Re: Lumension Intelligent Whitelisting
Don't think it works with the latest versions of XenApp, although it is a good six months or so since I came across this issue and may have been updated.

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-----Original Message-----
From: Richard Stovall rich...@gmail.com
Date: Mon, 7 Jan 2013 16:18:44
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Lumension Intelligent Whitelisting

Anyone out there using Lumension products? I'm particularly interested in the Intelligent Whitelisting bundle that includes patching, A/V and application whitelisting. Any experiences or thoughts you wouldn't mind sharing?

Thanks,
RS

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Whitelisting
Yup. The EICAR[1] string is a good example as well. In notepad, it's 68 ASCII characters. In DOS, it's an executable. So is it code or is it text?

[1] http://eicar.org/85-0-Download.html

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Wednesday, April 18, 2012 12:31 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Actually, to make this point better:

If I open a certain set of 0s and 1s in notepad.exe, it just displays the ASCII/Unicode character representation of those 1s and 0s on the screen.

If I open the same set of 0s and 1s in cscript.exe, then certain other actions get performed on the system.

The above is a fairly clear distinction, but there are plenty of scenarios that grey the boundary far more. As far as I'm concerned, it is very difficult to distinguish between data and code, except in the simplest of cases.

Cheers
Ken

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, 17 April 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

The first statement is wrong - there is no difference between data and code - they are just ones and zeros.

Now, an application can tell an OS that certain memory addresses contain code that should not be executed. But some other application, loading exactly the same ones and zeros, can tell the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

*Data is code. Code is data. They're both strings of 1's and 0's.*

No, they are most certainly not the same.
Re: Whitelisting
Yes, code and data is all about context. Code can be considered data if you take it out of the context where it can be run. If data cannot be executed, it is not code.

The beauty of whitelisting applications (as a concept) is that you don't care about things that aren't running, as they can't do anything to you until they CAN run. A set of 0s and 1s opened in notepad is no problem to me until that set of 0s and 1s can run in some manner. While I can certainly elect to do so, I don't *need* to use any computational power to address an inert set of 0s and 1s. If notepad has a buffer overflow vulnerability, as an example, then I still don't need to expend a lot of concern about that set of 0s and 1s if I don't want to. I only have to worry about what new processes it can spawn.

Yes, it is technically possible that for a given executable, one could totally co-opt it to make it a malignant executable without the need for any other, but this is extremely difficult, which is why it is not regularly done. That's an extreme edge case, AND it's an edge case that is not any better addressed by a blacklisting solution in a zero-day scenario, whereas the most likely scenario of the compromised executable calling down new processes *is* trapped adequately by whitelisting.

If you believe that the value of this class of protection is not worth the pain of managing the whitelisting solutions, then so be it. I cannot tell you where to draw the cost/benefit line. But I'm opting for any solution which better handles an entire class of real and prevalent threats than the standard solution, and which will only get better as the disparity between the size of blacklists and whitelists grows.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Wed, Apr 18, 2012 at 1:31 AM, Ken Schaefer k...@adopenstatic.com wrote:

[quoted text identical to the Ken Schaefer / Andrew S. Baker exchange reproduced in the message above]
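The decision model Andrew describes (nothing runs until it has been approved, so anything unknown, a zero-day included, stays stopped, while a blacklist can only stop what it already recognises), as an added example in PowerShell. This is not code from the thread or from any product named in it: the three files, their contents and the list entries are constructed for the demo, and the Test-BlocklistPermits / Test-AllowlistPermits functions and the $BlockList / $AllowList tables are this example's stand-in for a real policy engine's hash rules. Nothing here changes any real policy on the machine.

```powershell
# Added example (not from the thread). Models the decision each approach makes
# about three constructed files, using SHA-256 file hashes the way hash-rule
# whitelisting does. File names, contents and list entries are made up.

$lab = Join-Path $env:TEMP 'allowlist-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null

# Constructed stand-ins for binaries. Their bytes are arbitrary text; only
# their hashes matter to the two policies.
Set-Content -Path (Join-Path $lab 'approved.exe') -Value 'build the admin reviewed and approved'
Set-Content -Path (Join-Path $lab 'knownbad.exe') -Value 'sample already in the AV vendor database'
Set-Content -Path (Join-Path $lab 'zeroday.exe')  -Value 'never seen by anyone before today'

function Get-Sha256Hex {
    param([string]$Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# The blocklist has to contain every bad thing in the world to be complete;
# the allowlist only has to contain what this environment chose to run.
$BlockList = @{ (Get-Sha256Hex (Join-Path $lab 'knownbad.exe')) = 'Sample.Constructed' }
$AllowList = @{ (Get-Sha256Hex (Join-Path $lab 'approved.exe')) = 'approved.exe 1.0' }

function Test-BlocklistPermits {
    # Blocklist semantics: run unless recognised as bad.
    param([string]$Path)
    -not $BlockList.ContainsKey((Get-Sha256Hex $Path))
}

function Test-AllowlistPermits {
    # Allowlist semantics: run only if explicitly approved.
    param([string]$Path)
    $AllowList.ContainsKey((Get-Sha256Hex $Path))
}

# Decision table. The zero-day row is the whole argument: the blocklist has
# no entry for it and lets it run; the allowlist has no entry for it and
# stops it.
Get-ChildItem -Path $lab -Filter *.exe | ForEach-Object {
    [pscustomobject]@{
        File             = $_.Name
        BlocklistPermits = Test-BlocklistPermits $_.FullName
        AllowlistPermits = Test-AllowlistPermits $_.FullName
    }
} | Format-Table -AutoSize

# Reading the same bytes as data is not an execution event, so neither
# policy is consulted: this is the "inert set of 0s and 1s" in the thread.
Get-Content -Path (Join-Path $lab 'zeroday.exe')
```

Run it in Windows PowerShell 5.1 or PowerShell 7. The table comes out as approved.exe True/True, knownbad.exe False/False and zeroday.exe True/False; the last row is the zero-day case Andrew refers to. Two practical consequences follow from the shape of the two tables: approving a patched build costs the allowlist one new hash, whereas the blocklist needs an entry per variant it will ever see; and the allowlist itself becomes the trust anchor, so whatever feeds it (a local policy file, a vendor's cloud hash service) needs integrity protection and a reviewed change process, since an entry inserted by an attacker is indistinguishable from an approved one.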
Re: Whitelisting
*Surely that's entirely dependent on the application that is hosting the script to support such functionality?*

I thought we were talking about the *principle* of whitelisting vs blacklisting, not necessarily specific implementations... If an application or OS does not support it, it cannot be implemented. But, to the extent that it becomes enough of a burden, alternatives will be pursued, whether that means new apps or a whole new OS.

Microsoft Office suffered from a tremendous number of macro virus issues. These have largely diminished -- and not due to blacklisting. Adobe Acrobat and Flash are key vectors today. Either Adobe will make it easier to control these types of issues, or people will find alternatives to their products. They've already begun to take some steps, but much of the damage has been done.

*I get your point that you can close off loopholes. But I fear that it's just another "whack a mole" exercise. Threats will still be there, but we now have the relatively large overhead of whitelisting.*

Such is the nature of information security. We chase on many levels, and we try to get ahead on some levels. Threats do remain, but with better education, tools and practices, we are better able to manage our risks. Whitelisting is ultimately a better approach for most issues than is blacklisting, even though blacklisting has provided significant benefits over time, because at some point there is too much overhead to track all of the bad, and it is easier to track all of the good.

*Tools like IPSec (for whitelisting network traffic) have existed for years. Yet hardly anyone is using it. It's just too hard to implement and maintain. I see the same with applications (except in the smallest of environments)*

The pain of blacklisting is not felt by all -- but it is growing. Yes, some of the tools are hard to use or limited in scope. Like everything else, the tipping point has to be crossed for most people to want to embrace a different approach, and then when more vendors and administrators are using that approach, the tools get simpler, more robust, and more affordable.

Regardless of the level of difficulty inherent in many of the implementations *today*, the concept of whitelisting is better than the concept of blacklisting once the number of items that one has to blacklist becomes massive and/or the items on the list need to change frequently. That's all this discussion is about. We came to that conclusion years ago with firewall rules, and it has been to our collective benefit. We're going to continue to see more problems managing today's blacklists, and greater effort put into not having to do that. Yes, the bad guys will move on to something else, because that's what they do, but we will better be able to manage that entire class of threat.

Regards,

ASB
http://about.me/Andrew.S.Baker
Solutions Architect -- InfoSec Infrastructure

On Wed, Apr 18, 2012 at 1:28 AM, Ken Schaefer k...@adopenstatic.com wrote:

[quoted text identical to Ken Schaefer's "RE: Whitelisting" message ("Surely that's entirely dependent...") and the Andrew S. Baker / Ken Schaefer exchange it carries, both reproduced in full elsewhere on this page]
RE: Whitelisting
Way back when I was in app dev, there was a popular programming technique called data driven programming. You would take chunks of code specific to the user or app module and store the code in a database. Then every time for that user or app module the code would be read from the database and executed. Code meets data and data meets code. Back then it made for very customizable software but you paid for it on the execution side.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Subject: Re: Whitelisting

Yes, code and data is all about context. Code can be considered data if you take it out of the context where it can be run. If data cannot be executed, it is not code.
RE: Whitelisting
Snippets are still widely used, perhaps more widely used today than in the past, as the hardware has become faster and faster.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, April 18, 2012 7:41 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

[quoted text identical to Carl Webster's message reproduced above]
Re: Whitelisting
Only during logons, otherwise it's disallowed.

On 16 April 2012 17:04, Ben Scott mailvor...@gmail.com wrote:

On Mon, Apr 16, 2012 at 10:21 AM, Alex Eckelberry al...@eckelberry.com wrote:

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

I expect you whitelist CMD.EXE, no?

-- Ben

--
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and received via this account for the purposes of ensuring compliance with anyone's policies and procedures. I am pretty sure that somewhere in UK legislation there is some politically-correct drivel that stipulates I must never send or store e-mails or attachments that are obscene, indecent, sexist, racist, defamatory, abusive, in breach of copyright, encrypted, amusing, overly long, slightly opinionated, anonymous, likely to harm animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent minority (such as extraterrestrial eggplants). Emails of this nature sent in or out of this account may be intercepted and stopped by the system, but it's a long shot. This being the UK, even if I was prosecuted for breach of said email guidelines, I'd probably walk with a suspended sentence anyway, but if I'd forgotten to pay my car insurance, I'd most certainly be hung, drawn and quartered.

I am not responsible for any changes made to the message after it has been sent, in more or less the same way that cyclozine manufacturers aren't responsible for drug addicts mixing it with methadone and overdosing, so I'm glad I cleared the confusion up there nice and early. Where opinions are expressed, they are not necessarily mine. However, I don't make a habit of expressing other people's opinions for them, so you shouldn't take that statement as an indication that I am in the business of providing an opinion-expressing service. In the event that I did, this discourse would provide no guarantee that I would do it anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended addressee, or the person responsible for delivering it to them, aside from the fact that you've clearly got some level of unauthorised access to their account or are at least engaged in some sort of fraud, I'm obliged to tell you that you may not copy, forward, disclose or otherwise use it or any part of it in any way. To do so may be unlawful, and as you're already breaking the law, I am sure that bombshell makes you quake in your boots and turn yourself over to law enforcement immediately. If you receive this e-mail by mistake, please advise the sender immediately. That would be me, and as I am clearly prone to sending emails to completely the wrong person, I should instantly be stripped of my status as a technical consultant and sent to do something more becoming of my stupidity, such as appearing on Big Brother, the X Factor or [insert country name here]'s Got Talent.
Re: Whitelisting
Yes, it can address that scenario.

You can sign the scripts you want to run, and disallow unsigned scripts.

Does whitelisting solve world hunger, cure cancer or find livable space on Mars? No. But it does address, more effectively, a huge range of threats that are inadequately addressed by the traditional blacklisting approach of current AV products. It's even used within Windows directly to make the OS more secure. As a result, I will continue to use and recommend it to reduce my threat landscape, leaving more time to intelligently address the threats that it does not handle well.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com wrote:

Let's try another one: I use an exploit (or even just VBA automation) in Word to password protect all your files. You need to pay me to get them back (or maybe I don't care whether you get them back, I just like inflicting pain - aka like most mass market viruses).

Does whitelisting address this scenario? No. Are exploits just going to move from the problem space solved by whitelisting and to a new area that is not addressed by this technology? Yes.

It's just like spam (and every other area where we have a constantly escalated war of technology). Yet for some reason we don't seem to be learning that lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be fewer known good items that I want to run than known bad ones that I don't, not to mention all the unknown bad ones that I don't know about yet.

Managing the smaller list is *better*, not *perfect*.

I haven't missed the point. A flawed example is just that -- flawed. But, going beyond that and focusing on the principle itself, the blacklist is ALSO vulnerable to the same issue.

So, do you settle for us both sharing your example problem, plus you having a host of other ones that are greater than mine? Or do you acknowledge that the approach I favor creates a smaller attack surface area?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:

On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

A - Wouldn't work so nicely in 2008 and above, due to lack of elevated rights
B - Limited use infection (since it destroys itself)

You're missing the point. You're arguing against the example, rather than the principle. Namely: It's possible to use a whitelisted application as an attack vector.[1]

You're also making another mistake -- you're seeing protection of the system as an end, rather than a means. Nobody cares if the OS is intact if all the data is gone. We protect the OS because we use the OS to protect the assets, not just for the sake of having a protected OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e., trying to identify and exclude known bad software, is the better alternative.
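Andrew's "sign the scripts you want to run, and disallow unsigned scripts", as an added example in PowerShell rather than code from the thread: it uses PowerShell's own Authenticode script signing and the AllSigned execution policy, which is the built-in Windows mechanism for exactly this rule. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1 or newer in an elevated session on a lab machine (the LocalMachine certificate stores and policy scope need elevation); the certificate subject, folder, file names and script contents are constructed.

```powershell
# Added example (not from the thread). Enforces "only signed scripts run" with
# PowerShell's built-in Authenticode support and shows what the policy sees
# for a signed, an unsigned and a tampered script. Lab machine only.

$lab = Join-Path $env:TEMP 'signed-scripts-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$previousPolicy = Get-ExecutionPolicy -Scope LocalMachine

# 1. A code-signing certificate. In production this comes from the internal
#    CA so every machine already trusts it; self-signed here so the example
#    stands alone. Subject name is constructed.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Lab Script Signing (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Trust it. AllSigned requires the signer to chain to a trusted root and,
#    to run without a prompt, to be a trusted publisher.
$cerPath = Join-Path $lab 'lab-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Three scripts: one approved and signed, one never signed (standing in
#    for anything dropped on the box), one modified after signing.
$approved = Join-Path $lab 'Deploy-Approved.ps1'
$unsigned = Join-Path $lab 'Dropped-Unsigned.ps1'
$tampered = Join-Path $lab 'Deploy-Tampered.ps1'

Set-Content -Path $approved -Value 'Write-Output "approved deployment script ran"'
Set-Content -Path $unsigned -Value 'Write-Output "unsigned script ran"'
Set-AuthenticodeSignature -FilePath $approved -Certificate $cert | Out-Null

# Any change to the signed body invalidates the signature: the signature
# block at the end of the file still describes the original content.
$body = Get-Content -Path $approved
Set-Content -Path $tampered -Value (@('Write-Output "line inserted after signing"') + $body)

# 4. Policy: only signed scripts run. (RemoteSigned would still run local
#    unsigned scripts, which is why it does not implement Andrew's rule.)
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 5. What the policy sees for each file. Expected statuses: Valid,
#    NotSigned, HashMismatch. Only the first will execute under AllSigned.
foreach ($script in $approved, $unsigned, $tampered) {
    $sig = Get-AuthenticodeSignature -FilePath $script
    [pscustomobject]@{
        Script = Split-Path -Path $script -Leaf
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    }
}

# The approved script runs under the policy; the other two would be refused.
& $approved

# Put the lab machine's previous policy back.
Set-ExecutionPolicy -ExecutionPolicy $previousPolicy -Scope LocalMachine -Force
```

Two caveats worth keeping in mind when reading the output. AllSigned governs only what the PowerShell engine will load; cscript.exe, cmd.exe and other hosts need their own controls (the application whitelisting the thread is about), so this covers one script host, not the whole machine. And, as Ben's point about a whitelisted cmd.exe makes clear, the check happens at load time: a validly signed script that takes untrusted input is still an approved program and is only as safe as its own handling of that input.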
RE: Whitelisting
I wrote a white paper about whitelisting from the perspective of a system admin. If you are interested, here is a link to the PDF: https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf

Warm regards,

Stu

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, April 17, 2012 7:10 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

[quoted text identical to Andrew S. Baker's "Re: Whitelisting" message ("Yes, it can address that scenario.") reproduced in full above]
Re: Whitelisting
What a cool way to subvert lots of machines at once! Hack the cloud, and insert your own hashes. I like it...

Kurt

On Tue, Apr 17, 2012 at 08:41, Stu Sjouwerman s...@sunbelt-software.com wrote:

[quoted text identical to Stu Sjouwerman's message and the Andrew S. Baker thread it carries, reproduced in full above]
RE: Whitelisting
Surely that's entirely dependent on the application that is hosting the script to support such functionality? If I develop an arbitrary application, KensSuperCADProgram, and I provide a basic IDE that allows users to develop custom extensions/actions, then your whitelisting application isn't going to know anything about it (unless it's been specifically coded to examine KensSuperCADProgram extensions).

I get your point that you can close off loopholes. But I fear that it's just another whack-a-mole exercise. Threats will still be there, but we now have the relatively large overhead of whitelisting.

Tools like IPSec (for whitelisting network traffic) have existed for years. Yet hardly anyone is using it. It's just too hard to implement and maintain. I see the same with applications (except in the smallest of environments).

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 7:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

> Yes, it can address that scenario. You can sign the scripts you want to run, and disallow unsigned scripts.
>
> Does whitelisting solve world hunger, cure cancer or find livable space on Mars? No. But it does address, more effectively, a huge range of threats that are inadequately addressed by the traditional blacklisting approach of current AV products. It's even used within Windows directly to make the OS more secure.
>
> As a result, I will continue to use and recommend it to reduce my threat landscape, leaving more time to intelligently address the threats that it does not handle well.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market...
>
> On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer k...@adopenstatic.com wrote:
>> Let's try another one: I use an exploit (or even just VBA automation) in Word to password protect all your files. You need to pay me to get them back (or maybe I don't care whether you get them back, I just like inflicting pain - aka like most mass market viruses).
>>
>> Does whitelisting address this scenario? No.
>>
>> Are exploits just going to move from the problem space solved by whitelisting to a new area that is not addressed by this technology? Yes.
>>
>> It's just like spam (and every other area where we have a constantly escalated war of technology). Yet for some reason we don't seem to be learning that lesson.
>>
>> Cheers
>> Ken
>>
>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>> Sent: Tuesday, 17 April 2012 11:07 AM
>> To: NT System Admin Issues
>> Subject: Re: Whitelisting
>>
>>> For any given environment, there will be fewer known good items that I want to run than known bad ones that I don't, not to mention all the unknown bad ones that I don't know about yet. Managing the smaller list is *better*, not *perfect*.
>>>
>>> I haven't missed the point. A flawed example is just that -- flawed. But, going beyond that and focusing on the principle itself, the blacklist is ALSO vulnerable to the same issue.
>>>
>>> So, do you settle for us both sharing your example problem, plus you having a host of other ones that are greater than mine? Or do you acknowledge that the approach I favor creates a smaller attack surface area?
>>>
>>> ASB
>>> http://XeeMe.com/AndrewBaker
>>> Harnessing the Advantages of Technology for the SMB market...
>>>
>>> On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:
>>>> On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
>>>>> If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.
>>>>>
>>>>>> CMD /C DEL C:\*.* /S /Q /F /A
>>>>>
>>>>> A - Wouldn't work so nicely in 2008 and above, due to lack of elevated rights
>>>>> B - Limited use infection (since it destroys itself)
>>>>
>>>> You're missing the point. You're arguing against the example, rather than the principle. Namely: It's possible to use a whitelisted application as an attack vector.[1]
>>>>
>>>> You're also making another mistake -- you're seeing protection of the system as an end, rather than a means. Nobody cares if the OS is intact if all the data is gone. We protect the OS because we use the OS to protect the assets, not just for the sake of having a protected OS.
>>>>
>>>> -- Ben
>>>>
>>>> [1] To the original question: This doesn't mean blacklisting, i.e., trying to identify and exclude known bad software, is the better alternative.
RE: Whitelisting
Actually, to make this point better:

If I open a certain set of 0s and 1s in notepad.exe, it just displays the ASCII/Unicode character representation of those 1s and 0s on the screen.

If I open the same set of 0s and 1s in cscript.exe, then certain other actions get performed on the system.

The above is a fairly clear distinction, but there are plenty of scenarios that grey the boundary far more. As far as I'm concerned, it is very difficult to distinguish between data and code, except in the simplest of cases.

Cheers
Ken

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, 17 April 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

> The first statement is wrong - there is no difference between data and code - they are just ones and zeros.
>
> Now, an application can tell an OS that certain memory addresses contain code that should not be executed. But some other application, loading exactly the same ones and zeros, can tell the OS that it should be executable.
>
> Cheers
> Ken
>
> From: Andrew S. Baker [mailto:asbz...@gmail.com]
> Sent: Tuesday, 17 April 2012 2:28 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
>>> Data is code. Code is data. They're both strings of 1's and 0's.
>>
>> No, they are most certainly not the same.
Re: Whitelisting
On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: Whitelisting
>
>> On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
>>> For the SOHO end user, the vast bulk of infections are either:
>>> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
>>> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>>>
>>> How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.
>>
>> Simple - they won't have to worry about file.doc.exe (or VBS|JS|JAR|DLL|etc) embedded in their emails, or the random executables from the various web sites that either are deliberately set up, or have been subverted, to issue malware. Those are actually the larger threat, AFAICT.
>
> So, it doesn't help with any exploits of existing apps, browser plug-ins etc.
>
> And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that BritnesSpearsNaked.exe is actually a legitimate file, and then tells his WhiteListing application that it should be added to the white list, then it'll still run. And Joe User will still be screwed.
>
> And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded that it's from his good Nigerian Prince friend Joanne User, and runs it, and tells his WhiteListing application that it should be added to the white list, then it'll still run fine.
>
> We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, that warn users that the application might be something bad. Yet users still allow these applications to run. With Whitelisting, you are also requiring that the user decide what is legitimate and what is not. And users will continue to be socially engineered into believing that malware are legitimate files. Just like today.
>
>>> Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.
>>
>> Bummer for them. Opportunity for those who can, and who can help them.
>
> Perhaps. Or maybe there's no ROI developing the feature in the first place. Or maybe exploits will just move to another area (Excel, Access application etc) that whitelisting doesn't cover.

You're not addressing the point at all. Whitelisting helps those who help themselves (corporately or individually). Think of it as evolution in action.

After that, then yes, bad data is a problem. But bad data is the smaller problem. That *is* the point.

To drive the point home - If I had to choose between whitelisting applications and blacklisting data, I'd choose whitelisting applications, every time. I'll still have some risk in my environment, but that's, to me, acceptable.

Kurt
RE: Whitelisting
> To drive the point home - If I had to choose between whitelisting applications and blacklisting data, I'd choose whitelisting applications, every time.

Why would you have to make a choice? They are not mutually exclusive options.

To drive the point home - those words do not mean what I think you believe they mean.

> Whitelisting helps those who help themselves (corporately or individually). Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital signatures, signed kernel mode code etc. can be used to verify that software you are running is mostly legitimate.

The tools already exist for whitelisting applications running on your home computer - even Windows includes Software Restriction Policies, Applocker etc, but I doubt you've implemented it - it's simply too much hassle to create a digital signature of each and every single executable you want to allow, and then restrict each and every .dll or resource file that the .exe is allowed to load into its process space, and then also ensure that every application doesn't provide some shared memory space or other way for code to end up inside the permitted process.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 2:14 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

> [...]
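The Software Restriction Policies / AppLocker tooling Ken refers to can be driven from PowerShell. The following is an added example, not code from the thread or from any product it names: it inventories a directory of known-good software, generates publisher rules (one per signer) with hash rules only as a fallback for unsigned files, and then asks AppLocker what it would decide for a few candidate files before anything is enforced. The trusted directories, the candidate paths (constructed from the thread's hypothetical file names) and the policy output location are assumptions.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from
# known-good software and dry-run candidate files against it before enforcing.
# Needs the AppLocker PowerShell module; whether the policy is enforced at
# run time depends on the Windows edition.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Assumption: everything users legitimately need is installed under these paths.
$trustedDirs = @('C:\Program Files', 'C:\Program Files (x86)')

# Assumption: constructed candidates named after the thread's hypotheticals,
# plus one Microsoft-signed Windows binary that a publisher rule should allow.
$candidates = @(
    'C:\Users\Joe\Downloads\BritnesSpearsNaked.exe',
    'C:\Users\Joe\Downloads\CheckOutDancingPigs.vbs',
    'C:\Windows\System32\notepad.exe'
)
$policyPath = Join-Path $env:TEMP 'known-good-policy.xml'

# 1. Inventory executables and scripts in the trusted locations. For signed
#    files the publisher (certificate subject, product, binary name) is
#    recorded, so one rule covers every version from that signer instead of
#    one hash per file, which is the maintenance burden the thread describes.
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Generate rules: publisher rules where a signature exists, hash rules
#    otherwise. -Optimize merges files from the same publisher into one rule.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix KnownGood -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. Dry run: ask AppLocker what the policy would decide for each candidate.
#    Anything not matched by an allow rule falls to the default deny of an
#    allow-list, which is what happens to an unsigned download or e-mail script
#    regardless of what the user was persuaded to believe about it.
foreach ($file in $candidates) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Host ('{0,-55} not present, skipped' -f $file)
        continue
    }
    $result = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $file -User Everyone
    Write-Host ('{0,-55} {1}' -f $file, $result.PolicyDecision)
}

# 4. Deploy in audit mode first: set EnforcementMode="AuditOnly" on each
#    RuleCollection in the XML, apply it, and watch the AppLocker event log
#    (Event ID 8003 for EXE/DLL and 8006 for scripts/MSI mean "would have been
#    blocked") until the rule set is tuned; only then switch to "Enabled".
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The audit-mode pass is what turns the "whack-a-mole" objection into a measurable list: every 8003/8006 event is either a missing legitimate application to add a publisher rule for, or an execution attempt that should indeed be blocked.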
RE: Whitelisting
One of the things I see mentioned below is the malicious browser based attacks (BHOs, malicious JavaScript, etc etc) and that is one area of weakness I see in the whitelisting solution. Other than that I agree it's the right way to go.

Being on the other side of blacklisting, HIPS etc etc, it is a diminishing return over time when you have to write rule after rule to allow software to do things that aren't good coding practices, or worse, just to get the software to run.

The other thing I would feel might be a weakness in the whitelisting solution is if I allow a piece of software to run, and that software runs as a service and that service is remotely exploitable, then I can usurp the computer or any computer running that software, because I have exploited a trusted process. Again, how can the whitelisting solution protect you from what you already have trusted if it's flawed? Again, layers of defense are still a valid argument here.

Z

Edward Ziots
CISSP, Security+, Network+
Security Engineer
Lifespan Organization
ezi...@lifespan.org

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 2:24 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

> [...]
Re: Whitelisting
An example of using whitelisting technologies in the enterprise:
http://appsensebigot.blogspot.co.uk/2012/03/replacing-your-antivirus-software-with.html

On 16 April 2012 12:46, Ziots, Edward ezi...@lifespan.org wrote:
> [...]
RE: Whitelisting
> But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm.

There will always be code executed, in some form or another (unless I'm misunderstanding your point).

Alex

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

> Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.
>
> Sent from my Windows Phone
>
> From: Andrew S. Baker
> Sent: 4/15/2012 1:08 PM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
>> You can't. :)
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Harnessing the Advantages of Technology for the SMB market.
>>
>> On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:
>>> How do you blacklist all possible bad data files?
>>>
>>> --Original Message--
>>> From: Crawford, Scott
>>> To: NT System Admin Issues
>>> ReplyTo: NT System Admin Issues
>>> Subject: RE: Whitelisting
>>> Sent: 14 Apr 2012 18:02
>>>
>>>> A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.
>>>>
>>>> -----Original Message-----
>>>> From: Alex Eckelberry [mailto:a...@eckelberry.com]
>>>> Sent: Saturday, April 14, 2012 10:10 AM
>>>> To: NT System Admin Issues
>>>> Subject: Whitelisting
>>>>
>>>>> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>>>>>
>>>>> Thoughts?
RE: Whitelisting
> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>
> How will whitelisting help the above type of user?

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

This would also apply to social engineering. If your company has a whitelisting solution in place, code that is not approved won't run. So the user can download the stupid game they love, but in the end, they won't be able to run it.

A good whitelisting application has a massive repository of good files, and the ability to train the system by the admin, not the end-user.

Alex

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

> For the SOHO end user, the vast bulk of infections are either:
> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>
> How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.
>
> For corporate users, does whitelisting help significantly? I'm not sure that large organisations have the necessary processes in place to implement whitelisting. Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Monday, 16 April 2012 12:42 PM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
>> Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.
>>
>> Your point is taken that if application/executable whitelisting is good that malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input. And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files.
>>
>> I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye. None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.
>>
>> Kurt
>>
>> On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:
>>> Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.
>>>
>>> [...]
Re: Whitelisting
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection.

Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:
>> But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.
>
> I don’t understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it’s the executables that cause harm.
>
> There will always be code executed, in some form or another (unless I’m misunderstanding your point).
>
> Alex

--
http://appsensebigot.blogspot.co.uk
Re: Whitelisting
> I don’t understand how you can have an exploit in a data file resulting in anything else but code execution.

Exactly. We've had epic battles about this very point on more than one occasion, however, so...

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 10:19 AM, Alex Eckelberry al...@eckelberry.com wrote:
>> But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.
>
> I don’t understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it’s the executables that cause harm.
>
> There will always be code executed, in some form or another (unless I’m misunderstanding your point).
>
> Alex
RE: Whitelisting
A BHO is a DLL, in other words, a PE file. As is an OCX. These would be/should be covered by a competent whitelisting solution.

AFAIK, Javascript can't do much malicious in and of itself except crash your browser or do other weird stuff. Where it is malicious is when it can execute Windows code locally (or Mac code, if running on a Mac machine).

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Monday, April 16, 2012 7:47 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

> One of the things I see mentioned below is the malicious browser based attacks (BHOs, malicious JavaScript, etc etc) and that is one area of weakness I see in the whitelisting solution. Other than that I agree it’s the right way to go.
>
> Being on the other side of blacklisting, HIPS etc etc, it is a diminishing return over time when you have to write rule after rule to allow software to do things that aren't good coding practices, or worse, just to get the software to run.
>
> The other thing I would feel might be a weakness in the whitelisting solution is if I allow a piece of software to run, and that software runs as a service and that service is remotely exploitable, then I can usurp the computer or any computer running that software, because I have exploited a trusted process. Again, how can the whitelisting solution protect you from what you already have trusted if it's flawed? Again, layers of defense is still a valid argument here.
>
> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> -Original Message-
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Sent: Monday, April 16, 2012 2:24 AM
> To: NT System Admin Issues
> Subject: RE: Whitelisting
>
>> To drive the point home - If I had to choose between whitelisting applications and blacklisting data, I'd choose whitelisting applications, every time.
>>
>> Why would you have to make a choice? They are not mutually exclusive options.
>>
>> To drive the point home - those words do not mean what I think you believe they mean.
>>
>> Whitelisting helps those who help themselves (corporately or individually). Think of it as evolution in action.
>>
>> Those people generally don't run into problems in the first place. Digital signatures, signed kernel mode code etc. can be used to verify that software you are running is mostly legitimate. The tools already exist for whitelisting applications running on your home computer - even Windows includes Software Restriction Policies, AppLocker etc, but I doubt you've implemented it - it's simply too much hassle to create a digital signature of each and every single executable you want to allow, and then restrict each and every .dll or resource file that the .exe is allowed to load into its process space, and then also ensure that every application doesn't provide some shared memory space or other way for code to end up inside the permitted process.
>>
>> Cheers
>> Ken
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Monday, 16 April 2012 2:14 PM
>> To: NT System Admin Issues
>> Subject: Re: Whitelisting
>>
>>> On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
>>>> -Original Message-
>>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>>> Subject: Re: Whitelisting
>>>>
>>>>> On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
>>>>>> For the SOHO end user, the vast bulk of infections are either:
>>>>>> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
>>>>>> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>>>>>>
>>>>>> How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.
>>>>>
>>>>> Simple - they won't have to worry about file.doc.exe (or VBS|JS|JAR|DLL|etc) embedded in their emails, or the random executables from the various web sites either are deliberately set up, or have been subverted, to issue malware. Those are actually the larger threat, AFAICT.
>>>>
>>>> So, it doesn't help with any exploits of existing apps, browser plug ins etc.
>>>>
>>>> And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that BritnesSpearsNaked.exe is actually a legitimate file, and then tells his WhiteListing application that it should be added to the white list, then it'll still run. And Joe User will still be screwed.
>>>>
>>>> And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded that it's from his good Nigerian Prince friend Joanne User, and runs it, and tells his WhiteListing application that it should be added to the white list, then it'll still run fine.
>>>>
>>>> We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, that warn users that the application might be something bad. Yet users still allow
Re: Whitelisting
Yes, but if the bad data is used to perform a buffer overflow so that custom *code* can be executed to do nefarious acts, then that last step will fail because the custom malicious code is not authorized to run -- even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can be some management overhead depending on the implementation, but it addresses more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:
> Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection.
>
> Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?
Re: Whitelisting
Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code. This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still *greatly* reduced. (Read Only or Blocked Attack vs full system compromise)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:
> Ah yes, I recall this debate before. So it's not that if you used a Word exploit, for example, you could get winword.exe to do bad stuff under the context of that process - it would have to be remote code execution under its own badapp.exe - which even if you called it winword.exe would get caught by a hash value rule or check for signed code, am I thinking along the right lines?
Re: Whitelisting
Thanks for clarifying that

On 16 April 2012 16:25, Andrew S. Baker asbz...@gmail.com wrote:
> Here's one typical scenario:
>
> - WinWord.exe has a buffer overflow vulnerability.
> - WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
> - Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability
> - User opens bad data file, which exploits the vulnerability
>
> In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.
>
> In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code. This is a key benefit of whitelisting.
>
> Now, if the malware exploit only attempts to make use of existing files (CMD, etc) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still *greatly* reduced. (Read Only or Blocked Attack vs full system compromise)
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
Re: Whitelisting
On Mon, Apr 16, 2012 at 10:21 AM, Alex Eckelberry al...@eckelberry.com wrote:
> If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

I expect you whitelist CMD.EXE, no?

--
Ben
RE: Whitelisting
Data is harmless unless that data is actually formed in such a way to exploit a vulnerability in an application. If so, you've got a whitelisted application executing arbitrary code from a data file.

From: Alex Eckelberry [mailto:al...@eckelberry.com]
Sent: Monday, April 16, 2012 9:19 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

>> But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.
>
> I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm.
>
> There will always be code executed, in some form or another (unless I'm misunderstanding your point).
>
> Alex
RE: Whitelisting
Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

* WinWord.exe has a buffer overflow vulnerability.
* WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
* Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
* User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still greatly reduced. (Read Only or Blocked Attack vs full system compromise)

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

Ah yes, I recall this debate before. So it's not that if you used a Word exploit, for example, you could get winword.exe to do bad stuff under the context of that process - it would have to be remote code execution under its own badapp.exe - which even if you called it winword.exe would get caught by a hash value rule or check for signed code, am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

Yes, but if the bad data is used to perform a buffer overflow so that custom *code* can be executed to do nefarious acts, then that last step will fail because the custom malicious code is not authorized to run -- even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can be some management overhead depending on the implementation, but it addresses more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection. Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm. There will always be code executed, in some form or another (unless I'm misunderstanding your point).

Alex

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject
Re: Whitelisting
Because it is *data*. Data doesn't make calls. Code does. That's been the gist of the argument from the very beginning.

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
- User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still *greatly* reduced. (Read Only or Blocked Attack vs full system compromise)

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

Ah yes, I recall this debate before. So it's not that if you used a Word exploit, for example, you could get winword.exe to do bad stuff under the context of that process - it would have to be remote code execution under its own badapp.exe - which even if you called it winword.exe would get caught by a hash value rule or check for signed code, am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

Yes, but if the bad data is used to perform a buffer overflow so that custom *code* can be executed to do nefarious acts, then that last step will fail because the custom malicious code is not authorized to run -- even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can be some management overhead depending on the implementation, but it addresses more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection. Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm. There will always be code executed, in some form or another (unless I'm misunderstanding your point).

Alex

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16
RE: Whitelisting
Data is code. Code is data. They're both strings of 1's and 0's. The only difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data. Data doesn't make calls. Code does. That's been the gist of the argument from the very beginning.

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

* WinWord.exe has a buffer overflow vulnerability.
* WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
* Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
* User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still greatly reduced. (Read Only or Blocked Attack vs full system compromise)

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

Ah yes, I recall this debate before. So it's not that if you used a Word exploit, for example, you could get winword.exe to do bad stuff under the context of that process - it would have to be remote code execution under its own badapp.exe - which even if you called it winword.exe would get caught by a hash value rule or check for signed code, am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

Yes, but if the bad data is used to perform a buffer overflow so that custom *code* can be executed to do nefarious acts, then that last step will fail because the custom malicious code is not authorized to run -- even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can be some management overhead depending on the implementation, but it addresses more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection. Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm. There will always be code executed, in some form or another (unless I'm misunderstanding your
Re: Whitelisting
*Data is code. Code is data. They're both strings of 1's and 0's.*

No, they are most certainly not the same.

*The only difference is what is interpreting that string.*

And that's a huge difference.

*If data is data, how is it able to cause winword.exe to download a payload?*

Well, here's an oversimplification of how buffer overflows work:

1. An executable opens up a data file for manipulation.
2. Because the input buffer is not adequately validated, the data (which is larger than the area allowed by the buffer) ends up overwriting a critical area *of the host executable's execution area* with new 1s and 0s.
3. The code which should normally execute at the conclusion of the data input is now replaced by some code stub which will do what the attacker wants.
4. This allows the host executable to now do something else than originally intended (or crash, which is what happens more often than not).

Now, while this might seem like it gives one the ability to completely co-opt the functions of the host executable for one's own purpose, in practice, this is very, very hard to do for anything but the simplest functionality. If you overwrite too much code, you'll just cause the host to die, which is essentially a DoS attack. Instead, the common practice is to use this limited area that was overwritten to call down a more robust piece of malware to get more malignant work done. (Or, alternately, to make use of already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it was legitimately opening a data file which corrupted a portion of its application space because it did not properly validate its buffer space and thus protect itself. The initial action (File Open) is caused by a human. The DATA did not execute, but allowed for the laying down of CODE which could be executed.

More detailed analysis can be found here:
- http://en.wikipedia.org/wiki/Buffer_overflow
- http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
- http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Data is code. Code is data. They're both strings of 1's and 0's. The only difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is *data*.

Data doesn't make calls. Code does. That's been the gist of the argument from the very beginning.

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
- User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still *greatly* reduced. (Read Only or Blocked Attack vs full system compromise)

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

Ah yes, I recall this debate before. So it's
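The four numbered steps in the post above, as an added example in C (constructed for this page, not the poster's code): a record parser that trusts the length a document file declares, beside the same parser with the check that is missing. The record layout, the simulated frame with a control word stored right after the field, and the 'A' fill are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format standing in for one field inside a document:
 * one byte of declared length, then that many bytes of field data. */
#define FIELD_CAP 16   /* bytes the parser reserves for the field */
#define CTRL_SIZE 4    /* a control word stored right after the field */

/* Simulated stack frame (assumption for the demo). The field buffer and the
 * control word (think of the saved return address the program will later
 * jump through) sit next to each other in one array, so an overlong copy
 * lands on the control word deterministically. The 256 bytes of slack keep
 * the demo inside the array whatever length a 1-byte field can declare. */
typedef struct {
    unsigned char bytes[FIELD_CAP + CTRL_SIZE + 256];
} frame_t;

static const unsigned char CTRL_ORIGINAL[CTRL_SIZE] = {0xAA, 0xBB, 0xCC, 0xDD};

static void frame_init(frame_t *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + FIELD_CAP, CTRL_ORIGINAL, CTRL_SIZE);
}

/* 1 if the control word still holds the value the program put there. */
int control_intact(const frame_t *f) {
    return memcmp(f->bytes + FIELD_CAP, CTRL_ORIGINAL, CTRL_SIZE) == 0;
}

/* Step 2 of the list: the parser trusts the length the file declares.
 * Returns the declared length, or -1 if the record is shorter than it claims. */
int parse_field_unchecked(frame_t *f, const unsigned char *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t declared = rec[0];
    if (rec_len - 1 < declared) return -1;
    /* No comparison against FIELD_CAP: bytes from the file are copied past
     * the end of the field and over the control word. */
    memcpy(f->bytes, rec + 1, declared);
    return (int)declared;
}

/* The same parser with the missing check: the declared length is validated
 * against the reserved capacity before a single byte is copied.
 * Returns -2 when the field is rejected as oversized. */
int parse_field_checked(frame_t *f, const unsigned char *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t declared = rec[0];
    if (rec_len - 1 < declared) return -1;
    if (declared > FIELD_CAP) return -2;
    memcpy(f->bytes, rec + 1, declared);
    return (int)declared;
}

/* Build a constructed record whose field is `declared` bytes of 'A'.
 * Returns the record length, or 0 if it does not fit. */
size_t make_record(unsigned char *out, size_t out_cap, size_t declared) {
    if (declared > 255 || out_cap < declared + 1) return 0;
    out[0] = (unsigned char)declared;
    memset(out + 1, 'A', declared);
    return declared + 1;
}

/* Run one parser over a fresh frame and a record of the given declared
 * length. Returns the parser's result; *intact gets control_intact(). */
static int run_case(int checked, size_t declared, int *intact) {
    unsigned char rec[300];
    frame_t f;
    size_t len = make_record(rec, sizeof rec, declared);
    frame_init(&f);
    int rc = checked ? parse_field_checked(&f, rec, len)
                     : parse_field_unchecked(&f, rec, len);
    *intact = control_intact(&f);
    return rc;
}

int case_result(int checked, size_t declared) {
    int intact;
    return run_case(checked, declared, &intact);
}

int case_control_intact(int checked, size_t declared) {
    int intact;
    run_case(checked, declared, &intact);
    return intact;
}

int main(void) {
    printf("unchecked, 8-byte field:  rc=%d control intact=%d\n",
           case_result(0, 8), case_control_intact(0, 8));
    printf("unchecked, 20-byte field: rc=%d control intact=%d\n",
           case_result(0, 20), case_control_intact(0, 20));
    printf("checked,   20-byte field: rc=%d control intact=%d\n",
           case_result(1, 20), case_control_intact(1, 20));
    return 0;
}
```

The 20-byte field is accepted by the unchecked parser and lands on the control word, which is the point of step 2; the checked parser refuses the same record before copying anything.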
Re: Whitelisting
Great info ASB, thanks, very relevant to a lot of work I've been doing.

---Blackberried

-Original Message-
From: Andrew S. Baker asbz...@gmail.com
Date: Mon, 16 Apr 2012 14:27:56
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Whitelisting

*Data is code. Code is data. They're both strings of 1's and 0's.*

No, they are most certainly not the same.

*The only difference is what is interpreting that string.*

And that's a huge difference.

*If data is data, how is it able to cause winword.exe to download a payload?*

Well, here's an oversimplification of how buffer overflows work:

1. An executable opens up a data file for manipulation.
2. Because the input buffer is not adequately validated, the data (which is larger than the area allowed by the buffer) ends up overwriting a critical area *of the host executable's execution area* with new 1s and 0s.
3. The code which should normally execute at the conclusion of the data input is now replaced by some code stub which will do what the attacker wants.
4. This allows the host executable to now do something else than originally intended (or crash, which is what happens more often than not).

Now, while this might seem like it gives one the ability to completely co-opt the functions of the host executable for one's own purpose, in practice, this is very, very hard to do for anything but the simplest functionality. If you overwrite too much code, you'll just cause the host to die, which is essentially a DoS attack. Instead, the common practice is to use this limited area that was overwritten to call down a more robust piece of malware to get more malignant work done. (Or, alternately, to make use of already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it was legitimately opening a data file which corrupted a portion of its application space because it did not properly validate its buffer space and thus protect itself. The initial action (File Open) is caused by a human. The DATA did not execute, but allowed for the laying down of CODE which could be executed.

More detailed analysis can be found here:
- http://en.wikipedia.org/wiki/Buffer_overflow
- http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
- http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Data is code. Code is data. They're both strings of 1's and 0's. The only difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is *data*.

Data doesn't make calls. Code does. That's been the gist of the argument from the very beginning.

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
- User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still greatly
Re: Whitelisting
On Sun, Apr 15, 2012 at 23:24, Ken Schaefer k...@adopenstatic.com wrote:

To drive the point home - If I had to choose between whitelisting applications and blacklisting data, I'd choose whitelisting applications, every time.

Why would you have to make a choice? They are not mutually exclusive options.

You are correct, they are not, and I'd prefer to be able to do both, but it sharpens the point.

I think blacklisting is basically a dead technology, even though it's all I have at the moment. When the bad guys can morph executables in minutes and blast them out via email or compromised web sites (and other modes, too) many times a day, it's gone beyond whack-a-mole.

snip

Whitelisting helps those who help themselves (corporately or individually). Think of it as evolution in action. Those people generally don't run into problems in the first place. Digital signatures, signed kernel mode code etc. can be used to verify that software you are running is mostly legitimate.

Digital signatures, signed kernel mode code, etc., are whitelisting.

The tools already exist for whitelisting applications running on your home computer - even Windows includes Software Restriction Policies, Applocker etc, but I doubt you've implemented it - it's simply too much hassle to create a digital signature of each and every single executable you want to allow, and then restrict each and every .dll or resource file that the .exe is allowed to load into its process space, and then also ensure that every application doesn't provide some shared memory space or other way for code to end up inside the permitted process.

You are correct - I haven't implemented them yet for our users. But, I am doing so for myself. I've put my user account and my machine into a test OU, and am applying policies that are more restrictive than what apply to standard users now. I do understand how difficult it is.

I recently ran md5sum against one of our older standard image machines, prior to deployment (booted from a USB stick to have complete access), and redirected the hashes into a text file. I ran the machine through a round of patches, and did an md5sum again, then ran a diff. It was amazing how many files changed.

NSA has put up a good approach, however, that might be workable - but for it to be really useful, users should not have admin rights, among other things. It also specifies SRP, as opposed to BitLocker - I'm sure that can be factored in.

http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf
Re: Whitelisting
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

A - Wouldn't work so nicely in 2008 and above, due to lack of elevated rights
B - Limited use infection (since it destroys itself)

You're missing the point. You're arguing against the example, rather than the principle. Namely: It's possible to use a whitelisted application as an attack vector.[1]

You're also making another mistake -- you're seeing protection of the system as an end, rather than a means. Nobody cares if the OS is intact if all the data is gone. We protect the OS because we use the OS to protect the assets, not just for the sake of having a protected OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e., trying to identify and exclude known bad software, is the better alternative.
RE: Whitelisting
Your buffer overflow example illustrates the point. What is being over-written into the host's execution area? Answer: code/data/1's and 0's from the data file. Having never written a buffer overflow attack, I'll take your word that it's very, very hard to do for anything but the simplest functionality. However, the size of that resulting code isn't really the point. The point is that arbitrary code is being run.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 1:28 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.

The only difference is what is interpreting that string.

And that's a huge difference.

If data is data, how is it able to cause winword.exe to download a payload?

Well, here's an oversimplification of how buffer overflows work:

1. An executable opens up a data file for manipulation.
2. Because the input buffer is not adequately validated, the data (which is larger than the area allowed by the buffer) ends up overwriting a critical area of the host executable's execution area with new 1s and 0s.
3. The code which should normally execute at the conclusion of the data input is now replaced by some code stub which will do what the attacker wants.
4. This allows the host executable to now do something else than originally intended (or crash, which is what happens more often than not).

Now, while this might seem like it gives one the ability to completely co-opt the functions of the host executable for one's own purpose, in practice, this is very, very hard to do for anything but the simplest functionality. If you overwrite too much code, you'll just cause the host to die, which is essentially a DoS attack. Instead, the common practice is to use this limited area that was overwritten to call down a more robust piece of malware to get more malignant work done. (Or, alternately, to make use of already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it was legitimately opening a data file which corrupted a portion of its application space because it did not properly validate its buffer space and thus protect itself. The initial action (File Open) is caused by a human. The DATA did not execute, but allowed for the laying down of CODE which could be executed.

More detailed analysis can be found here:
* http://en.wikipedia.org/wiki/Buffer_overflow
* http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
* http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Data is code. Code is data. They're both strings of 1's and 0's. The only difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data. Data doesn't make calls. Code does. That's been the gist of the argument from the very beginning.

ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

* WinWord.exe has a buffer overflow vulnerability.
* WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
* Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability.
* User opens bad data file, which exploits the vulnerability.

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc.) then these executions will be subject to whether or not they are approved from a whitelisting perspective
RE: Whitelisting
The user being socially engineered *is* the admin - it's a SOHO environment. It was the *line* just above what you quoted:

For the SOHO end user, the vast bulk of infections are either:

These types of users are being socially engineered *today* despite AV, code signing, UAC and any number of other warnings. They *still* insist on running BritneySpearsNaked.exe

So, my question remains? How does whitelisting help that type of user?

-Original Message-
From: Alex Eckelberry [mailto:al...@eckelberry.com]
Sent: Monday, 16 April 2012 10:21 PM
To: NT System Admin Issues
Subject: RE: Whitelisting

a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user?

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

This would also apply to social engineering. If your company has a whitelisting solution in place, code that is not approved won't run. So the user can download the stupid game they love, but in the end, they won't be able to run it.

A good whitelisting application has a massive repository of good files, and the ability to train the system by the admin, not the end-user.

Alex

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user?

I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that large organisations have the necessary processes in place to implement whitelisting. Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files. I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs
RE: Whitelisting
The first statement is wrong - there is no difference between data and code - they are just ones and zeros.

Now, an application can tell an OS that certain memory addresses contain code that should not be executed. But some other application, loading exactly the same ones and zeros, can tell the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
Re: Whitelisting
*Your buffer overflow example illustrates the point.*

It really doesn't illustrate what you think it does, but there's no point in me going down this route any longer. You've chosen to selectively read what I've posted, and ignored clear examples that disagreed with your premise.

We'll just have to agree to disagree on this.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 6:23 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Your buffer overflow example illustrates the point. What is being over-written into the host's execution area? Answer: code/data/1's and 0's from the data file.

Having never written a buffer overflow attack, I'll take your word that it's "very, very hard to do for anything but the simplest functionality". However, the size of that resulting code isn't really the point. The point is that arbitrary code is being run.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 1:28 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

*Data is code. Code is data. They're both strings of 1's and 0's.*

No, they are most certainly not the same.

*The only difference is what is interpreting that string.*

And that's a huge difference.

*If data is data, how is it able to cause winword.exe to download a payload?*

Well, here's an oversimplification of how buffer overflows work:

1. An executable opens up a data file for manipulation
2. Because the input buffer is not adequately validated, the data (which is larger than the area allowed by the buffer), ends up overwriting a critical area *of the host executable's execution area* with new 1s and 0s.
3. The code which should normally execute at the conclusion of the data input is now replaced by some code stub which will do what the attacker wants.
4. This allows the host executable to now do something else than originally intended (or crash, which is what happens more often than not)

Now, while this might seem like it gives one the ability to completely co-opt the functions of the host executable for one's own purpose, in practice, this is very, very hard to do for anything but the simplest functionality. If you overwrite too much code, you'll just cause the host to die, which is essentially a DoS attack. Instead, the common practice is to use this limited area that was overwritten to call down a more robust piece of malware to get more malignant work done. (Or, alternately, to make use of already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it was legitimately opening a data file which corrupted a portion of its application space because it did not properly validate its buffer space and thus protect itself. The initial action (File Open) is caused by a human. The DATA did not execute, but allowed for the laying down of CODE which could be executed.

More detailed analysis can be found here:
- http://en.wikipedia.org/wiki/Buffer_overflow
- http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
- http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Data is code. Code is data. They're both strings of 1's and 0's. The only difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is *data*. Data doesn't make calls. Code does.

That's been the gist of the argument from the very beginning.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

Why does the code that is spawned need to download some payload or use existing files? Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so
Re: Whitelisting
It doesn't help someone who has the authority to override the controls. But, thankfully, that's a smaller percentage than people who don't have that authority.

AV also doesn't help the people who won't install it or update it. But it has managed to help others. UAC doesn't help people who turn it off, etc.

We can only help the most people who want to be helped, or who have no ability to undo the help. The rest, I will call consulting customers. (for a while, anyway)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Mon, Apr 16, 2012 at 11:07 PM, Ken Schaefer k...@adopenstatic.com wrote:

The user being socially engineered *is* the admin - it's a SOHO environment. It was the *line* just above what you quoted:

For the SOHO end user, the vast bulk of infections are either:

These types of users are being socially engineered *today* despite AV, code signing, UAC and any number of other warnings. They *still* insist on running BritneySpearsNaked.exe

So, my question remains? How does whitelisting help that type of user?

-Original Message-
From: Alex Eckelberry [mailto:al...@eckelberry.com]
Sent: Monday, 16 April 2012 10:21 PM
To: NT System Admin Issues
Subject: RE: Whitelisting

a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user?

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

This would also apply to social engineering. If your company has a whitelisting solution in place, code that is not approved won't run. So the user can download the stupid game they love, but in the end, they won't be able to run it.

A good whitelisting application has a massive repository of good files, and the ability to train the system by the admin, not the end-user.

Alex

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user?

I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that large organisations have the necessary processes in place to implement whitelisting. Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files. I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2
RE: Whitelisting
How about I just load another bit of code into the process space of the existing, whitelisted application (e.g. a .dll). Then there is no need to spawn any separate executable process.

Unless you are intending to fingerprint every single file on the system, we're back to square one.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, 16 April 2012 11:26 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

* WinWord.exe has a buffer overflow vulnerability.
* WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
* Bad guy creates a hand-crafted data file that takes advantage of the buffer overflow vulnerability
* User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely include the uploading or installation of some files to the exploited machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is spawned by the exploit (either because it is embodied in the bad data, or because it is downloaded from some remote server) will be unable to run -- because it is not an approved application/code. This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, etc) then these executions will be subject to whether or not they are approved from a whitelisting perspective, but the scope of the exploit is still greatly reduced. (Read Only or Blocked Attack vs full system compromise)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

Ah yes, I recall this debate before. So it's not that if you used a Word exploit, for example, you could get winword.exe to do bad stuff under the context of that process - it would have to be remote code execution under its own badapp.exe - which even if you called it winword.exe would get caught by a hash value rule or check for signed code, am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

Yes, but if the bad data is used to perform a buffer overflow so that custom *code* can be executed to do nefarious acts, then that last step will fail because the custom malicious code is not authorized to run -- even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can be some management overhead depending on the implementation, but it addresses more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

Agreed, if you've got a malicious Word document that exploits a flaw in MS Word itself, then the only defence is good patching or some other form of exploit detection. If it's a zero-day, then there's probably nothing except exploit detection.

Don't want to plug it too much but AppSense Application Manager does a good job of detecting execution beyond the expected capabilities of an application, but I've never been able to test it much beyond the types of things like malicious PDFs with Java exploits or exploits that call out to malicious dll files. Wonder how much work it would be to craft an Office document that tries to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in anything else but code execution. Data itself is harmless; it's the executables that cause harm. There will always be code executed, in some form or another (unless I'm misunderstanding your point).

Alex

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications
RE: Whitelisting
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 17 April 2012 2:57 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Whitelisting helps those who help themselves (corporately or individually). Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital signatures, signed kernel mode code etc. can be used to verify that software you are running is mostly legitimate.

Digital signatures, signed kernel mode code, etc., are whitelisting.

And the point I'm making is that these whitelisting technologies are *not* helping make the problem I'm describing go away.

1. For SOHO environment, the end user simply overrides the warnings
   a. Only when the end user cannot override the settings (e.g. Windows x64 kernel code signing requirements) has any major improvement occurred
      i. I doubt that this type of central control by Microsoft would be tolerated for user mode applications
      ii. It could still be bypassed by packaging a CA cert with the malware - I'm surprised that this isn't more prevalent.
2. For corporate environment of small size, the "administrator" is responsible for managing this on behalf of their users. Many smaller orgs are probably over staffed, so there is bandwidth to manage this
3. In the enterprise, this can't be centrally controlled without impacting business agility. So the response from software vendors will be to create more applications like Access which allow *end users* to develop applications. How are you going to stop malicious applications like this?

It's just like spam - a never ending, escalating war.

You are correct- I haven't implemented them yet for our users. But, I am doing so for myself. I've put my user account and my machine into a test OU, and am applying policies that are more restrictive than what apply to standard users now.

I do understand how difficult it is. I recently ran md5sum against one of our older standard image machines, prior to deployment (booted from a USB stick to have complete access), and redirected the hashes into a text file. I ran the machine through a round of patches, and did an md5sum again, then ran a diff. It was amazing how many files changed.

And this is just files on a disk. Are you also going to monitor which files are loaded by which processes (e.g. which .dll files are loaded by which .exe files?) Not just the on-disk signatures, but an actual mapping of .dlls used by which .exe? Otherwise, a new, malicious dll file can be loaded into an existing, trusted, application.

Cheers
Ken
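The two checks James (a renamed badapp.exe "caught by a hash value rule") and Ken (a baseline hash diff, plus DLLs loaded into a trusted process) are circling, as an added example that is not code from anyone in the thread: a before/after hash baseline diff over a constructed image, and an allowlist decision evaluated by path versus by hash that also covers every module mapped into the process. The file contents, paths and the Policy class are all constructed for illustration.

```python
"""Hash baseline diff plus an allowlist check covering the .exe and each DLL it loads.

Added illustration for the thread, not code from any poster. All file contents are
constructed byte strings standing in for real binaries; the paths are hypothetical.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash file contents (the thread used md5sum; sha256 is the modern equivalent)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map every path to its hash, like redirecting md5sum output to a text file."""
    return {path: sha256_hex(data) for path, data in files.items()}


def diff_baseline(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """The 'diff' step: which paths a patch round added, removed or changed."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }


@dataclass
class Policy:
    """Two rule styles the thread contrasts: trust by path/name, or trust by content hash."""
    allowed_paths: set[str] = field(default_factory=set)
    allowed_hashes: set[str] = field(default_factory=set)

    def allows(self, path: str, data: bytes, mode: str) -> bool:
        if mode == "path":
            # Name-based rule: whatever sits at an approved path is trusted.
            return path.lower() in {p.lower() for p in self.allowed_paths}
        if mode == "hash":
            # Hash rule: only the exact approved bytes are trusted, whatever the name.
            return sha256_hex(data) in self.allowed_hashes
        raise ValueError(f"unknown mode {mode!r}")


def process_allowed(policy: Policy, exe_path: str, exe_data: bytes,
                    modules: dict[str, bytes], mode: str) -> tuple[bool, list[str]]:
    """Evaluate the main executable *and* each module mapped into its process.

    Returns (allowed, paths that failed the policy).
    """
    candidates = [(exe_path, exe_data), *modules.items()]
    blocked = [p for p, d in candidates if not policy.allows(p, d, mode)]
    return (not blocked, blocked)


# Constructed stand-ins for binaries (not real PE files) and hypothetical paths.
WINWORD = b"MZ constructed genuine winword build"
PATCHED_WINWORD = b"MZ constructed winword after a patch round"
BADAPP = b"MZ constructed badapp renamed to winword.exe"
OFFICE_DLL = b"MZ constructed mso.dll"
ROGUE_DLL = b"MZ constructed injected module"

WINWORD_PATH = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
OFFICE_DLL_PATH = r"C:\Program Files\Microsoft Office\mso.dll"
ROGUE_DLL_PATH = r"C:\Users\user\AppData\Local\Temp\helper.dll"
NEW_COMPONENT_PATH = r"C:\Windows\System32\newcomponent.dll"


def image_policy() -> Policy:
    """Approve the files found in the golden image, both by path and by hash."""
    known = {WINWORD_PATH: WINWORD, OFFICE_DLL_PATH: OFFICE_DLL}
    return Policy(allowed_paths=set(known),
                  allowed_hashes=set(build_baseline(known).values()))


def renamed_binary_check() -> dict[str, bool]:
    """James's question: is badapp.exe, renamed to the winword.exe path, caught?"""
    pol = image_policy()
    return {"path_rule": pol.allows(WINWORD_PATH, BADAPP, "path"),
            "hash_rule": pol.allows(WINWORD_PATH, BADAPP, "hash")}


def dll_injection_check() -> tuple[bool, list[str]]:
    """Ken's point: the genuine exe is fine, but one loaded DLL is not in the list."""
    pol = image_policy()
    loaded = {OFFICE_DLL_PATH: OFFICE_DLL, ROGUE_DLL_PATH: ROGUE_DLL}
    return process_allowed(pol, WINWORD_PATH, WINWORD, loaded, "hash")


def patch_round_diff() -> dict[str, list[str]]:
    """Ken's md5sum-before-and-after exercise on the constructed image."""
    before = build_baseline({WINWORD_PATH: WINWORD, OFFICE_DLL_PATH: OFFICE_DLL})
    after = build_baseline({WINWORD_PATH: PATCHED_WINWORD, OFFICE_DLL_PATH: OFFICE_DLL,
                            NEW_COMPONENT_PATH: b"MZ constructed new file"})
    return diff_baseline(before, after)


if __name__ == "__main__":
    print(renamed_binary_check())   # path rule passes the impostor, hash rule does not
    print(dll_injection_check())    # (False, [ROGUE_DLL_PATH])
    print(patch_round_diff())       # winword changed, newcomponent.dll added
```

The patch diff is exactly why a hash allowlist needs re-baselining after every patch cycle, while the path rule shows why a name-based rule alone does not answer James's question.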
RE: Whitelisting
Let's try another one:

I use an exploit (or even just VBA automation) in Word to password protect all your files. You need to pay me to get them back (or maybe I don't care whether you get them back, I just like inflicting pain - aka like most mass market viruses)

Does whitelisting address this scenario? No.

Are exploits just going to move from the problem space solved by whitelisting and to a new area that is not addressed by this technology? Yes

It's just like spam (and every other area where we have a constantly escalated war of technology). Yet for some reason we don't seem to be learning that lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be less known good items that I want to run, than known bad ones that I don't, not to mention all the unknown bad ones that I don't know about yet. Managing the smaller list is *better*, not *perfect*.

I haven't missed the point. A flawed example is just that -- flawed. But, going beyond that and focusing on the principle itself, the blacklist is ALSO vulnerable to the same issue.

So, do you settle for us both sharing your example problem, plus you having a host of other ones that are greater than mine? Or do you acknowledge that the approach I favor creates a smaller attack surface area?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:

On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:

If it's an exploit, it's going to launch code. The code won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

A - Wouldn't work so nicely in 2008 and above, due to lack of elevated rights
B - Limited use infection (since it destroys itself)

You're missing the point. You're arguing against the example, rather than the principle. Namely: It's possible to use a whitelisted application as an attack vector.[1]

You're also making another mistake -- you're seeing protection of the system as an end, rather than a means. Nobody cares if the OS is intact if all the data is gone. We protect the OS because we use the OS to protect the assets, not just for the sake of having a protected OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e., trying to identify and exclude known bad software, is the better alternative.
Re: Whitelisting
I believe that *whitelisting* is the approach to focus on.

http://Home.ASBzone.com/ASB/archive/2010/05/10/it-s-time-to-re-evaluate-host-based-security.aspx

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
Re: Whitelisting
Data files should neither be whitelisted nor blacklisted. That is not how you deal with buffer overruns (which is the primary mechanism by which bad data is used to exploit an app vulnerability).

Using lists to determine good/bad data is unmanageable from the start.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:48 PM, Crawford, Scott crawfo...@evangel.edu wrote:

good question, but it's MUCH easier than whitelisting all good data files. I would expect the blacklist scanner to look for signatures of application exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
Re: Whitelisting
You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
Re: Whitelisting
I prefer whitelisting.

-- Espi

On Sat, Apr 14, 2012 at 8:29 AM, Michael B. Smith mich...@smithcons.com wrote:

I think whitelisting is the right direction.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 11:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
RE: Whitelisting
Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
Re: Whitelisting
Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files. I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
RE: Whitelisting
For the SOHO end user, the vast bulk of infections are either:

a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that large organisations have the necessary processes in place to implement whitelisting. Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

> Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.
>
> Your point is taken that if application/executable whitelisting is good, malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input.
>
> And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files. I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye.
>
> None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.
>
> Kurt
>
> On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:
>> Possibly...even probably. But, if we ever get to a world where whitelisting is the predominant means of execution control, the bad guys will, out of necessity, be relegated to exploiting flaws in applications through data files. A scanner that looks for signatures of exploits in files will be a useful tool. Assuming, of course, all applications aren't secure.
Re: Whitelisting
On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
> For the SOHO end user, the vast bulk of infections are either:
> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>
> How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or VBS|JS|JAR|DLL|etc) embedded in their emails, or the random executables from the various web sites that either are deliberately set up, or have been subverted, to issue malware. Those are actually the larger threat, AFAICT.

> For corporate users, does whitelisting help significantly?

I believe it can, and should.

> I'm not sure that large organisations have the necessary processes in place to implement whitelisting.

I'm sure they don't. It's a skill they have to learn, if they want to protect themselves.

> Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.

Bummer for them. Opportunity for those who can, and who can help them.

Kurt
RE: Whitelisting
-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Subject: Re: Whitelisting

> On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
>> For the SOHO end user, the vast bulk of infections are either:
>> a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java runtime, Internet Explorer)
>> b) social engineering attacks, where the user is convinced to run/install some malware that they shouldn't. Despite code signing, users are still doing this.
>>
>> How will whitelisting help the above type of user? I can't see how it does - they will always have the ability to override whatever recommendation the AV (or protection application) provides.
>
> Simple - they won't have to worry about file.doc.exe (or VBS|JS|JAR|DLL|etc) embedded in their emails, or the random executables from the various web sites that either are deliberately set up, or have been subverted, to issue malware. Those are actually the larger threat, AFAICT.

So, it doesn't help with any exploits of existing apps, browser plug-ins etc.

And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that BritnesSpearsNaked.exe is actually a legitimate file, and then tells his WhiteListing application that it should be added to the white list, then it'll still run. And Joe User will still be screwed.

And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded that it's from his good Nigerian Prince friend Joanne User, and runs it, and tells his WhiteListing application that it should be added to the white list, then it'll still run fine.

We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, that warn users that the application might be something bad. Yet users still allow these applications to run. With Whitelisting, you are also requiring that the user decide what is legitimate and what is not. And users will continue to be socially engineered into believing that malware are legitimate files. Just like today.

>> Whitelisting will slow application development/deployment even more, and will just result in more applications like Access and Excel that provide a semi-IDE to the end user that allows them to develop their own code/functionality. And resulting opportunities for code exploit.
>
> Bummer for them. Opportunity for those who can, and who can help them.

Perhaps. Or maybe there's no ROI developing the feature in the first place. Or maybe exploits will just move to another area (Excel, Access application etc) that whitelisting doesn't cover. You're not addressing the point at all.

Cheers
Ken
Whitelisting
I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

Thoughts?
RE: Whitelisting
I think whitelisting is the right direction.

-----Original Message-----
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 11:10 AM
To: NT System Admin Issues
Subject: Whitelisting

> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> Thoughts?
Re: Whitelisting
Whitelisting (or greylisting) is the only way forward. Malware evolves too fast for blacklisting ever to be effective. There are also programs not listed as malware that are still malicious to some degree, and blacklisting can never protect against these.

-----Original Message-----
From: Alex Eckelberry
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: Whitelisting
Sent: 14 Apr 2012 16:10

> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> Thoughts?

---Blackberried
Re: Whitelisting
On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:
> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.

IMNSHO: Tightly controlling what software can be run will always be far more effective than trying to identify every possible bad thing in the world.

The hard part is usually doing it. Many orgs don't have good software management. The small ones can't afford it, and the large ones find the problem too hard to coordinate.

-- Ben
RE: Whitelisting
Same reason that blacklisting doesn't work for spam prevention either - spammers just find ways around the lists and it turns into a constant battle of trying to quickly blacklist the new terms/addresses only to find that the bad guys change them as fast as you can blacklist them.

Ben M. Schorr
Roland Schorr Tower
www.rolandschorr.com | www.officeforlawyers.com | Twitter: @bschorr

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Saturday, April 14, 2012 9:07
To: NT System Admin Issues
Subject: Re: Whitelisting

> On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry a...@eckelberry.com wrote:
>> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> IMNSHO: Tightly controlling what software can be run will always be far more effective than trying to identify every possible bad thing in the world.
>
> The hard part is usually doing it. Many orgs don't have good software management. The small ones can't afford it, and the large ones find the problem too hard to coordinate.
>
> -- Ben
RE: Whitelisting
A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable whitelisted applications.

-----Original Message-----
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> Thoughts?
Re: Whitelisting
How do you blacklist all possible bad data files?

-----Original Message-----
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

> A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable whitelisted applications.

---Blackberried
RE: Whitelisting
Good question, but it's MUCH easier than whitelisting all good data files. I would expect the blacklist scanner to look for signatures of application exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

> How do you blacklist all possible bad data files?
>
> -----Original Message-----
> From: Crawford, Scott
> To: NT System Admin Issues
> ReplyTo: NT System Admin Issues
> Subject: RE: Whitelisting
> Sent: 14 Apr 2012 18:02
>
>> A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable whitelisted applications.
>
> ---Blackberried
Re: Whitelisting
Interesting to see what mitigation can be done against data file exploits other than AV and patching. Might have a look into this a bit closer.

---Blackberried

-----Original Message-----
From: Crawford, Scott crawfo...@evangel.edu
Date: Sat, 14 Apr 2012 17:48:46
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Whitelisting

> Good question, but it's MUCH easier than whitelisting all good data files. I would expect the blacklist scanner to look for signatures of application exploits.
>
> Sent from my Windows Phone
>
> From: Rankin, James R
> Sent: 4/14/2012 12:25 PM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
>> How do you blacklist all possible bad data files?
Re: Whitelisting
On Sat, Apr 14, 2012 at 08:10, Alex Eckelberry a...@eckelberry.com wrote:
> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> Thoughts?

http://www.ranum.com/security/computer_security/editorials/dumb/

Numbers 1 and 2, for this discussion, but everyone should take to heart all of them.

Kurt
Fwd: SANS NewsBites Vol. 13 : NSA's Application Whitelisting Breakthrough
Mucho snippage...

Not huge news, but perhaps a useful technique. BTW, see also: http://isc.sans.edu/diary.html?storyid=8236 for a different approach.

Kurt

TOP OF THE NEWS

--NSA's Application Whitelisting Breakthrough (February 10, 2012)
The National Security Agency (NSA) has developed an approach to application whitelisting that consumes considerably fewer resources to deploy than standard whitelisting techniques. Instead of purchasing expensive software and employing people to update whitelists, the NSA's approach focuses on specific areas of computers where downloaded applications are permitted to execute.
http://www.nextgov.com/nextgov/ng_20120210_8712.php?oref=topnews
http://gcn.com/articles/2012/02/13/nsa-whitelisting-apps-secure-systems.aspx
[Editors' Note (Ullrich, Paller): Application whitelisting still hasn't reached the mainstream adoption it deserves. If you thought it was too hard to implement because of false positives, consider this a wake-up call that (you have no idea what's running on your systems, and) you can stop rogue software, and cost-effectively. Yes, it has weaknesses (like in-memory scanning), but they are dwarfed by the benefits. Now someone please come up with a good whitelisting solution for OS X.]
Re: SANS NewsBites Vol. 13 : NSA's Application Whitelisting Breakthrough
On Tue, Feb 14, 2012 at 3:08 PM, Kurt Buff kurt.b...@gmail.com wrote:
> Not huge news, but perhaps a useful technique.
> http://www.nextgov.com/nextgov/ng_20120210_8712.php

It's absolutely a useful technique. It's something I've been doing (and even occasionally advocating) for years.

The theory is simple: Don't let software run from unauthorized locations. Don't let users modify the authorized locations.

Implementation concept: Set permissions such that users can't write to locations where programs can run from. For example, don't let them write to C:\Program Files or C:\WINDOWS. Then use Software Restriction Policy (SRP) to only allow execute from those locations. Now executables in users' profile folders, temp directories, etc., can't run. So even if a user downloads malicious or unauthorized software to their home directory, the system will refuse to run it.

It is akin to the Unix world's practice of mounting /tmp and /home with the noexec option, although Microsoft's approach with SRP gives you much more fine-grained control.

One potential pitfall: SRP uses file extensions to determine executable status. Windows sometimes uses file content to determine executable status. For example, a Portable Executable renamed to have a .LNK extension will be executed anyway, depending on how you invoke it. So for SRP to close all holes, you have to apply it to *.LNK files, which means users' desktop shortcuts and Recent Items lists break. Pick your poison.

I suspect the major reason that large organizations pay such big money for application whitelisting solutions is that they have poor control over software. One admin does one thing, another does something else, and there's no central control. Plus lots of crap software that wants to write to system locations. (I'd call it legacy software but let's face it, crap like that is pushed out brand new every day.) So they try and buy products to fix the mess.

While this approach is not without value, I can't help but think of Ed Crowley's maxim on technological solutions and behavioral problems.

-- Ben
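The "only allow execution from locations users cannot write to" approach, as described in the SANS item above and in Ben's message, rests on two assumptions that are worth checking on a real client before trusting the policy: that nothing under the allowed roots is actually user-writable, and that nothing in user-writable space is a PE image wearing a non-executable extension (Ben's .LNK case, generalised here to any extension). The PowerShell below is an added example for this page, not code from the list or from any of the posters. The root paths, the principal names and the extension list are assumptions for a stock English-language Windows install; adjust them to match your own SRP rules.

```powershell
# Added example, not from the list thread. Audits two assumptions behind
# "only allow execution from locations users cannot write to":
#   1. no directory under the allowed roots is writable by ordinary users;
#   2. no file in user-writable areas is a PE hiding behind a data extension.
# Paths, principal names and the extension list are assumptions for a stock
# English-language Windows install; change them to match your own SRP rules.

$AllowedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # the x86 entry is empty on 32-bit systems

# Principals that mean "any ordinary user". Names are English; on localised
# installs compare $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier])
# against S-1-1-0, S-1-5-32-545, S-1-5-11 and S-1-5-4 instead.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# WriteData/CreateFiles (2) and AppendData/CreateDirectories (4): the rights
# that let a user drop a new file or folder into a directory. Modify and
# FullControl include both bits, so they are caught as well.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)

function Find-UserWritableDirs {
    param([string[]] $Roots = $AllowedRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
                break   # one offending ACE is enough to report the directory
            }
        }
    }
}

# Extensions that are plainly executable; an 'MZ' header behind any other extension is suspect.
$ExecutableExtensions = @('.exe', '.dll', '.com', '.scr', '.sys', '.ocx', '.cpl', '.drv', '.msi')

function Find-MisnamedExecutables {
    param([string[]] $Roots = @($env:USERPROFILE, $env:TEMP))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge 2 -and $ExecutableExtensions -notcontains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $stream = $null
                try {
                    $stream = [System.IO.File]::OpenRead($_.FullName)
                    $header = New-Object byte[] 2
                    $read   = $stream.Read($header, 0, 2)
                    # A PE image starts with the DOS stub signature 'MZ' (0x4D 0x5A). A genuine
                    # .lnk starts with 0x4C 0x00 0x00 0x00, so an 'MZ' .lnk is a renamed binary.
                    if ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
                        [pscustomobject]@{ Path = $_.FullName; Extension = $_.Extension }
                    }
                } catch {
                    # locked or unreadable file: skip it, this is an audit, not enforcement
                } finally {
                    if ($stream) { $stream.Dispose() }
                }
            }
    }
}

Find-UserWritableDirs    | Format-Table -AutoSize
Find-MisnamedExecutables | Format-Table -AutoSize
```

Anything Find-UserWritableDirs reports inside an allowed root is a hole in the whitelist until it gets an explicit Disallowed path rule or an ACL fix; on a stock install expect hits such as %SystemRoot%\Temp and %SystemRoot%\Tasks. Find-MisnamedExecutables is a detection aid only: SRP decides by extension, so a flagged file is one that a content-based launcher could still run even though the path rule would pass it.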
RE: Whitelisting Pros Cons?
> In the end if white listing replaced anti-virus then attackers would simply raise the bar and make sure that their vulnerability exploits did not simply download and directly execute executable code. They would do behaviors in memory to simply defeat and bypass white listing technology.

This is the point I've been trying (with mixed success) to make. My suggestion has been to also add blacklisting to look for malicious signatures within the pdf, jpg, etc. It seems to me that any given application vulnerability will be exploitable through a relatively easy to identify signature. Obviously, the payload could be any number of things, but the actual exploitation should be much easier to identify than the plethora of AV signatures that continually mutate. One could further reduce the number of signatures to keep on hand by only looking for exploits in recent versions of applications.

From: Marc Maiffret [mailto:mmaiff...@eeye.com]
Sent: Wednesday, November 16, 2011 11:01 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros Cons?

> Thoughts on AV, white listing, and endpoint security futures... and yes in my classic terrible grammar, stream of consciousness, style of writing... sorry NTSYSADMIN'ers! :)
>
> Anti-virus does an amazing job for what it was originally created for: The prevention of known bad files. The problem is that most malware these days is highly dynamic and as such we are increasingly living in a world of unknown malware and AV was not made to prevent unknown malware. Anti-virus vendors are trying to Band-Aid their signature problem by having new systems that hopefully generate signatures faster. This is all the stuff the AV companies advertise around their cloud information sharing systems etc... AV still requires some level of companies to be compromised to know there is a new piece of malware that needs a signature. The cloud stuff (I forget everyone's marketing terms) helps to make it so that AV can create a signature but hopefully with fewer companies compromised and in a shorter amount of time.
>
> White listing can help prevent unknown malware because it can prevent unknown executable code from executing. This is of course not without time to manage, configure, and make sure all your legitimate apps at first deployment, and over the course of time, are properly white listed. But we will skip the management aspect for now and focus on what works prevention wise and what the limitations are.
>
> Stepping back from a solution perspective let's look at the problem: Systems being compromised and infected with malware. The majority of malware infections happen in one of two ways:
>
> 1. User exploitation - User simply runs a piece of malicious code (web/usb/email/etc) and no exploit is involved, only trickery.
> 2. Vulnerability exploitation - User is either targeted or through normal web browsing, and is infected with malware via an exploit leveraging an unknown or unpatched software vulnerability.
>
> User Exploitation - This is a very common reason that malware ends up on systems. Think of all of the times you have had to clean up systems with fake anti-virus type of software etc... This is an area where anti-virus is simply failing because when the malware is delivered to one of your users it is being handed off by a server that is doing automated morphing of the executable in a way as to evade anti-virus signatures. I.E. The malicious executable has the exact same behavior on every system but the signature of that executable is different for every system it is delivered to. White listing is very helpful in preventing this type of malware because essentially it is a user running an unknown program and by virtue of white listing you're blocking all unknown programs. This is why you will hear people talk about having installed these solutions and their level of malware has simply gone down.
>
> Vulnerability Exploitation - The other way systems are compromised is not by users just clicking on things but by attackers actively leveraging unknown or unpatched software vulnerabilities. In this case what ends up happening is a user will receive something like a PDF document via email or will be served malicious javascript/html/etc via a website and in either case there will be an exploit that leverages a vulnerability within some software you have installed on the system. When the exploit takes place it will start to leverage a software vulnerability typically to run malicious code within the memory space of the vulnerable software. I.E. A user is browsing a website, embedded javascript spawns a window with an Adobe PDF file, the PDF file automatically loads, exploit code leverages a vulnerability within the PDF, exploit code starts running malicious shellcode within that Adobe program, that exploit shellcode then delivers its payload. The payload is typically the exploit downloading a malicious executable from another website
Re: Whitelisting Pros Cons?
Defense in depth, the layered approach, is the only way. White/greylisting is much more effective, but in the end having multiple layers is the only way to be truly secure. However, application management CAN reduce your reliance on realtime AV scanning (and therefore its performance and management overhead). As more servers, apps and desktops become virtual, performance is key. Switching to scheduled scans only is the next step. But you must always have multiple layers. It's not a duplication of effort when you are faced with adapting and evolving threats.

Sent from my SR-71 Blackbird

-----Original Message-----
From: Crawford, Scott crawfo...@evangel.edu
Date: Thu, 17 Nov 2011 19:58:50
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Whitelisting Pros Cons?

> In the end if white listing replaced anti-virus then attackers would simply raise the bar and make sure that their vulnerability exploits did not simply download and directly execute executable code. They would do behaviors in memory to simply defeat and bypass white listing technology.

This is the point I've been trying (with mixed success) to make. My suggestion has been to also add blacklisting to look for malicious signatures within the PDF, JPG, etc. It seems to me that any given application vulnerability will be exploitable through a relatively easy-to-identify signature. Obviously, the payload could be any number of things, but the actual exploitation should be much easier to identify than the plethora of AV signatures that continually mutate. One could further reduce the number of signatures to keep on hand by only looking for exploits in recent versions of applications.
RE: Whitelisting Pros Cons?
Thoughts on AV, white listing, and endpoint security futures... and yes, in my classic terrible grammar, stream-of-consciousness style of writing... sorry NTSYSADMIN'ers! :)

Anti-virus does an amazing job for what it was originally created for: the prevention of known bad files. The problem is that most malware these days is highly dynamic, and as such we are increasingly living in a world of unknown malware, and AV was not made to prevent unknown malware. Anti-virus vendors are trying to Band-Aid their signature problem by having new systems that hopefully generate signatures faster. This is all the stuff the AV companies advertise around their cloud information sharing systems etc... AV still requires some level of companies to be compromised to know there is a new piece of malware that needs a signature. The cloud stuff (I forget everyone's marketing terms) helps to make it so that AV can create a signature, but hopefully with fewer companies compromised and in a shorter amount of time.

White listing can help prevent unknown malware because it can prevent unknown executable code from executing. This is of course not without time to manage, configure, and make sure all your legitimate apps, at first deployment and over the course of time, are properly white listed. But we will skip the management aspect for now and focus on what works prevention-wise and what the limitations are.

Stepping back from a solution perspective, let's look at the problem: systems being compromised and infected with malware. The majority of malware infections happen in one of two ways:

1. User exploitation - The user simply runs a piece of malicious code (web/USB/email/etc.) and no exploit is involved, only trickery.
2. Vulnerability exploitation - The user is either targeted or, through normal web browsing, is infected with malware via an exploit leveraging an unknown or unpatched software vulnerability.

User Exploitation - This is a very common reason that malware ends up on systems. Think of all of the times you have had to clean up systems with fake anti-virus type software etc... This is an area where anti-virus is simply failing, because when the malware is delivered to one of your users it is being handed off by a server that is doing automated morphing of the executable in a way as to evade anti-virus signatures. I.e. the malicious executable has the exact same behavior on every system, but the signature of that executable is different for every system it is delivered to. White listing is very helpful in preventing this type of malware because essentially it is a user running an unknown program, and by virtue of white listing you're blocking all unknown programs. This is why you will hear people talk about having installed these solutions and their level of malware has simply gone down.

Vulnerability Exploitation - The other way systems are compromised is not by users just clicking on things but by attackers actively leveraging unknown or unpatched software vulnerabilities. In this case what ends up happening is a user will receive something like a PDF document via email, or will be served malicious JavaScript/HTML/etc. via a website, and in either case there will be an exploit that leverages a vulnerability within some software you have installed on the system. When the exploit takes place it will leverage a software vulnerability, typically to run malicious code within the memory space of the vulnerable software. I.e. a user is browsing a website, embedded JavaScript spawns a window with an Adobe PDF file, the PDF file automatically loads, exploit code leverages a vulnerability within the PDF reader, exploit code starts running malicious shellcode within that Adobe program, and that exploit shellcode then delivers its payload. The payload is typically the exploit downloading a malicious executable from another website and then running that malicious executable, which then Trojans the system etc...

The problem is that the exploit code does not have to download another executable; rather, it could keep performing malicious operations within the vulnerable application (Adobe), and since no new executable code is created, the whitelisting security software does not come into play. The point being that white listing is helpful against a lot of today's vulnerability exploitation because the payload delivered by most vulnerability exploits is to download an unknown executable and run it, which white listing will obviously stop. In the end, if white listing replaced anti-virus then attackers would simply raise the bar and make sure that their vulnerability exploits did not simply download and directly execute executable code. They would do behaviors in memory to simply defeat and bypass white listing technology. Vulnerability/exploit prevention is critical and is always missed in discussions because everyone gets caught up in chasing the symptom (malware
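The two controls the post contrasts, as an added example (not the author's code and not any vendor's product): a SHA-256 allowlist and a signature blocklist evaluated over constructed execution events, including the in-memory case that a file-centric allowlist never sees, plus the compensating alert a defender would want for that case. Every binary, signature and process name here is constructed for the demo.

```python
"""Toy model of the two controls the post contrasts.

Added example, not code from the list or from any vendor. It models an
endpoint that sees process-execution events and applies two independent
controls: a blocklist of byte signatures (what AV does) and an allowlist of
SHA-256 file hashes (what application whitelisting does). All binaries and
events are constructed byte strings / records, not real malware.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# ---- constructed inputs -----------------------------------------------
# An approved line-of-business executable (constructed bytes).
GOOD_BINARY = b"MZ\x90\x00" + b"APPROVED-LOB-APP-1.0" + b"\x00" * 16

# Two builds of the same fake-AV dropper (constructed). They do the same
# thing at run time, but the bytes differ: the AV signature written for
# build A does not appear in build B. This is the "same behaviour, different
# signature per delivery" situation the post describes.
DROPPER_A = b"MZ\x90\x00" + b"FAKEAV-DROPPER-BUILD-1" + b"\x00" * 8
DROPPER_B = b"MZ\x90\x00" + b"F\x00AKEAV-DROPPER-BUILD-2" + b"\x00" * 8

# Blocklist: AV signatures keyed by name (constructed; only build A known).
SIGNATURES = {"FakeAV.Dropper.A": b"FAKEAV-DROPPER-BUILD-1"}

# Allowlist: hashes of every executable IT has approved.
ALLOWLIST = {hashlib.sha256(GOOD_BINARY).hexdigest()}


@dataclass(frozen=True)
class ExecEvent:
    """One observed execution. image is None when the code ran from memory
    inside an already-running process and no new file was ever written."""
    parent: str                 # process that started the execution
    image: Optional[bytes]      # bytes of the file being executed, or None


def blocklist_hits(image: bytes) -> list:
    """AV-style check: names of the signatures found in the file bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in image]


def allowlisted(image: bytes) -> bool:
    """Whitelisting-style check: is the file's hash one we approved?"""
    return hashlib.sha256(image).hexdigest() in ALLOWLIST


def evaluate(event: ExecEvent) -> dict:
    """Run both controls on one event and report what each could do."""
    if event.image is None:
        # Nothing was written to disk, so a file-centric control has no
        # object to hash or scan. Both controls are blind here.
        return {"av_hit": None, "allowlisted": None, "blocked": False,
                "reason": "in-memory execution: no file for either control"}
    hits = blocklist_hits(event.image)
    ok = allowlisted(event.image)
    if hits:
        reason = "AV signature " + ",".join(hits)
    elif not ok:
        reason = "not on allowlist"
    else:
        reason = "approved"
    return {"av_hit": hits, "allowlisted": ok,
            "blocked": bool(hits) or not ok, "reason": reason}


# Processes that render untrusted content (constructed list). Code running
# in their memory without a backing file is the exploit path the post
# calls out as invisible to whitelisting.
CONTENT_RENDERERS = {"AcroRd32.exe", "iexplore.exe", "firefox.exe"}


def needs_alert(event: ExecEvent) -> bool:
    """Defender's compensating check for the case the allowlist cannot see."""
    return event.image is None and event.parent in CONTENT_RENDERERS


def run_demo() -> list:
    """Evaluate four constructed events; returns (verdict, alert) pairs."""
    events = [
        ExecEvent(parent="explorer.exe", image=GOOD_BINARY),  # approved app
        ExecEvent(parent="iexplore.exe", image=DROPPER_A),    # user clicks it
        ExecEvent(parent="iexplore.exe", image=DROPPER_B),    # morphed copy
        ExecEvent(parent="AcroRd32.exe", image=None),         # shellcode only
    ]
    results = [(evaluate(e), needs_alert(e)) for e in events]
    for e, (verdict, alert) in zip(events, results):
        print(f"{e.parent:13} blocked={str(verdict['blocked']):5} "
              f"alert={str(alert):5} {verdict['reason']}")
    return results


if __name__ == "__main__":
    run_demo()
```

Build B slips past the signature but is still stopped by the allowlist; the in-memory event is stopped by neither, which is why the fourth row only raises an alert.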
RE: Whitelisting Pros Cons?
Would it be better to have a tool that only does whitelisting, or software more like Viewfinity, where you can do both white and black lists, and also elevate permissions for applications that aren't on either list but are needed by a few people, which wouldn't warrant putting them on the whitelist?

>>> Stu Sjouwerman s...@sunbelt-software.com 11/14/2011 2:16 PM >>>
Thanks Micheal. Anyone experience with any of the Whitelisting products in this InfoWorld Review?
http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

Product                                  Scores (weighted 30% / 15% / 25% / 10% / 20%)   Overall   Rating
Bit9 Parity Suite 5.01                   10 / 8 / 9 / 9 / 10                             9.4       EXCELLENT
CoreTrace Bouncer 5                      9 / 9 / 9 / 8 / 9                               8.9       VERY GOOD
Lumension Application Control            8 / 9 / 8 / 9 / 9                               8.5       VERY GOOD
McAfee Application Control 5.0           9 / 9 / 9 / 8 / 8                               8.7       VERY GOOD
SignaCert Enterprise Trust Services 3.0  (scores not quoted)

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Whitelisting is the future IMHO. You can't trust anything anymore. Faith doesn't cut it. You have to protect yourself and your assets, and whitelisting is the best way to do it.

-- Espi

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com wrote:

I'm referring to Whitelisting in the context of security. About 10 years ago, the ratio of good code versus malware was perhaps 90 good, 10 bad. In that scenario, it makes sense to keep the bad code out. But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow good code and implement application control. Only that which is allowed will run. I'd like your feedback - input - discussion on this!

Warm regards,
Stu

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Are you asking about web content filtering, email filtering, or some other type of whitelisting?

--Matt Ross
Ephrata School District

----- Original Message -----
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011 08:14:57 -0800
Subject: Whitelisting Pros Cons?

Guys, I am writing an article for WServerNews, and would like your public input. What is your experience with Whitelisting, which products you tried/use, and what experience you are having with this? Likes and hates are all welcome!!

Warm regards,
Stu

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Whitelisting Pros Cons? - Lumension
Anyone experience with Lumension? This seems to be one of the bigger players. Did some testing with this perhaps?

Warm regards,
Stu

From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Tuesday, November 15, 2011 10:47 AM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros Cons?

> Would it be better to have a tool that only does whitelisting, or a software more like Viewfinity, where you can do both white and black lists, and also elevate permissions for applications that aren't on either list, but are needed by a few people, which wouldn't warrant putting it on the whitelist?
Re: Whitelisting Pros Cons? - Lumension
Can't believe that AppSense AM isn't in there as one of the test subjects. I think the issue is that most people use them for the Environment Manager (EM) feature of the suite, so AppSense are treated more as a competitor in the UEM (User Environment Management) market rather than against other applications that do whitelisting, but the whitelisting product is (IMHO) their strongest. If they were willing to run the rule over AppLocker for that survey, then AM should surely have been included - most people who work with Application Manager brand it as AppLocker on steroids, which is slightly unfair seeing as it can do a lot more feature-wise.

On 15 November 2011 16:07, Stu Sjouwerman s...@sunbelt-software.com wrote:

> Anyone experience with Lumension? This seems to be one of the bigger players. Did some testing with this perhaps?
Re: Whitelisting Pros Cons?
The greater the flexibility of the tool, the fewer tools you need to manage your security. Relying on 1 tool is not wise, but having to manage 12 slightly overlapping tools is its own nightmare. Getting it down to 3 or 4 tools is useful.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Tue, Nov 15, 2011 at 10:46 AM, Joseph Heaton jhea...@dfg.ca.gov wrote:

> Would it be better to have a tool that only does whitelisting, or a software more like Viewfinity, where you can do both white and black lists, and also elevate permissions for applications that aren't on either list, but are needed by a few people, which wouldn't warrant putting it on the whitelist?
Re: Whitelisting Pros Cons?
Clearly these results are flawed if McAfee Anything gets higher than a -3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com wrote:

> Thanks Micheal. Anyone experience with any of the Whitelisting products in this InfoWorld Review?
> http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?
RE: Whitelisting Pros Cons?
Oh, this is an acquisition, that is why it's having such a high score! LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman s...@sunbelt-software.com wrote:

Thanks Micheal. Anyone have experience with any of the Whitelisting products in this InfoWorld Review?
http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

Product                                   Category scores     Overall   Rating      Category weights
Bit9 Parity Suite 5.01                    10   8   9   9  10   9.4      EXCELLENT   30%  15%  25%  10%  20%
CoreTrace Bouncer 5                        9   9   9   8   9   8.9      VERY GOOD   30%  15%  25%  10%  20%
Lumension Application Control              8   9   8   9   9   8.5      VERY GOOD   30%  15%  25%  10%  20%
McAfee Application Control 5.0             9   9   9   8   8   8.7      VERY GOOD   30%  15%  25%  10%  20%
SignaCert Enterprise Trust Services 3.0

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Whitelisting is the future IMHO. You can't trust anything anymore. Faith doesn't cut it. You have to protect yourself and your assets, and whitelisting is the best way to do it.

-- Espi

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman s...@sunbelt-software.com wrote:

I'm referring to Whitelisting in the context of security. About 10 years ago, the ratio Good code versus malware was perhaps 90 good 10 bad. In that scenario, it makes sense to keep the bad code out. But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow good code and implement application control. Only that which is allowed, will run.

I'd like your feedback - input - discussion on this !

Warm regards,
Stu
Re: Whitelisting Pros Cons?
McAfee has done a bit of that in the past couple of years - witness their pickup of the Sidewinder firewall line with the purchase of Secure Computing a couple of years ago, along with WebWasher, SnapGear and IronMail.

Kurt

On Tue, Nov 15, 2011 at 11:09, Stu Sjouwerman s...@sunbelt-software.com wrote:

Oh, this is an acquisition, that is why it's having such a high score! LOL
Re: Would you drop AV for Whitelisting / Application Control?
On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman s...@sunbelt-software.com wrote:

So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio Malware to good code is 80 - 20 (which it is +/- at the moment) why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.

Your view? Input?

Stu

Does it really save budget? I ask this though I'm thoroughly in favor of application whitelisting [1]

The whitelist publisher should
o- Have a comprehensive set of known apps up front
o- Make it easy for an administrator to add apps to the whitelist for some obscure program that's crucial
o- Have a subscription mechanism to update their whitelist frequently
o- Have a way for a subscriber to submit an executable for analysis to be included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of effort expended by the sysadmin, by virtue of the nearly hourly updates they publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent EA with MSFT, I plan to make some time to explore it by setting up Applocker on a test OU and subjecting myself to the pain.
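Kurt's plan of putting AppLocker on a test OU, and his point about the administrator effort of adding the "obscure but crucial" programs, can both be tried out without blocking anything. The PowerShell below is an added example, not code from this thread or from Microsoft's documentation. It assumes a reference machine whose installed software is the users' baseline, a pilot GPO whose LDAP path is a placeholder, and the AppLocker module that ships with Windows 7 / Server 2008 R2 and later. It builds publisher and hash rules from an inventory, forces every rule collection into AuditOnly, checks one program against the policy before anything is linked, and then summarises the 8003 "would have been blocked" events from a pilot client, which is exactly the list of allow rules an administrator still has to write before switching to enforcement.

```powershell
# Added example, not part of the thread. Assumptions: run elevated on a reference
# machine that carries the users' baseline software; the pilot GPO path below is a
# placeholder; the Application Identity service (AppIDSvc) must be running on the
# pilot clients, otherwise AppLocker evaluates nothing and logs nothing.
Import-Module AppLocker

$policyFile = 'C:\Temp\applocker-pilot.xml'
# Placeholder GPO path: Set-AppLockerPolicy -Ldap targets the GPO object, not the OU.
$pilotGpo   = 'LDAP://DC01.example.com/CN={PILOT-GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'

# 1. Inventory what actually runs on the reference machine. Windows itself has to be
#    covered, otherwise the audit log fills with OS binaries instead of real gaps.
$inventory  = @()
$inventory += Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe, Dll
$inventory += Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script, WindowsInstaller

# 2. Publisher rules for signed files (they survive vendor updates), hash rules only
#    where there is no signature. -Optimize merges rules for the same publisher/product.
$policyXml = New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Pilot' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection to AuditOnly so the pilot reports instead of blocks.
$doc = [xml]$policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyFile)

# 4. Check a program known to be crucial against the policy before it goes anywhere.
#    The result shows PolicyDecision (Allowed/Denied) and the matching rule; the path is a placeholder.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Program Files\ObscureVendor\crucial.exe' -User Everyone

# 5. Link the audit-only policy to the pilot OU's GPO.
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $pilotGpo

# 6. On a pilot client, after a few days of normal use: event 8003 is "would have been
#    blocked" under AuditOnly (8004 is the real block under Enforce). Grouping by file
#    path gives the allow rules still missing, one line per program to review.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Step 6 is the part that answers "does it really save budget": every distinct path in that list is an allow rule somebody has to write and maintain, and a pilot that runs in AuditOnly for a few weeks shows how long that list stays non-empty before anyone flips the collections to Enforce.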
RE: Would you drop AV for Whitelisting / Application Control?
Developer's stations... I don't know how you can lock them down...

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: 15 November 2011 14:19
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?

So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio Malware to good code is 80 - 20 (which it is +/- at the moment) why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.

Your view? Input?

Stu
Would you drop AV for Whitelisting / Application Control?
So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio Malware to good code is 80 - 20 (which it is +/- at the moment) why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.

Your view? Input?

Stu

From: Stu Sjouwerman
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros Cons?
RE: Would you drop AV for Whitelisting / Application Control?
Very good feedback Kurt! Anyone else ?

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?
RE: Would you drop AV for Whitelisting / Application Control?
I like the idea for many scenarios; developers would be one where it would be tough, but in the places I manage I bet it would work for 80% of the systems, as a great many fire up just a few apps. For public access machines (library) this is largely what I do anyway, but for more than just malware concerns :-). The catch is developers usually need more speed than the rest, so if you could go without AV on them it would be beneficial from their standpoint - they are historically (in my experience) the hardest to balance between security and performance.

Dave

-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Tuesday, November 15, 2011 11:47 AM
To: NT System Admin Issues
Subject: RE: Would you drop AV for Whitelisting / Application Control?

Very good feedback Kurt! Anyone else ?
RE: Would you drop AV for Whitelisting / Application Control?
Some have taken that stance, but I have also heard the other side, which is that they need to keep AV on workstations and servers due to compliance issues. (Which I don't really take as a valid argument, especially if compensating controls are taking effect.)

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Tuesday, November 15, 2011 2:19 PM
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?

So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio Malware to good code is 80 - 20 (which it is +/- at the moment) why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.

Your view? Input?

Stu
Re: Would you drop AV for Whitelisting / Application Control?
AV is still very useful in perimeter security devices, but its usefulness is deteriorating rapidly. In the past 2 years, various machines on my home network have intercepted malware trying to infect my network, but except for malware-laden email, AV has not been the vehicle that has caught it. On the flip side, I've had lots more false positives with AV (things that it doesn't like, but which I know are there and want to be there, like Metasploit, VNC, etc.).

My detailed viewpoint is: http://home.asbzone.com/ASB/archive/2010/05/10/it-s-time-to-re-evaluate-host-based-security.aspx

I intend to get rid of AV at home (using Vipre, MSE, and Avira on different machines) and fully deploy whitelisting in the next few months. It's my major upgrade project for the winter. OpenDNS is already doing more for me in terms of malware detection and protection than host-based AV.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Nov 15, 2011 at 2:18 PM, Stu Sjouwerman <s...@sunbelt-software.com> wrote:

So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio of malware to good code is 80-20 (which it is, +/-, at the moment), why not drop AV altogether, lock down those workstations, and only allow good code to run? Saves budget.

Your view? Input?

Stu

From: Stu Sjouwerman
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros Cons?

Oh, this is an acquisition, that is why it's having such a high score! LOL

From: Doug Hampshire [mailto:dhampsh...@gmail.com]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman <s...@sunbelt-software.com> wrote:

Thanks Micheal.

Anyone have experience with any of the whitelisting products in this InfoWorld review?
http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?

InfoWorld scores (five weighted criteria at 30% / 15% / 25% / 10% / 20%, then the weighted overall):

  Product                                   Scores            Overall  Rating
  Bit9 Parity Suite 5.01                    10  8  9  9  10   9.4      Excellent
  CoreTrace Bouncer 5                        9  9  9  8   9   8.9      Very Good
  Lumension Application Control              8  9  8  9   9   8.5      Very Good
  McAfee Application Control 5.0             9  9  9  8   8   8.7      Very Good
  SignaCert Enterprise Trust Services 3.0   (scores not captured in the message)

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Whitelisting is the future IMHO. You can't trust anything anymore. Faith doesn't cut it. You have to protect yourself and your assets, and whitelisting is the best way to do it.

-- Espi

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman <s...@sunbelt-software.com> wrote:

I'm referring to whitelisting in the context of security. About 10 years ago, the ratio of good code to malware was perhaps 90 good / 10 bad. In that scenario, it makes sense to keep the bad code out. But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow good code and implement application control. Only that which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,
Stu

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros Cons?

Are you asking about web content filtering, email filtering, or some other type of whitelisting?

--Matt Ross
Ephrata School District

- Original Message -
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 14 Nov 2011 08:14:57 -0800
Subject: Whitelisting Pros Cons?

Guys, I am writing an article for WServerNews, and would like your public input. What is your experience with whitelisting, which products have you tried/used, and what experience are you having with this? Likes and hates are all welcome!!

Warm regards,
Stu
Re: Would you drop AV for Whitelisting / Application Control?
Auditors can be picky here. What you do to get around this is not surprise them. Get them on board early on, and there are no surprises at audit time.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Nov 15, 2011 at 3:09 PM, Ziots, Edward <ezi...@lifespan.org> wrote:

Some have taken that stance, but I have also heard the other side, which is that they need to keep AV on workstations and servers due to compliance issues (which I don't really take as a valid argument, especially if compensating controls are taking effect).

Z

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505
Re: Would you drop AV for Whitelisting / Application Control?
What I did in one environment was isolate the entire developer segment, because they made a stink about the mandatory AV and insisted that they couldn't work if their systems were locked down like everyone else's. We allowed them to have control of their own scanning settings, but firewalled their entire segment from the rest of the network and deep-scanned their traffic. The security posture of the rest of the environment improved greatly, but more than half of the developers needed to have their laptops rebuilt due to constant rootkits. They finally relented when they couldn't win any argument about how unnecessary our approach to security was for them.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Nov 15, 2011 at 2:57 PM, David Lum <david@nwea.org> wrote:

I like the idea for many scenarios. Developers would be one where it would be tough, but in the places I manage I bet it would work for 80% of the systems, as a great many fire up just a few apps. For public access machines (library) this is largely what I do anyway, but for more than just malware concerns :-). The catch is developers usually need more speed than the rest, so if you could go without AV on them it would be beneficial from their standpoint - they are historically (in my experience) the hardest to balance between security and performance.

Dave

-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Tuesday, November 15, 2011 11:47 AM
To: NT System Admin Issues
Subject: RE: Would you drop AV for Whitelisting / Application Control?

Very good feedback Kurt! Anyone else?

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <s...@sunbelt-software.com> wrote:
So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles. If the ratio of malware to good code is 80-20 (which it is, +/-, at the moment), why not drop AV altogether, lock down those workstations, and only allow good code to run? Saves budget. Your view? Input? Stu

Does it really save budget? I ask this though I'm thoroughly in favor of application whitelisting [1].

The whitelist publisher should:
- Have a comprehensive set of known apps up front
- Make it easy for an administrator to add apps to the whitelist for some obscure program that's crucial
- Have a subscription mechanism to update their whitelist frequently
- Have a way for a subscriber to submit an executable for analysis to be included in/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of effort expended by the sysadmin, by virtue of the nearly hourly updates they publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent EA with MSFT, I plan to make some time to explore it by setting up AppLocker on a test OU and subjecting myself to the pain.
Re: Would you drop AV for Whitelisting / Application Control?
Again, depends on your whitelisting solution:

- Does it only depend on filename and size/date info? That can be spoofed. Does it also checksum executables?
- What happens on Patch Tuesday? Are patches/hotfixes even allowed to run?
- What happens to patched software that no longer matches its checksum, especially when the patched software is OS core? Do you brick the machine via whitelist protection?
- How do you manage whitelisting for power users with LOTS of installed software and a legitimate need to install utilities and updates on the fly?

I've found whitelisting to be very good on 'standardized' systems that perform a specific role, but the more a system needs to be customized for the end user, the harder it is to manage security via whitelisting.
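The questions in the message above (filename versus checksum, what Patch Tuesday does to a checksum-based list, whether patched OS core still runs) and Kurt's plan earlier in the thread to trial AppLocker on a test OU come down to how the rules are built. The following is an added example, not code posted by anyone on the list: it uses the in-box AppLocker cmdlets to build a baseline from a clean reference machine with publisher rules first and hash rules only as the fallback, switches the policy to audit mode, and dry-runs it against a renamed decoy binary and against the patched System32 folder before anything is enforced. The lab path C:\AppLockerLab and the decoy path C:\Users\Public\Downloads\notepad.exe are assumptions.

```powershell
# Added example; not from any poster in this thread. Needs the AppLocker
# module (Windows 7 Enterprise / Server 2008 R2 and later), run as an admin
# on a clean, fully patched reference build. C:\AppLockerLab is an assumed path.
Import-Module AppLocker

$lab = 'C:\AppLockerLab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$policyXml = Join-Path $lab 'baseline-audit.xml'

# 1. AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory what the reference build actually runs. Each record carries the
#    file's publisher signature (if signed), SHA-256 hash and path, so the rule
#    generator can pick the strongest rule type available per file.
$files = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path $dir) {
        $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
    }
}

# 3. Build the allowlist. Rule-type order matters:
#    - Publisher: keyed on the signer certificate, product and binary name in
#      the signature, so a signed hotfix from the same vendor still runs after
#      Patch Tuesday. This is what keeps OS core updates from bricking the box.
#    - Hash: fallback for unsigned files. A renamed binary has a different
#      hash, which answers the filename/size spoofing objection, but the rule
#      breaks as soon as that unsigned file is updated; expect to re-baseline.
#    - Path rules are deliberately not generated; they are only as strong as
#      the ACLs on the directory they name.
New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline `
    -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 4. Start in audit mode: each rule collection logs what it *would* block
#    (event 8003 in Microsoft-Windows-AppLocker/EXE and DLL) without blocking.
[xml]$doc = Get-Content -Path $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)

# 5. Dry-run the spoofing question. The decoy path is an assumption: an unlisted
#    binary copied into a user-writable folder under a trusted-looking name.
#    Publisher and hash rules look at signature and contents, not the on-disk
#    name, so the decision comes back DeniedByDefault.
$decoy = 'C:\Users\Public\Downloads\notepad.exe'
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $decoy -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Dry-run the Patch Tuesday question on a box that has since been patched:
#    anything listed here is a file the baseline would now deny. Signed files
#    should not appear; unsigned, hash-ruled files that changed will.
$system32 = Get-ChildItem -Path 'C:\Windows\System32' -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $system32 -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision -AutoSize

# 7. Apply locally to the lab machine, still in audit mode. For the test OU,
#    import the same XML into that OU's GPO instead (Set-AppLockerPolicy -Ldap,
#    or "Import Policy" in the Group Policy editor's AppLocker node).
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 8. After a few days of normal use, this is what users ran that enforcement
#    would have stopped; add rules for the legitimate items before flipping
#    EnforcementMode to 'Enabled'.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Step 6 is the one to rerun after every patch cycle while still in audit mode; if it only ever lists unsigned third-party files, the OS core question is answered by the publisher rules and the remaining maintenance is the handful of hash rules for unsigned software.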
Re: Would you drop AV for Whitelisting / Application Control?
Two workstations: one for standard corporate applications and locked down; the actual development machine should be in a separate subnet that's locked down and has access to only the required network assets, which ideally should also be in that subnet.

Kurt

On Tue, Nov 15, 2011 at 11:36, Bourque Daniel <daniel.bour...@loto-quebec.com> wrote:

Developers' stations... I don't know how you can lock them down...

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: 15 November 2011 14:19
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?
RE: Would you drop AV for Whitelisting / Application Control?
Why get around them? That is the same negative thinking I see all over the place. (I deal with auditors a lot; they aren't to be feared as much as some make them out to be.)

The best thing is to have your ducks in order on why you made the risk-based decisions in the deployment of your security controls, and be able to explain it to the auditors and back it up with an understanding of the compliance issues that you are under.

Sincerely,
EZ

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, November 15, 2011 3:14 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

Auditors can be picky here. What you do to get around this is not surprise them. Get them on board early on, and there are no surprises at audit time.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...
Re: Would you drop AV for Whitelisting / Application Control?
No, not get around *them*. Get around the issue of them being picky about certain technologies. You get them on board with the approach being taken -- not at audit time, but well before. By working with them in advance, everyone is happy(ier).

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Nov 15, 2011 at 3:57 PM, Ziots, Edward <ezi...@lifespan.org> wrote:

Why get around them? That is the same negative thinking I see all over the place. (I deal with auditors a lot; they aren't to be feared as much as some make them out to be.)

The best thing is to have your ducks in order on why you made the *risk-based* decisions in the deployment of your security controls, and be able to explain it to the auditors and back it up with an understanding of the compliance issues that you are under.

Sincerely,
EZ

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505
RE: Would you drop AV for Whitelisting / Application Control?
It's not a question of whitelist or AV (blacklist). Both are necessary. Whitelisting is very effective at controlling what exe, dll, com, etc. are allowed to run. But malware can also exist as malformed data files such as pdf, jpeg, mp3. For these, blacklisting is needed, since it's extremely impractical to whitelist every data file you'd like to open.

The analogy I like is home access. It's pretty impractical to maintain a list of criminals that you won't allow into your house. It's much easier to keep a mental list of friends and family who are welcome to come in. In that sense, you're whitelisting access to your house. But even though Uncle Louie may be on the whitelist, if he comes over drunk one night and starts swinging a bat at my wife, I'm not gonna let him stick around just because he's been whitelisted. My failsafe blacklist of unacceptable behavior is going to dictate that I kick him out.

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Tuesday, November 15, 2011 1:19 PM
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?
Re: Would you drop AV for Whitelisting / Application Control?
Just as virtually all primarily blacklist-focused solutions provide some options for whitelisting, and other options for malware detection beyond signatures, so too do most whitelist-focused solutions offer ways of restricting application access beyond their primary approach.

I think what most people are saying is whitelist tools and technologies are the best way to deal with host-based malware going forward, and what you appear to be hearing is *a whitelist* is the only way to deal with host-based malware going forward. Subtle difference.

Also, to take your analogy a little further, the reason we're having this discussion is that most AV products don't actually identify behavior -- they simply track physical malware characteristics. This is why zero day vulnerabilities get by them. Unless Uncle Louie had a rap sheet before he got to your house, he'd actually manage to do some damage before the police blotter report was updated.

And, given that the list of strangers showing up to do dumb things still outnumbers the list of not-already-banned family members who would do dumb things, my view of the relative uselessness of most AV products today still stands.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Nov 15, 2011 at 6:38 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
Whitelisting Pros Cons?
Guys, I am writing an article for WServerNews, and would like your public input. What is your experience with Whitelisting, which products you tried/use, and what experience you are having with this? Likes and hates are all welcome!!

Warm regards,
Stu
Re: Whitelisting Pros Cons?
Are you asking about web content filtering, email filtering, or some other type of whitelisting?

--Matt Ross
Ephrata School District
RE: Whitelisting Pros Cons?
I can comment offline for you Stu... feel free to email me accordingly.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505
Re: Whitelisting Pros Cons?
I swear by AppSense Application Manager, great product, extremely granular, does a lot more than just whitelisting. It does device control for licensing (MS allow AM to manage licenses on Terminal Servers for the likes of Project and Visio, rather than buying thousands of licenses even though fifty users only need it). It can also control user rights policies, control panel applets, it can elevate users (or de-elevate them) from groups without logging off, produce reports, and a vast lot more besides.

AppLocker isn't anywhere in the same league, but it's free and a good improvement on the old Software Restriction Policies. But as far as I am concerned, AppSense is the leader in this field. AM renders AV almost redundant when set up properly.

It isn't really whitelisting - it's greylisting. Anything installed by an admin onto the local drive can automatically execute. But anything a user drops on a local drive can't execute. It does this by maintaining a list of Trusted Owners. On the other hand, everything on network drives is untrusted by default and has to be allowed to run. You can base the trigger value around a vast array of configurable options, not just user or group.

It can be a bit pricey for some, but especially when you see what else you get (Environment Management and Performance Management, both good products) in your licenses, I wouldn't do without it. YMMV, etc.

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

IMPORTANT INFORMATION/DISCLAIMER

This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress..

The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.

In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.

We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT!

The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea.
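The trusted-owner rule described in the post above (anything an admin installed on the local drive runs, anything a user dropped there does not) keys on the NTFS owner of the file, and you can see what such a policy would and would not allow with nothing but built-in cmdlets. The script below is an added example written for this page, not AppSense's code or anything posted in the thread; the trusted-owner list, the scan roots and the extension set are constructed assumptions to adjust per environment. It walks user-writable locations and reports executables whose owner is not in the trusted set, which is exactly the population a trusted-owner policy would refuse to execute:

```powershell
# Added example (not AppSense's or any vendor's code): approximate a
# "trusted owner" greylisting check with Get-Acl.
# ASSUMPTION: this owner set is a constructed sample. Installers run
# elevated leave files owned by BUILTIN\Administrators; Windows
# components are owned by TrustedInstaller. Extend for your packaging
# accounts (e.g. an SCCM/MDT service account).
$TrustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# ASSUMPTION: user-writable roots a standard user can drop files into.
$ScanRoots  = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")
$Extensions = @('.exe', '.dll', '.com', '.scr')

function Test-TrustedOwner {
    # Returns one record per file: path, NTFS owner, and whether that
    # owner is on the trusted list.
    param([Parameter(Mandatory)][string]$Path)
    $owner = (Get-Acl -LiteralPath $Path).Owner
    [pscustomobject]@{
        Path    = $Path
        Owner   = $owner
        Trusted = ($TrustedOwners -contains $owner)
    }
}

$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Test-TrustedOwner -Path $_.FullName }
}

# Executables owned by someone outside the trusted set are the ones a
# trusted-owner policy would block; list them grouped by owner for review.
$findings |
    Where-Object { -not $_.Trusted } |
    Sort-Object Owner, Path |
    Format-Table Owner, Path -AutoSize
```

Run it as the user whose profile you want to assess (Get-Acl needs read access to the files). Two caveats the output makes visible: per-user installers such as self-updating browsers and chat clients legitimately leave admin-free executables in LOCALAPPDATA, so a trusted-owner policy needs explicit allow rules for those, and the check says nothing about the file's content, only who wrote it, which is why the post calls it greylisting rather than whitelisting.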
RE: Whitelisting Pros Cons?
I'm referring to Whitelisting in the context of security. About 10 years ago, the ratio of good code versus malware was perhaps 90 good, 10 bad. In that scenario, it makes sense to keep the bad code out. But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow good code and implement application control. Only that which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,
Stu
RE: Whitelisting Pros Cons?
I am a huge fan of this tactic and I suspect the day will come when we seriously consider doing it for email and web surfing also.

We were a full Cisco CAS shop here, districtwide 3000 desktops. It was wonderful. Ran it in audit mode for a few months, created the rules and whitelists and put it in deny mode. Very smooth and worked wonderfully. It stopped a tremendous amount of malware that does not require admin rights...that hits the users' profile folders. I cried when they discontinued it.

I think anything that is going to work and be manageable has to be modeled after how Cisco did it. It was extremely detailed and granular yet still easy to configure. You could allow a process to hit a certain registry key when only run by a certain user on Tuesdays IF they had on blue underwear. It was that granular.
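The rollout Jim describes (run in audit mode, build the rules from what you observe, then flip to deny) maps directly onto Windows AppLocker, which the thread mentions elsewhere as the free option. The script below is an added example written for this page, not Cisco's or the poster's configuration; the policy path, the domain user and the test binary path are placeholders, and it assumes an elevated session on a clean reference machine with the Application Identity service (AppIDSvc) running, since AppLocker evaluates nothing without it. It goes beyond the post's single case by also showing how to read the audit-mode events that tell you what enforcement would have blocked:

```powershell
# Added example (not the poster's or Cisco's configuration): AppLocker
# audit-first rollout with the built-in AppLocker cmdlets.
# ASSUMPTION: run elevated on a reference machine; paths below are placeholders.
$PolicyXml = 'C:\AppLocker\applocker-policy.xml'   # placeholder path

# 1. Inventory the software a clean build actually contains. Publisher
#    information comes from Authenticode signatures; unsigned files
#    only yield a hash.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse
}

# 2. Generate allow rules for Everyone. Publisher rules survive vendor
#    updates; hash rules are the fallback for unsigned binaries.
#    -Optimize collapses files from the same publisher into one rule.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start every rule collection in AuditOnly so nothing is blocked yet;
#    the generated policy leaves EnforcementMode as NotConfigured.
[xml]$doc = $xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($PolicyXml)

# 4. Apply locally (use -Ldap with a GPO path to deploy domain-wide).
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 5. During the audit period, event 8003 in the EXE and DLL log records
#    every execution that WOULD have been blocked under enforcement.
#    Group by path to find the gaps in the rule set.
function Get-AppLockerWouldBlock {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-AppLockerWouldBlock | Format-Table -AutoSize

# 6. Before flipping the switch, check a specific binary for a specific
#    user against the policy file without touching the live policy.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path 'C:\Tools\helper.exe' -User 'CONTOSO\jdoe'   # placeholders

# 7. Once the would-block list is clean, enforce. Anything without a
#    matching allow rule is now denied by default.
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
$doc.Save($PolicyXml)
Set-AppLockerPolicy -XmlPolicy $PolicyXml
```

Two practical notes. The DLL collection is the expensive one to enforce and the most likely to break line-of-business software, so it is common to leave it in AuditOnly well after the Exe collection goes to Enabled. And because the reference build is scanned as-is, step 1 also captures anything already sitting in Program Files that should not be there; review the generated rules before applying them rather than trusting the inventory blindly.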
RE: Whitelisting Pros Cons?
Personally, I found the underwear sensor uncomfortable.
RE: Whitelisting Pros Cons?
That's not where you're supposed to put the antenna.
RE: Whitelisting Pros Cons?
I've used Cisco's CSA. It's a little fiddly to get set up at first, but after that - no problems and it does a great job.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
WAS: Whitelisting Pros Cons? - Application Control - Pros Cons
OK, so I'm clarifying the subject. Whitelisting is also called Application Control. See it as an additional security layer that allows you to just ALLOW a limited amount of approved applications. It's the ultimate lockdown. Also, you could switch off your antivirus Real Time protection and only use it for removal. Anyone use this in their domain? Experience with this??

Warm regards,
Stu
Re: WAS: Whitelisting Pros Cons? - Application Control - Pros Cons
Turned off AV realtime in my last job because it was serving no purpose. AppSense AM caught huge amounts of malware before it even could execute. Trend was literally doing nothing. However, we had to crank up the monitoring through SCOM to ensure the AM service never went down.

Sent from my SR-71 Blackbird

-----Original Message-----
From: Stu Sjouwerman s...@sunbelt-software.com
Date: Mon, 14 Nov 2011 14:22:52
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: WAS: Whitelisting Pros Cons? - Application Control - Pros Cons
Re: WAS: Whitelisting Pros Cons? - Application Control - Pros Cons
AppSense AM also blocks nastiness in URLs and some executable elements of web pages, PDFs, office documents and much more besides. Watching it operate in the Audit Only mode truly opens your eyes to the tons of executable content users are running every day.

Sent from my SR-71 Blackbird

-----Original Message-----
From: Stu Sjouwerman s...@sunbelt-software.com
Date: Mon, 14 Nov 2011 14:22:52
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: WAS: Whitelisting Pros Cons? - Application Control - Pros Cons
RE: Whitelisting Pros Cons?
Too bad it's retired now... CSA was definitely good when it was set up, but the amount of rules you needed to write to allow crap software to run basically turns a lot of HIPS into swiss cheese after a while. (But it also shows you how bad code is written)

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, November 14, 2011 2:19 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros Cons?

I've used Cisco's CSA. It's a little fiddly to get set up at first, but after that - no problems and it does a great job.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Stu Sjouwerman [mailto:s...@sunbelt-software.com]
Sent: Monday, November 14, 2011 11:15 AM
To: NT System Admin Issues
Subject: Whitelisting Pros Cons?