Re: Life just keeps getting better....

2010-05-12 Thread Andrew S. Baker
thing can > simply be subverted or replaced. > > Cheers > Ken > > -Original Message- > From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] > Sent: Tuesday, 11 May 2010 11:58 PM > To: NT System Admin Issues > Subject: RE: Life just keeps getting better

RE: Life just keeps getting better....

2010-05-12 Thread Ken Schaefer
May 2010 11:58 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better In the context of simple whitelisting systems I agree, but in the case of something like CSA unless your fake Notepad has specific permissions to modify svchost (for example) it will get denied. By

Re: Life just keeps getting better....

2010-05-11 Thread Ben Scott
On Tue, May 11, 2010 at 1:31 PM, Kennedy, Jim wrote: > Let's not ignore the first Conficker infection while we wait for the next. > CSA was the only thing that stopped it dead from day zero. I would disagree with "only". Conficker attacked MS08-067 autorun, and open/weak-password network sha

Re: RE: Life just keeps getting better....

2010-05-11 Thread Kurt Buff
very important part of the >> > security >> > strategy.  Just wait until your next Conficker infection... >> > >> > >> > Alex >> > >> > >> > -Original Message- >> > From: Kennedy, Jim [mailto:kennedy...@elyrias

Re: RE: Life just keeps getting better....

2010-05-11 Thread Andrew S. Baker
icker infection... > > > > > > Alex > > > > > > -Original Message- > > From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] > > > > Sent: Tuesday, May 11, 2010 10:57 AM > > To: NT System Admin Issues > > > > Sub

Re: Life just keeps getting better....

2010-05-11 Thread Andrew S. Baker
Ben, I agree with the position that Sophos has taken. Although your point about them being a not-quite-disinterested party is well noted, the fact that they believe that they personally aren't impacted, doesn't mean that they had to give their competitors a pass. It's not like they took they hi

Re: Life just keeps getting better....

2010-05-11 Thread Andrew S. Baker
heers > Ken > > -Original Message- > From: Ziots, Edward [mailto:ezi...@lifespan.org] > Sent: Tuesday, 11 May 2010 11:13 PM > To: NT System Admin Issues > Subject: RE: Life just keeps getting better > > Ken, > > Personal experience with dealing with r00ted

Re: RE: Life just keeps getting better....

2010-05-11 Thread Kurt Buff
; -Original Message- > From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] > > Sent: Tuesday, May 11, 2010 10:57 AM > To: NT System Admin Issues > > Subject: RE: Life just keeps getting better > > > Just to amplify 6.0 is also discontinued. This las... >

RE: Life just keeps getting better....

2010-05-11 Thread Rod Trent
System Admin Issues Subject: RE: Life just keeps getting better We have to keep in mind that whitelisting/blacklisting is just another layer; another tool in our arsenal. I don't think anyone is suggesting that AV go away altogether, simply suggesting not relying on it completely.

RE: Life just keeps getting better....

2010-05-11 Thread Joseph Heaton
y +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, May 11, 2010 9:11 AM To: NT System Admin Issues Subject: Re: Life just keeps getting better On Mon, May 10, 2010 at

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
to:kennedy...@elyriaschools.org] Sent: Tuesday, May 11, 2010 1:31 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better Let's not ignore the first Conficker infection while we wait for the next. CSA was the only thing that stopped it dead from day zero. Not a single CSA customer

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
Ken, If you have a rootkit, GAME OVER PERIOD, we both accept that. NO control discussed is going to save you from that. Malware/Malcode, basically same thing, you say tomato, I say tomato. We both agree on if the box is rooted then it doesn't matter what you have in controls, they are all byp

RE: Life just keeps getting better....

2010-05-11 Thread Kennedy, Jim
days, and were many hours behind every variant that came out. -Original Message- From: Alex Eckelberry [mailto:al...@sunbelt-software.com] Sent: Tuesday, May 11, 2010 1:19 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better Just wait until your next Conficker infe

Re: RE: Life just keeps getting better....

2010-05-11 Thread Andrew S. Baker
2010 10:57 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Just to amplify 6.0 is also discontinued. This las... Sent: Tuesday, May 11, 2010 10:50 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Too bad Cisco royally screwed up C

Re: Life just keeps getting better....

2010-05-11 Thread John Cook
Mr Ziots is right as well. - Original Message - From: Alex Eckelberry To: NT System Admin Issues Sent: Tue May 11 13:19:28 2010 Subject: RE: Life just keeps getting better >But Mr. Ziots is right, AV is pointless. It is a signature race and >you will lose that race soo

RE: Life just keeps getting better....

2010-05-11 Thread Alex Eckelberry
nt part of the security strategy. Just wait until your next Conficker infection... Alex -Original Message- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Tuesday, May 11, 2010 10:57 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Just

Re: Life just keeps getting better....

2010-05-11 Thread Kurt Buff
plemented correctly, but >> alas it is gone now. Trends new one is looking pretty good. >> >> >> -Original Message- >> From: Ziots, Edward [mailto:ezi...@lifespan.org] >> Sent: Tuesday, May 11, 2010 10:50 AM >> To: NT System Admin Issues >>

Re: Life just keeps getting better....

2010-05-11 Thread Kurt Buff
+1 75000 new pieces of malware *DAILY* - and that will probably only increase, never decrease, because the automation for morphing malware will only get better. LUA + base installs + whitelisting is the only reasonable stance I can see. Layer in other protections as necessary, including HIPS, etc

RE: Life just keeps getting better....

2010-05-11 Thread Kennedy, Jim
c.com] Sent: Tuesday, May 11, 2010 11:29 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report

RE: Life just keeps getting better....

2010-05-11 Thread Ken Schaefer
meone *please* explain how whitelisting is going to help? Cheers Ken -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Tuesday, 11 May 2010 11:19 PM To: NT System Admin Issues Subject: Re: Life just keeps getting better Why take it offline? If you have some

RE: Life just keeps getting better....

2010-05-11 Thread Ken Schaefer
t: Tuesday, 11 May 2010 11:13 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better Ken, Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about

Re: Life just keeps getting better....

2010-05-11 Thread Peter van Houten
k Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -Original Message- From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, May 11, 2010 11:01 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better -Original Message- From: Ziots, Edward [

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
urity +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -Original Message- From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, May 11, 2010 11:01 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better -Ori

Re: Life just keeps getting better....

2010-05-11 Thread Erik Goldoff
s was the best there ever was > at doing this. Virtually bullet proof if implemented correctly, but alas it > is gone now. Trends new one is looking pretty good. > > > -Original Message- > From: Ziots, Edward [mailto:ezi...@lifespan.org] > Sent: Tuesday, May 11, 2010 10

Re: Life just keeps getting better....

2010-05-11 Thread Ben Scott
On Tue, May 11, 2010 at 10:44 AM, Ken Schaefer wrote: [re: vulnerabilities in AV software, especially > How is whitelisting or blacklisting going to help? Answer: it's not. Whitelisting is not directly going to address the problem of vulnerabilities in anti-virus software. But I agree with the

RE: Life just keeps getting better....

2010-05-11 Thread Ken Schaefer
-Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Subject: RE: Life just keeps getting better > On Access, most of the rootkits on the systems have hidden themselves from > AV, > therefore rendering its "On Access" detection useless. How does

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
-639-3505 ezi...@lifespan.org -Original Message- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Tuesday, May 11, 2010 10:57 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Just to amplify 6.0 is also discontinued. This last release a few weeks

RE: Life just keeps getting better....

2010-05-11 Thread Kennedy, Jim
r was at doing this. Virtually bullet proof if implemented correctly, but alas it is gone now. Trends new one is looking pretty good. -Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Tuesday, May 11, 2010 10:50 AM To: NT System Admin Issues Subject: RE: Life just

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
10:44 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better How is whitelisting or blacklisting going to help? Answer: it's not. The problem is thread pre-emption and storing values in user-mode memory space where it can be altered (assuming you can get the timing right).
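The "thread pre-emption and values stored in user-mode memory" problem described in the quoted message is a double-fetch race: a hook validates a buffer the caller owns, then forwards a pointer to that same buffer, and a second thread rewrites it in between. The C program below is an added illustration written for this page, not code from the thread, matousec's paper, or any vendor's product. The struct, the "policy", the svchost.exe path and the preempt callback are all assumptions; the callback is a deterministic stand-in for the attacker's second thread winning the race, so the example runs without real threads and without a kernel.

```c
/* Added example (not from the original thread): argument-switch / double-fetch
 * race against a hook that validates user-mode arguments in place, next to a
 * hardened hook that copies the arguments once and never re-reads user memory.
 * All names, paths and the policy below are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Arguments of a hypothetical "open" call, living in caller (user-mode) memory. */
struct open_args {
    char path[PATH_MAX_LEN];
};

/* Assumed protected target, standing in for the "svchost" example in the thread. */
static const char *PROTECTED = "C:\\Windows\\System32\\svchost.exe";

/* Stand-in for the attacker's second thread: it runs after the check and before
 * the use, i.e. the interleaving the attacker must hit by timing. */
typedef void (*preempt_fn)(struct open_args *user_args);

typedef int (*open_hook)(struct open_args *user_args, preempt_fn preempt,
                         char *opened, size_t n);

/* Assumed policy: anything except the protected file may be opened. */
static bool policy_allows(const char *path) {
    return strcmp(path, PROTECTED) != 0;
}

/* The original routine the hook forwards to; records which path it opened. */
static void real_open(const char *path, char *opened, size_t n) {
    snprintf(opened, n, "%s", path);
}

/* Vulnerable hook: check reads user memory, forwarding reads it again. */
int hooked_open_vulnerable(struct open_args *user_args, preempt_fn preempt,
                           char *opened, size_t n) {
    if (!policy_allows(user_args->path))
        return -1;                              /* first fetch: benign, allowed */
    if (preempt)
        preempt(user_args);                     /* attacker thread rewrites the buffer */
    real_open(user_args->path, opened, n);      /* second fetch: now the protected path */
    return 0;
}

/* Hardened hook: one fetch into memory the caller cannot touch, then check and
 * use only that copy (a real driver would probe the user pointer before copying). */
int hooked_open_hardened(struct open_args *user_args, preempt_fn preempt,
                         char *opened, size_t n) {
    struct open_args kargs;
    memcpy(&kargs, user_args, sizeof kargs);
    kargs.path[PATH_MAX_LEN - 1] = '\0';        /* never trust the copied string to be terminated */
    if (!policy_allows(kargs.path))
        return -1;
    if (preempt)
        preempt(user_args);                     /* attacker may still write user memory... */
    real_open(kargs.path, opened, n);           /* ...but it is never read again */
    return 0;
}

/* Attacker's second thread: swap the benign argument for the protected one. */
static void swap_argument(struct open_args *user_args) {
    snprintf(user_args->path, sizeof user_args->path, "%s", PROTECTED);
}

/* Runs the race against a hook. Returns true when the protected file ended up
 * being opened despite the policy check having passed. */
bool protected_file_was_opened(open_hook hook) {
    struct open_args user_args;
    char opened[PATH_MAX_LEN] = {0};
    snprintf(user_args.path, sizeof user_args.path, "C:\\Temp\\benign.txt");
    if (hook(&user_args, swap_argument, opened, sizeof opened) != 0)
        return false;                           /* denied outright */
    return strcmp(opened, PROTECTED) == 0;
}

/* A direct request for the protected file, no race: both hooks must deny it. */
int direct_request_result(open_hook hook) {
    struct open_args user_args;
    char opened[PATH_MAX_LEN] = {0};
    snprintf(user_args.path, sizeof user_args.path, "%s", PROTECTED);
    return hook(&user_args, NULL, opened, sizeof opened);
}

int main(void) {
    printf("vulnerable hook, raced: protected file opened = %s\n",
           protected_file_was_opened(hooked_open_vulnerable) ? "yes" : "no");
    printf("hardened hook,   raced: protected file opened = %s\n",
           protected_file_was_opened(hooked_open_hardened) ? "yes" : "no");
    printf("direct request denied by both: %s\n",
           (direct_request_result(hooked_open_vulnerable) == -1 &&
            direct_request_result(hooked_open_hardened) == -1) ? "yes" : "no");
    return 0;
}
```

The point the example makes is the one Ken's message makes in prose: neither a whitelist nor a blacklist decision helps if the data the decision was made on can change before it is acted on. The fix is not a better list but a single fetch into memory the caller cannot reach, with the check and the use both performed on that copy.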

RE: Life just keeps getting better....

2010-05-11 Thread Ken Schaefer
ot; Cheers Ken -Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Tuesday, 11 May 2010 9:16 PM To: NT System Admin Issues Subject: RE: Life just keeps getting better You can also read the blurb on San's ISC page also, some vendors say its important,

RE: RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
: Tuesday, May 11, 2010 10:10 AM To: NT System Admin Issues Subject: Re: RE: Life just keeps getting better Just as IPS products are maturing to the point that signatures are only a small part of the arsenal, so AV will have to mature. The players that de-emphasize signatures for blacklisting

Re: RE: Life just keeps getting better....

2010-05-11 Thread Andrew S. Baker
k +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, May 11, 20... Subject: Re: Life just keeps getting better On Mon, May 10, 2010 at 12:40 AM, Kurt Buff http://www.sunbeltsoftwa

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
+,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org -Original Message- From: Maglinger, Paul [mailto:pmaglin...@scvl.com] Sent: Tuesday, May 11, 2010 9:19 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better Right now I'

RE: Life just keeps getting better....

2010-05-11 Thread Maglinger, Paul
Right now I'm still not too keen on McAfee's credibility... -Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Tuesday, May 11, 2010 8:16 AM To: NT System Admin Issues Subject: RE: Life just keeps getting better You can also read the blurb on San's

RE: Life just keeps getting better....

2010-05-11 Thread Ziots, Edward
5 ezi...@lifespan.org -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, May 11, 2010 9:11 AM To: NT System Admin Issues Subject: Re: Life just keeps getting better On Mon, May 10, 2010 at 12:40 AM, Kurt Buff wrote: > How to bypass almost all AV software

Re: Life just keeps getting better....

2010-05-11 Thread Ben Scott
On Mon, May 10, 2010 at 12:40 AM, Kurt Buff wrote: > How to bypass almost all AV software > > http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php Sophos's response: http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

RE: Life just keeps getting better....

2010-05-09 Thread Ken Schaefer
Overblown IMHO - the example is talking about loading bad kernel code - you need to be an admin to do that - on x64 systems the bad driver would have to be signed - the AV system should have picked up the bad code being placed onto the system prior to anyone executing it - I don't see how this b