Honestly, 

I posed this question at a security conference I attended last year. 

It seems that most of the exploitation is via browser exploits, so why not
come up with a HIPS for the web browsers that inspects all sessions
being sent back and forth and protects from JavaScript XSS and CSRF
attacks on the client side, basically like using a web-browser sandbox
technology? I haven't seen anything on the market like this yet, but it
would be an exciting vector to stop the drive-by web exploits. 

The whitelist comes down to one thing: code execution. If you can't tell
what good code and bad code look like, it doesn't matter if a seemingly
good app you allowed executes bad code; that is why I like the HIPS better
than application whitelisting. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [email protected]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Thursday, January 29, 2009 5:08 PM
To: Active Directory Admin Issues
Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

Somewhat agree.

Whitelisting apps will definitely help a lot, but the process is
tedious, if done well:
   o- build a clean install from known media
   o- use the output of dir /s /b and use md5sum to build a database of known files
   o- use magic app to use database of md5 hashes to whitelist apps
   o- install new software, redo steps above

However, that still won't help against malicious data, like crafted
Word/Excel docs, mp3s, whatever (sure, open that web-based file, so
that I can pwn your browser and OS!)

Now, whitelisting apps *and* whitelisting web sites - that would be
truly useful, though it still doesn't protect against malicious email
attachments.



Kurt

On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith
<[email protected]> wrote:
> I think WhiteListing is "the future of A/V".
>
> There is simply too much to guard AGAINST now.
>
> (I say "the future" because I still think whitelists are too hard to
> build. IMO. YMMV.)
>
> Regards,
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>
> My blog: http://TheEssentialExchange.com/blogs/michael
>
> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:32 PM
> To: Active Directory Admin Issues
> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>
> I am always wondering these days if AV is strictly necessary. AppSense
> won't execute anything that isn't whitelisted and/or isn't owned by an
> Administrator, and neither can network drives run executable content by
> default. Coupled with WebSense, the use of mandatory profiles and a pretty
> rapid patching strategy, I am left wondering how much mitigation AV
> actually gives us on top. It certainly has only caught about three virii
> recently (and guess what? They were on my boss's workstation, which means
> all the products I mentioned above, he has removed himself from)
>
> 2009/1/29 Jake Gardner <[email protected]>
>
> I'm a little past halfway through the company wide removal of Symantec
> and installing AVG.  yippie!!
>
> I love when the end users always ask me about why I don't like Symantec,
> or they tell me how happy they are with McAfee.  ugh.  I ask them if
> they've had viruses or malware and they ALWAYS answer yes.
>
> Thanks,
>
> Jake Gardner
> TTC Network Administrator
> Ext. 246
>
> ________________________________
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:19 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> Hey guys, you're preaching to the choir here. My boss bought it, and he
> likes to take down Exchange servers in the middle of the morning just to
> fix some cosmetic issue. I hate Symantec with a passion that appears to be
> quite common.
>
> 2009/1/29 Ziots, Edward <[email protected]>
>
> Symantec Sucks.. Period..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> ________________________________
>
> From: Jake Gardner [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:15 PM
> To: Active Directory Admin Issues
> Subject: RE: Tips 'n' Tricks
>
> Call Symantec support right away and ask for their cleanwipe tool. That
> will solve ALL of your Symantec problems forever.
>
> ;)
>
> Thanks,
>
> Jake Gardner
> TTC Network Administrator
> Ext. 246
>
> ________________________________
>
> From: Tim Vander Kooi [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:14 PM
> To: Active Directory Admin Issues
> Subject: RE: Tips 'n' Tricks
>
> As long as Symantec is on the network there should always be something to
> have to fix. ;-)
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 3:11 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> Oh how I long to be back in a big environment...the heady days of when the
> backbone security team "leased" admin access to support teams for specific
> tasks and timeframes...when you couldn't get a service account with any
> more access than it absolutely needed...when patches were tested at four
> different levels before arriving in production   :-)
>
> Now there's just me, WebSense, AppSense and Symantec Antivirus between the
> infrastructure and anarchy.
>
> Enuff reminiscing.....back to fixing stuff
>
> 2009/1/29 Ziots, Edward <[email protected]>
>
> I hear you, can't tolerate that stuff here, of course scheduling of 700
> servers to be patched across a 2 week timeline with a lockout on changes
> from 7am-5pm posed by executive management doesn't make for happy
> campers...
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> ________________________________
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:03 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> ***Teletronics Technology Corporation***
> This e-mail is confidential and may also be privileged.  If you are not
> the addressee or authorized by the addressee to receive this e-mail, you
> may not disclose, copy, distribute, or use this e-mail. If you have
> received this e-mail in error, please notify the sender immediately by
> reply e-mail or by telephone at 267-352-2020 and destroy this message and
> any copies.
>
> Thank you.
>
> *******************************************************************

~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
    ~  <http://www.sunbelt-software.com/product.cfm?id=400>  ~
