I found that redirecting Outlook's secure temp folder helped me a lot with stopping the web-based/email attachment vector. AppSense doesn't let executable content from network drives run, so if the temp folder is pushed out onto the network it can't run.
Rather strangely, if you alter the temp folder location away from %userprofile%, Windows tries to change it straight back, so I had to use an agent to keep the relevant Registry key where I wanted it. Although with my technical ability (or lack thereof, rather) there is probably an easy way to do it I have missed.

2009/1/29 Kurt Buff <[email protected]>

> Somewhat agree.
>
> Whitelisting apps will definitely help a lot, but the process is tedious, if done well:
> o- build a clean install from known media
> o- use the output of dir /s /b and use md5sum to build a database of known files
> o- use magic app to use database of md5 hashes to whitelist apps
> o- install new software, redo steps above
>
> However, that still won't help against malicious data, like crafted Word/Excel docs, mp3s, whatever (sure, open that web-based file, so that I can pwn your browser and OS!)
>
> Now, whitelisting apps *and* whitelisting web sites - that would be truly useful, though it still doesn't protect against malicious email attachments.
>
> Kurt
>
> On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith <[email protected]> wrote:
> > I think WhiteListing is "the future of A/V".
> >
> > There is simply too much to guard AGAINST now.
> >
> > (I say "the future" because I still think whitelists are too hard to build. IMO. YMMV.)
> >
> > Regards,
> >
> > Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
> > My blog: http://TheEssentialExchange.com/blogs/michael
> > I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
> >
> > From: James Rankin [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 4:32 PM
> > To: Active Directory Admin Issues
> > Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
> >
> > I am always wondering these days if AV is strictly necessary. AppSense won't execute anything that isn't whitelisted and/or isn't owned by an Administrator, and neither can network drives run executable content by default. Coupled with WebSense, the use of mandatory profiles and a pretty rapid patching strategy, I am left wondering how much mitigation AV actually gives us on top. It certainly has only caught about three virii recently (and guess what? They were on my boss's workstation, which means all the products I mentioned above, he has removed himself from).
> >
> > 2009/1/29 Jake Gardner <[email protected]>
> >
> > I'm a little past halfway through the company-wide removal of Symantec and installing AVG. Yippie!!
> >
> > I love when the end users always ask me about why I don't like Symantec, or they tell me how happy they are with McAfee. Ugh. I ask them if they've had viruses or malware and they ALWAYS answer yes.
> >
> > Thanks,
> >
> > Jake Gardner
> > TTC Network Administrator
> > Ext. 246
> >
> > ________________________________
> > From: James Rankin [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 4:19 PM
> > To: Active Directory Admin Issues
> > Subject: Re: Tips 'n' Tricks
> >
> > Hey guys, you're preaching to the choir here. My boss bought it, and he likes to take down Exchange servers in the middle of the morning just to fix some cosmetic issue. I hate Symantec with a passion that appears to be quite common.
> >
> > 2009/1/29 Ziots, Edward <[email protected]>
> >
> > Symantec Sucks.. Period..
> >
> > Z
> >
> > Edward E. Ziots
> > Network Engineer
> > Lifespan Organization
> > Email: [email protected]
> > Phone: 401-639-3505
> > MCSE, MCP+I, ME, CCA, Security +, Network +
> >
> > ________________________________
> > From: Jake Gardner [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 4:15 PM
> > To: Active Directory Admin Issues
> > Subject: RE: Tips 'n' Tricks
> >
> > Call Symantec support right away and ask for their cleanwipe tool. That will solve ALL of your Symantec problems forever.
> >
> > ;)
> >
> > Thanks,
> >
> > Jake Gardner
> > TTC Network Administrator
> > Ext. 246
> >
> > ________________________________
> > From: Tim Vander Kooi [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 4:14 PM
> > To: Active Directory Admin Issues
> > Subject: RE: Tips 'n' Tricks
> >
> > As long as Symantec is on the network there should always be something to have to fix. ;-)
> >
> > From: James Rankin [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 3:11 PM
> > To: Active Directory Admin Issues
> > Subject: Re: Tips 'n' Tricks
> >
> > Oh how I long to be back in a big environment...the heady days of when the backbone security team "leased" admin access to support teams for specific tasks and timeframes...when you couldn't get a service account with any more access than it absolutely needed...when patches were tested at four different levels before arriving in production :-)
> >
> > Now there's just me, WebSense, AppSense and Symantec Antivirus between the infrastructure and anarchy.
> >
> > Enuff reminiscing.....back to fixing stuff
> >
> > 2009/1/29 Ziots, Edward <[email protected]>
> >
> > I hear you, can't tolerate that stuff here. Of course, scheduling of 700 servers to be patched across a 2 week timeline with a lockout on changes from 7am-5pm imposed by executive management doesn't make for happy campers…
> >
> > Z
> >
> > Edward E. Ziots
> > Network Engineer
> > Lifespan Organization
> > Email: [email protected]
> > Phone: 401-639-3505
> > MCSE, MCP+I, ME, CCA, Security +, Network +
> >
> > ________________________________
> > From: James Rankin [mailto:[email protected]]
> > Sent: Thursday, January 29, 2009 4:03 PM
> > To: Active Directory Admin Issues
> > Subject: Re: Tips 'n' Tricks
> >
> > ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
> >
> > ***Teletronics Technology Corporation***
> > This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies.
> >
> > Thank you.
> >
> > *******************************************************************

~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
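Kurt Buff's four steps above (clean install, hash every file, feed the hashes to the whitelisting agent, re-hash after installing new software) are the part of the thread that is actually a procedure, so here is an added example of it in Python. It is not code from any of the posters, from AppSense, or from the "magic app" Kurt refers to; it assumes only that the enforcement agent accepts a set of digests. It uses SHA-256 where the post says md5sum, because MD5 collisions let an attacker ship two executables with one digest and the whitelist would bless both. The directory layout, file contents and extension list are constructed for the demonstration; note that documents are reported as "not_covered", which is exactly the gap Kurt points out.

```python
"""Hash-based application whitelist, built the way the thread describes:
hash every executable on a clean install, keep the hashes as the whitelist,
re-hash after installing new software, and audit live machines against it.
Added example; not code from any poster or vendor named in the thread."""
import hashlib
import os
import tempfile

# Extensions Windows will load or execute directly.  Data formats (docx,
# xlsx, mp3, ...) are deliberately absent: a whitelist of executables says
# nothing about crafted documents.  Constructed list for the example.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".com",
                   ".msi", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def file_hash(path, algorithm="sha256"):
    """Digest a file in chunks.  SHA-256 rather than MD5: MD5 collisions let
    an attacker build two executables with one digest, and the whitelist
    would bless both."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Equivalent of 'dir /s /b': yield (normalised relative path, absolute path)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            yield rel, full


def build_baseline(root, exts=EXECUTABLE_EXTS):
    """Step 2: map each executable's relative path to its digest."""
    return {rel: file_hash(full) for rel, full in _walk(root)
            if os.path.splitext(rel)[1] in exts}


def extend_baseline(baseline, root, exts=EXECUTABLE_EXTS):
    """Step 4: after installing new software on the reference box, fold the
    new executables in.  Returns how many paths were added or changed."""
    before = dict(baseline)
    baseline.update(build_baseline(root, exts))
    return sum(1 for k, v in baseline.items() if before.get(k) != v)


def audit(root, baseline, exts=EXECUTABLE_EXTS):
    """Step 3, as the enforcement agent would see it: an executable is
    allowed if its digest is in the whitelist, wherever it sits on disk.
    Anything else is blocked; 'modified' singles out a known path whose
    bytes changed, which is an incident, not a reason to retrain."""
    known = set(baseline.values())
    verdicts = {"allowed": [], "modified": [], "unknown": [], "not_covered": []}
    for rel, full in sorted(_walk(root)):
        if os.path.splitext(rel)[1] not in exts:
            verdicts["not_covered"].append(rel)
            continue
        digest = file_hash(full)
        if digest in known:
            verdicts["allowed"].append(rel)
        elif rel in baseline:
            verdicts["modified"].append(rel)
        else:
            verdicts["unknown"].append(rel)
    return verdicts


def _write(root, rel, data):
    """Create a constructed sample file below root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a clean reference install, a vendor tool folded
    in, then a live machine with one patched system binary, one relocated
    but unmodified DLL, one dropped executable and one document."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        live = os.path.join(tmp, "live")
        _write(clean, "Windows/System32/notepad.exe", b"MZ notepad 6.0")
        _write(clean, "Windows/System32/kernel32.dll", b"MZ kernel32 6.0")
        baseline = build_baseline(clean)
        _write(clean, "Program Files/Tool/tool.exe", b"MZ vendor tool 1.0")
        extend_baseline(baseline, clean)
        _write(live, "Windows/System32/notepad.exe", b"MZ notepad 6.0 + injected stub")
        _write(live, "Windows/System32/kernel32.dll", b"MZ kernel32 6.0")
        _write(live, "Program Files/Tool/tool.exe", b"MZ vendor tool 1.0")
        _write(live, "Users/jsmith/Temp/kernel32.dll", b"MZ kernel32 6.0")
        _write(live, "Users/jsmith/Temp/invoice.exe", b"MZ dropper")
        _write(live, "Users/jsmith/Temp/invoice.docx", b"PK crafted document")
        return audit(live, baseline)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(verdict, paths)
```

The baseline is keyed by path only so that a tampered system binary can be told apart from a never-seen dropper; the allow decision itself is purely by digest, which is why the copy of kernel32.dll in the user's Temp folder passes while the dropper beside it does not. A real deployment would hash a far larger extension set (or everything) and export `set(baseline.values())` to whatever agent enforces the list.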
