the application that is hosting the
script to support such functionality?*


I thought we were talking about the *principle *of whitelisting vs
blacklisting, not necessarily specific implementations...

If an application or OS does not support it, it cannot be implemented.
 But, to the extent that it becomes enough of a burden, alternatives will
be pursued, whether that means new apps or a whole new OS.

Microsoft Office suffered from a tremendous number of macro virus issues.
 These have largely diminished -- and not due to blacklisting.

Adobe Acrobat and Flash are key vectors today.  Either Adobe will make it
easier to control these types of issues, or people will find alternatives
to their products.  They've already begun to take some steps, but much of
the damage has been done.



*I get your point that you can close off loopholes. But I fear that it’s
just another “whack a mole” exercise. Threats will still be there, but we
now have the relatively large overhead of whitelisting.*

Such is the nature of information security.  We chase on many levels, and
we try to get ahead on some levels.  Threats do remain, but with better
education, tools and practices, we are better able to manage our risks.
 Whitelisting is ultimately a better approach for most issues than is
blacklisting, even though blacklisting has provided significant benefits
over time, because at some point there is too much overhead to track all of
the bad, and it is easier to track all of the good.


*Tools like IPSec (for whitelisting network traffic) have existed for
years. Yet hardly anyone is using it. It’s just too hard to implement and
maintain. I see the same with applications (except in the smallest of
environments)*

The pain of blacklisting is not felt by all -- but it is growing.

Yes, some of the tools are hard to use or limited in scope.  Like
everything else, the tipping point has to be crossed for most people to
want to embrace a different approach, and then when more vendors and
administrators are using that approach, the tools get simpler, more robust,
and more affordable.

Regardless of the level of difficulty inherent in many of the
implementations *today*, the concept of whitelisting is better than the
concept of blacklisting once the number of items that one has to blacklist
becomes massive and/or the items on the list need to change frequently.
 That's all this discussion is about.

We came to that conclusion years ago with firewall rules, and it has been
to our collective benefit.

We're going to continue to see more problems managing today's blacklists,
and greater effort put into not having to do that.

Yes, the bad guys will move on to something else, because that's what they
do, but we will better be able to manage that entire class of threat.

Regards,


ASB
http://about.me/Andrew.S.Baker
Solutions Architect -- InfoSec & Infrastructure





On Wed, Apr 18, 2012 at 1:28 AM, Ken Schaefer k...@adopenstatic.com wrote:

 Surely that’s entirely dependent on the application that is hosting the
 script to support such functionality?

 If I develop an arbitrary application: KensSuperCADProgram, and I provide
 a basic IDE that allows users to develop custom extensions/actions, then
 your whitelisting application isn’t going to know anything about it (unless
 it’s been specifically coded to examine KensSuperCADProgram extensions).

 I get your point that you can close off loopholes. But I fear that it’s
 just another “whack a mole” exercise. Threats will still be there, but we
 now have the relatively large overhead of whitelisting.

 Tools like IPSec (for whitelisting network traffic) have existed for
 years. Yet hardly anyone is using it. It’s just too hard to implement and
 maintain. I see the same with applications (except in the smallest of
 environments)

 Cheers
 Ken

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, 17 April 2012 7:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Yes, it can address that scenario.

 You can sign the scripts you want to run, and disallow unsigned scripts.

 Does whitelisting solve world hunger, cure cancer or find livable space on
 Mars?  No.   But it does address, more effectively, a huge range of threats
 that are inadequately addressed by the traditional blacklisting approach of
 current AV products.  It's even used within Windows directly to make the OS
 more secure.  As a result, I will continue to use and recommend it to
 reduce my threat landscape, leaving more time to intelligently address the
 threats that it does not handle well.

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…

 On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com
 wrote:

 Let’s try another one: I use
RE: Whitelisting

2012-04-18 Thread Webster
Way back when I was in app dev, there was a popular programming technique 
called data driven programming.  You would take chunks of code specific to the 
user or app module and store the code in a database.  Then every time for that 
user or app module the code would be read from the database and executed.  Code 
meets data and data meets code.  Back then it made for very customizable 
software but you paid for it on the execution side.


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Subject: Re: Whitelisting

Yes, code and data is all about context.  Code can be considered data if you 
take it out of the context where it can be run.  If data cannot be executed, it 
is not code.



RE: Whitelisting

2012-04-18 Thread Michael B. Smith
Snippets are still widely used, perhaps more widely used today than in the 
past, as the hardware has become faster and faster.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, April 18, 2012 7:41 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Way back when I was in app dev, there was a popular programming technique 
called data driven programming.  You would take chunks of code specific to the 
user or app module and store the code in a database.  Then every time for that 
user or app module the code would be read from the database and executed.  Code 
meets data and data meets code.  Back then it made for very customizable 
software but you paid for it on the execution side.


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Subject: Re: Whitelisting

Yes, code and data is all about context.  Code can be considered data if you 
take it out of the context where it can be run.  If data cannot be executed, it 
is not code.
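Carl's data-driven programming pattern is where "code is data" stops being philosophy and becomes an operational gap: the code lives in a database rather than in a file, so a file-based whitelist never gets to evaluate it. The snippet below is an added example for this page, not code from the thread or from any product; it mimics the pattern in PowerShell with an in-memory table standing in for the database (module names and snippet bodies are invented), shows what a file whitelist actually sees, and adds the two checks that do reach text-as-code: a parser-based inventory of what a snippet invokes before it is admitted to the store, and the session language mode.

```powershell
# Added example, not from the thread. $snippetStore stands in for the database
# of per-module code; module names and snippet bodies are invented.
$snippetStore = @{
    'reporting' = 'Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 3 Name, WorkingSet'
    'cleanup'   = 'Get-ChildItem $env:TEMP -File | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Measure-Object'
}

function Invoke-StoredSnippet([string]$module) {
    # Read the text for this module and execute it. Nothing touched the disk,
    # so file-based whitelisting (AppLocker script rules, execution policy) is
    # never consulted: to the whitelist this is just powershell.exe running.
    $code = $snippetStore[$module]
    if (-not $code) { throw "no snippet stored for module '$module'" }
    return & ([scriptblock]::Create($code))
}

function Get-SnippetInventory([string]$code) {
    # Static inventory of what a snippet calls, taken from the real PowerShell
    # parser rather than a regex. A gate on what goes into the store, not a
    # sandbox: it sees command names, not what they do at run time.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($code, [ref]$tokens, [ref]$errors)
    $commands = @($ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } | Sort-Object -Unique)
    $dotnet = @($ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true))
    [pscustomobject]@{
        Commands    = $commands -join ', '
        DotNetCalls = $dotnet.Count      # [Type]::Method() and $obj.Method() calls
        ParseErrors = $errors.Count
    }
}

'--- what a file whitelist sees: the host process ---'
(Get-Process -Id $PID).Path

'--- what actually ran ---'
Invoke-StoredSnippet 'reporting'

'--- inventory of each stored snippet ---'
foreach ($m in $snippetStore.Keys) {
    Get-SnippetInventory $snippetStore[$m] |
        Add-Member -NotePropertyName Module -NotePropertyValue $m -PassThru
}

# The control that does reach text-as-code: when AppLocker (or WDAC) enforces
# script rules, Windows PowerShell 5.x runs code that is not explicitly allowed
# in ConstrainedLanguage mode, which forbids arbitrary .NET method calls even
# in script blocks built from strings. FullLanguage here means that protection
# is not in effect on this host.
'--- language mode of this session ---'
$ExecutionContext.SessionState.LanguageMode
```

The inventory step is the one worth keeping: review snippets at the point where they enter the store, where they are still data and can be parsed, rather than hoping the endpoint control catches them once they are code.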



Re: Whitelisting

2012-04-17 Thread James Rankin
Only during logons, otherwise it's disallowed

On 16 April 2012 17:04, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Apr 16, 2012 at 10:21 AM, Alex Eckelberry al...@eckelberry.com
 wrote:
  If it's an exploit, it's going to launch code.  The code
  won't run in a whitelisting environment unless it's approved by the
 admin.

 CMD /C DEL C:\*.* /S /Q /F /A

  I expect you whitelist CMD.EXE, no?

 -- Ben





-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I must
never send or store e-mails or attachments that are obscene, indecent,
sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
amusing, overly long, slightly opinionated, anonymous, likely to harm
animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
minority (such as extraterrestrial eggplants). Emails of this nature sent
in or out of this account may be intercepted and stopped by the system, but
it's a long shot. This being the UK, even if I was prosecuted for breach of
said email guidelines, I'd probably walk with a suspended sentence anyway,
but if I'd forgotten to pay my car insurance, I'd most certainly be hung,
drawn and quartered.

I am not responsible for any changes made to the message after it has been
sent, in more or less the same way that cyclozine manufacturers aren't
responsible for drug addicts mixing it with methadone and overdosing, so
I'm glad I cleared the confusion up there nice and early. Where opinions
are expressed, they are not necessarily mine. However, I don't make a habit
of expressing other people's opinions for them, so you shouldn't take that
statement as an indication that I am in the business of providing an
opinion-expressing service. In the event that I did, this discourse would
provide no guarantee that I would do it anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended addressee, or the person responsible for
delivering it to them, aside from the fact that you've clearly got some
level of unauthorised access to their account or are at least engaged in
some sort of fraud, I'm obliged to tell you that may not copy, forward
disclose or otherwise use it or any part of it in any way. To do so may be
unlawful, and as you're already breaking the law, I am sure that bombshell
makes you quake in your boots and turn yourself over to law enforcement
immediately. If you receive this e-mail by mistake, please advise the
sender immediately. That would be me, and as I am clearly prone to sending
emails to completely the wrong person, I should instantly be stripped of my
status as a technical consultant and sent to do something more becoming of
my stupidity, such as appearing on Big Brother, the X Factor or insert
country name here's Got Talent.
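Ben's CMD /C DEL example is the standard objection to application whitelisting: once cmd.exe is allowed, whatever it is fed runs under the name of cmd.exe. The check below, an added example for this page and not from the thread, reads an AppLocker policy and reports which script-hosting interpreters an enforced Exe collection lets non-administrators launch. The policy XML is constructed for illustration (rule IDs are placeholders, the rules are shaped like the AppLocker defaults); on a real host replace it with the output of Get-AppLockerPolicy -Effective -Xml.

```powershell
# Added example, not from the thread. The policy below is a constructed stand-in
# shaped like the default AppLocker rules; rule IDs are placeholders. On a real
# host use:  [xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
[xml]$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files in Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="All files in Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Administrators run anything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Block mshta for Users"
                  Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\mshta.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Allowed binaries that execute whatever text they are handed, i.e. the ones
# that turn "cmd.exe is whitelisted" into "anything is whitelisted".
$interpreters = @{
    'cmd.exe'        = 'C:\Windows\System32\cmd.exe'
    'cscript.exe'    = 'C:\Windows\System32\cscript.exe'
    'wscript.exe'    = 'C:\Windows\System32\wscript.exe'
    'mshta.exe'      = 'C:\Windows\System32\mshta.exe'
    'powershell.exe' = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    'regsvr32.exe'   = 'C:\Windows\System32\regsvr32.exe'
    'rundll32.exe'   = 'C:\Windows\System32\rundll32.exe'
}

function Expand-AppLockerPath([string]$pattern) {
    # AppLocker path variables to filesystem globs, enough for this check.
    # %PROGRAMFILES% really covers both Program Files directories, and real
    # policies may also use %OSDRIVE%, %REMOVABLE% and %HOT%.
    $map = [ordered]@{ '%SYSTEM32%' = 'C:\Windows\System32'; '%WINDIR%' = 'C:\Windows'
                       '%PROGRAMFILES%' = 'C:\Program Files'; '%OSDRIVE%' = 'C:' }
    foreach ($k in $map.Keys) { $pattern = $pattern.Replace($k, $map[$k]) }
    return $pattern
}

function Find-AllowedInterpreters([xml]$policy, [hashtable]$targets, [string[]]$nonAdminSids) {
    # Only path rules are examined; publisher and hash rules, and rule
    # Exceptions, need the same treatment in a full audit.
    $rules = @($policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Exe' -and $_.EnforcementMode -eq 'Enabled' } |
        ForEach-Object { $_.FilePathRule })
    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' -and $_.UserOrGroupSid -in $nonAdminSids })
    $deny  = @($rules | Where-Object { $_.Action -eq 'Deny' })

    foreach ($name in ($targets.Keys | Sort-Object)) {
        $full    = $targets[$name]
        $hit     = @($allow | Where-Object { $full -like (Expand-AppLockerPath $_.Conditions.FilePathCondition.Path) })
        # An explicit Deny beats any Allow in AppLocker, so check those too.
        $blocked = @($deny  | Where-Object { $full -like (Expand-AppLockerPath $_.Conditions.FilePathCondition.Path) })
        if ($hit.Count -gt 0 -and $blocked.Count -eq 0) {
            [pscustomobject]@{
                Interpreter = $name
                AllowedBy   = (($hit | ForEach-Object { $_.GetAttribute('Name') }) -join '; ')
            }
        }
    }
}

# Everyone plus BUILTIN\Users: what a standard user gets.
Find-AllowedInterpreters -policy $policyXml -targets $interpreters -nonAdminSids 'S-1-1-0', 'S-1-5-32-545' |
    Format-Table -AutoSize
```

With the constructed policy the report lists cmd.exe, cscript.exe, wscript.exe, powershell.exe, regsvr32.exe and rundll32.exe as reachable by standard users through the "All files in Windows" rule, and omits mshta.exe because of the Deny rule. That is the list to take back to the policy: each entry either gets its own Deny rule for non-admin SIDs, or is accepted as a known gap and watched (process creation with command line logged), because a blanket %WINDIR%\* allow rule is exactly the hole Ben is pointing at.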


Re: Whitelisting

2012-04-17 Thread Andrew S. Baker
Yes, it can address that scenario.

You can sign the scripts you want to run, and disallow unsigned scripts.

Does whitelisting solve world hunger, cure cancer or find livable space on
Mars?  No.   But it does address, more effectively, a huge range of threats
that are inadequately addressed by the traditional blacklisting approach of
current AV products.  It's even used within Windows directly to make the OS
more secure.  As a result, I will continue to use and recommend it to
reduce my threat landscape, leaving more time to intelligently address the
threats that it does not handle well.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com wrote:

 Let’s try another one: I use an exploit (or even just VBA automation) in
 Word to password protect all your files. You need to pay me to get them
 back (or maybe I don’t care whether you get them back, I just like
 inflicting pain – aka like most mass market viruses)

 Does whitelisting address this scenario? No.
 Are exploits just going to move from the problem space solved by
 whitelisting and to a new area that is not addressed by this technology? Yes

 It’s just like spam (and every other area where we have a constantly
 escalated war of technology). Yet for some reason we don’t seem to be
 learning that lesson.

 Cheers
 Ken

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, 17 April 2012 11:07 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 For any given environment, there will be less known good items that I want
 to run, than known bad ones that I don't, not to mention all the unknown
 bad ones that I don't know about yet.

 Managing the smaller list is *better*, not *perfect*.

 I haven't missed the point.  A flawed example is just that -- flawed.
 But, going beyond that and focusing on the principle itself, the blacklist
 is ALSO vulnerable to the same issue.

 So, do you settle for us both sharing your example problem, plus you
 having a host of other ones that are greater than mine?  Or do you
 acknowledge that the approach I favor creates a smaller attack surface area?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…

 On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com
 wrote:
  If it's an exploit, it's going to launch code.  The code
  won't run in a whitelisting environment unless it's approved by the
 admin.
 
 CMD /C DEL C:\*.* /S /Q /F /A
 
  A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
  rights
 
  B - Limited use infection  (since it destroys itself)

  You're missing the point.  You're arguing against the example,
 rather than the principle.  Namely: It's possible to use a whitelisted
 application as an attack vector.[1]

  You're also making another mistake -- you're seeing protection of
 the system as an end, rather than a means.  Nobody cares if the OS is
 intact if all the data is gone.  We protect the OS because we use the
 OS to protect the assets, not just for the sake of having a protected
 OS.

 -- Ben

 [1] To the original question: This doesn't mean blacklisting, i.e.,
 trying to identify and exclude known bad software, is the better
 alternative.


RE: Whitelisting

2012-04-17 Thread Stu Sjouwerman
I wrote a white paper about whitelisting from the perspective of a system 
admin. If you are interested, here is the link to the PDF:
https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf
Warm regards,

Stu

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, April 17, 2012 7:10 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Yes, it can address that scenario.

You can sign the scripts you want to run, and disallow unsigned scripts.

Does whitelisting solve world hunger, cure cancer or find livable space on 
Mars?  No.   But it does address, more effectively, a huge range of threats 
that are inadequately addressed by the traditional blacklisting approach of 
current AV products.  It's even used within Windows directly to make the OS 
more secure.  As a result, I will continue to use and recommend it to reduce my 
threat landscape, leaving more time to intelligently address the threats that 
it does not handle well.
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer 
k...@adopenstatic.commailto:k...@adopenstatic.com wrote:
Let's try another one: I use an exploit (or even just VBA automation) in Word 
to password protect all your files. You need to pay me to get them back (or 
maybe I don't care whether you get them back, I just like inflicting pain - aka 
like most mass market viruses)

Does whitelisting address this scenario? No.
Are exploits just going to move from the problem space solved by whitelisting 
and to a new area that is not addressed by this technology? Yes

It's just like spam (and every other area where we have a constantly escalated 
war of technology). Yet for some reason we don't seem to be learning that 
lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be less known good items that I want to 
run, than known bad ones that I don't, not to mention all the unknown bad ones 
that I don't know about yet.

Managing the smaller list is *better*, not *perfect*.

I haven't missed the point.  A flawed example is just that -- flawed.  But, 
going beyond that and focusing on the principle itself, the blacklist is ALSO 
vulnerable to the same issue.

So, do you settle for us both sharing your example problem, plus you having 
a host of other ones that are greater than mine?  Or do you acknowledge that 
the approach I favor creates a smaller attack surface area?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott 
mailvor...@gmail.commailto:mailvor...@gmail.com wrote:
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker 
asbz...@gmail.commailto:asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)
 You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

 You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.



Re: Whitelisting

2012-04-17 Thread Kurt Buff
What a cool way to subvert lots of machines at once! Hack the cloud,
and insert your own hashes.

I like it...


Kurt


On Tue, Apr 17, 2012 at 08:41, Stu Sjouwerman s...@sunbelt-software.com wrote:

 I wrote a white paper about whitelisting from the perspective of a system 
 admin. If you are interested, here is a copy to the link of the PDF:

 https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf

 Warm regards,



 Stu



 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, April 17, 2012 7:10 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting



 Yes, it can address that scenario.



 You can sign the scripts you want to run, and disallow unsigned scripts.



 Does whitelisting solve world hunger, cure cancer or find livable space on 
 Mars?  No.   But it does address, more effectively, a huge range of threats 
 that are inadequately addressed by the traditional blacklisting approach of 
 current AV products.  It's even used within Windows directly to make the OS 
 more secure.  As a result, I will continue to use and recommend it to reduce 
 my threat landscape, leaving more time to intelligently address the threats 
 that it does not handle well.

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com wrote:

 Let’s try another one: I use an exploit (or even just VBA automation) in Word 
 to password protect all your files. You need to pay me to get them back (or 
 maybe I don’t care whether you get them back, I just like inflicting pain – 
 aka like most mass market viruses)



 Does whitelisting address this scenario? No.

 Are exploits just going to move from the problem space solved by whitelisting 
 and to a new area that is not addressed by this technology? Yes



 It’s just like spam (and every other area where we have a constantly 
 escalated war of technology). Yet for some reason we don’t seem to be 
 learning that lesson.



 Cheers

 Ken



 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, 17 April 2012 11:07 AM


 To: NT System Admin Issues
 Subject: Re: Whitelisting



 For any given environment, there will be less known good items that I want to 
 run, than known bad ones that I don't, not to mention all the unknown bad 
 ones that I don't know about yet.



 Managing the smaller list is *better*, not *perfect*.



 I haven't missed the point.  A flawed example is just that -- flawed.  But, 
 going beyond that and focusing on the principle itself, the blacklist is ALSO 
 vulnerable to the same issue.



 So, do you settle for the us both sharing your example problem, plus you 
 having a host of other ones that are greater than mine?  Or do you 
 acknowledge that the approach I favor creates a smaller attack surface area?





 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
  If it's an exploit, it's going to launch code.  The code
  won't run in a whitelisting environment unless it's approved by the admin.
 
         CMD /C DEL C:\*.* /S /Q /F /A
 

  A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
  rights
 
  B - Limited use infection  (since it destroys itself)

  You're missing the point.  You're arguing against the example,
 rather than the principle.  Namely: It's possible to use a whitelisted
 application as an attack vector.[1]

  You're also making another mistake -- you're seeing protection of
 the system as an end, rather than a means.  Nobody cares if the OS is
 intact if all the data is gone.  We protect the OS because we use the
 OS to protect the assets, not just for the sake of having a protected
 OS.

 -- Ben

 [1] To the original question: This doesn't mean blacklisting, i.e.,
 trying to identify and exclude known bad software, is the better
 alternative.




RE: Whitelisting

2012-04-17 Thread Ken Schaefer
Surely that's entirely dependent on the application that is hosting the script 
to support such functionality?

If I develop an arbitrary application: KensSuperCADProgram, and I provide a 
basic IDE that allows users to develop custom extensions/actions, then your 
whitelisting application isn't going to know anything about it (unless it's 
been specifically coded to examine KensSuperCADProgram extensions).

I get your point that you can close off loopholes. But I fear that it's just 
another whack a mole exercise. Threats will still be there, but we now have 
the relatively large overhead of whitelisting.

Tools like IPSec (for whitelisting network traffic) have existed for years. Yet 
hardly anyone is using it. It's just too hard to implement and maintain. I see 
the same with applications (except in the smallest of environments)

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 7:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Yes, it can address that scenario.

You can sign the scripts you want to run, and disallow unsigned scripts.

Does whitelisting solve world hunger, cure cancer or find livable space on 
Mars?  No.   But it does address, more effectively, a huge range of threats 
that are inadequately addressed by the traditional blacklisting approach of 
current AV products.  It's even used within Windows directly to make the OS 
more secure.  As a result, I will continue to use and recommend it to reduce my 
threat landscape, leaving more time to intelligently address the threats that 
it does not handle well.
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com wrote:
Let's try another one: I use an exploit (or even just VBA automation) in Word 
to password protect all your files. You need to pay me to get them back (or 
maybe I don't care whether you get them back, I just like inflicting pain - aka 
like most mass market viruses)

Does whitelisting address this scenario? No.
Are exploits just going to move from the problem space solved by whitelisting 
and to a new area that is not addressed by this technology? Yes.

It's just like spam (and every other area where we have a constantly escalated 
war of technology). Yet for some reason we don't seem to be learning that 
lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be fewer known good items that I want to 
run than known bad ones that I don't, not to mention all the unknown bad ones 
that I don't know about yet.

Managing the smaller list is *better*, not *perfect*.

I haven't missed the point.  A flawed example is just that -- flawed.  But, 
going beyond that and focusing on the principle itself, the blacklist is ALSO 
vulnerable to the same issue.

So, do you settle for us both sharing your example problem, plus you having 
a host of other ones that are greater than mine?  Or do you acknowledge that 
the approach I favor creates a smaller attack surface area?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)
 You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

 You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.


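The exchange above turns on two mechanics: an approved interpreter (cscript.exe) turns whatever file it is handed into code, while notepad.exe only displays the same bytes, and the proposed fix is to approve (sign) the scripts themselves and refuse the rest. The following simulated allowlist check is an added example written for this thread, not code from any poster or from any vendor product; all file paths and contents are constructed in-memory stand-ins, and SHA-256 hashes stand in for the signatures or hash rules a real SRP/AppLocker policy would use.

```python
"""Simulated application-allowlist policy check (added example).

Not code from the list thread or any product.  Every "file" below is a
constructed in-memory byte string so the script runs offline; hashes stand
in for the digital signatures or hash rules a real policy would carry.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample files: path -> contents.  None of these are real binaries.
FILES = {
    r"C:\Windows\System32\notepad.exe": b"MZ notepad (constructed stand-in)",
    r"C:\Windows\System32\cscript.exe": b"MZ cscript (constructed stand-in)",
    r"C:\Windows\System32\cmd.exe": b"MZ cmd (constructed stand-in)",
    r"C:\Tools\RandomDownload.exe": b"MZ unknown binary (constructed stand-in)",
    r"C:\Scripts\inventory.vbs": b"' admin-approved script (constructed)\r\n"
                                 b'WScript.Echo "ok"',
    r"C:\Users\joe\Downloads\CheckOutDancingPigs.vbs": b"' unapproved script (constructed)",
}

# Extensions that the Windows Script Host treats as code rather than data.
SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf")


def sha256_of(path: str) -> str:
    """Hash of a constructed file; raises KeyError if we have no such file."""
    return hashlib.sha256(FILES[path]).hexdigest()


@dataclass(frozen=True)
class Policy:
    allowed_exe: frozenset        # SHA-256 of approved executables
    interpreters: frozenset       # approved executables whose argument becomes code
    allowed_scripts: frozenset    # SHA-256 of approved scripts (stand-in for "signed")
    check_script_args: bool       # False = classic executable-only allowlist


def evaluate(policy: Policy, exe_path: str, args: list[str]) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for launching exe_path with args."""
    try:
        exe_hash = sha256_of(exe_path)
    except KeyError:
        return "deny", f"{exe_path}: no such file"
    if exe_hash not in policy.allowed_exe:
        return "deny", f"{exe_path}: executable not on the allowlist"

    # For an approved interpreter the *argument* is the code that will run,
    # so the script file needs its own approval, not just the host binary.
    if exe_path in policy.interpreters and policy.check_script_args:
        for arg in args:
            if not arg.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            try:
                script_hash = sha256_of(arg)
            except KeyError:
                return "deny", f"{arg}: script not found"
            if script_hash not in policy.allowed_scripts:
                return "deny", f"{arg}: unapproved script passed to approved interpreter"

    # Residual gap from the thread: cmd.exe with an inline command carries no
    # file to hash, so a file-based allowlist sees only an approved executable.
    return "allow", f"{exe_path}: approved"


NOTEPAD = r"C:\Windows\System32\notepad.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
CMD = r"C:\Windows\System32\cmd.exe"
APPROVED_EXE_HASHES = frozenset(sha256_of(p) for p in (NOTEPAD, CSCRIPT, CMD))

# Policy A: hash-approve the executables only (the "whitelisting" most people mean).
EXE_ONLY = Policy(
    allowed_exe=APPROVED_EXE_HASHES,
    interpreters=frozenset({CSCRIPT}),
    allowed_scripts=frozenset(),
    check_script_args=False,
)

# Policy B: additionally approve specific scripts and refuse unapproved ones.
EXE_AND_SCRIPTS = Policy(
    allowed_exe=APPROVED_EXE_HASHES,
    interpreters=frozenset({CSCRIPT}),
    allowed_scripts=frozenset({sha256_of(r"C:\Scripts\inventory.vbs")}),
    check_script_args=True,
)


def demo() -> list[tuple[str, str, str]]:
    """Run the thread's scenarios through both policies; returns (label, A, B)."""
    pigs = r"C:\Users\joe\Downloads\CheckOutDancingPigs.vbs"
    cases = [
        ("random download", r"C:\Tools\RandomDownload.exe", []),
        ("notepad shows a script as text", NOTEPAD, [pigs]),
        ("cscript runs an unapproved script", CSCRIPT, [pigs]),
        ("cscript runs the approved script", CSCRIPT, [r"C:\Scripts\inventory.vbs"]),
        ("cmd with an inline command", CMD, ["/C", "dir"]),
    ]
    return [(label, evaluate(EXE_ONLY, exe, a)[0], evaluate(EXE_AND_SCRIPTS, exe, a)[0])
            for label, exe, a in cases]


if __name__ == "__main__":
    for label, a, b in demo():
        print(f"{label:38s} exe-only={a:5s} exe+scripts={b}")
```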

RE: Whitelisting

2012-04-17 Thread Ken Schaefer
Actually, to make this point better:

If I open a certain set of 0s and 1s in notepad.exe, it just displays the 
ASCII/Unicode character representation of those 1s and 0s on the screen
If I open the same set of 0s and 1s in cscript.exe, then certain other actions 
get performed on the system.

The above is a fairly clear distinction, but there are plenty of scenarios that 
grey the boundary far more. As far as I'm concerned, it is very difficult to 
distinguish between data and code, except in the simplest of cases.

Cheers
Ken

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, 17 April 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

The first statement is wrong - there is no difference between data and code - 
they are just ones and zeros.

Now, an application can tell an OS that certain memory addresses contain code 
that should not be executed.
But some other application, loading exactly the same ones and zeros, can tell 
the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.




Re: Whitelisting

2012-04-16 Thread Kurt Buff
On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash,
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how it
 does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up, or have
been subverted, to issue malware. Those are actually the larger threat, 
AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that it should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow these applications to run. With Whitelisting, you are also requiring 
 that the user decide what is legitimate and what is not. And users will 
 continue to be socially engineered into believing that malware are 
 legitimate files. Just like today.


 Whitelisting will slow application development/deployment even more,
 and will just result in more applications like Access and Excel that
 provide a semi-IDE to the end user that allows them to develop their own 
 code/functionality. And resulting opportunities for code exploit.

 Bummer for them. Opportunity for those who can, and who can help them.

 Perhaps. Or maybe there's no ROI developing the feature in the first place.

 Or maybe exploits will just move to another area (Excel, Access application 
 etc) that whitelisting doesn't cover.

 You're not addressing the point at all.

Whitelisting helps those who help themselves (corporately or
individually). Think of it as evolution in action.

After that, then yes, bad data is a problem. But bad data is the
smaller problem. That *is* the point.

To drive the point home - If I had to choose between whitelisting
applications and blacklisting data, I'd choose whitelisting
applications, every time. I'll still have some risk in my environment,
but that's, to me, acceptable.

Kurt




RE: Whitelisting

2012-04-16 Thread Ken Schaefer
 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

Why would you have to make a choice? They are not mutually exclusive options. 

To drive the point home - those words do not mean what I think you believe 
they mean.

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital 
signatures, signed kernel mode code etc. can be used to verify that software 
you are running is mostly legitimate. 

The tools already exist for whitelisting applications running on your home 
computer - even Windows includes Software Restriction Policies, Applocker etc, 
but I doubt you've implemented it - it's simply too much hassle to create a 
digital signature of each and every single executable you want to allow, and 
then restrict each and every .dll or resource file that the .exe is allowed to 
load into its process space, and then also ensure that every application 
doesn't provide some shared memory space or other way for code to end up inside 
the permitted process. 

Cheers
Ken


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, 16 April 2012 2:14 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, 
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how 
 it does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up, 
or have been subverted, to issue malware. Those are actually the larger 
threat, AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that it should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow these applications to run. With Whitelisting, you are also requiring 
 that the user decide what is legitimate and what is not. And users will 
 continue to be socially engineered into believing that malware are 
 legitimate files. Just like today.


 Whitelisting will slow application development/deployment even more, 
 and will just result in more applications like Access and Excel that 
 provide a semi-IDE to the end user that allows them to develop their own 
 code/functionality. And resulting opportunities for code exploit.

 Bummer for them. Opportunity for those who can, and who can help them.

 Perhaps. Or maybe there's no ROI developing the feature in the first place.

 Or maybe exploits will just move to another area (Excel, Access application 
 etc) that whitelisting doesn't cover.

 You're not addressing the point at all.

Whitelisting helps those who help themselves (corporately or individually). 
Think of it as evolution in action.

After that, then yes, bad data is a problem. But bad data is the smaller 
problem. That *is* the point.

To drive the point home - If I had to choose between whitelisting applications 
and blacklisting data, I'd choose whitelisting applications, every time. I'll 
still have some risk in my environment, but that's, to me, acceptable.

Kurt


RE: Whitelisting

2012-04-16 Thread Ziots, Edward
One of the things I see mentioned below is the malicious browser based attacks 
( BHO's, Malicious JavaScript, etc etc) and that is one area of weakness I see 
in the whitelisting solution. Other than that I agree it’s the right way to go. 
Being on the other side of Blacklisting, HIPS etc etc, it is a diminishing 
return over time when you have to write rule after rule to allow software to do 
things that aren't good coding practices, or worse, just to get the software to 
run. 

The other thing I would feel might be a weakness in the whitelisting solution 
is if I allow a piece of software to run, and that software runs as a service 
and that service is remotely exploitable, then I can usurp the computer or any 
computer running that software, because I have exploited a trusted process. 
Again, how can the whitelisting solution protect you from what you already have 
trusted if it's flawed? Again, layers of defense are still a valid argument here.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, April 16, 2012 2:24 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

Why would you have to make a choice? They are not mutually exclusive options. 

To drive the point home - those words do not mean what I think you believe 
they mean.

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital 
signatures, signed kernel mode code etc. can be used to verify that software 
you are running is mostly legitimate. 

The tools already exist for whitelisting applications running on your home 
computer - even Windows includes Software Restriction Policies, Applocker etc, 
but I doubt you've implemented it - it's simply too much hassle to create a 
digital signature of each and every single executable you want to allow, and 
then restrict each and every .dll or resource file that the .exe is allowed to 
load into its process space, and then also ensure that every application 
doesn't provide some shared memory space or other way for code to end up inside 
the permitted process. 

Cheers
Ken


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 2:14 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, 
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how 
 it does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up, 
or have been subverted, to issue malware. Those are actually the larger 
threat, AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that it should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow these applications to run. With Whitelisting, you are also requiring 
 that the user decide what is legitimate and what is not. And users will 
 continue to be socially engineered into believing that malware are 
 legitimate files. Just like today.


 Whitelisting will slow application development/deployment even more, 
 and will just result in more applications like Access and Excel that 
 provide a semi-IDE to the end user that allows them to develop their own 
 code/functionality. And resulting opportunities for code

Re: Whitelisting

2012-04-16 Thread James Rankin
An example of using whitelisting technologies in the enterprise

http://appsensebigot.blogspot.co.uk/2012/03/replacing-your-antivirus-software-with.html

On 16 April 2012 12:46, Ziots, Edward ezi...@lifespan.org wrote:

 One of the things I see mentioned below is the malicious browser based
 attacks ( BHO's, Malicious JavaScript, etc etc) and that is one area of
 weakness I see in the whitelisting solution. Other than that I agree it’s
 the right way to go. Being on the other side of Blacklisting, HIPS etc
 etc, it is a diminishing return over time when you have to write rule after
 rule to allow software to do things that aren't good coding practices, or
 worse, just to get the software to run.

 The other thing I would feel might be a weakness in the whitelisting
 solution is if I allow a piece of software to run, and that software runs
 as a service and that service is remotely exploitable, then I can usurp the
 computer or any computer running that software, because I have exploited a
 trusted process. Again, how can the whitelisting solution protect you from
 what you already have trusted if it's flawed? Again, layers of defense are
 still a valid argument here.

 Z

 Edward Ziots
 CISSP, Security +, Network +
 Security Engineer
 Lifespan Organization
 ezi...@lifespan.org


 -Original Message-
 From: Ken Schaefer [mailto:k...@adopenstatic.com]
 Sent: Monday, April 16, 2012 2:24 AM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

  To drive the point home - If I had to choose between whitelisting
 applications and blacklisting data, I'd choose whitelisting applications,
 every time.

 Why would you have to make a choice? They are not mutually exclusive
 options.

 To drive the point home - those words do not mean what I think you
 believe they mean.

  Whitelisting helps those who help themselves (corporately or
 individually). Think of it as evolution in action.

 Those people generally don't run into problems in the first place. Digital
 signatures, signed kernel mode code etc. can be used to verify that
 software you are running is mostly legitimate.

 The tools already exist for whitelisting applications running on your home
 computer - even Windows includes Software Restriction Policies, Applocker
 etc, but I doubt you've implemented it - it's simply too much hassle to
 create a digital signature of each and every single executable you want to
 allow, and then restrict each and every .dll or resource file that the .exe
 is allowed to load into its process space, and then also ensure that every
 application doesn't provide some shared memory space or other way for code
 to end up inside the permitted process.

 Cheers
 Ken


 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Monday, 16 April 2012 2:14 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
  -Original Message-
  From: Kurt Buff [mailto:kurt.b...@gmail.com]
  Subject: Re: Whitelisting
 
  On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com
 wrote:
  For the SOHO end user, the vast bulk of infections are either:
  a) exploits in existing applications (Acrobat Reader, Adobe Flash,
  Java runtime, Internet Explorer)
  b) social engineering attacks, where the user is convinced to
 run/install some malware that they shouldn't. Despite code signing, users
 are still doing this.
 
  How will whitelisting help the above type of user? I can't see how
  it does - they will always have the ability to override whatever
 recommendation the AV (or protection application) provides.
 
 Simple - they won't have to worry about file.doc.exe (or
 VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
 executables from the various web sites either are deliberately set up,
 or have been subverted, to issue malware. Those are actually the larger
 threat, AFAICT.
 
  So, it doesn't help with any exploits of existing apps, browser plug ins
 etc.
 
  And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his
 WhiteListing application that it should be added to the white list, then
 it'll still run. And Joe User will still be screwed.
 
  And if Joe User gets CheckOutDancingPigs.vbs in his email, and is
 persuaded that it's from his good Nigerian Prince friend Joanne User, and
 runs it, and tells his WhiteListing application that it should be added to
 the white list, then it'll still run fine.
 
  We already have UAC, and AV, and Smart Screen, and Integrity Level
 warnings, that warn users that the application might be something bad. Yet
 users still allow these applications to run. With Whitelisting, you are also
 requiring that the user decide what is legitimate and what is not. And
 users will continue to be socially engineered into believing that malware
 are legitimate files. Just like today.
 
 
  Whitelisting will slow

RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.


I don't understand how you can have an exploit in a data file resulting in
anything else but code execution.  Data itself is harmless; it's the
executables that cause harm. 

 

There will always be code executed, in some form or another (unless I'm
misunderstanding your point). 

 

Alex


From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

 

Possibly...even probably. But, if we ever get to a world where whitelisting
is the predominant means of execution control, the bad guys will, out of
necessity, be relegated to exploiting flaws in applications through data
files. A scanner that looks for signatures of exploits in files will be a
useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone


From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)



ASB


http://XeeMe.com/AndrewBaker


Harnessing the Advantages of Technology for the SMB market.





On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues

ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and
blacklisting for data files that exploit vulnerable white listed
applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a
former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
might be changing.

Thoughts?


RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
a) exploits in existing applications (Acrobat Reader, Adobe Flash,
Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to
run/install some malware that they shouldn't. Despite code signing,
users are still doing this.

How will whitelisting help the above type of user?


If it's an exploit, it's going to launch code.  The code won't run in a 
whitelisting environment unless it's approved by the admin. 

This would also apply to social engineering.  If your company has a 
whitelisting solution in place, code that is not approved won’t run.  So the 
user can download the stupid game they love, but in the end, they won't be able 
to run it. 

A good whitelisting application has a massive repository of good files, and 
the ability to train the system by the admin, not the end-user. 

Alex



-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where 
 whitelisting is the predominant means of execution control, the bad 
 guys will, out of necessity, be relegated to exploiting flaws in 
 applications through data files. A scanner that looks for signatures 
 of exploits in files will be a useful tool. Assuming of course, all 
 applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
 kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code 
 and blacklisting for data files that exploit vulnerable white listed 
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As 
 a former AV guy, I tend to prefer blacklisting, but I'm seeing signs 
 things might be changing.

 Thoughts?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



Re: Whitelisting

2012-04-16 Thread James Rankin
Agreed, if you've got a malicious Word document that exploits a flaw in MS
Word itself, then the only defence is good patching or some other form of
exploit detection. If it's a zero-day, then there's probably nothing except
exploit detection.

Don't want to plug it too much but AppSense Application Manager does a good
job of detecting execution beyond the expected capabilities of an
application, but I've never been able to test it much beyond the types of
things like malicious PDFs with Java exploits or exploits that call out to
malicious dll files. Wonder how much work it would be to craft an Office
document that tries to exploit a vulnerability to see if it can stop this
sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant

 means of execution control, the bad guys will, out of necessity, be

 relegated to exploiting flaws in applications through data files.


 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 


 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 


 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting


 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I must
never send or store e-mails or attachments that are obscene, indecent,
sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
amusing, overly long, slightly opinionated, anonymous, likely to harm
animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
minority (such as extraterrestrial eggplants). Emails of this nature sent
in or out of this account may be intercepted and stopped by the system, but
it's a long shot. This being the UK, even if I was prosecuted for breach of
said email guidelines, I'd probably walk with a suspended sentence anyway

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*I don’t understand how you can have an exploit in a data file resulting
in anything else but code execution. *

Exactly.

We've had epic battles about this very point on more than one occasion,
however, so...

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 10:19 AM, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant

 means of execution control, the bad guys will, out of necessity, be

 relegated to exploiting flaws in applications through data files.


 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 


 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 


 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting


 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
A BHO is a DLL, in other words, a PE file.  As is an OCX.  These would 
be/should be covered by a competent whitelisting solution. 

AFAIK, Javascript can't do much malicious in and of itself except crash your 
browser or do other weird stuff.   Where it is malicious is when it can execute 
Windows code locally  (or Mac code, if running on a Mac machine).   

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Monday, April 16, 2012 7:47 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

One of the things I see mentioned below is the malicious browser based attacks 
( BHO's, Malicious JavaScript, etc etc) and that is one area of weakness I see 
in the whitelisting solution. Other than that I agree it’s the right way to go. 
Being on the other side of Blacklisting, HIPS etc etc, it is a diminishing 
return over time when you have to write rule after rule to allow software to do 
things that aren't good coding practices, or worse, just to get the software to 
run. 

The other thing I would feel might be a weakness in the whitelisting solution 
is if I allow a piece of software to run, and that software runs as a service 
and that service is remotely exploitable, then I can usurp the computer or any 
computer running that software, because I have exploited a trusted process. 
Again, how can the whitelisting solution protect you from what you already have 
trusted if it's flawed? Again, layers of defense are still a valid argument here.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 2:24 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

Why would you have to make a choice? They are not mutually exclusive options. 

To drive the point home - those words do not mean what I think you believe 
they mean.

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital 
signatures, signed kernel mode code etc. can be used to verify that software 
you are running is mostly legitimate. 

The tools already exist for whitelisting applications running on your home 
computer - even Windows includes Software Restriction Policies, Applocker etc, 
but I doubt you've implemented it - it's simply too much hassle to create a 
digital signature of each and every single executable you want to allow, and 
then restrict each and every .dll or resource file that the .exe is allowed to 
load into its process space, and then also ensure that every application 
doesn't provide some shared memory space or other way for code to end up inside 
the permitted process. 

Cheers
Ken


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 2:14 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, 
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how 
 it does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites that either are deliberately set up, 
or have been subverted, to issue malware. Those are actually the larger 
threat, AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that is should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Yes, but if the bad data is used to perform a buffer overflow so that
custom *code* can be executed to do nefarious acts, then that last step
will fail because the custom malicious code is not authorized to run --
even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can
be some management overhead depending on the implementation, but it addresses
more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html

http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in MS
 Word itself, then the only defence is good patching or some other form of
 exploit detection. If it's a zero-day, then there's probably nothing except
 exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant

 means of execution control, the bad guys will, out of necessity, be

 relegated to exploiting flaws in applications through data files.


 I don’t understand how you can have an exploit in a data file resulting
 in anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 


 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 


 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting


 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Here's one typical scenario:

   - WinWord.exe has a buffer overflow vulnerability.
   - WinWord.exe is a whitelisted app, so the vulnerability can be
   exploited.
   - Bad guy creates a hand-crafted data file that takes advantage of the
   buffer overflow vulnerability
   - User opens bad data file, which exploits the vulnerability


In a traditional environment, the exploit of the vulnerability would likely
include the uploading or installation of some files to the exploited
machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that
is spawned by the exploit (either because it is embodied in the bad data,
or because it is downloaded from some remote server) will be unable to run
-- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files
(CMD, etc) then these executions will be subject to whether or not they are
approved from a whitelisting perspective, but the scope of the exploit is
still *greatly* reduced.  (Read Only or Blocked Attack vs full system
compromise)



ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.

 No, it doesn't solve every last malware issue known to man, and there can
 be some management overhead depending on the implementation, but it addresses
 more issues than blacklisting does, and does so more effectively.

 Of course, we've been saying the same thing for a while here:

 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html


 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.


 I don’t understand how you can have an exploit in a data file resulting
 in anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 


 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 


 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting


 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com

Re: Whitelisting

2012-04-16 Thread James Rankin
Thanks for clarifying that

On 16 April 2012 16:25, Andrew S. Baker asbz...@gmail.com wrote:

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability


 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

 This is a key benefit of whitelisting.

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)



 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.

 No, it doesn't solve every last malware issue known to man, and there
 can be some management overhead depending on the implementation, but it
 addresses more issues than blacklisting does, and does so more effectively.

 Of course, we've been saying the same thing for a while here:

 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html


 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.


 I don’t understand how you can have an exploit in a data file
 resulting in anything else but code execution.  Data itself is harmless;
 it’s the executables that cause harm. 


 There will always be code executed, in some form or another (unless
 I’m misunderstanding your point). 


 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting


 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages

Re: Whitelisting

2012-04-16 Thread Ben Scott
On Mon, Apr 16, 2012 at 10:21 AM, Alex Eckelberry al...@eckelberry.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

  I expect you whitelist CMD.EXE, no?

-- Ben
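An added example, not code from anyone in this thread: a toy default-deny allowlist that replays Andrew Baker's WinWord scenario (hand-crafted document exploits a whitelisted app, exploit tries to run its own dropped binary) and Ben's CMD.EXE objection. The rule shapes follow what SRP/AppLocker offer (hash, publisher, path); every path, file image, signer string and launch event below is constructed for illustration, and the parent/child check is a simple stand-in for the "execution beyond the expected capabilities of an application" detection James mentions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binary:
    """A file the OS is being asked to execute (all values constructed)."""
    path: str
    content: bytes                   # stand-in for the PE image bytes
    publisher: Optional[str] = None  # Authenticode signer, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class Policy:
    """Allow rules in the shapes SRP/AppLocker offer; anything unmatched is denied."""
    hashes: Set[str] = field(default_factory=set)      # exact SHA-256 of approved files
    publishers: Set[str] = field(default_factory=set)  # trusted code signers
    path_prefixes: Tuple[str, ...] = ()                # trusted directories (weakest)


def decide(policy: Policy, binary: Binary) -> Tuple[bool, str]:
    """Default-deny decision. The file name is deliberately never consulted."""
    if binary.sha256 in policy.hashes:
        return True, "hash rule"
    if binary.publisher and binary.publisher in policy.publishers:
        return True, "publisher rule (%s)" % binary.publisher
    for prefix in policy.path_prefixes:
        if binary.path.lower().startswith(prefix.lower()):
            return True, "path rule (%s)" % prefix
    return False, "no matching allow rule (default deny)"


# Document handlers that have no business spawning shells, and the already
# whitelisted Windows binaries an exploit reaches for instead of dropping its own.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


@dataclass(frozen=True)
class LaunchEvent:
    parent: str       # image name of the process requesting the launch
    child: Binary
    cmdline: str


def evaluate(policy: Policy, events: List[LaunchEvent]) -> List[Tuple[str, str, str]]:
    """Apply the allowlist, then a parent/child check on whatever it let through."""
    findings = []
    for ev in events:
        allowed, reason = decide(policy, ev.child)
        findings.append((ev.child.name, "ALLOW" if allowed else "BLOCK", reason))
        if allowed and ev.parent in DOCUMENT_HANDLERS and ev.child.name in LOLBINS:
            findings.append((ev.child.name, "ALERT",
                             "%s spawned %s: %s" % (ev.parent, ev.child.name, ev.cmdline)))
    return findings


def run_scenario() -> List[Tuple[str, str, str]]:
    """Replays the thread's scenario with constructed binaries and events."""
    winword = Binary(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                     b"MZ constructed winword image", "Microsoft Corporation")
    cmd = Binary(r"C:\Windows\System32\cmd.exe",
                 b"MZ constructed cmd image", "Microsoft Corporation")
    payroll = Binary(r"C:\Apps\payroll.exe", b"MZ constructed unsigned LOB app")
    # Attacker-dropped binary renamed to look like Word (James Rankin's question).
    dropped = Binary(r"C:\Users\joe\AppData\Local\Temp\winword.exe",
                     b"MZ constructed badapp image")
    # The LOB app after one byte of it was modified on disk.
    payroll_tampered = Binary(payroll.path, payroll.content + b"\x00")

    policy = Policy(hashes={payroll.sha256}, publishers={"Microsoft Corporation"})
    events = [
        LaunchEvent("explorer.exe", winword, "WINWORD.EXE report.docx"),
        LaunchEvent("winword.exe", dropped, "winword.exe"),                  # exploit payload
        LaunchEvent("winword.exe", cmd, r"CMD /C DEL C:\*.* /S /Q /F /A"),  # Ben's case
        LaunchEvent("explorer.exe", payroll, "payroll.exe"),
        LaunchEvent("explorer.exe", payroll_tampered, "payroll.exe"),
    ]
    return evaluate(policy, events)


if __name__ == "__main__":
    for name, verdict, reason in run_scenario():
        print("%-6s %-12s %s" % (verdict, name, reason))
```

The renamed drop is blocked because no rule ever looks at the name, and the tampered LOB app is blocked because its hash changed; cmd.exe passes the allowlist exactly as Ben says, which is why the parent/child alert has to sit alongside it.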




RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Data is harmless unless that data is actually formed in such a way to exploit 
a vulnerability in an application. If so, you've got a whitelisted application 
executing arbitrary code from a data file.

From: Alex Eckelberry [mailto:al...@eckelberry.com]
Sent: Monday, April 16, 2012 9:19 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott 
[mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting
You can't. :)
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:
How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable whitelisted applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?


RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?
On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM

To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications aren't secure.


Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM

To: NT System Admin Issues
Subject

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Because it is *data*.

Data doesn't make calls.  Code does. That's been the gist of the
argument from the very beginning.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability


 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.


 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.


 This is a key benefit of whitelisting.


 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market...



 

 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com
 wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.


 No, it doesn't solve every last malware issue known to man, and there can
 be some management overhead depending on the implentation, but it addresses
 more issues than blacklisting does, and does so more effectively.


 Of course, we've been saying the same thing for a while here:


 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market...



 

 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com
 wrote:

  Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

  

 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 

  

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 

  

 Alex

  

  

  

 From: Crawford, Scott [mailto:crawfo...@evangel.edu]
 Sent: Monday, April 16

RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Data is code. Code is data. They're both strings of 1's and 0's. The only 
difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data.

Data doesn't make calls.  Code does. That's been the gist of the argument 
from the very beginning.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?
On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*Data is code. Code is data. They’re both strings of 1’s and 0’s. *

No, they are most certainly not the same.


*The only difference is what is interpreting that string. *

And that's a huge difference.


*If data is data, how is it able to cause winword.exe to download a
payload?*

Well, here's an oversimplification of how buffer overflows work:


   1. An executable opens up a data file for manipulation
   2. Because the input buffer is not adequately validated, the data (which
   is larger than the area allowed by the buffer), ends up overwriting a
   critical area *of the host executable's execution area* with new 1s and
   0s.
   3. The code which should normally execute at the conclusion of the data
   input is now replaced by some code stub which will do what the attacker
   wants.
   4. This allows the host executable to now do something else
   than originally intended (or crash, which is what happens more often than
   not)


Now, while this might seem like it gives one the ability to completely co-opt the
functions of the host executable for one's own purpose, in practice, this is
very, very hard to do for anything but the simplest functionality.  If you
overwrite too much code, you'll just cause the host to die, which is
essentially a DoS attack.  Instead, the common practice is to use this
limited area that was overwritten to call down a more robust piece of
malware to get more malignant work done.  (Or, alternately, to make use of
already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because
it was legitimately opening a data file which corrupted a portion of its
application space because it did not properly validate its buffer space and
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which
could be executed.


More detailed analysis can be found here:

   - http://en.wikipedia.org/wiki/Buffer_overflow
   - http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
   - http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Data is code. Code is data. They’re both strings of 1’s and 0’s. The
 only difference is what is interpreting that string.


 If data is data, how is it able to cause winword.exe to download a payload?
 

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:30 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Because it is *data*.   


 Data doesn't make calls.  Code does. That's been the gist of the
 argument from the very beginning.

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market...



 

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability

   

 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

  

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

  

 This is a key benefit of whitelisting.

  

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)

  

  

  

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market...

 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com
 wrote:

 Ah yes, I recall this debate before.

 So it's
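The four-step sketch above (unchecked input overwriting the "execution area" so that the data decides what runs next), as an added example that is not part of the original post or of any real product: a constructed C model of a parser whose 16-byte input buffer is followed by a 4-byte selector for the routine that runs once the record is read, with the unchecked copy beside a length-checked one. The layout, the handler names and the sample records are all assumptions for this teaching model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the "execution area" the thread describes: a
 * 16-byte input buffer immediately followed by a 4-byte little-endian
 * field that selects which routine runs once the data has been read.
 * Layout, names and sample records are assumptions for this teaching
 * model; none of it is WinWord.exe or a real file format. */
#define BUF_SIZE   16
#define IMAGE_SIZE (BUF_SIZE + 4)

#define RESULT_CRASH    (-1)  /* selector no longer points at a real routine */
#define RESULT_REJECTED (-2)  /* hardened parser refused the record */

enum { ACTION_DISPLAY = 0, ACTION_FETCH_REMOTE = 1, ACTION_COUNT = 2 };

typedef int (*handler_fn)(void);

/* What the program legitimately does after reading a record. */
static int handler_display(void)      { return ACTION_DISPLAY; }
/* A legitimate but sensitive routine that should only run when intended. */
static int handler_fetch_remote(void) { return ACTION_FETCH_REMOTE; }

static const handler_fn handlers[ACTION_COUNT] = {
    handler_display, handler_fetch_remote
};

/* The selector lives right after the buffer; decode it little-endian so
 * the model behaves the same on any host. */
static uint32_t read_selector(const unsigned char *image) {
    const unsigned char *p = image + BUF_SIZE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int dispatch(const unsigned char *image) {
    uint32_t sel = read_selector(image);
    if (sel >= ACTION_COUNT)
        return RESULT_CRASH;     /* garbage selector: the host "dies" */
    return handlers[sel]();      /* the data bytes chose what runs */
}

/* Vulnerable parser: copies as many bytes as the record carries. Nothing
 * compares len with BUF_SIZE, so bytes 16..19 of the record land on the
 * selector. (The clamp to IMAGE_SIZE only keeps this demo well-defined;
 * it is not the missing check.) */
int parse_unchecked(const unsigned char *record, size_t len) {
    unsigned char image[IMAGE_SIZE] = {0};
    if (len > IMAGE_SIZE) len = IMAGE_SIZE;
    memcpy(image, record, len);
    return dispatch(image);
}

/* Hardened parser: the length is validated against the buffer before any
 * byte is copied, so the record can never reach the selector. */
int parse_checked(const unsigned char *record, size_t len) {
    unsigned char image[IMAGE_SIZE] = {0};
    if (len > BUF_SIZE)
        return RESULT_REJECTED;
    memcpy(image, record, len);
    return dispatch(image);
}

/* Constructed sample records (not real documents). */
const unsigned char benign_record[8] = { 'h','e','l','l','o','!','!','!' };
/* 16 filler bytes, then 01 00 00 00: the selector becomes ACTION_FETCH_REMOTE. */
const unsigned char oversized_record[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x00, 0x00, 0x00
};
/* 20 filler bytes: the selector becomes 0x41414141, outside the table. */
const unsigned char garbage_record[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A'
};

int main(void) {
    printf("benign    unchecked=%d checked=%d\n",
           parse_unchecked(benign_record, sizeof benign_record),
           parse_checked(benign_record, sizeof benign_record));
    printf("oversized unchecked=%d checked=%d\n",
           parse_unchecked(oversized_record, sizeof oversized_record),
           parse_checked(oversized_record, sizeof oversized_record));
    printf("garbage   unchecked=%d checked=%d\n",
           parse_unchecked(garbage_record, sizeof garbage_record),
           parse_checked(garbage_record, sizeof garbage_record));
    return 0;
}
```

The oversized record never contains instructions, yet in the unchecked parser its trailing bytes decide which existing routine runs, while the garbage record shows the crash case the post says is the more common outcome.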

Re: Whitelisting

2012-04-16 Thread Rankin, James R
Great info ASB, thanks, very relevant to a lot of work I've been doing.

---Blackberried

-Original Message-
From: Andrew S. Baker asbz...@gmail.com
Date: Mon, 16 Apr 2012 14:27:56 
To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Whitelisting

*Data is code. Code is data. They’re both strings of 1’s and 0’s. *

No, they are most certainly not the same.


*The only difference is what is interpreting that string. *

And that's a huge difference.


*If data is data, how is it able to cause winword.exe to download a
payload?*

Well, here's an oversimplification of how buffer overflows work:


   1. An executable opens up a data file for manipulation
   2. Because the input buffer is not adequately validated, the data (which
   is larger than the area allowed by the buffer), ends up overwriting a
   critical area *of the host executable's execution area* with new 1s and
   0s.
   3. The code which should normally execute at the conclusion of the data
   input is now replaced by some code stub which will do what the attacker
   wants.
   4. This allows the host executable to now do something else
   than originally intended (or crash, which is what happens more often than
   not)


Now, while this might seem like it gives one the ability to completely co-opt the
functions of the host executable for one's own purpose, in practice, this is
very, very hard to do for anything but the simplest functionality.  If you
overwrite too much code, you'll just cause the host to die, which is
essentially a DoS attack.  Instead, the common practice is to use this
limited area that was overwritten to call down a more robust piece of
malware to get more malignant work done.  (Or, alternately, to make use of
already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because
it was legitimately opening a data file which corrupted a portion of its
application space because it did not properly validate its buffer space and
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which
could be executed.


More detailed analysis can be found here:

   - http://en.wikipedia.org/wiki/Buffer_overflow
   - http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
   - http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Data is code. Code is data. They’re both strings of 1’s and 0’s. The
 only difference is what is interpreting that string.


 If data is data, how is it able to cause winword.exe to download a payload?
 

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:30 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Because it is *data*.   


 Data doesn't make calls.  Code does. That's been the gist of the
 argument from the very beginning.

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market...



 

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability

   

 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

  

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

  

 This is a key benefit of whitelisting.

  

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly

Re: Whitelisting

2012-04-16 Thread Kurt Buff
On Sun, Apr 15, 2012 at 23:24, Ken Schaefer k...@adopenstatic.com wrote:
 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

 Why would you have to make a choice? They are not mutually exclusive options.

You are correct, they are not, and I'd prefer to be able to do both,
but it sharpens the point. I think blacklisting is basically a dead
technology, even though it's all I have at the moment. When the bad
guys can morph executables in minutes and blast them out via email or
compromised web sites (and other modes, too) many times a day, it's
gone beyond whack-a-mole.

snip

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

 Those people generally don't run into problems in the first place. Digital 
 signatures, signed kernel mode code etc. can be used to verify that software 
 you are running is mostly legitimate.

Digital signatures, signed kernel mode code, etc., are whitelisting.

 The tools already exist for whitelisting applications running on your home 
 computer - even Windows includes Software Restriction Policies, Applocker 
 etc, but I doubt you've implemented it - it's simply too much hassle to 
 create a digital signature of each and every single executable you want to 
 allow, and then restrict each and every .dll or resource file that the .exe 
 is allowed to load into its process space, and then also ensure that every 
 application doesn't provide some shared memory space or other way for code to 
 end up inside the permitted process.


You are correct- I haven't implemented them yet for our users. But, I
am doing so for myself. I've put my user account and my machine into a
test OU, and am applying policies that are more restrictive than what
apply to standard users now. I do understand how difficult it is. I
recently ran md5sum against one of our older standard image machines,
prior to deployment (booted from a USB stick to have complete access),
and redirected the hashes into a text file. I ran the machine through
a round of patches, and did an md5sum again, then ran a diff. It was
amazing how many files changed.

NSA has put up a good approach, however, that might be workable - but
for it to be really useful, users should not have admin rights, among
other things. It also specifies SRP, as opposed to BitLocker - I'm
sure that can be factored in.
http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf




Re: Whitelisting

2012-04-16 Thread Ben Scott
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)

  You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

  You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.




RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Your buffer overflow example illustrates the point. What is being over-written 
into the host's execution area? Answer: code/data/1's and 0's from the data 
file. Having never written a buffer overflow attack, I'll take your word that 
it's very, very hard to do for anything but the simplest functionality. 
However, the size of that resulting code isn't really the point. The point is 
that arbitrary code is being run.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 1:28 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.


The only difference is what is interpreting that string.

And that's a huge difference.


If data is data, how is it able to cause winword.exe to download a payload?

Well, here's an oversimplification of how buffer overflows work:


  1.  An executable opens up a data file for manipulation
  2.  Because the input buffer is not adequately validated, the data (which is 
larger than the area allowed by the buffer), ends up overwriting a critical 
area of the host executable's execution area with new 1s and 0s.
  3.  The code which should normally execute at the conclusion of the data 
input is now replaced by some code stub which will do what the attacker wants.
  4.  This allows the host executable to now do something else than originally 
intended (or crash, which is what happens more often than not)

Now, while this might seem like it gives one the ability to completely co-opt 
the functions of the host executable for one's own purpose, in practice, this is 
very, very hard to do for anything but the simplest functionality.  If you 
overwrite too much code, you'll just cause the host to die, which is 
essentially a DoS attack.  Instead, the common practice is to use this limited 
area that was overwritten to call down a more robust piece of malware to get 
more malignant work done.  (Or, alternately, to make use of already installed 
executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it 
was legitimately opening a data file which corrupted a portion of its 
application space because it did not properly validate its buffer space and 
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which could 
be executed.


More detailed analysis can be found here:

  *   http://en.wikipedia.org/wiki/Buffer_overflow
  *   http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
  *   http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:
Data is code. Code is data. They're both strings of 1's and 0's. The only 
difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data.

Data doesn't make calls.  Code does.  That's been the gist of the argument 
from the very beginning.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
The user being socially engineered *is* the admin - it's a SOHO environment. It 
was the *line* just above what you quoted: For the SOHO end user, the vast 
bulk of infections are either:

These types of users are being socially engineered *today* despite AV, code 
signing, UAC and any number of other warnings. They *still* insist on running 
BritneySpearsNaked.exe

So, my question remains: how does whitelisting help that type of user?


-Original Message-
From: Alex Eckelberry [mailto:al...@eckelberry.com] 
Sent: Monday, 16 April 2012 10:21 PM
To: NT System Admin Issues
Subject: RE: Whitelisting

a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to 
run/install some malware that they shouldn't. Despite code signing, 
users are still doing this.

How will whitelisting help the above type of user?


If it's an exploit, it's going to launch code.  The code won't run in a 
whitelisting environment unless it's approved by the admin. 

This would also apply to social engineering.  If your company has a 
whitelisting solution in place, code that is not approved won’t run.  So the 
user can download the stupid game they love, but in the end, they won't be able 
to run it. 

A good whitelisting application has a massive repository of good files, and 
the ability to train the system by the admin, not the end-user. 

Alex



-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where 
 whitelisting is the predominant means of execution control, the bad 
 guys will, out of necessity, be relegated to exploiting flaws in 
 applications through data files. A scanner that looks for signatures 
 of exploits in files will be a useful tool. Assuming of course, all 
 applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
 kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code 
 and blacklisting for data files that exploit vulnerable white listed 
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As 
 a former AV guy, I tend to prefer blacklisting, but I'm seeing signs

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
The first statement is wrong - there is no difference between data and code - 
they are just ones and zeros.

Now, an application, can, tell an OS that certain memory addresses contain code 
that should not be executed.
But some other application, loading exactly the same ones and zeros, can tell 
the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.




Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*Your buffer overflow example illustrates the point.*

It really doesn't illustrate what you think it does, but there's no point
in me going down this route any longer.

You've chosen to selectively read what I've posted, and ignored clear
examples that disagreed with your premise.  We'll just have to agree to
disagree on this.


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 6:23 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Your buffer overflow example illustrates the point. What is being
 over-written into the host’s execution area? Answer: code/data/1’s and 0’s
 from the data file. Having never written a buffer overflow attack, I’ll
 take your word that it’s “very, very hard to do for anything but the
 simplest functionality”. However, the size of that resulting code isn’t
 really the point. The point is that arbitrary code is being run.

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 1:28 PM
 *To:* NT System Admin Issues
 *Subject:* Re: Whitelisting

 *Data is code. Code is data. They’re both strings of 1’s and 0’s.*

 No, they are most certainly not the same.

 *The only difference is what is interpreting that string.*

 And that's a huge difference.

 *If data is data, how is it able to cause winword.exe to download a
 payload?*

 Well, here's an oversimplification of how buffer overflows work:

 1. An executable opens up a data file for manipulation
 2. Because the input buffer is not adequately validated, the data
 (which is larger than the area allowed by the buffer), ends up overwriting
 a critical area *of the host executable's execution area* with new 1s
 and 0s.
 3. The code which should normally execute at the conclusion of the
 data input is now replaced by some code stub which will do what the
 attacker wants.
 4. This allows the host executable to now do something else
 than originally intended (or crash, which is what happens more often than
 not)

 Now, while this might seem like it gives one the ability to completely
 co-opt the functions of the host executable for one's own purpose, in
 practice, this is very, very hard to do for anything but the simplest
 functionality.  If you overwrite too much code, you'll just cause the host
 to die, which is essentially a DoS attack.  Instead, the common practice is
 to use this limited area that was overwritten to call down a more robust
 piece of malware to get more malignant work done.  (Or, alternately, to
 make use of already installed executables where that might make sense.)

 WinWord.exe, in our example, can be induced to download a payload because
 it was legitimately opening a data file which corrupted a portion of its
 application space because it did not properly validate its buffer space and
 thus protect itself.  The initial action (File Open) is caused by a human.

 The DATA did not execute, but allowed for the laying down of CODE which
 could be executed.

 More detailed analysis can be found here:

 - http://en.wikipedia.org/wiki/Buffer_overflow
 - http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
 - http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

 *ASB*
 *http://XeeMe.com/AndrewBaker*
 *Harnessing the Advantages of Technology for the SMB market…*

 On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Data is code. Code is data. They’re both strings of 1’s and 0’s. The only
 difference is what is interpreting that string.

 If data is data, how is it able to cause winword.exe to download a payload?

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:30 AM
 *To:* NT System Admin Issues
 *Subject:* Re: Whitelisting

 Because it is *data*.

 Data doesn't make calls.  Code does.  That's been the gist of the
 argument from the very beginning.

 *ASB*
 *http://XeeMe.com/AndrewBaker*
 *Harnessing the Advantages of Technology for the SMB market…*

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 10:26 AM


 *To:* NT System Admin Issues

 *Subject:* Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
It doesn't help someone who has the authority to override the controls.

But, thankfully, that's a smaller percentage than people who don't have
that authority.

AV also doesn't help the people who won't install it or update it.  But it
has managed to help others.

UAC doesn't help people who turn it off, etc.

We can only help the most people who want to be helped, or who have no
ability to undo the help.   The rest, I will call consulting customers.
 (for a while, anyway)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 11:07 PM, Ken Schaefer k...@adopenstatic.com wrote:

 The user being socially engineered *is* the admin - it's a SOHO
 environment. It was the *line* just above what you quoted: For the SOHO
 end user, the vast bulk of infections are either:

 These types of users are being socially engineered *today* despite AV,
 code signing, UAC and any number of other warnings. They *still* insist on
 running BritneySpearsNaked.exe

 So, my question remains: how does whitelisting help that type of user?


 -Original Message-
 From: Alex Eckelberry [mailto:al...@eckelberry.com]
 Sent: Monday, 16 April 2012 10:21 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java
 runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to
 run/install some malware that they shouldn't. Despite code signing,
 users are still doing this.

 How will whitelisting help the above type of user?


 If it's an exploit, it's going to launch code.  The code won't run in a
 whitelisting environment unless it's approved by the admin.

 This would also apply to social engineering.  If your company has a
 whitelisting solution in place, code that is not approved won’t run.  So
 the user can download the stupid game they love, but in the end, they won't
 be able to run it.

 A good whitelisting application has a massive repository of good files,
 and the ability to train the system by the admin, not the end-user.

 Alex



 -Original Message-
 From: Ken Schaefer [mailto:k...@adopenstatic.com]
 Sent: Monday, April 16, 2012 12:51 AM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java
 runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install
 some malware that they shouldn't. Despite code signing, users are still
 doing this.

 How will whitelisting help the above type of user? I can't see how it does
 - they will always have the ability to override whatever recommendation the
 AV (or protection application) provides.

 For corporate users, does whitelisting help significantly? I'm not sure
 that large organisations have the necessary processes in place to implement
 whitelisting. Whitelisting will slow application development/deployment
 even more, and will just result in more applications like Access and Excel
 that provide a semi-IDE to the end user that allows them to develop their
 own code/functionality. And resulting opportunities for code exploit.

 Cheers
 Ken

 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Monday, 16 April 2012 12:42 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Um, really - you can't do it. Signatures (blacklists) for data files are a
 folly - worse than trying to blacklist executables.

 Your point is taken that if application/executable whitelisting is good
 that malware will become nothing more than bad data files, but that then
 becomes a problem of fixing the applications. Sanitizing input

 And, fixing applications and their buffer overflows, heap overflows,
 integer under/overflows, etc., is a far smaller problem space than trying
 to blacklist data files.

 I'll take that problem vs. trying to allow folks to execute any random
 binary that catches their eye.

 None of it is easy, but whitelisting apps will be exponentially easier
 than blacklisting data.

 Kurt

 On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu
 wrote:
 
  Possibly...even probably. But, if we ever get to a world where
  whitelisting is the predominant means of execution control, the bad
  guys will, out of necessity, be relegated to exploiting flaws in
  applications through data files. A scanner that looks for signatures
  of exploits in files will be a useful tool. Assuming of course, all
 applications aren't secure.
 
 
  Sent from my Windows Phone
  
  From: Andrew S. Baker
  Sent: 4/15/2012 1:08 PM
 
  To: NT System Admin Issues
  Subject: Re: Whitelisting
 
  You can't. :)
 
  ASB
  http://XeeMe.com/AndrewBaker
  Harnessing the Advantages of Technology for the SMB market…
 
 
 
 
  On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R
  kz2

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
How about I just load another bit of code into the process space of the 
existing, whitelisted application (e.g. a .dll). Then there is no need to spawn 
any separate executable process.

Unless you are intending to fingerprint every single file on the system, we're 
back to square one.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, 16 April 2012 11:26 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?
On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM

To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications
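Ken's objection above (a DLL loaded into the address space of an approved application, so no separate process is ever spawned) and James Rankin's earlier remark (a binary renamed to winword.exe still caught by a hash rule) both turn on one question: what exactly does the allow list fingerprint? The following is an added example, not code from the list or from any whitelisting product. It applies a hash-only policy to a process image and to every module that process loads. The image and module bytes are constructed stand-ins for the files an agent would read from disk, and the names `AllowList`, `check_process`, `clean_launch`, `injected_module` and `renamed_binary` are this example's own.

```python
"""Added example (not from the list thread): allow-list enforcement that
fingerprints the process image AND each loaded module by SHA-256.

All file contents below are constructed byte strings standing in for real
executables and DLLs; a real agent would hash the on-disk files."""
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes (constructed bytes in this demo)."""
    return hashlib.sha256(data).hexdigest()


class AllowList:
    """Hash-only policy: a file is approved by its digest, never by its name."""

    def __init__(self, approved_digests):
        self.approved = set(approved_digests)

    def check_process(self, image_name, image_bytes, loaded_modules):
        """
        loaded_modules: list of (module_name, module_bytes) pairs.
        Returns (allowed, findings). allowed is False when the image itself is
        unapproved (a renamed file does not help, only the hash counts) or when
        any module mapped into the process is unapproved, which closes the
        'load a DLL into a whitelisted app' gap.
        """
        findings = []
        if fingerprint(image_bytes) not in self.approved:
            findings.append(f"image {image_name}: not on allow list")
        for mod_name, mod_bytes in loaded_modules:
            if fingerprint(mod_bytes) not in self.approved:
                findings.append(f"module {mod_name} in {image_name}: not on allow list")
        return (not findings), findings


# --- constructed sample: three known-good files and one unknown DLL ---
WINWORD = b"winword image bytes (constructed)"
MSO_DLL = b"mso.dll bytes (constructed)"
KERNEL32 = b"kernel32.dll bytes (constructed)"
UNKNOWN_DLL = b"dropped helper dll (constructed)"

POLICY = AllowList([fingerprint(WINWORD), fingerprint(MSO_DLL), fingerprint(KERNEL32)])


def clean_launch():
    """Approved image loading only approved modules: allowed."""
    return POLICY.check_process(
        "WINWORD.EXE", WINWORD, [("mso.dll", MSO_DLL), ("kernel32.dll", KERNEL32)])


def injected_module():
    """Approved image, but one module is not on the list: blocked with a finding."""
    return POLICY.check_process(
        "WINWORD.EXE", WINWORD, [("mso.dll", MSO_DLL), ("helper.dll", UNKNOWN_DLL)])


def renamed_binary():
    """Unapproved bytes named like the approved image: the name buys nothing."""
    return POLICY.check_process("WINWORD.EXE", UNKNOWN_DLL, [])


if __name__ == "__main__":
    for label, fn in (("clean", clean_launch), ("injected", injected_module),
                      ("renamed", renamed_binary)):
        allowed, findings = fn()
        print(f"{label}: allowed={allowed} findings={findings}")
```

The design choice worth noting is that the module check runs at load time, not only at process start; an on-disk manifest alone (the next message's point) cannot say which DLL ended up inside which process.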

RE: Whitelisting

2012-04-16 Thread Ken Schaefer




-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 17 April 2012 2:57 AM
To: NT System Admin Issues
Subject: Re: Whitelisting



 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.



Those people generally don't run into problems in the first place.

 Digital signatures, signed kernel mode code etc. can be used to verify that 
 software

 you are running is mostly legitimate.



Digital signatures, signed kernel mode code, etc., are whitelisting.



And the point I'm making is that these whitelisting technologies are *not* 
helping make the problem I'm describing go away.



1. For SOHO environment, the end user simply overrides the warnings
   a. Only when the end user cannot override the settings (e.g. Windows x64
      kernel code signing requirements) has any major improvement occurred
      i. I doubt that this type of central control by Microsoft would be
         tolerated for user mode applications
      ii. It could still be bypassed by packaging a CA cert with the malware –
          I’m surprised that this isn’t more prevalent.

2. For corporate environment of small size, the “administrator” is
   responsible for managing this on behalf of their users. Many smaller orgs
   are probably over staffed, so there is bandwidth to manage this

3. In the enterprise, this can’t be centrally controlled without impacting
   business agility. So the response from software vendors will be to create
   more applications like Access which allow *end users* to develop
   applications. How are you going to stop malicious applications like this?
   It’s just like spam – a never ending, escalating war.

You are correct- I haven't implemented them yet for our users. But, I am doing 
so for myself. I've put my user account and my machine into a test OU, and am 
applying policies that are more restrictive than what apply to standard users 
now. I do understand how difficult it is. I recently ran md5sum against one of 
our older standard image machines, prior to deployment (booted from a USB stick 
to have complete access), and redirected the hashes into a text file. I ran the 
machine through a round of patches, and did an md5sum again, then ran a diff. 
It was amazing how many files changed.



And this is just files on a disk. Are you also going to monitor which files are 
loaded by which processes (e.g. which .dll files are loaded by which .exe 
files?) Not just what the on-disk signatures, but an actual mapping of .dlls 
used by which .exe? Otherwise, a new, malicious dll file can be loaded into an 
existing, trusted, application.



Cheers

Ken
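Kurt's procedure quoted above (hash every file on the image, run a patch round, hash again, diff) in code: an added example, not from the list or from any product, that builds a SHA-256 manifest of a directory tree and diffs two manifests into added, removed and changed files. The directory and its files are constructed in a temporary folder so it runs offline; `build_baseline`, `diff_baselines` and `demo` are this example's own names. SHA-256 stands in for md5sum because MD5 collisions are cheap to produce and an integrity baseline should not depend on it.

```python
"""Added example (not from the list thread): file-integrity baseline and diff.

Mirrors the quoted procedure: hash a tree into a manifest, change things,
hash again, report what differs. All files here are constructed in a temp dir."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # hash what is on disk, not a link target
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baselines(before, after):
    """Return (added, removed, changed) as sorted path lists, like diffing two hash lists."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed


def demo():
    """Constructed scenario: image a machine, 'patch' it, re-hash and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        files = {
            "Windows/System32/kernel32.dll": b"kernel32 v1 (constructed)",
            "Windows/System32/user32.dll": b"user32 v1 (constructed)",
            "Windows/notepad.exe": b"notepad v1 (constructed)",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        # simulate a patch round: one DLL updated, one file removed, one added
        with open(os.path.join(root, "Windows/System32/kernel32.dll"), "wb") as f:
            f.write(b"kernel32 v2 (constructed)")
        os.remove(os.path.join(root, "Windows/notepad.exe"))
        with open(os.path.join(root, "Windows/System32/newlib.dll"), "wb") as f:
            f.write(b"new helper (constructed)")
        after = build_baseline(root)

        return diff_baselines(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Each patch round produces a new "changed" list that has to be re-approved, which is the management cost Kurt describes; and, as Ken replies, this manifest only says what is on disk, not which process loaded which file.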



RE: Whitelisting

2012-04-16 Thread Ken Schaefer
Let's try another one: I use an exploit (or even just VBA automation) in Word 
to password protect all your files. You need to pay me to get them back (or 
maybe I don't care whether you get them back, I just like inflicting pain - aka 
like most mass market viruses)

Does whitelisting address this scenario? No.
Are exploits just going to move from the problem space solved by whitelisting 
and to a new area that is not addressed by this technology? Yes

It's just like spam (and every other area where we have a constantly escalated 
war of technology). Yet for some reason we don't seem to be learning that 
lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be less known good items that I want to 
run, than known bad ones that I don't, not to mention all the unknown bad ones 
that I don't know about yet.

Managing the smaller list is *better*, not *perfect*.

I haven't missed the point.  A flawed example is just that -- flawed.  But, 
going beyond that and focusing on the principle itself, the blacklist is ALSO 
vulnerable to the same issue.

So, do you settle for the us both sharing your example problem, plus you having 
a host of other ones that are greater than mine?  Or do you acknowledge that 
the approach I favor creates a smaller attack surface area?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)

 You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

 You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.



Re: Whitelisting

2012-04-15 Thread Andrew S. Baker
I believe that *whitelisting* is the approach to focus on.

http://Home.ASBzone.com/ASB/archive/2010/05/10/it-s-time-to-re-evaluate-host-based-security.aspx


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?



Re: Whitelisting

2012-04-15 Thread Andrew S. Baker
Data files should neither be whitelisted nor blacklisted.

That is not how you deal with buffer overruns (which is the primary
mechanism by which bad data is used to exploit an app vulnerability).

Using lists to determine good/bad data is unmanageable from the start.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Sat, Apr 14, 2012 at 1:48 PM, Crawford, Scott crawfo...@evangel.edu wrote:

   good question, but it's MUCH easier than whitelisting all good data
 files.

 I would expect the blacklist scanner to look for signatures of application
 exploits.

 Sent from my Windows Phone
  --
 From: Rankin, James R
 Sent: 4/14/2012 12:25 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

  How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?



Re: Whitelisting

2012-04-15 Thread Andrew S. Baker
You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?



Re: Whitelisting

2012-04-15 Thread Micheal Espinola Jr
I prefer whitelisting.

--
Espi




On Sat, Apr 14, 2012 at 8:29 AM, Michael B. Smith mich...@smithcons.com wrote:

 I think whitelisting is the right direction.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 11:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?

RE: Whitelisting

2012-04-15 Thread Crawford, Scott
Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…





On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
kz2...@googlemail.com wrote:
How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?


Re: Whitelisting

2012-04-15 Thread Kurt Buff
Um, really - you can't do it. Signatures (blacklists) for data files
are a folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is
good that malware will become nothing more than bad data files, but
that then becomes a problem of fixing the applications. Sanitizing
inpyu

And, fixing applications and their buffer overflows, heap overflows,
integer under/overflows, etc., is a far smaller problem space than
trying to blacklist data files.

I'll take that problem vs. trying to allow folks to execute any random
binary that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier
than blacklisting data.

Kurt
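Andrew's earlier message (data files should be neither whitelisted nor blacklisted; that is not how you deal with buffer overruns) and Kurt's reply above (fix the applications, which is a smaller problem than listing data) make the same point, so one added example serves both. It is not from the thread: a Python parser for a small constructed record format, a 4-byte little-endian length followed by that many payload bytes, repeated, in which every declared length is validated before it is used. The format, the cap and the inputs are invented for the example.

```python
import struct

MAX_RECORD = 64 * 1024          # policy cap, independent of what the input claims
HEADER = struct.Struct("<I")    # 4-byte little-endian unsigned length


class MalformedInput(ValueError):
    """Raised instead of trusting a length the input declared."""


def parse_records(data, max_record=MAX_RECORD):
    """Return the list of payloads in `data`, or raise MalformedInput.

    Each declared length is compared with what actually remains in the
    buffer before it is used as a size, and with an absolute cap. The
    comparison is written as `length > remaining`, not as
    `offset + length > len(data)`: with fixed-width integers (as in C) the
    sum can wrap and the check passes for a huge length.
    """
    records = []
    offset = 0
    total = len(data)
    while offset < total:
        remaining = total - offset
        if remaining < HEADER.size:
            raise MalformedInput(f"truncated header at offset {offset}")
        (length,) = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        remaining -= HEADER.size
        if length > max_record:
            raise MalformedInput(f"declared length {length} exceeds cap {max_record}")
        if length > remaining:
            raise MalformedInput(f"declared length {length} exceeds remaining {remaining}")
        records.append(bytes(data[offset:offset + length]))
        offset += length
    return records


def encode_records(payloads):
    """Build a well-formed input from a list of payloads."""
    return b"".join(HEADER.pack(len(p)) + p for p in payloads)


# Constructed inputs: one valid, three malformed in different ways.
GOOD = encode_records([b"hello", b"", b"world"])
OVERSIZED = HEADER.pack(0xFFFFFFFF) + b"AAAA"   # claims 4 GiB, carries 4 bytes
TRUNCATED = HEADER.pack(10) + b"short"          # claims 10 bytes, carries 5
JUNK_TAIL = GOOD + b"\x01\x02"                  # 2 bytes where a 4-byte header belongs


def classify(data):
    """('ok', records) for valid input, ('rejected', reason) otherwise."""
    try:
        return "ok", parse_records(data)
    except MalformedInput as err:
        return "rejected", str(err)


if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("OVERSIZED", OVERSIZED),
                       ("TRUNCATED", TRUNCATED), ("JUNK_TAIL", JUNK_TAIL)]:
        print(name, classify(blob))
```

The point of the example is where the decision lives: a malformed file is rejected by the application's own parser, with a reason, regardless of whether anyone has ever seen that file before. A signature scanner would need an entry for each of the three bad inputs; the parser needs none.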

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in files
 will be a useful tool. Assuming of course, all applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?




RE: Whitelisting

2012-04-15 Thread Ken Schaefer
For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing inpyu

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where 
 whitelisting is the predominant means of execution control, the bad 
 guys will, out of necessity, be relegated to exploiting flaws in 
 applications through data files. A scanner that looks for signatures 
 of exploits in files will be a useful tool. Assuming of course, all 
 applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
 kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code 
 and blacklisting for data files that exploit vulnerable white listed 
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As 
 a former AV guy, I tend to prefer blacklisting, but I'm seeing signs 
 things might be changing.

 Thoughts?



Re: Whitelisting

2012-04-15 Thread Kurt Buff
On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
 runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still doing 
 this.

 How will whitelisting help the above type of user? I can't see how it does - 
 they
 will always have the ability to override whatever recommendation the AV (or 
 protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up,
or have been subverted, to issue malware. Those are actually the
larger threat, AFAICT.

 For corporate users, does whitelisting help significantly?

I believe it can, and should.

 I'm not sure that large organisations have the necessary processes in place 
 to implement whitelisting.

I'm sure they don't. It's a skill they have to learn, if they want to
protect themselves.

 Whitelisting will slow application development/deployment even more, and will 
 just
 result in more applications like Access and Excel that provide a semi-IDE to 
 the
 end user that allows them to develop their own code/functionality. And 
 resulting opportunities for code exploit.

Bummer for them. Opportunity for those who can, and who can help them.

Kurt
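Kurt's file.doc.exe example above, as an added example that is not part of the thread: a Python check that classifies a mail attachment as executable from its real (last) extension and from its leading bytes, rather than from the document-looking part of its name. The attachment names and byte strings are constructed; the MZ and PK signatures are the real ones for PE executables and ZIP containers.

```python
# Extensions Windows hands to a loader or script interpreter.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "vbs",
                   "vbe", "js", "jse", "wsf", "wsh", "hta", "jar", "msi", "ps1"}
# Extensions that look harmless and are therefore used as decoys.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}

# Content signatures: what the bytes are, whatever the name says.
# Note that PK also starts docx/xlsx, so a ZIP verdict alone is not decisive.
MAGIC = [
    (b"MZ", "pe"),            # Windows PE image (exe, dll, scr, ...)
    (b"PK\x03\x04", "zip"),   # ZIP container: jar, but also docx/xlsx
    (b"%PDF-", "pdf"),
]


def extensions(name):
    """All dotted suffixes, lower-cased: 'file.doc.exe' -> ['doc', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(name, data):
    """Return ('executable' | 'data', reasons)."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension used as decoy")
    elif kind == "pe":
        # Renamed binary: the name claims a document, the bytes are a PE image.
        reasons.append(f"PE header behind .{last or '(none)'}")
    verdict = "executable" if reasons else "data"
    return verdict, reasons


def triage_attachments(attachments):
    """Map each (name, bytes) pair to its verdict."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}


# Constructed attachments; the vbs name is the one from Ken's message.
SAMPLE_ATTACHMENTS = [
    ("file.doc.exe", b"MZ\x90\x00\x03 constructed PE stand-in"),
    ("invoice.pdf", b"MZ\x90\x00\x03 constructed renamed PE"),
    ("report.pdf", b"%PDF-1.4\n% constructed document"),
    ("CheckOutDancingPigs.vbs", b"WScript.Echo 1\r\n"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(name, classify_attachment(name, data))
```

The last extension decides what Windows will do with the file, so it is checked first; the content sniff catches the other direction, a PE image renamed to look like a document. Whitelisting removes the question for the first three cases (an unapproved binary does not start whatever it is called); this check is what a mail gateway can do before that point.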



RE: Whitelisting

2012-04-15 Thread Ken Schaefer
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, 
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how it 
 does - they will always have the ability to override whatever recommendation 
 the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up, or have 
been subverted, to issue malware. Those are actually the larger threat, AFAICT.

So, it doesn't help with any exploits of existing apps, browser plug ins etc.

And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
WhiteListing application that it should be added to the white list, then it'll 
still run. And Joe User will still be screwed.

And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
tells his WhiteListing application that it should be added to the white list, 
then it'll still run fine.

We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
that warn users that the application might be something bad. Yet users still 
allow these applications to run. With Whitelisting, you are also requiring that 
the user decide what is legitimate and what is not. And users will continue to 
be socially engineered into believing that malware are legitimate files. Just 
like today.


 Whitelisting will slow application development/deployment even more, 
 and will just result in more applications like Access and Excel that 
 provide a semi-IDE to the end user that allows them to develop their own 
 code/functionality. And resulting opportunities for code exploit.

 Bummer for them. Opportunity for those who can, and who can help them.

Perhaps. Or maybe there's no ROI developing the feature in the first place.

Or maybe exploits will just move to another area (Excel, Access application 
etc) that whitelisting doesn't cover. 

You're not addressing the point at all.

Cheers
Ken



Whitelisting

2012-04-14 Thread Alex Eckelberry
I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 


RE: Whitelisting

2012-04-14 Thread Michael B. Smith
I think whitelisting is the right direction.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 11:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

Re: Whitelisting

2012-04-14 Thread Rankin, James R
Whitelisting (or greylisting) is the only way forward. Malware evolves too fast 
for blacklisting ever to be effective. There are also programs not listed as 
malware that are still malicious to some degree, and blacklisting can never 
protect against these.

--Original Message--
From: Alex Eckelberry
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: Whitelisting
Sent: 14 Apr 2012 16:10

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

---Blackberried



Re: Whitelisting

2012-04-14 Thread Ben Scott
On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:
 I'm curious, what's the general feeling about whitelisting?  As a 
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
 might be changing.

  IMNSHO: Tightly controlling what software can be run will always be
far more effective than trying to identify every possible bad thing in
the world.  The hard part is usually doing it.  Many orgs don't have
good software management.  The small ones can't afford it, and the
large ones find the problem too hard to coordinate.

-- Ben




RE: Whitelisting

2012-04-14 Thread Ben M. Schorr
Same reason that blacklisting doesn't work for spam prevention either - 
spammers just find ways around the lists and it turns into a constant battle of 
trying to quickly blacklist the new terms/addresses only to find that the bad 
guys change them as fast as you can blacklist them.

Ben M. Schorr
Roland Schorr & Tower
www.rolandschorr.com | www.officeforlawyers.com | Twitter: @bschorr

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, April 14, 2012 9:07
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:
 I'm curious, what's the general feeling about whitelisting?  As a 
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
 might be changing.

  IMNSHO: Tightly controlling what software can be run will always be far more 
effective than trying to identify every possible bad thing in the world.  The 
hard part is usually doing it.  Many orgs don't have good software management.  
The small ones can't afford it, and the large ones find the problem too hard to 
coordinate.

-- Ben




RE: Whitelisting

2012-04-14 Thread Crawford, Scott
A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

Re: Whitelisting

2012-04-14 Thread Rankin, James R
How do you blacklist all possible bad data files?  
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 
---Blackberried

RE: Whitelisting

2012-04-14 Thread Crawford, Scott
good question, but it's MUCH easier than whitelisting all good data files.

I would expect the blacklist scanner to look for signatures of application 
exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?
---Blackberried

Re: Whitelisting

2012-04-14 Thread Rankin, James R
Interesting to see what mitigation can be done against data file exploits other 
than AV and patching. Might have a look into this a bit closer.

---Blackberried

-Original Message-
From: Crawford, Scott crawfo...@evangel.edu
Date: Sat, 14 Apr 2012 17:48:46 
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Whitelisting

good question, but it's MUCH easier than whitelisting all good data files.

I would expect the blacklist scanner to look for signatures of application 
exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?
---Blackberried
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


Re: Whitelisting

2012-04-14 Thread Kurt Buff
On Sat, Apr 14, 2012 at 08:10, Alex Eckelberry a...@eckelberry.com wrote:
 I'm curious, what's the general feeling about whitelisting?  As a 
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
 might be changing.

 Thoughts?

http://www.ranum.com/security/computer_security/editorials/dumb/
Numbers 1 and 2, for this discussion, but everyone should take to
heart all of them

Kurt




Fwd: SANS NewsBites Vol. 13 : NSA's Application Whitelisting Breakthrough

2012-02-14 Thread Kurt Buff
Mucho snippage...

Not huge news, but perhaps a useful technique.

BTW, see also: http://isc.sans.edu/diary.html?storyid=8236 for a
different approach.

Kurt


TOP OF THE NEWS
 --NSA's Application Whitelisting Breakthrough
(February 10, 2012)
The National Security Agency (NSA) has developed an approach to
application whitelisting that consumes considerably fewer resources to
deploy than standard whitelisting techniques. Instead of purchasing
expensive software and employing people to update whitelists, the NSA's
approach focuses on specific areas of computers where downloaded
applications are permitted to execute.
http://www.nextgov.com/nextgov/ng_20120210_8712.php?oref=topnews
http://gcn.com/articles/2012/02/13/nsa-whitelisting-apps-secure-systems.aspx
[Editors' Note (Ullrich, Paller): Application whitelisting still hasn't
reached the mainstream adoption it deserves. If you thought it was too
hard to implement because of false positives, consider this as a wake
up call that (you have no idea what's running on your systems, and) you
can stop rogue software and cost-effectively. Yes it has weaknesses
(like in-memory scanning), but they are dwarfed by the benefits. Now
someone please come up with a good whitelisting solution for OS X.]




Re: SANS NewsBites Vol. 13 : NSA's Application Whitelisting Breakthrough

2012-02-14 Thread Ben Scott
On Tue, Feb 14, 2012 at 3:08 PM, Kurt Buff kurt.b...@gmail.com wrote:
 Not huge news, but perhaps a useful technique.
 http://www.nextgov.com/nextgov/ng_20120210_8712.php

  It's absolutely a useful technique.  It's something I've been doing
(and even occasionally advocating) for years.

  The theory is simple: Don't let software run from unauthorized
locations.  Don't let users modify the authorized locations.

  Implementation concept: Set permissions such that users can't write
to locations where programs can run from.  For example, don't let them
write to C:\Program Files or C:\WINDOWS.  Then use Software
Restrictions Policy (SRP) to only allow execute from those locations.
Now executables in user's profile folders, temp directories, etc.,
can't run.  So even if a user downloads malicious or unauthorized
software to their home directory, the system will refuse to run it.

  It is akin to the Unix-world's practice of mounting /tmp and /home
with the noexec option, although Microsoft's approach with SRP gives
you much more fine-grained control.

  One potential pitfall: SRP uses file extensions to determine
executable status.  Windows sometimes uses file content to determine
executable status.  For example, a Portable Executable renamed to have
a .LNK extension will be executed anyway, depending on how you invoke
it.  So for SRP to close all holes, you have to apply it to *.LNK
files, which means users' desktop shortcuts and Recent Items lists
break.  Pick your poison.

  I suspect the major reason that large organizations pay such big
money for application whitelisting solutions is that they have poor
control over software.  One admin does one thing, another does
something else, and there's no central control.  Plus lots of crap
software that wants to write to system locations.  (I'd call it
legacy software but let's face it, crap like that is pushed out
brand new every day.)  So they try and buy products to fix the mess.
While this approach is not without value, I can't help but think of Ed
Crowley's maxim on technological solutions and behavioral problems.

-- Ben
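The two preconditions in the post above (allowed locations are not user-writable; SRP denies by default and, if shortcuts are to be covered, treats LNK as executable) can be checked rather than assumed. The PowerShell script below is an added example, not code from the thread or from Microsoft. It reads the policy from SRP's standard registry key, HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, using the DefaultLevel, ExecutableTypes and per-rule ItemData values SRP actually stores there, then checks whether each Unrestricted path rule, plus %SystemRoot% and the Program Files directories, grants write access to Users, Authenticated Users, Everyone or INTERACTIVE. The function names, the principal list and the write mask are the example's own choices, and it assumes an elevated session so every ACL is readable.

```powershell
# Added example (not from the list thread or from Microsoft): audit a machine
# against the two preconditions for a "run only from protected locations"
# policy. Assumes SRP is applied through its standard policy key and that the
# script runs elevated.
#   1. Locations SRP allows execution from must not be writable by ordinary
#      users; otherwise a user can plant a file where the policy trusts it.
#   2. The SRP default level must be Disallowed, and LNK must be among the
#      designated file types if shortcut launches are meant to be covered.

$SaferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level values, used as subkey names
$Unrestricted = 262144

# Identities that amount to "any logged-on user" (example's own list)
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')

# FileSystemRights.Write (278) plus the GENERIC_WRITE / GENERIC_ALL bits that
# some ACEs carry as raw values; any of them lets a user create or replace files.
$WriteMask = 278 -bor 0x40000000 -bor 0x10000000

# Locations to check even if no Unrestricted path rule names them
$BaselineLocations = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-UserWritable {
    # Returns the Allow ACEs that grant a broad principal write access to $Path
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Get-SrpPathRules {
    # Each path rule lives under <level>\Paths\<GUID>, with the path in ItemData
    foreach ($level in $Disallowed, $Unrestricted) {
        $levelName = if ($level -eq $Unrestricted) { 'Unrestricted' } else { 'Disallowed' }
        Get-ChildItem -Path "$SaferKey\$level\Paths" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Level = $levelName
                    Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
                }
            }
    }
}

function Get-SrpSettings {
    $cfg   = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    $types = @($cfg.ExecutableTypes)
    [pscustomobject]@{
        DefaultIsDeny   = ($cfg.DefaultLevel -eq $Disallowed)
        ExecutableTypes = $types
        CoversShortcuts = ($types -contains 'LNK')
    }
}

function Invoke-SrpAudit {
    $settings = Get-SrpSettings
    if (-not $settings.DefaultIsDeny) {
        Write-Warning 'SRP default level is not Disallowed: path rules are only exceptions to an allow-all default.'
    }
    if (-not $settings.CoversShortcuts) {
        Write-Warning 'LNK is not a designated file type: an executable launched through a shortcut is not covered.'
    }

    # SRP's built-in rules point at registry values (%HKEY_LOCAL_MACHINE\...%);
    # only plain or %ENV%-style paths are resolved here, with a trailing \* dropped.
    $ruleLocations = Get-SrpPathRules |
        Where-Object { $_.Path -and $_.Level -eq 'Unrestricted' -and $_.Path -notlike '%HKEY_*' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Path) -replace '\\\*$', '' }

    $locations = @($BaselineLocations) + @($ruleLocations) | Where-Object { $_ } | Sort-Object -Unique
    foreach ($location in $locations) {
        $aces = @(Test-UserWritable -Path $location)
        if ($aces.Count -eq 0) {
            Write-Host "OK  $location is not writable by ordinary users"
            continue
        }
        foreach ($ace in $aces) {
            Write-Warning "$location is writable by $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
}

Invoke-SrpAudit
```

Run it on a machine that already has the policy applied. A warning for an allowed location means that directory's ACL needs tightening before the path rule can be trusted, since a write-capable user could otherwise drop a file into a location the policy executes from. The LNK warning is the trade-off Ben describes: keeping LNK among the designated file types covers executables started through shortcuts in non-allowed locations, while removing it keeps users' desktop shortcuts and Recent Items working.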



RE: Whitelisting Pros & Cons?

2011-11-17 Thread Crawford, Scott
In the end if white listing replaced anti-virus then attackers would simply 
raise the bar and make sure that their vulnerability exploits did not simply 
download and directly execute executable code. They would do behaviors in 
memory to simply defeat and bypass white listing technology.

This is the point I've been trying (with mixed success) to make. My suggestion 
has been to also add blacklisting to look for malicious signatures within the 
pdf, jpg, etc.  It seems to me that any given application vulnerability will be 
exploitable through a relatively easy to identify signature. Obviously, the 
payload could be any number of things, but the actual exploitation should be 
much easier to identify than the plethora of AV signatures that continually 
mutate. One could further reduce the number of signatures to keep on hand by 
only looking for exploits in recent versions of applications.

From: Marc Maiffret [mailto:mmaiff...@eeye.com]
Sent: Wednesday, November 16, 2011 11:01 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Thoughts on AV, white listing, and endpoint security futures... and yes in my 
classic terrible grammar, stream-of-consciousness style of writing... sorry 
NTSYSADMIN'ers! :)

Anti-virus does an amazing job for what it was originally created for: The 
prevention of known bad files.

The problem is that most malware these days is highly dynamic and as such we 
are increasingly living in a world of unknown malware and AV was not made to 
prevent unknown malware.

Anti-virus vendors are trying to Band-Aid their signature problem by having new 
systems that hopefully generate signatures faster. This is all the stuff the AV 
companies advertise around their cloud information sharing systems etc... AV 
still requires some level of companies to be compromised to know there is a new 
piece of malware that needs a signature. The cloud stuff (I forget everyone's 
marketing terms) helps to make it so that AV can create a signature but 
hopefully with fewer companies compromised and in a shorter amount of time.

White listing can help prevent unknown malware because it can prevent unknown 
executable code from executing.

This is of course not without time to manage, configure, and make sure all your 
legitimate apps at first deployment, and over the course of time, are properly 
white listed. But we will skip the management aspect for now and focus on what 
works prevention wise and what the limitations are.

Stepping back from a solution perspective let's look at the problem: Systems 
being compromised and infected with malware.

The majority of malware infections happen from one of two ways:

1.   User exploitation - User simply runs a piece of malicious code 
(web/usb/email/etc) and no exploit is involved, only trickery.

2.   Vulnerability exploitation - User is either targeted or through normal 
web browsing, and is infected with malware via an exploit leveraging an unknown 
or unpatched software vulnerability.

User Exploitation - This is a very common reason that malware ends up on 
systems. Think of all of the times you have had to clean up systems with fake 
anti-virus type of software etc... This is an area where anti-virus is simply 
failing because when the malware is delivered to one of your users it is being 
handed off by a server that is doing automated morphing of the executable in a 
way as to evade anti-virus signatures. I.E. The malicious executable has the 
exact same behavior on every system but the signature of that executable is 
different for every system it is delivered to. White listing is very helpful in 
preventing this type of malware because essentially it is a user running an 
unknown program and by virtue of white listing you're blocking all unknown 
programs. This is why you will hear people talk about having installed these 
solutions and their level of malware has simply gone down.

Vulnerability Exploitation - The other way systems are compromised is not by 
users just clicking on things but by attackers actively leveraging unknown or 
unpatched software vulnerabilities. In this case what ends up happening is a 
user will receive something like a PDF document via email or will be served 
malicious javascript/html/etc via a website and in either case there will be an 
exploit that leverages a vulnerability within some software you have installed 
on the system. When the exploit takes place it will start to leverage a 
software vulnerability typically to run malicious code within the memory space 
of the vulnerable software.

I.E. A user is browsing a website, embedded javascript spawns a window with an 
Adobe PDF file, the PDF file automatically loads, exploit code leverages a 
vulnerability within the PDF, exploit code starts running malicious shellcode 
within that Adobe program, that exploit shellcode then delivers its payload.

The payload is typically the exploit downloading a malicious executable from 
another website

Re: Whitelisting Pros & Cons?

2011-11-17 Thread Rankin, James R
Defense in depth, the layered approach is the only way. White/greylisting is 
much more effective but in the end having multiple layers is the only way to be 
truly secure. However application management CAN reduce your reliance (and 
therefore performance and management overhead) on realtime AV scanning. As more 
servers, apps and desktops become virtual, performance is key. Switching to 
scheduled scans only is the next step.

But you must always have multiple layers. It's not a duplication of effort when 
you are faced with adapting and evolving threats.

Sent from my SR-71 Blackbird

-Original Message-
From: Crawford, Scott crawfo...@evangel.edu
Date: Thu, 17 Nov 2011 19:58:50 
To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Whitelisting Pros & Cons?

In the end if white listing replaced anti-virus then attackers would simply 
raise the bar and make sure that their vulnerability exploits did not simply 
download and directly execute executable code. They would do behaviors in 
memory to simply defeat and bypass white listing technology.

This is the point I've been trying (with mixed success) to make. My suggestion 
has been to also add blacklisting to look for malicious signatures within the 
pdf, jpg, etc.  It seems to me that any given application vulnerability will be 
exploitable through a relatively easy to identify signature. Obviously, the 
payload could be any number of things, but the actual exploitation should be 
much easier to identify than the plethora of AV signatures that continually 
mutate. One could further reduce the number of signatures to keep on hand by 
only looking for exploits in recent versions of applications.

From: Marc Maiffret [mailto:mmaiff...@eeye.com]
Sent: Wednesday, November 16, 2011 11:01 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Thoughts on AV, white listing, and endpoint security futures... and yes in my 
classic terrible grammar, stream-of-consciousness style of writing... sorry 
NTSYSADMIN'ers! :)

Anti-virus does an amazing job for what it was originally created for: The 
prevention of known bad files.

The problem is that most malware these days is highly dynamic and as such we 
are increasingly living in a world of unknown malware and AV was not made to 
prevent unknown malware.

Anti-virus vendors are trying to Band-Aid their signature problem by having new 
systems that hopefully generate signatures faster. This is all the stuff the AV 
companies advertise around their cloud information sharing systems etc... AV 
still requires some level of companies to be compromised to know there is a new 
piece of malware that needs a signature. The cloud stuff (I forget everyone's 
marketing terms) helps to make it so that AV can create a signature but 
hopefully with fewer companies compromised and in a shorter amount of time.

White listing can help prevent unknown malware because it can prevent unknown 
executable code from executing.

This is of course not without time to manage, configure, and make sure all your 
legitimate apps at first deployment, and over the course of time, are properly 
white listed. But we will skip the management aspect for now and focus on what 
works prevention wise and what the limitations are.

Stepping back from a solution perspective let's look at the problem: Systems 
being compromised and infected with malware.

The majority of malware infections happen from one of two ways:

1.   User exploitation - User simply runs a piece of malicious code 
(web/usb/email/etc) and no exploit is involved, only trickery.

2.   Vulnerability exploitation - User is either targeted or through normal 
web browsing, and is infected with malware via an exploit leveraging an unknown 
or unpatched software vulnerability.

User Exploitation - This is a very common reason that malware ends up on 
systems. Think of all of the times you have had to clean up systems with fake 
anti-virus type of software etc... This is an area where anti-virus is simply 
failing because when the malware is delivered to one of your users it is being 
handed off by a server that is doing automated morphing of the executable in a 
way as to evade anti-virus signatures. I.E. The malicious executable has the 
exact same behavior on every system but the signature of that executable is 
different for every system it is delivered to. White listing is very helpful in 
preventing this type of malware because essentially it is a user running an 
unknown program and by virtue of white listing you're blocking all unknown 
programs. This is why you will hear people talk about having installed these 
solutions and their level of malware has simply gone down.

Vulnerability Exploitation - The other way systems are compromised is not by 
users just clicking on things but by attackers actively leveraging unknown or 
unpatched software vulnerabilities

RE: Whitelisting Pros & Cons?

2011-11-16 Thread Marc Maiffret
Thoughts on AV, white listing, and endpoint security futures... and yes in my 
classic terrible grammar, stream-of-consciousness style of writing... sorry 
NTSYSADMIN'ers! :)

Anti-virus does an amazing job for what it was originally created for: The 
prevention of known bad files.

The problem is that most malware these days is highly dynamic and as such we 
are increasingly living in a world of unknown malware and AV was not made to 
prevent unknown malware.

Anti-virus vendors are trying to Band-Aid their signature problem by having new 
systems that hopefully generate signatures faster. This is all the stuff the AV 
companies advertise around their cloud information sharing systems etc... AV 
still requires some level of companies to be compromised to know there is a new 
piece of malware that needs a signature. The cloud stuff (I forget everyone's 
marketing terms) helps to make it so that AV can create a signature but 
hopefully with fewer companies compromised and in a shorter amount of time.

White listing can help prevent unknown malware because it can prevent unknown 
executable code from executing.

This is of course not without time to manage, configure, and make sure all your 
legitimate apps at first deployment, and over the course of time, are properly 
white listed. But we will skip the management aspect for now and focus on what 
works prevention wise and what the limitations are.

Stepping back from a solution perspective let's look at the problem: Systems 
being compromised and infected with malware.

The majority of malware infections happen from one of two ways:

1.   User exploitation - User simply runs a piece of malicious code 
(web/usb/email/etc) and no exploit is involved, only trickery.

2.   Vulnerability exploitation - User is either targeted or through normal 
web browsing, and is infected with malware via an exploit leveraging an unknown 
or unpatched software vulnerability.

User Exploitation - This is a very common reason that malware ends up on 
systems. Think of all of the times you have had to clean up systems with fake 
anti-virus type of software etc... This is an area where anti-virus is simply 
failing because when the malware is delivered to one of your users it is being 
handed off by a server that is doing automated morphing of the executable in a 
way as to evade anti-virus signatures. I.E. The malicious executable has the 
exact same behavior on every system but the signature of that executable is 
different for every system it is delivered to. White listing is very helpful in 
preventing this type of malware because essentially it is a user running an 
unknown program and by virtue of white listing you're blocking all unknown 
programs. This is why you will hear people talk about having installed these 
solutions and their level of malware has simply gone down.

Vulnerability Exploitation - The other way systems are compromised is not by 
users just clicking on things but by attackers actively leveraging unknown or 
unpatched software vulnerabilities. In this case what ends up happening is a 
user will receive something like a PDF document via email or will be served 
malicious javascript/html/etc via a website and in either case there will be an 
exploit that leverages a vulnerability within some software you have installed 
on the system. When the exploit takes place it will start to leverage a 
software vulnerability typically to run malicious code within the memory space 
of the vulnerable software.

I.E. A user is browsing a website, embedded javascript spawns a window with an 
Adobe PDF file, the PDF file automatically loads, exploit code leverages a 
vulnerability within the PDF, exploit code starts running malicious shellcode 
within that Adobe program, that exploit shellcode then delivers its payload.

The payload is typically the exploit downloading a malicious executable from 
another website and then running that malicious executable which then Trojans a 
system etc... The problem is that the exploit code does not have to download 
another executable and rather it could keep performing malicious operations 
within the vulnerable application (Adobe) and since no new executable code is 
created, the whitelisting security software does not come into play. The point 
being that white listing is helpful against a lot of today's vulnerability 
exploitation because the payload delivered by most vulnerability exploits is to 
download an unknown executable and run it, which white listing will obviously 
stop.

In the end if white listing replaced anti-virus then attackers would simply 
raise the bar and make sure that their vulnerability exploits did not simply 
download and directly execute executable code. They would do behaviors in 
memory to simply defeat and bypass white listing technology.

Vulnerability/exploit prevention is critical and is always missed in 
discussions because everyone gets caught up in chasing the symptom (malware

RE: Whitelisting Pros & Cons?

2011-11-15 Thread Joseph Heaton
Would it be better to have a tool that only does whitelisting, or a software 
more like Viewfinity, where you can do both white and black lists, and also 
elevate permissions for applications that aren't on either list, but are needed 
by a few people, which wouldn't warrant putting it on the whitelist?

 Stu Sjouwerman s...@sunbelt-software.com 11/14/2011 2:16 PM 

Thanks Micheal. Anyone experience with any of the Whitelisting products in this 
InfoWorld Review?
 
http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

InfoWorld scorecard (five category scores weighted 30/15/25/10/20 percent, overall score, rating):

Product                                   30%  15%  25%  10%  20%  Overall  Rating
Bit9 Parity Suite 5.01                     10    8    9    9   10      9.4  EXCELLENT
CoreTrace Bouncer 5                         9    9    9    8    9      8.9  VERY GOOD
Lumension Application Control               8    9    8    9    9      8.5  VERY GOOD
McAfee Application Control 5.0              9    9    9    8    8      8.7  VERY GOOD
SignaCert Enterprise Trust Services 3.0

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith 
doesn't cut it.  You have to protect yourself and your assets, and whitelisting 
is the best way to do it.

--
Espi
 
 



On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com 
wrote:
I'm referring to Whitelisting in the context of security.  About 10 years ago, 
the ratio of good code versus malware was perhaps 90 good, 10 bad.  In that 
scenario, it makes sense to keep the bad code out. But over the last 10 years, 
with automated malware variant generation, the tables have turned, and there is 
actually more malware than good code out there. So in -that- scenario it might 
make sense to only allow good code and implement application control. Only that 
which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu


-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues

Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com] 
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com] 
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your
 public input.

 What is your experience with Whitelisting, which products you
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!

 Warm regards,

 Stu


RE: Whitelisting Pros & Cons? - Lumension

2011-11-15 Thread Stu Sjouwerman
Anyone experience with Lumension? This seems to be one of the bigger players.
Did some testing with this perhaps?

Warm regards,

Stu

From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Tuesday, November 15, 2011 10:47 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Would it be better to have a tool that only does whitelisting, or a software 
more like Viewfinity, where you can do both white and black lists, and also 
elevate permissions for applications that aren't on either list, but are needed 
by a few people, which wouldn't warrant putting it on the whitelist?

 Stu Sjouwerman s...@sunbelt-software.com 11/14/2011 2:16 PM 
Thanks Micheal. Anyone experience with any of the Whitelisting products in this 
InfoWorld Review?

http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

InfoWorld scorecard (five category scores weighted 30/15/25/10/20 percent, overall score, rating):

Product                                   30%  15%  25%  10%  20%  Overall  Rating
Bit9 Parity Suite 5.01                     10    8    9    9   10      9.4  EXCELLENT
CoreTrace Bouncer 5                         9    9    9    8    9      8.9  VERY GOOD
Lumension Application Control               8    9    8    9    9      8.5  VERY GOOD
McAfee Application Control 5.0              9    9    9    8    8      8.7  VERY GOOD
SignaCert Enterprise Trust Services 3.0

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith 
doesn't cut it.  You have to protect yourself and your assets, and whitelisting 
is the best way to do it.

--
Espi



On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman 
s...@sunbelt-software.com wrote:
I'm referring to Whitelisting in the context of security.  About 10 years ago, 
the ratio of good code versus malware was perhaps 90 good, 10 bad.  In that 
scenario, it makes sense to keep the bad code out. But over the last 10 years, 
with automated malware variant generation, the tables have turned, and there is 
actually more malware than good code out there. So in -that- scenario it might 
make sense to only allow good code and implement application control. Only that 
which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011 08:14:57 -0800
Subject: Whitelisting Pros & Cons?
 Guys, I am writing an article for WServerNews, and would like your
 public input.

 What is your experience with Whitelisting, which products you
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!

 Warm regards,

 Stu


Re: Whitelisting Pros & Cons? - Lumension

2011-11-15 Thread James Rankin
Can't believe that AppSense AM isn't in there as one of the test subjects.
I think the issue is that most people use them for the Environment Manager
(EM) feature of the suite so AppSense are treated more as a competitor in
the UEM (User Environment Management) market rather than against other
applications that do whitelisting, but the whitelisting product is (IMHO)
their strongest. If they were willing to run the rule over AppLocker for
that survey, then AM should surely have been included - most people who
work with Application Manager brand it as AppLocker on steroids, which is
slightly unfair seeing though it can do a lot more feature-wise.

On 15 November 2011 16:07, Stu Sjouwerman s...@sunbelt-software.com wrote:

 

 Anyone experience with Lumension? This seems to be one of the bigger
 players.

 Did some testing with this perhaps?

 Warm regards,

 Stu

 *From:* Joseph Heaton [mailto:jhea...@dfg.ca.gov]
 *Sent:* Tuesday, November 15, 2011 10:47 AM
 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting Pros & Cons?

 Would it be better to have a tool that only does whitelisting, or a
 software more like Viewfinity, where you can do both white and black lists,
 and also elevate permissions for applications that aren't on either list,
 but are needed by a few people, which wouldn't warrant putting it on the
 whitelist?

  Stu Sjouwerman s...@sunbelt-software.com 11/14/2011 2:16 PM 

 Thanks Micheal. Anyone experience with any of the Whitelisting products in
 this InfoWorld Review?

 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835

 InfoWorld scorecard as quoted (five weighted criteria, weight per column in
 the header row; the overall score is the weighted average):

 Product                                 | 30% | 15% | 25% | 10% | 20% | Overall | Rating
 Bit9 Parity Suite 5.01                  |  10 |   8 |   9 |   9 |  10 |     9.4 | EXCELLENT
 CoreTrace Bouncer 5                     |   9 |   9 |   9 |   8 |   9 |     8.9 | VERY GOOD
 Lumension Application Control           |   8 |   9 |   8 |   9 |   9 |     8.5 | VERY GOOD
 McAfee Application Control 5.0          |   9 |   9 |   9 |   8 |   8 |     8.7 | VERY GOOD
 SignaCert Enterprise Trust Services 3.0 |     |     |     |     |     |         |

 *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 *Sent:* Monday, November 14, 2011 5:10 PM
 *To:* NT System Admin Issues
 *Subject:* Re: Whitelisting Pros & Cons?

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm referring to Whitelisting in the context of security.  About 10 years
 ago, the ratio good code versus malware was perhaps 90 good 10 bad.  In that
 scenario, it makes sense to keep the bad code out. But over the last 10
 years, with automated malware variant generation, the tables have turned,
 and there is actually more malware than good code out there. So in -that-
 scenario it might make sense to only allow good code and implement
 application control. Only that which is allowed, will run.

 I'd like your feedback - input - discussion on this !

 Warm regards,

 Stu

 -Original Message-
 From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
 Sent: Monday, November 14, 2011 11:22 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Are you asking about web content filtering, email filtering, or some other
 type of whitelisting?

 --Matt Ross
 Ephrata School District

 - Original Message -
 From: Stu Sjouwerman
 [mailto:s...@sunbelt-software.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Mon, 14 Nov 2011 08:14:57 -0800
 Subject: Whitelisting Pros & Cons?

  Guys, I am writing an article for WServerNews, and would like your
  public input.

  What is your experience with Whitelisting, which products you
  tried/use, and what experience you are having with this, likes and hates
  are all welcome !!

  Warm regards,

  Stu

Re: Whitelisting Pros & Cons?

2011-11-15 Thread Andrew S. Baker
The greater the flexibility of the tool, the fewer tools you need to manage
your security.

Relying on 1 tool is not wise, but having to manage 12 slightly overlapping
tools is its own nightmare.

Getting it down to 3 or 4 tools is useful.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Nov 15, 2011 at 10:46 AM, Joseph Heaton jhea...@dfg.ca.gov wrote:

 Would it be better to have a tool that only does whitelisting, or a
 software more like Viewfinity, where you can do both white and black lists,
 and also elevate permissions for applications that aren't on either list,
 but are needed by a few people, which wouldn't warrant putting it on the
 whitelist?


Re: Whitelisting Pros & Cons?

2011-11-15 Thread Doug Hampshire
Clearly these results are flawed if McAfee Anything gets higher than a -3
in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman
s...@sunbelt-software.com wrote:

 Thanks Micheal. Anyone experience with any of the Whitelisting products in
 this InfoWorld Review?

 ** **


 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?
 


RE: Whitelisting Pros & Cons?

2011-11-15 Thread Stu Sjouwerman
Oh, this is an acquisition, that is why it's having such a high score!   LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in 
any category. :-)

Re: Whitelisting Pros & Cons?

2011-11-15 Thread Kurt Buff
McAfee has done a bit of that in the past couple of years - witness their
pickup of the Sidewinder firewall line with the purchase of Secure
Computing a couple of years ago, along with WebWasher, SnapGear and
IronMail.

Kurt

On Tue, Nov 15, 2011 at 11:09, Stu Sjouwerman s...@sunbelt-software.com wrote:

 Oh, this is an acquisition, that is why it's having such a high score!   LOL
 


Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Kurt Buff
On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman s...@sunbelt-software.com wrote:

 So I'm asking a bunch of questions here, because I'm looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80 - 20
 (which it is +/- at the moment) why not drop AV altogether and lock down those
 workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

Does it really save budget? I ask this though I'm thoroughly in favor
of application whitelisting [1].

The whitelist publisher should

 o- Have a comprehensive set of known apps up front
 o- Make it easy for an administrator to add apps to the whitelist
for some obscure program that's crucial
 o- Have a subscription mechanism to update their whitelist frequently
 o- Have a way for a subscriber to submit an executable for
analysis to be included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms
of effort expended by the sysadmin, by virtue of the nearly hourly
updates they publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our
relatively recent EA with MSFT, I plan to make some time to explore it
by setting up AppLocker on a test OU and subjecting myself to the
pain.
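
One way to run the AppLocker pilot Kurt describes, added here as an example that is not part of the original thread: inventory a clean reference build, generate publisher rules (hash rules for unsigned files), push the policy to the pilot OU's GPO in audit-only mode, and test an "obscure but crucial" executable against it before anyone adds it to the whitelist. The GPO LDAP path, the reference directories, the output file and the candidate executable path are placeholders; the AppLocker cmdlets and the 8003 audit event are the real Windows ones.

```powershell
# Added example, not from the thread. Placeholders: the pilot GPO's LDAP path
# (must point at the GPO linked to the test OU, not the OU itself), the
# reference directories, the policy file and the candidate executable.
# Requires the AppLocker module on a domain-joined admin workstation.
$PilotGpoLdap  = 'LDAP://dc1.example.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32")
$PolicyXml     = 'C:\AppLocker\pilot-audit.xml'                   # placeholder
$CandidateExe  = 'C:\Tools\ObscureButCrucial\tool.exe'            # placeholder

# 1. Inventory the executables, DLLs, scripts and installers on a known-clean
#    reference build. This is the "comprehensive set of known apps up front".
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Prefer publisher rules (they survive vendor updates); fall back to hash
#    rules only for unsigned files. -Optimize collapses redundant rules.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Baseline -Optimize

# 3. Force every rule collection to AuditOnly so nothing is blocked yet;
#    would-be blocks are only logged, which is what you want on a test OU.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $PolicyXml -Encoding utf8

# 4. Before adding a one-off application, see what the policy would decide.
#    PolicyDecision is Allowed or Denied; MatchingRule names the rule that fired.
$verdict = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $CandidateExe -User Everyone
$verdict | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the pilot GPO only. -Merge keeps rules already present there.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $PilotGpoLdap -Merge

# 6. On a pilot machine, review what audit mode would have blocked.
#    Event 8003 = "allowed to run but would have been prevented if enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Leave the policy in AuditOnly until the 8003 events stop naming software people actually need; only then flip the collections to Enabled.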




RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Bourque Daniel
Developers' stations...

I don't know how you can lock them down...


From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: 15 November 2011 14:19
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?



So I'm asking a bunch of questions here, because I'm looking at writing this
story from a few different angles. If the ratio Malware to good code is 80 - 20
(which it is +/- at the moment) why not drop AV altogether and lock down those
workstations and only allow good code to run?   Saves budget.

Your view? Input?

Stu


Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Stu Sjouwerman
So I'm asking a bunch of questions here, because I'm looking at writing this
story from a few different angles. If the ratio Malware to good code is 80 - 20
(which it is +/- at the moment) why not drop AV altogether and lock down those
workstations and only allow good code to run?   Saves budget.

Your view? Input?

Stu





From: Stu Sjouwerman
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros  Cons?

Oh, this an acquisition, that is why it's having such a high score!   LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros  Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in 
any category. :-)
On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman 
s...@sunbelt-software.commailto:s...@sunbelt-software.com wrote:
Thanks Micheal. Anyone experience with any of the Whitelisting products in this 
InfoWorld Review?

http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?


Bit9 Parity Suite 5.01

10

8

9

9

10

9.4
EXCELLENT


30%

15%

25%

10%

20%

CoreTrace Bouncer 5

9

9

9

8

9

8.9
VERY GOOD


30%

15%

25%

10%

20%

Lumension Application Control

8

9

8

9

9

8.5
VERY GOOD


30%

15%

25%

10%

20%

McAfee Application Control 5.0

9

9

9

8

8

8.7
VERY GOOD


30%

15%

25%

10%

20%

SignaCert Enterprise Trust Services 3.0




From: Micheal Espinola Jr 
[mailto:michealespin...@gmail.commailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM

To: NT System Admin Issues
Subject: Re: Whitelisting Pros  Cons?

Whitelisting is the future IMHO.  You cant trust anything anymore.  Faith 
doesnt cut it.  You have to protect yourself and your assets, and whitelisting 
is the best way to do it.

--
Espi



On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman 
s...@sunbelt-software.commailto:s...@sunbelt-software.com wrote:
I'm referring to Whitelisting in the context of security.  About 10 years ago, 
the ratio
Good code versus malware was perhaps 90 good 10 bad.  In that scenario, it 
makes
sense to keep the bad code out. But over the last 10 years, with automated 
malware
variant generation, the tables have turned, and there is actually more malware 
than
good code out there. So in -that- scenario it might make sense to only allow 
good code
and implement application control. Only that which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011 08:14:57 -0800
Subject: Whitelisting Pros & Cons?
 Guys, I am writing an article for WServerNews, and would like your
 public input.

 What is your experience with Whitelisting, which products you
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!

 Warm regards,

 Stu

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ---
 To manage subscriptions click here:
 http://lyris.sunbelt-software.com/read/my_forums/
 or send an email to listmana...@lyris.sunbeltsoftware.com
 with the body: unsubscribe ntsysadmin


RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Stu Sjouwerman
Very good feedback Kurt! Anyone else ?

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman s...@sunbelt-software.com wrote:

 So I’m asking a bunch of questions here, because I’m looking at 
 writing this story from a few different angles. If the ratio Malware 
 to good code is 80 – 20 (which it is +/- at the moment) why not drop 
 AV all together and lock down those workstations and only allow good code to 
 run?   Saves budget.

 Your view? Input?

 Stu

Does it really save budget? I ask this though I'm thoroughly in favor of 
application whitelisting [1].

The whitelist publisher should

 o- Have a comprehensive set of known apps up front
 o- Make it easy for an administrator to add apps to the whitelist for some 
obscure program that's crucial
 o- Have a subscription mechanism to update their whitelist frequently
 o- Have a way for a subscriber to submit an executable for analysis to be 
included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of 
effort expended by the sysadmin, by virtue of the nearly hourly updates they 
publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent 
EA with MSFT, I plan to make some time to explore it by setting up Applocker on 
a test OU and subjecting myself to the pain.


RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread David Lum
I like the idea for many scenarios, developers would be one where it would be 
tough, but in the places I manage I bet it would work for 80% of the systems as 
a great many fire up just a few apps. For public access machines (library) this 
is largely what I do anyway, but for more than just malware concerns :-).

The catch is developers usually need more speed than the rest so if you could 
go without AV on them it would be beneficial from their standpoint - they are 
historically (in my experience) the hardest to balance between security and 
performance.

Dave

-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Tuesday, November 15, 2011 11:47 AM
To: NT System Admin Issues
Subject: RE: Would you drop AV for Whitelisting / Application Control?

Very good feedback Kurt! Anyone else ?

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman s...@sunbelt-software.com wrote:

 So I’m asking a bunch of questions here, because I’m looking at 
 writing this story from a few different angles. If the ratio Malware 
 to good code is 80 – 20 (which it is +/- at the moment) why not drop 
 AV all together and lock down those workstations and only allow good code to 
 run?   Saves budget.

 Your view? Input?

 Stu

Does it really save budget? I ask this though I'm thoroughly in favor of 
application whitelisting [1]

The whitelist publisher should

 o- Have a comprehensive set of known apps up front
 o- Make it easy for an administrator to add apps to the whitelist for some 
obscure program that's crucial
 o- Have a subscription mechanism to update their whitelist frequently
 o- Have a way for a subscriber to submit an executable for analysis to be 
included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of 
effort expended by the sysadmin, by virtue of the nearly hourly updates they 
publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent 
EA with MSFT, I plan to make some time to explore it by setting up Applocker on 
a test OU and subjecting myself to the pain.


RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Ziots, Edward
Some have taken that stance, but I have also heard the other side, which is
that they need to keep AV on workstations and servers due to compliance issues
(which I don't really take as a valid argument, especially if compensating
controls are taking effect).

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Tuesday, November 15, 2011 2:19 PM
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?

So I'm asking a bunch of questions here, because I'm looking at writing this
story from a few different angles. If the ratio Malware to good code is 80 - 20
(which it is +/- at the moment) why not drop AV all together and lock down those
workstations and only allow good code to run?   Saves budget.

Your view? Input?

Stu

From: Stu Sjouwerman 
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Oh, this is an acquisition, that is why it's having such a high score!   LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com] 
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Clearly these results are flawed if McAfee Anything gets higher than a
-3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman 
s...@sunbelt-software.com wrote:

Thanks Micheal. Anyone have experience with any of the Whitelisting products
in this InfoWorld Review?

http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

Product                                   Category scores      Overall  Rating
Bit9 Parity Suite 5.01                    10 / 8 / 9 / 9 / 10  9.4      EXCELLENT
CoreTrace Bouncer 5                        9 / 9 / 9 / 8 / 9   8.9      VERY GOOD
Lumension Application Control              8 / 9 / 8 / 9 / 9   8.5      VERY GOOD
McAfee Application Control 5.0             9 / 9 / 9 / 8 / 8   8.7      VERY GOOD
SignaCert Enterprise Trust Services 3.0
Category weights (same for every product): 30% / 15% / 25% / 10% / 20%

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Whitelisting is the future IMHO.  You can't trust anything anymore.
Faith doesn't cut it.  You have to protect yourself and your assets, and
whitelisting is the best way to do it.

--
Espi

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com wrote:

I'm referring to Whitelisting in the context of security.  About 10 years ago,
the ratio good code versus malware was perhaps 90 good 10 bad.  In that
scenario, it makes sense to keep the bad code out. But over the last 10 years,
with automated malware variant generation, the tables have turned, and there is
actually more malware than good code out there. So in -that- scenario it might
make sense to only allow good code and implement application control. Only
that which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu


-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues

Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some
other type of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?

 Guys, I am writing an article for WServerNews, and would like your
 public input.

 What is your experience with Whitelisting, which products you
 tried/use, and what experience you are having with this, likes and
hates are all welcome !!

 Warm regards,

 Stu


Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Andrew S. Baker
AV is still very useful in perimeter security devices, but its usefulness
is deteriorating rapidly.

In the past 2 years, various machines on my home network have intercepted
malware trying to infect my network, but except for malware-laden email, AV
has not been the vehicle that has caught it.  On the flip side, I've had
lots more false positives with AV (things that it doesn't like, but which I
know are there, and want to be there, like MetaSploit, VNC, etc).

My detailed viewpoint is:
http://home.asbzone.com/ASB/archive/2010/05/10/it-s-time-to-re-evaluate-host-based-security.aspx

I intend to get rid of AV at home (using Vipre, MSE, and Avira on different
machines) and fully deploy whitelisting in the next few months.  It's my
major upgrade project for the Winter.

OpenDNS is already doing more for me in terms of malware detection and
protection vs host-based AV.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Nov 15, 2011 at 2:18 PM, Stu Sjouwerman
s...@sunbelt-software.com wrote:

 So I’m asking a bunch of questions here, because I’m looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80 – 20
 (which it is +/- at the moment) why not drop AV all together and lock down
 those workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it’s having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone have experience with any of the Whitelisting products in
 this InfoWorld Review?

 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Category scores      Overall  Rating
 Bit9 Parity Suite 5.01                    10 / 8 / 9 / 9 / 10  9.4      EXCELLENT
 CoreTrace Bouncer 5                        9 / 9 / 9 / 8 / 9   8.9      VERY GOOD
 Lumension Application Control              8 / 9 / 8 / 9 / 9   8.5      VERY GOOD
 McAfee Application Control 5.0             9 / 9 / 9 / 8 / 8   8.7      VERY GOOD
 SignaCert Enterprise Trust Services 3.0
 Category weights (same for every product): 30% / 15% / 25% / 10% / 20%

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm referring to Whitelisting in the context of security.  About 10 years
 ago, the ratio good code versus malware was perhaps 90 good 10 bad.  In that
 scenario, it makes sense to keep the bad code out. But over the last 10 years,
 with automated malware variant generation, the tables have turned, and there
 is actually more malware than good code out there. So in -that- scenario it
 might make sense to only allow good code and implement application control.
 Only that which is allowed, will run.

 I'd like your feedback - input - discussion on this !

 Warm regards,

 Stu


 -Original Message-
 From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
 Sent: Monday, November 14, 2011 11:22 AM
 To: NT System Admin Issues

 Subject: Re: Whitelisting Pros & Cons?

 Are you asking about web content filtering, email filtering, or some other
 type of whitelisting?


 --Matt Ross
 Ephrata School District


 - Original Message -
 From: Stu Sjouwerman
 [mailto:s...@sunbelt-software.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Mon, 14 Nov 2011
 08:14:57 -0800
 Subject: Whitelisting Pros & Cons?

  Guys, I am writing an article for WServerNews, and would like your
  public input.
 
  What is your experience with Whitelisting, which products you
  tried/use, and what experience you are having

Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Andrew S. Baker
Auditors can be picky here.

What you do to get around this is not surprise them.  Get them onboard
early on, and there are no surprises at audit time.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Nov 15, 2011 at 3:09 PM, Ziots, Edward ezi...@lifespan.org wrote:

 Some have taken that stance, but I have also heard the other side, which is
 that they need to keep AV on workstations and servers due to compliance issues
 (which I don’t really take as a valid argument, especially if compensating
 controls are taking effect).

 Z

 Edward E. Ziots
 CISSP, Network +, Security +
 Security Engineer
 Lifespan Organization
 Email: ezi...@lifespan.org
 Cell: 401-639-3505

 From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
 Sent: Tuesday, November 15, 2011 2:19 PM
 To: NT System Admin Issues
 Subject: Would you drop AV for Whitelisting / Application Control?

 So I’m asking a bunch of questions here, because I’m looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80 – 20
 (which it is +/- at the moment) why not drop AV all together and lock down
 those workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it’s having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone have experience with any of the Whitelisting products in
 this InfoWorld Review?

 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Category scores      Overall  Rating
 Bit9 Parity Suite 5.01                    10 / 8 / 9 / 9 / 10  9.4      EXCELLENT
 CoreTrace Bouncer 5                        9 / 9 / 9 / 8 / 9   8.9      VERY GOOD
 Lumension Application Control              8 / 9 / 8 / 9 / 9   8.5      VERY GOOD
 McAfee Application Control 5.0             9 / 9 / 9 / 8 / 8   8.7      VERY GOOD
 SignaCert Enterprise Trust Services 3.0
 Category weights (same for every product): 30% / 15% / 25% / 10% / 20%

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm referring to Whitelisting in the context of security.  About 10 years
 ago, the ratio good code versus malware was perhaps 90 good 10 bad.  In that
 scenario, it makes sense to keep the bad code out. But over the last 10 years,
 with automated malware variant generation, the tables have turned, and there
 is actually more malware than good code out there. So in -that- scenario it
 might make sense to only allow good code and implement application control.
 Only that which is allowed, will run.

 I'd like your feedback - input - discussion on this !

 Warm regards,

 Stu


 -Original Message-
 From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
 Sent: Monday, November 14, 2011 11:22 AM
 To: NT System Admin Issues

 Subject: Re: Whitelisting Pros & Cons?

 Are you asking about web content filtering, email filtering, or some other
 type of whitelisting?


 --Matt Ross
 Ephrata School District


 - Original Message -
 From: Stu Sjouwerman
 [mailto:s...@sunbelt-software.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Mon, 14 Nov 2011
 08:14:57 -0800
 Subject: Whitelisting Pros & Cons?

  Guys, I am writing an article for WServerNews, and would like your
  public input.
 
  What is your experience with Whitelisting, which products you
  tried/use, and what experience you are having with this, likes

Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Andrew S. Baker
What I did in one environment was isolate the entire developer segment,
because they made a stink about the mandatory AV, and insisted that they
couldn't work if their systems were locked down like everyone else.

We allowed them to have control of their own scanning settings, but
firewalled their entire segment from the rest of the network and
deep-scanned their traffic.

The security posture of the rest of the environment improved greatly, but
more than half of the developers needed to have their laptops rebuilt due
to constant rootkits.  They finally relented when they couldn't win any
argument about how unnecessary our approach to security was for them.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Nov 15, 2011 at 2:57 PM, David Lum david@nwea.org wrote:

 I like the idea for many scenarios, developers would be one where it would
 be tough, but in the places I manage I bet it would work for 80% of the
 systems as a great many fire up just a few apps. For public access machines
 (library) this is largely what I do anyway, but for more than just malware
 concerns :-).

 The catch is developers usually need more speed than the rest so if you
 could go without AV on them it would be beneficial from their standpoint -
 they are historically (in my experience) the hardest to balance between
 security and performance.

 Dave

 -Original Message-
 From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
 Sent: Tuesday, November 15, 2011 11:47 AM
 To: NT System Admin Issues
 Subject: RE: Would you drop AV for Whitelisting / Application Control?

 Very good feedback Kurt! Anyone else ?

 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Tuesday, November 15, 2011 2:37 PM
 To: NT System Admin Issues
 Subject: Re: Would you drop AV for Whitelisting / Application Control?

 On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman s...@sunbelt-software.com
 wrote:
 
  So I’m asking a bunch of questions here, because I’m looking at
  writing this story from a few different angles. If the ratio Malware
  to good code is 80 – 20 (which it is +/- at the moment) why not drop
  AV all together and lock down those workstations and only allow good
 code to run?   Saves budget.
 
  Your view? Input?
 
  Stu

 Does it really save budget? I ask this though I'm thoroughly in favor of
 application whitelisting [1]

 The whitelist publisher should

 o- Have a comprehensive set of known apps up front
 o- Make it easy for an administrator to add apps to the whitelist for
 some obscure program that's crucial
 o- Have a subscription mechanism to update their whitelist frequently
 o- Have a way for a subscriber to submit an executable for analysis to
 be included/excluded from the whitelist

 Absent the above, the blacklisters probably have an advantage in terms of
 effort expended by the sysadmin, by virtue of the nearly hourly updates
 they publish.

 Kurt

 [1] I don't yet have experience with whitelisting. Given our relatively
 recent EA with MSFT, I plan to make some time to explore it by setting up
 Applocker on a test OU and subjecting myself to the pain.


Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Erik Goldoff
again, depends on your whitelisting solution


   - does it only depend on filename and size/date info?
      - that can be spoofed
   - does it also checksum executables?
      - what happens on patch Tuesday?
      - are patches/hotfixes even allowed to run?
      - what happens to patched software that no longer matches the checksum?
         - especially when the patched software is OS core? do you brick the
           machine via whitelist protection?
   - how do you manage whitelisting for power users with LOTS of installed
     software and a legitimate need to install utilities and updates on the fly?

I've found whitelisting to be very good on 'standardized' systems that
perform a specific role, but the more a system needs to be customized for
the end user, the harder it is to manage security via whitelisting.

On Tue, Nov 15, 2011 at 2:18 PM, Stu Sjouwerman
s...@sunbelt-software.com wrote:

 So I’m asking a bunch of questions here, because I’m looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80 – 20
 (which it is +/- at the moment) why not drop AV all together and lock down
 those workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it’s having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone have experience with any of the Whitelisting products in
 this InfoWorld Review?

 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Category scores      Overall  Rating
 Bit9 Parity Suite 5.01                    10 / 8 / 9 / 9 / 10  9.4      EXCELLENT
 CoreTrace Bouncer 5                        9 / 9 / 9 / 8 / 9   8.9      VERY GOOD
 Lumension Application Control              8 / 9 / 8 / 9 / 9   8.5      VERY GOOD
 McAfee Application Control 5.0             9 / 9 / 9 / 8 / 8   8.7      VERY GOOD
 SignaCert Enterprise Trust Services 3.0
 Category weights (same for every product): 30% / 15% / 25% / 10% / 20%

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm referring to Whitelisting in the context of security.  About 10 years
 ago, the ratio good code versus malware was perhaps 90 good 10 bad.  In that
 scenario, it makes sense to keep the bad code out. But over the last 10 years,
 with automated malware variant generation, the tables have turned, and there
 is actually more malware than good code out there. So in -that- scenario it
 might make sense to only allow good code and implement application control.
 Only that which is allowed, will run.

 I'd like your feedback - input - discussion on this !

 Warm regards,

 Stu


 -Original Message-
 From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
 Sent: Monday, November 14, 2011 11:22 AM
 To: NT System Admin Issues

 Subject: Re: Whitelisting Pros & Cons?

 Are you asking about web content filtering, email filtering, or some other
 type of whitelisting?


 --Matt Ross
 Ephrata School District


 - Original Message -
 From: Stu Sjouwerman
 [mailto:s...@sunbelt-software.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Mon, 14 Nov 2011
 08:14:57 -0800
 Subject: Whitelisting Pros & Cons?

  Guys, I am writing an article for WServerNews, and would like your
  public input.
 
  What is your experience with Whitelisting, which products you
  tried/use, and what experience you are having with this, likes and hates
 are all welcome !!
 
  Warm regards,
 
  Stu
 

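Erik's checklist above, worked through as an added example (not Erik's code and not from any product in the thread): a toy allow-list engine in Python that judges constructed sample files under a name/size/date rule and under a SHA-256 rule, showing why the first can be satisfied by an unrelated file and how the second denies a freshly patched binary until the list is refreshed. File names, contents, sizes and timestamps are all constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileInfo:
    """What an endpoint agent can read about a file (constructed sample data)."""
    name: str
    content: bytes
    mtime: int  # last-modified time, epoch seconds

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Whitelist:
    """Both rule kinds kept side by side so one file can be judged both ways."""
    metadata_rules: set = field(default_factory=set)  # {(name, size, mtime)}
    hash_rules: set = field(default_factory=set)      # {sha256 hex digest}

    def enroll(self, f: FileInfo) -> None:
        """Trust a file under both rule kinds, e.g. when baselining a gold image."""
        self.metadata_rules.add((f.name, f.size, f.mtime))
        self.hash_rules.add(f.sha256)

    def decide(self, f: FileInfo, mode: str) -> str:
        """Return 'allow' or 'deny' for one execution attempt under one rule kind."""
        if mode == "metadata":
            allowed = (f.name, f.size, f.mtime) in self.metadata_rules
        elif mode == "hash":
            allowed = f.sha256 in self.hash_rules
        else:
            raise ValueError(f"unknown rule mode {mode!r}")
        return "allow" if allowed else "deny"


# Constructed stand-ins for a trusted binary and its post-patch version.
# Real entries would be PE files; only the bytes matter to the hash rule.
TRUSTED = FileInfo("calc.exe", b"MZ" + b"calculator build 1".ljust(60, b"\0"), 1_300_000_000)
PATCHED = FileInfo("calc.exe", b"MZ" + b"calculator build 2".ljust(60, b"\0"), 1_320_000_000)


def lookalike_scenario() -> tuple:
    """Why name/size/date rules give no assurance: an unrelated binary that
    happens to carry the same name, size and timestamp as TRUSTED."""
    wl = Whitelist()
    wl.enroll(TRUSTED)
    lookalike = FileInfo(TRUSTED.name, b"MZ" + b"unrelated code".ljust(60, b"\0"), TRUSTED.mtime)
    assert lookalike.size == TRUSTED.size and lookalike.sha256 != TRUSTED.sha256
    # metadata rule: allow (all three attributes match); hash rule: deny
    return wl.decide(lookalike, "metadata"), wl.decide(lookalike, "hash")


def patch_tuesday_scenario() -> tuple:
    """Why hash rules need an update path: after a patch the same program has
    new bytes, so the hash rule denies it until the list is re-baselined."""
    wl = Whitelist()
    wl.enroll(TRUSTED)
    before = wl.decide(PATCHED, "hash")  # deny: digest of the new bytes is unknown
    # The refresh step that has to ride along with patch deployment, whether it
    # comes from a vendor hash feed or from re-baselining a verified update;
    # here it is done by hand for the constructed sample.
    wl.hash_rules.add(PATCHED.sha256)
    after = wl.decide(PATCHED, "hash")   # allow
    return before, after


if __name__ == "__main__":
    print("lookalike (metadata, hash):", lookalike_scenario())
    print("patch day (before, after):", patch_tuesday_scenario())
```
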
Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Kurt Buff
Two workstations, one for standard corporate applications and locked down,
the actual development machine should be in a separate subnet that's locked
down and has access to only the required network assets, which ideally
should also be in that subnet.

Kurt

On Tue, Nov 15, 2011 at 11:36, Bourque Daniel 
daniel.bour...@loto-quebec.com wrote:

 Developer's stations...

 I don't know how you can lock them down...

  --
 From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
 Sent: 15 November 2011 14:19
 To: NT System Admin Issues
 Subject: Would you drop AV for Whitelisting / Application Control?

 So I'm asking a bunch of questions here, because I'm looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80
 - 20 (which it is +/- at the moment) why not drop AV all together and lock
 down those workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it's having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone experience with any of the Whitelisting products in
 this InfoWorld Review?

  


 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Criterion scores (weights 30% 15% 25% 10% 20%)   Overall   Rating
 Bit9 Parity Suite 5.01                    10   8   9   9   10                                 9.4       EXCELLENT
 CoreTrace Bouncer 5                        9    9   9   8   9                                  8.9       VERY GOOD
 Lumension Application Control             8    9   8   9   9                                  8.5       VERY GOOD
 McAfee Application Control 5.0            9    9   9   8   8                                  8.7       VERY GOOD
 SignaCert Enterprise Trust Services 3.0   (scores not present in the quoted copy)

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

  

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm referring to Whitelisting in the context of security.  About 10 years
 ago, the ratio Good code versus malware was perhaps 90 good 10 bad.  In that
 scenario, it makes sense to keep the bad code out. But over the last 10
 years, with automated malware variant generation, the tables have turned, and
 there is actually more malware than good code out there. So in -that-
 scenario it might make sense to only allow good code and implement
 application control. Only that which is allowed, will run.

 I'd like your feedback - input - discussion on this !

 Warm regards,

 Stu


 -Original Message-
 From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
 Sent: Monday, November 14, 2011 11:22 AM
 To: NT System Admin Issues

 Subject: Re: Whitelisting Pros & Cons?

 Are you asking about web content filtering, email filtering, or some other
 type of whitelisting?


 --Matt Ross
 Ephrata School District


 - Original Message -
 From: Stu Sjouwerman
 [mailto:s...@sunbelt-software.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Mon, 14 Nov 2011
 08:14:57 -0800
 Subject: Whitelisting Pros & Cons?

  Guys, I am writing an article for WServerNews, and would like your
  public input.
 
  What is your experience with Whitelisting, which products you
  tried/use, and what experience you are having with this, likes and hates
 are all welcome !!
 
  Warm regards,
 
  Stu
 
  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
  http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~
 
  ---
  To manage subscriptions click here:
  http://lyris.sunbelt-software.com/read/my_forums/
  or send an email to listmana...@lyris.sunbeltsoftware.com
  with the body: unsubscribe ntsysadmin

 ~ Finally

RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Ziots, Edward
Why get around them? That is the same negative thinking I see all over
the place. ( I deal with auditors a lot, they aren't to be feared as
much as some make it out to be) 

 

Best thing is to have your ducks in order on why you make the risk based
decisions in the deployment of your security controls, and be able to
explain it to the auditors and back it up with the understanding of the
compliance issues that you are under. 

 

Sincerely,

EZ

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Tuesday, November 15, 2011 3:14 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

 

Auditors can be picky here.

What you do to get around this is not surprise them.  Get them onboard
early on, and there are no surprises at audit time.


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...





On Tue, Nov 15, 2011 at 3:09 PM, Ziots, Edward ezi...@lifespan.org
wrote:

Some have taken that stance, but I have also heard the other side, is
they need to keep AV on workstations, Servers due to compliance issues.
( which I don't really take as a valid argument, especially if
compensating controls are taking effect)

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Tuesday, November 15, 2011 2:19 PM


To: NT System Admin Issues

Subject: Would you drop AV for Whitelisting / Application Control?

 

So I'm asking a bunch of questions here, because I'm looking at writing this
story from a few different angles. If the ratio Malware to good code is
80 - 20 (which it is +/- at the moment) why not drop AV all together and lock
down those workstations and only allow good code to run?   Saves budget.

 

Your view? Input?


Stu 

 

 

 

 

 

From: Stu Sjouwerman 
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Oh, this is an acquisition, that is why it's having such a high score!   LOL

 

From: Doug Hampshire [mailto:dhampsh...@gmail.com] 
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

 

Clearly these results are flawed if McAfee Anything gets higher than a
-3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman 
s...@sunbelt-software.com wrote:

Thanks Micheal. Anyone experience with any of the Whitelisting products
in this InfoWorld Review?

 

http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

Product                                   Criterion scores (weights 30% 15% 25% 10% 20%)   Overall   Rating
Bit9 Parity Suite 5.01                    10   8   9   9   10                                 9.4       EXCELLENT
CoreTrace Bouncer 5                       9    9   9   8   9                                  8.9       VERY GOOD
Lumension Application Control             8    9   8   9   9                                  8.5       VERY GOOD
McAfee Application Control 5.0            9    9   9   8   8                                  8.7       VERY GOOD
SignaCert Enterprise Trust Services 3.0   (scores not present in the quoted copy)



 

 

 

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Monday, November 14, 2011 5:10 PM


To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

 

Whitelisting is the future IMHO.  You can't trust anything anymore.
Faith doesn't cut it.  You have to protect yourself and your assets, and
whitelisting is the best way to do it.

--
Espi

 

 

 

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman 
s...@sunbelt-software.com wrote:

I'm referring to Whitelisting in the context of security.  About 10
years ago, the ratio Good code versus malware was perhaps 90 good 10 bad.  In
that scenario, it makes sense to keep the bad code out. But over the last 10
years, with automated malware variant generation, the tables have turned, and
there is actually more malware than good code out there. So in -that-
scenario it might make sense to only allow good code and implement
application control. Only that which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu


-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues

Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some
other type of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?

 Guys, I am writing an article

Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Andrew S. Baker
No, not get around *them*.  Get around the issue of them being picky about
certain technologies.

You get them on board with the approach being taken -- not at audit time,
but well before.

By working with them in advance, everyone is happy(ier).

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...



On Tue, Nov 15, 2011 at 3:57 PM, Ziots, Edward ezi...@lifespan.org wrote:

 Why get around them? That is the same negative thinking I see all over the
 place. ( I deal with auditors a lot, they aren’t to be feared as much as
 some make it out to be) 

 Best thing is to have your ducks in order on why you make the risk based
 decisions in the deployment of your security controls, and be able to
 explain it to the auditors and back it up with the understanding of the
 compliance issues that you are under.


 Sincerely,

 EZ


 Edward E. Ziots

 CISSP, Network +, Security +

 Security Engineer

 Lifespan Organization

 Email:ezi...@lifespan.org

 Cell:401-639-3505


 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Tuesday, November 15, 2011 3:14 PM
 To: NT System Admin Issues
 Subject: Re: Would you drop AV for Whitelisting / Application Control?

 Auditors can be picky here.


 What you do to get around this is not surprise them.  Get them onboard
 early on, and there are no surprises at audit time.
 

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market...



 

 On Tue, Nov 15, 2011 at 3:09 PM, Ziots, Edward ezi...@lifespan.org
 wrote:

 Some have taken that stance, but I have also heard the other side, is they
 need to keep AV on workstations, Servers due to compliance issues. ( which
 I don’t really take as a valid argument, especially if compensating
 controls are taking effect)

  

 Z

  

 Edward E. Ziots

 CISSP, Network +, Security +

 Security Engineer

 Lifespan Organization

 Email:ezi...@lifespan.org

 Cell:401-639-3505


  

 From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
 Sent: Tuesday, November 15, 2011 2:19 PM
 To: NT System Admin Issues
 Subject: Would you drop AV for Whitelisting / Application Control?

  

 So I’m asking a bunch of questions here, because I’m looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80
 – 20 (which it is +/- at the moment) why not drop AV all together and lock
 down those workstations and only allow good code to run?   Saves budget.

  

 Your view? Input?


 Stu 

  

  

  

  

  

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it’s having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

  

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone experience with any of the Whitelisting products in
 this InfoWorld Review?

  


 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Criterion scores (weights 30% 15% 25% 10% 20%)   Overall   Rating
 Bit9 Parity Suite 5.01                    10   8   9   9   10                                 9.4       EXCELLENT
 CoreTrace Bouncer 5                       9    9   9   8   9                                  8.9       VERY GOOD
 Lumension Application Control             8    9   8   9   9                                  8.5       VERY GOOD
 McAfee Application Control 5.0            9    9   9   8   8                                  8.7       VERY GOOD
 SignaCert Enterprise Trust Services 3.0   (scores not present in the quoted copy)

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

  

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

 On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 I'm

RE: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Crawford, Scott
It's not a question of whitelist or AV (blacklist). Both are necessary.  
Whitelisting is very effective at controlling what exe, dll, com, etc. are 
allowed to run. But, malware can also exist as malformed data files such as 
pdf, jpeg, mp3.  For these, blacklisting is needed since its extremely 
impractical to whitelist every data file you'd like to open.

The analogy I like is home access. It's pretty impractical to maintain a list 
of criminals that you won't allow into your house. It's much easier to keep a 
mental list of friends and family who are welcome to come in. In that sense, 
you're whitelisting access to your house. But, even though Uncle Louie may be 
on the whitelist, if he comes over drunk one night and starts swinging a bat at 
my wife, I'm not gonna let him stick around just because he's been whitelisted. 
My failsafe blacklist of unacceptable behavior is going to dictate that I kick 
him out.

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Tuesday, November 15, 2011 1:19 PM
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?

So I'm asking a bunch of questions here, because I'm looking at writing this
story from a few different angles. If the ratio Malware to good code is 80 - 20
(which it is +/- at the moment) why not drop AV all together and lock down those
workstations and only allow good code to run?   Saves budget.

Your view? Input?

Stu





From: Stu Sjouwerman
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Oh, this is an acquisition, that is why it's having such a high score!   LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in 
any category. :-)
On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com wrote:
Thanks Micheal. Anyone experience with any of the Whitelisting products in this 
InfoWorld Review?

http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?


Product                                   Criterion scores (weights 30% 15% 25% 10% 20%)   Overall   Rating
Bit9 Parity Suite 5.01                    10   8   9   9   10                                 9.4       EXCELLENT
CoreTrace Bouncer 5                       9    9   9   8   9                                  8.9       VERY GOOD
Lumension Application Control             8    9   8   9   9                                  8.5       VERY GOOD
McAfee Application Control 5.0            9    9   9   8   8                                  8.7       VERY GOOD
SignaCert Enterprise Trust Services 3.0   (scores not present in the quoted copy)




From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
doesn't cut it.  You have to protect yourself and your assets, and whitelisting
is the best way to do it.

--
Espi



On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com wrote:
I'm referring to Whitelisting in the context of security.  About 10 years ago,
the ratio Good code versus malware was perhaps 90 good 10 bad.  In that
scenario, it makes sense to keep the bad code out. But over the last 10 years,
with automated malware variant generation, the tables have turned, and there is
actually more malware than good code out there. So in -that- scenario it might
make sense to only allow good code and implement application control. Only
that which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,

Stu

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?
 Guys, I am writing an article for WServerNews, and would like your
 public input.

 What is your experience with Whitelisting, which products you
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!

 Warm regards,

 Stu

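Scott's point above (allow-list the executables, scan the data files) as an added Python example; this is not code from the thread or from any of the products it names. It classifies content by its leading bytes rather than by extension, so an executable renamed to .pdf still hits the allow-list check, while real data files go to a stand-in blacklist scanner. The sample file contents, the allow-list hash and the scanner's marker string are all constructed for the example.

```python
"""Added example (not from the thread or any product named in it):
allow-list executables by hash, route data files to a blacklist scanner.
All sample content below is constructed inline; no real files are read.
"""
import hashlib

# Executable formats recognised by their leading bytes, not by extension:
# a Windows PE image starts with the DOS stub signature "MZ", an ELF binary
# with 0x7F "ELF". A renamed .pdf whose bytes start with "MZ" is still code.
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}

# Stand-in for a signature/blacklist scanner: a constructed marker string
# plays the role of a malware signature for this example.
BAD_MARKER = b"<<constructed-bad-signature>>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Return 'pe', 'elf' or 'data' based on the file's leading bytes."""
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "data"


def scan_data(data: bytes) -> bool:
    """Blacklist path: True if a known-bad signature is present."""
    return BAD_MARKER in data


def decide(name: str, data: bytes, allowed_hashes: set) -> tuple:
    """Whitelist executables, blacklist-scan everything else.

    Returns (verdict, reason). Executable content runs only if its hash is
    on the allow-list; data files cannot practically be allow-listed, so
    they are handed to the scanner instead.
    """
    kind = classify(data)
    if kind != "data":
        if sha256_hex(data) in allowed_hashes:
            return ("allow", f"{name}: {kind} image on allow-list")
        return ("block", f"{name}: {kind} image not on allow-list")
    if scan_data(data):
        return ("block", f"{name}: data file matched scanner signature")
    return ("allow", f"{name}: data file, scanner clean")


# Constructed sample files (names and bytes invented for the example).
GOOD_EXE = b"MZ" + b"\x90" * 62          # the one executable we vetted
UNKNOWN_EXE = b"MZ" + b"\xcc" * 62       # an executable nobody approved
RENAMED_EXE = b"MZ" + b"\x90" * 30       # executable content named .pdf
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
BAD_PDF = b"%PDF-1.4\n" + BAD_MARKER + b"\n"

SAMPLES = {
    "notepad.exe": GOOD_EXE,
    "installer.exe": UNKNOWN_EXE,
    "report.pdf": RENAMED_EXE,
    "invoice.pdf": CLEAN_PDF,
    "resume.pdf": BAD_PDF,
}

# Allow-list built from the single vetted executable.
ALLOWED_HASHES = {sha256_hex(GOOD_EXE)}


def run_samples() -> dict:
    """Evaluate every sample; returns {name: verdict}."""
    return {name: decide(name, data, ALLOWED_HASHES)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = decide(name, data, ALLOWED_HASHES)
        print(f"{verdict:5}  {reason}")
```

The two paths are deliberately separate: the allow-list answers "is this exact code approved?", the scanner answers "does this data contain something known-bad?", and neither question can be answered well by the other mechanism.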

Re: Would you drop AV for Whitelisting / Application Control?

2011-11-15 Thread Andrew S. Baker
Just as virtually all primarily blacklist-focused solutions provide some
options for whitelisting, and other options for malware detection beyond
signatures, so too do most whitelist-focused solutions offer ways of
restricting application access beyond their primary approach.

I think what most people are saying is  whitelist tools and technologies
are the best way to deal with host-based malware going forward and what
you appear to be hearing is *a whitelist* is the only way to deal with
host-based malware going forward.

Subtle difference.

Also, to take your analogy a little further, the reason we're having this
discussion is that most AV products don't actually identify behavior --
they simply track physical malware characteristics.  This is why zero day
vulnerabilities get by them.  Unless Uncle Louie had a rapsheet before he
got to your house, he'd actually manage to do some damage before the police
blotter report was updated.

And, given that the list of strangers showing up to do dumb things still
outnumber the list of not-already-banned-family-members who would do dumb
things, my view of the relatively uselessness of most AV products today
still stands.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...



On Tue, Nov 15, 2011 at 6:38 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  It’s not a question of whitelist or AV (blacklist). Both are necessary.
 Whitelisting is very effective at controlling what exe, dll, com, etc. are
 allowed to run. But, malware can also exist as malformed data files such as
 pdf, jpeg, mp3.  For these, blacklisting is needed since its extremely
 impractical to whitelist every data file you’d like to open.


 The analogy I like is home access. It’s pretty impractical to maintain a
 list of criminals that you won’t allow into your house. It’s much easier to
 keep a mental list of friends and family who are welcome to come in. In
 that sense, you’re whitelisting access to your house. But, even though
 Uncle Louie may be on the whitelist, if he comes over drunk one night and
 starts swinging a bat at my wife, I’m not gonna let him stick around just
 because he’s been whitelisted. My failsafe blacklist of unacceptable
 behavior is going to dictate that I kick him out.


 From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
 Sent: Tuesday, November 15, 2011 1:19 PM
 To: NT System Admin Issues
 Subject: Would you drop AV for Whitelisting / Application Control?


 So I’m asking a bunch of questions here, because I’m looking at writing this
 story from a few different angles. If the ratio Malware to good code is 80
 – 20 (which it is +/- at the moment) why not drop AV all together and lock
 down those workstations and only allow good code to run?   Saves budget.

 Your view? Input?

 Stu

 From: Stu Sjouwerman
 Sent: Tuesday, November 15, 2011 2:10 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting Pros & Cons?

 Oh, this is an acquisition, that is why it’s having such a high score!   LOL

 From: Doug Hampshire [mailto:dhampsh...@gmail.com]
 Sent: Tuesday, November 15, 2011 1:13 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

 Clearly these results are flawed if McAfee Anything gets higher than a -3
 in any category. :-)

 On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com
 wrote:

 Thanks Micheal. Anyone experience with any of the Whitelisting products in
 this InfoWorld Review?

  


 http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

 Product                                   Criterion scores (weights 30% 15% 25% 10% 20%)   Overall   Rating
 Bit9 Parity Suite 5.01                    10   8   9   9   10                                 9.4       EXCELLENT
 CoreTrace Bouncer 5                       9    9   9   8   9                                  8.9       VERY GOOD
 Lumension Application Control             8    9   8   9   9                                  8.5       VERY GOOD
 McAfee Application Control 5.0            9    9   9   8   8                                  8.7       VERY GOOD
 SignaCert Enterprise Trust Services 3.0   (scores not present in the quoted copy)

 From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
 Sent: Monday, November 14, 2011 5:10 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting Pros & Cons?

  

 Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
 doesn't cut it.  You have to protect yourself and your assets, and
 whitelisting is the best way to do it.

 --
 Espi

Whitelisting Pros & Cons?

2011-11-14 Thread Stu Sjouwerman
Guys, I am writing an article for WServerNews, and would like your public input.

What is your experience with Whitelisting, which products you tried/use, and
what experience you are having with this, likes and hates are all welcome !!

Warm regards,

Stu


Re: Whitelisting Pros & Cons?

2011-11-14 Thread Matthew W. Ross
Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your public
 input.
 
 What is your experience with Whitelisting, which products you tried/use, and
 what experience you are having with this, likes and hates are all welcome !!
 
 Warm regards,
 
 Stu
 




RE: Whitelisting Pros & Cons?

2011-11-14 Thread Ziots, Edward
I can comment offline for you Stu... feel free to email me accordingly. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Monday, November 14, 2011 11:15 AM
To: NT System Admin Issues
Subject: Whitelisting Pros & Cons?

 

Guys, I am writing an article for WServerNews, and would like your
public input.

 

What is your experience with Whitelisting, which products you tried/use,
and 

what experience you are having with this, likes and hates are all
welcome !!

 

Warm regards,

 

Stu

 




Re: Whitelisting Pros & Cons?

2011-11-14 Thread James Rankin
I swear by AppSense Application Manager, great product, extremely granular,
does a lot more than just whitelisting. It does device control for
licensing (MS allow AM to manage licenses on Terminal Servers for the likes
of Project and Visio, rather than buying thousands of licenses even though
fifty users only need it). It can also control user rights policies,
control panel applets, it can elevate users (or de-elevate them) from
groups without logging off, produce reports, and a vast lot more besides.
AppLocker isn't anywhere in the same league, but it's free and a good
improvement on the old Software Restriction Policies.

But as far as I am concerned, AppSense is the leader in this field. AM
renders AV almost redundant when set up properly. It isn't really
whitelisting - it's greylisting. Anything installed by an admin onto the
local drive can automatically execute. But anything a user drops on a local
drive can't execute. it does this by maintaining a list of Trusted Owners.
On the other hand, everything on network drives is untrusted by default and
has to be allowed to run. You can base the trigger value around a vast
array of configurable options, not just user or group.

It can be a bit pricey for some, but especially when you see what else you
get (Environment Management and Performance Management, both good products)
in your licenses, I wouldn't do without it.

YMMV, etc


On 14 November 2011 16:14, Stu Sjouwerman s...@sunbelt-software.com wrote:

 Guys, I am writing an article for WServerNews, and would like your public
 input.

 ** **

 What is your experience with Whitelisting, which products you tried/use,
 and 

 what experience you are having with this, likes and hates are all welcome
 !!

 ** **

 Warm regards,

 ** **

 Stu

 





-- 
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question.

** IMPORTANT INFORMATION/DISCLAIMER *

This document should be read only by those persons to whom it is addressed.
If you have received this message it was obviously addressed to you and
therefore you can read it, even it we didn't mean to send it to you.
However, if the contents of this email make no sense whatsoever then you
probably were not the intended recipient, or, alternatively, you are a
mindless cretin; either way, you should immediately kill yourself and
destroy your computer (not necessarily in that order). Once you have taken
this action, please contact us.. no, sorry, you can't use your computer,
because you just destroyed it, and possibly also committed suicide
afterwards, but I am starting to digress.. *

* The originator of this email is not liable for the transmission of the
information contained in this communication. Or are they? Either way it's a
pretty dull legal query and frankly one I'm not going to dwell on. But
should you have nothing better to do, please feel free to ruminate on it,
and please pass on any concrete conclusions should you find them. However,
if you pass them on via email, be sure to include a disclaimer regarding
liability for transmission.
*

* In the event that the originator did not send this email to you, then
please return it to us and attach a scanned-in picture of your mother's
brother's wife wearing nothing but a kangaroo suit, and we will immediately
refund you exactly half of what you paid for the can of Whiskas you bought
when you went to Pets** ** At Home yesterday. *

* We take no responsibility for non-receipt of this email because we are
running Exchange 5.5 and everyone knows how glitchy that can be. In the
event that you do get this message then please note that we take no
responsibility for that either. Nor will we accept any liability, tacit or
implied, for any damage you may or may not incur as a result of receiving,
or not, as the case may be, from time to time, notwithstanding all
liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *

* The comments and opinions expressed herein are my own and NOT those of my
employer, who, if he knew I was sending emails and surfing the seamier side
of the Internet, would cut off my manhood and feed it to me for afternoon
tea. *


RE: Whitelisting Pros & Cons?

2011-11-14 Thread Stu Sjouwerman
I'm referring to Whitelisting in the context of security. About 10 years ago,
the ratio of good code versus malware was perhaps 90 good, 10 bad. In that
scenario, it makes sense to keep the bad code out. But over the last 10 years,
with automated malware variant generation, the tables have turned, and there is
actually more malware than good code out there. So in -that- scenario it might
make sense to only allow good code and implement application control. Only that
which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!
 
 Warm regards,
 
 Stu
 



RE: Whitelisting Pros & Cons?

2011-11-14 Thread Kennedy, Jim
I am a huge fan of this tactic and I suspect the day will come when we 
seriously consider doing it for email and web surfing also. We were a full 
Cisco CAS shop here, districtwide 3000 desktops. It was wonderful. Ran it in 
audit mode for a few months, created the rules and whitelists and put it in 
deny mode. Very smooth and worked wonderfully. It stopped a tremendous amount 
of malware that does not require admin rights...that hits the users' profile 
folders. I cried when they discontinued it.

I think anything that is going to work and be manageable has to be modeled 
after how Cisco did it. It was extremely detailed and granular yet still easy 
to configure. You could allow a process to hit a certain registry key when only 
run by a certain user on Tuesdays IF they had on blue underwear. It was that 
granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10 years ago,
the ratio of good code versus malware was perhaps 90 good, 10 bad. In that
scenario, it makes sense to keep the bad code out. But over the last 10 years,
with automated malware variant generation, the tables have turned, and there is
actually more malware than good code out there. So in -that- scenario it might
make sense to only allow good code and implement application control. Only that
which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!
 
 Warm regards,
 
 Stu
 



RE: Whitelisting Pros & Cons?

2011-11-14 Thread Mayo, Bill
Personally, I found the underwear sensor uncomfortable.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, November 14, 2011 1:02 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I am a huge fan of this tactic and I suspect the day will come when we
seriously consider doing it for email and web surfing also. We were a
full Cisco CAS shop here, districtwide 3000 desktops. It was wonderful.
Ran it in audit mode for a few months, created the rules and
whitelists and put it in deny mode. Very smooth and worked wonderfully.
It stopped a tremendous amount of malware that does not require admin
rights...that hits the users' profile folders. I cried when they
discontinued it.

I think anything that is going to work and be manageable has to be
modeled after how Cisco did it. It was extremely detailed and granular
yet still easy to configure. You could allow a process to hit a certain
registry key when only run by a certain user on Tuesdays IF they had on
blue underwear. It was that granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10
years ago, the ratio of good code versus malware was perhaps 90 good, 10
bad. In that scenario, it makes sense to keep the bad code out. But
over the last 10 years, with automated malware variant generation, the
tables have turned, and there is actually more malware than good code
out there. So in -that- scenario it might make sense to only allow good
code and implement application control. Only that which is allowed will
run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some
other type of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and
hates are all welcome !!
 
 Warm regards,
 
 Stu
 



RE: Whitelisting Pros & Cons?

2011-11-14 Thread Maglinger, Paul
That's not where you're supposed to put the antenna.

-Original Message-
From: Mayo, Bill [mailto:bem...@pittcountync.gov] 
Sent: Monday, November 14, 2011 12:06 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Personally, I found the underwear sensor uncomfortable.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, November 14, 2011 1:02 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I am a huge fan of this tactic and I suspect the day will come when we
seriously consider doing it for email and web surfing also. We were a
full Cisco CAS shop here, districtwide 3000 desktops. It was wonderful.
Ran it in audit mode for a few months, created the rules and
whitelists and put it in deny mode. Very smooth and worked wonderfully.
It stopped a tremendous amount of malware that does not require admin
rights...that hits the users' profile folders. I cried when they
discontinued it.

I think anything that is going to work and be manageable has to be
modeled after how Cisco did it. It was extremely detailed and granular
yet still easy to configure. You could allow a process to hit a certain
registry key when only run by a certain user on Tuesdays IF they had on
blue underwear. It was that granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10
years ago, the ratio of good code versus malware was perhaps 90 good, 10
bad. In that scenario, it makes sense to keep the bad code out. But
over the last 10 years, with automated malware variant generation, the
tables have turned, and there is actually more malware than good code
out there. So in -that- scenario it might make sense to only allow good
code and implement application control. Only that which is allowed will
run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some
other type of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and
hates are all welcome !!
 
 Warm regards,
 
 Stu
 



RE: Whitelisting Pros & Cons?

2011-11-14 Thread Michael B. Smith
I've used Cisco's CSA. It's a little fiddly to get set up at first, but after 
that - no problems and it does a great job.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:15 AM
To: NT System Admin Issues
Subject: Whitelisting Pros & Cons?

Guys, I am writing an article for WServerNews, and would like your public input.

What is your experience with Whitelisting, which products you tried/use, and
what experience you are having with this, likes and hates are all welcome !!

Warm regards,

Stu



WAS: Whitelisting Pros & Cons? - Application Control - Pros & Cons

2011-11-14 Thread Stu Sjouwerman
OK, so I'm clarifying the subject. Whitelisting is also called Application 
Control. See it as an additional security layer that allows you to just ALLOW a 
limited number of approved applications. It's the ultimate lockdown. Also, you 
could switch off your antivirus Real Time protection and only use it for 
removal. 

Anyone use this in their domain? Experience with this??

Warm regards,

Stu 


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, November 14, 2011 1:02 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I am a huge fan of this tactic and I suspect the day will come when we 
seriously consider doing it for email and web surfing also. We were a full 
Cisco CAS shop here, districtwide 3000 desktops. It was wonderful. Ran it in 
audit mode for a few months, created the rules and whitelists and put it in 
deny mode. Very smooth and worked wonderfully. It stopped a tremendous amount 
of malware that does not require admin rights...that hits the users' profile 
folders. I cried when they discontinued it.

I think anything that is going to work and be manageable has to be modeled 
after how Cisco did it. It was extremely detailed and granular yet still easy 
to configure. You could allow a process to hit a certain registry key when only 
run by a certain user on Tuesdays IF they had on blue underwear. It was that 
granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10 years ago, 
the ratio of good code versus malware was perhaps 90 good, 10 bad. In that 
scenario, it makes sense to keep the bad code out. But over the last 10 years, 
with automated malware variant generation, the tables have turned, and there is 
actually more malware than good code out there. So in -that- scenario it might 
make sense to only allow good code and implement application control. Only that 
which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!
 
 Warm regards,
 
 Stu
 



Re: WAS: Whitelisting Pros & Cons? - Application Control - Pros & Cons

2011-11-14 Thread Rankin, James R
Turned off AV realtime in my last job because it was serving no purpose. 
AppSense AM caught huge amounts of malware before it even could execute. Trend 
was literally doing nothing. However, we had to crank up the monitoring through 
SCOM to ensure the AM service never went down.

Sent from my SR-71 Blackbird

-Original Message-
From: Stu Sjouwerman s...@sunbelt-software.com
Date: Mon, 14 Nov 2011 14:22:52 
To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: WAS: Whitelisting Pros & Cons? - Application Control - Pros & Cons

OK, so I'm clarifying the subject. Whitelisting is also called Application 
Control. See it as an additional security layer that allows you to just ALLOW a 
limited number of approved applications. It's the ultimate lockdown. Also, you 
could switch off your antivirus Real Time protection and only use it for 
removal. 

Anyone use this in their domain? Experience with this??

Warm regards,

Stu 


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, November 14, 2011 1:02 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I am a huge fan of this tactic and I suspect the day will come when we 
seriously consider doing it for email and web surfing also. We were a full 
Cisco CAS shop here, districtwide 3000 desktops. It was wonderful. Ran it in 
audit mode for a few months, created the rules and whitelists and put it in 
deny mode. Very smooth and worked wonderfully. It stopped a tremendous amount 
of malware that does not require admin rights...that hits the users' profile 
folders. I cried when they discontinued it.

I think anything that is going to work and be manageable has to be modeled 
after how Cisco did it. It was extremely detailed and granular yet still easy 
to configure. You could allow a process to hit a certain registry key when only 
run by a certain user on Tuesdays IF they had on blue underwear. It was that 
granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10 years ago, 
the ratio of good code versus malware was perhaps 90 good, 10 bad. In that 
scenario, it makes sense to keep the bad code out. But over the last 10 years, 
with automated malware variant generation, the tables have turned, and there is 
actually more malware than good code out there. So in -that- scenario it might 
make sense to only allow good code and implement application control. Only that 
which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!
 
 Warm regards,
 
 Stu
 

Re: WAS: Whitelisting Pros & Cons? - Application Control - Pros & Cons

2011-11-14 Thread Rankin, James R
AppSense AM also blocks nastiness in URLs and some executable elements of web 
pages, PDFs, office documents and much more besides. Watching it operate in the 
Audit Only mode truly opens your eyes to the tons of executable content users 
are running every day.

Sent from my SR-71 Blackbird

-Original Message-
From: Stu Sjouwerman s...@sunbelt-software.com
Date: Mon, 14 Nov 2011 14:22:52 
To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: WAS: Whitelisting Pros & Cons? - Application Control - Pros & Cons

OK, so I'm clarifying the subject. Whitelisting is also called Application 
Control. See it as an additional security layer that allows you to just ALLOW a 
limited number of approved applications. It's the ultimate lockdown. Also, you 
could switch off your antivirus Real Time protection and only use it for 
removal. 

Anyone use this in their domain? Experience with this??

Warm regards,

Stu 


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, November 14, 2011 1:02 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I am a huge fan of this tactic and I suspect the day will come when we 
seriously consider doing it for email and web surfing also. We were a full 
Cisco CAS shop here, districtwide 3000 desktops. It was wonderful. Ran it in 
audit mode for a few months, created the rules and whitelists and put it in 
deny mode. Very smooth and worked wonderfully. It stopped a tremendous amount 
of malware that does not require admin rights...that hits the users' profile 
folders. I cried when they discontinued it.

I think anything that is going to work and be manageable has to be modeled 
after how Cisco did it. It was extremely detailed and granular yet still easy 
to configure. You could allow a process to hit a certain registry key when only 
run by a certain user on Tuesdays IF they had on blue underwear. It was that 
granular.


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:48 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I'm referring to Whitelisting in the context of security. About 10 years ago, 
the ratio of good code versus malware was perhaps 90 good, 10 bad. In that 
scenario, it makes sense to keep the bad code out. But over the last 10 years, 
with automated malware variant generation, the tables have turned, and there is 
actually more malware than good code out there. So in -that- scenario it might 
make sense to only allow good code and implement application control. Only that 
which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu 

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type 
of whitelisting?


--Matt Ross
Ephrata School District


- Original Message -
From: Stu Sjouwerman
[mailto:s...@sunbelt-software.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011
08:14:57 -0800
Subject: Whitelisting Pros & Cons?


 Guys, I am writing an article for WServerNews, and would like your 
 public input.
 
 What is your experience with Whitelisting, which products you 
 tried/use, and what experience you are having with this, likes and hates are 
 all welcome !!
 
 Warm regards,
 
 Stu
 

RE: Whitelisting Pros & Cons?

2011-11-14 Thread Ziots, Edward
Too bad it's retired now... 

CSA was definitely good when it was set up, but the amount of rules you
needed to write to allow crap software to run basically turns a lot of
HIPS into Swiss cheese after a while. (But it also shows you how bad
code is written.) 

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505


From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Monday, November 14, 2011 2:19 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

I've used Cisco's CSA. It's a little fiddly to get set up at first, but
after that - no problems and it does a great job.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Monday, November 14, 2011 11:15 AM
To: NT System Admin Issues
Subject: Whitelisting Pros & Cons?

Guys, I am writing an article for WServerNews, and would like your
public input.

What is your experience with Whitelisting, which products you tried/use,
and what experience you are having with this, likes and hates are all
welcome !!

Warm regards,

Stu

