Thanks Michael, 

I am using Sandboxie right now when I look at questionable content and
debug with Fiddler what is happening behind the scenes. I will say that
HTTP internal from O'Reilly and the Web Application Hacker's Handbook have
given me some really good insight into troubleshooting web problems
and looking at malicious things going on behind the scenes, which most
people usually don't get deep into.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [email protected]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]] 
Sent: Thursday, January 29, 2009 5:18 PM
To: Active Directory Admin Issues
Subject: RE: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

Today the primary vector is browser exploits. It didn't use to be, and
who knows what it may be in the future?

Tell me the "killer app" 10 years from now, and I can tell you the
future vector. :-)

But in regards to web sandboxing, Microsoft has donated
browser-independent code on that front:

http://websandbox.livelabs.com/

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php


-----Original Message-----
From: Ziots, Edward [mailto:[email protected]] 
Sent: Thursday, January 29, 2009 5:14 PM
To: Active Directory Admin Issues
Subject: RE: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

Honestly, 

I posed this question at a security conference I attended last year. 

It seems that most of the exploitation is via browser exploits, so why not
come up with a HIPS for the web browsers that inspects all sessions
being sent back and forth and protects from JavaScript XSS and CSRF
attacks on the client side, basically like using a web-browser sandbox
technology? I haven't seen anything on the market like this yet, but it
would be an exciting vector to stop the drive-by web exploits.

The whitelist comes down to one thing: code execution. If you can't tell
what good code and bad code look like, it doesn't matter if you allowed
a seemingly good app; it can still execute bad code. That is why I like
the HIPS better than application whitelisting.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [email protected]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Thursday, January 29, 2009 5:08 PM
To: Active Directory Admin Issues
Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

Somewhat agree.

Whitelisting apps will definitely help a lot, but the process is
tedious, if done well:
   o- build a clean install from known media
   o- use the output of dir /s /b and use md5sum to build a database
      of known files
   o- use magic app to use database of md5 hashes to whitelist apps
   o- install new software, redo steps above

However, that still won't help against malicious data, like crafted
Word/Excel docs, mp3s, whatever (sure, open that web-based file, so
that I can pwn your browser and OS!)

Now, whitelisting apps *and* whitelisting web sites - that would be
truly useful, though it still doesn't protect against malicious email
attachments.



Kurt
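Kurt's baseline procedure above, written out as an added worked example (not
code from the original thread or from any of its participants): walk a
known-clean install tree, hash every file into a database, then re-walk the
tree later and classify every file as unchanged, modified, added or removed.
Function names, the JSON database format and the sample file tree are all
assumptions of this example. It uses SHA-256 rather than the md5sum Kurt
mentions: MD5 still catches accidental change, but an attacker can craft two
different files with the same MD5, so a whitelist keyed on it can be fooled.

```python
"""Baseline-and-compare for the file-hash whitelisting procedure in the thread."""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical helper names, not from the original thread. SHA-256 instead of
# MD5: MD5 collisions are practical, so a whitelist keyed on MD5 can be bypassed.
HASH_ALGO = "sha256"


def hash_file(path: Path, algo: str = HASH_ALGO, chunk: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so large binaries don't load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = HASH_ALGO) -> dict[str, str]:
    """Walk the tree (the 'dir /s /b' step) and hash every regular file (the
    'md5sum' step). Keys are root-relative POSIX paths so the database stays
    portable across drive letters and mount points."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def save_baseline(baseline: dict[str, str], db_path: Path) -> None:
    """Persist the database of known files (assumed JSON format)."""
    Path(db_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path: Path) -> dict[str, str]:
    return json.loads(Path(db_path).read_text())


def compare_to_baseline(root: Path, baseline: dict[str, str],
                        algo: str = HASH_ALGO) -> dict[str, list[str]]:
    """Classify the current tree against the baseline. 'added' and 'modified'
    are what a whitelist enforcer would refuse to run; 'removed' is usually
    benign but worth a look (a deleted security tool is a classic tampering sign)."""
    current = build_baseline(root, algo)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
        "unchanged": sorted(k for k in common if current[k] == baseline[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed example: a tiny 'clean install', then the same tree after a
    new tool was installed, a known binary was replaced and a file was deleted."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as dbdir:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "good.exe").write_bytes(b"MZ known-good program")
        (root / "bin" / "helper.dll").write_bytes(b"MZ known-good library")
        (root / "readme.txt").write_text("clean install from known media\n")

        db = Path(dbdir) / "baseline.json"
        save_baseline(build_baseline(root), db)
        baseline = load_baseline(db)

        # "install new software", and, less happily, tamper with a known file
        (root / "bin" / "good.exe").write_bytes(b"MZ same name, different code")
        (root / "bin" / "new.exe").write_bytes(b"MZ freshly installed tool")
        (root / "readme.txt").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```

After any legitimate install, re-run build_baseline and save the result, which is
Kurt's "install new software, redo steps above" step. Note the limit Kurt points
out in the next paragraph: this only vouches for the integrity of files already
on disk; it says nothing about a crafted document or media file handed to an
allowed but vulnerable application.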

On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith
<[email protected]> wrote:
> I think WhiteListing is "the future of A/V".
>
> There is simply too much to guard AGAINST now.
>
> (I say "the future" because I still think whitelists are too hard to
> build. IMO. YMMV.)
>
> Regards,
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
> My blog: http://TheEssentialExchange.com/blogs/michael
> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:32 PM
> To: Active Directory Admin Issues
> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>
> I am always wondering these days if AV is strictly necessary. AppSense
> won't execute anything that isn't whitelisted and/or isn't owned by an
> Administrator, and neither can network drives run executable content by
> default. Coupled with WebSense, the use of mandatory profiles and a
> pretty rapid patching strategy, I am left wondering how much mitigation
> AV actually gives us on top. It certainly has only caught about three
> virii recently (and guess what? They were on my boss's workstation,
> which means all the products I mentioned above, he has removed himself
> from)
>
> 2009/1/29 Jake Gardner <[email protected]>
>
> I'm a little past halfway through the company wide removal of Symantec
> and installing AVG.  yippie!!
>
> I love when the end users always ask me about why I don't like Symantec,
> or they tell me how happy they are with McAfee.  ugh.  I ask them if
> they've had viruses or malware and they ALWAYS answer yes.
>
> Thanks,
>
> Jake Gardner
> TTC Network Administrator
> Ext. 246
>
> ________________________________
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:19 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> Hey guys, you're preaching to the choir here. My boss bought it, and he
> likes to take down Exchange servers in the middle of the morning just to
> fix some cosmetic issue. I hate Symantec with a passion that appears to
> be quite common.
>
> 2009/1/29 Ziots, Edward <[email protected]>
>
> Symantec Sucks.. Period..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> ________________________________
>
> From: Jake Gardner [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:15 PM
> To: Active Directory Admin Issues
> Subject: RE: Tips 'n' Tricks
>
> Call Symantec support right away and ask for their cleanwipe tool.
> That will solve ALL of your Symantec problems forever.
>
> ;)
>
> Thanks,
>
> Jake Gardner
> TTC Network Administrator
> Ext. 246
>
> ________________________________
>
> From: Tim Vander Kooi [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:14 PM
> To: Active Directory Admin Issues
> Subject: RE: Tips 'n' Tricks
>
> As long as Symantec is on the network there should always be something
> to have to fix. ;-)
>
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 3:11 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> Oh how I long to be back in a big environment...the heady days of when
> the backbone security team "leased" admin access to support teams for
> specific tasks and timeframes...when you couldn't get a service account
> with any more access than it absolutely needed...when patches were
> tested at four different levels before arriving in production   :-)
>
> Now there's just me, WebSense, AppSense and Symantec Antivirus between
> the infrastructure and anarchy.
>
> Enuff reminiscing.....back to fixing stuff
>
> 2009/1/29 Ziots, Edward <[email protected]>
>
> I hear you, can't tolerate that stuff here, of course scheduling of 700
> servers to be patched across 2 week timeline with a lockout on changes
> from 7am-5pm posed by executive management doesn't make for happy
> campers...
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> ________________________________
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 4:03 PM
> To: Active Directory Admin Issues
> Subject: Re: Tips 'n' Tricks
>
> ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
>     ~  <http://www.sunbelt-software.com/product.cfm?id=400>  ~
>
> ***Teletronics Technology Corporation***
> This e-mail is confidential and may also be privileged.  If you are not
> the addressee or authorized by the addressee to receive this e-mail, you
> may not disclose, copy, distribute, or use this e-mail. If you have
> received this e-mail in error, please notify the sender immediately by
> reply e-mail or by telephone at 267-352-2020 and destroy this message
> and any copies.
>
> Thank you.
>
> *******************************************************************