Probably nothing to do with the *almost* scantily-clad women in Lycra?

Regards

Tony Patton
Desktop Operations
Cavan Ext 8078
Direct Dial 049 435 2878
email: [email protected]

Kurt Buff <[email protected]>
29/01/2009 22:23
Please respond to "Active Directory Admin Issues" <[email protected]>
To: "Active Directory Admin Issues" <[email protected]>
cc:
Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

I've got a start on that with my sidewinders. They are pretty strict about parsing http traffic, and I regularly get requests from users trying to visit sites that use bad, bad, bad programming, especially poorly crafted URLs. Here's one that wouldn't pass my firewall without it being whitelisted:

http://www.costco.com/Common/Category.aspx?cat=70718&eCat=BC|589|70718&lang=en-US&whse=BC&topnav=

I think the firewall doesn't like the '|' characters.

That having been said, it does nothing to parse javascript - I've had several machines pwned recently, from clueless users visiting dodgy music and gaming web sites. I just have my minions flatten the boxes and reinstall. It's not worth the effort to try to clean them - and we're using Sunbelt's product on the desktops, with regular updates.

Kurt

On Thu, Jan 29, 2009 at 2:13 PM, Ziots, Edward <[email protected]> wrote:
> Honestly,
>
> I posed this question at a security conference I attended last year.
>
> It seems that most of the exploitation is via browser exploits, why not come up with a HIPS for the web-browsers, that inspects all sessions being sent back and forth, and protects from java-script XSS, CSRF attacks on the client side, basically like using a web-browser sand-box technology. I haven't seen anything on the market like this yet, but it'd be an exciting vector to stop the drive-by web-exploits.
>
> The whitelist comes down to one thing: Code execution, if you can't tell what good code and bad code looks like, it doesn't matter if you allowed a seemingly good app, execute bad code, that is why I like the HIPS better than application white listing.
>
> Z
>
> Edward E.
> Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 5:08 PM
> To: Active Directory Admin Issues
> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>
> Somewhat agree.
>
> Whitelisting apps will definitely help a lot, but the process is tedious, if done well:
> o- build a clean install from known media
> o- use the output of dir /s /b and use md5sum to build a database of known files
> o- use magic app to use database of md5 hashes to whitelist apps
> o- install new software, redo steps above
>
> However, that still won't help against malicious data, like crafted Word/Excel docs, mp3s, whatever (sure, open that web-based file, so that I can pwn your browser and OS!)
>
> Now, whitelisting apps *and* whitelisting web sites - that would be truly useful, though it still doesn't protect against malicious email attachments.
>
> Kurt
>
> On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith <[email protected]> wrote:
>> I think WhiteListing is "the future of A/V".
>>
>> There is simply too much to guard AGAINST now.
>>
>> (I say "the future" because I still think whitelists are too hard to build. IMO. YMMV.)
>>
>> Regards,
>>
>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>> My blog: http://TheEssentialExchange.com/blogs/michael
>> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:32 PM
>> To: Active Directory Admin Issues
>> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>>
>> I am always wondering these days if AV is strictly necessary.
>> AppSense won't execute anything that isn't whitelisted and/or isn't owned by an Administrator, and neither can network drives run executable content by default. Coupled with WebSense, the use of mandatory profiles and a pretty rapid patching strategy, I am left wondering how much mitigation AV actually gives us on top. It certainly has only caught about three virii recently (and guess what? They were on my boss's workstation, which means all the products I mentioned above, he has removed himself from)
>>
>> 2009/1/29 Jake Gardner <[email protected]>
>>
>> I'm a little past halfway through the company wide removal of symantec and installing AVG. yippie!!
>>
>> I love when the end users always ask me about why I don't like Symantec, or they tell me how happy they are with Mcafee. ugh. I ask them if they've had viruses or malware and they ALWAYS answer yes.
>>
>> Thanks,
>>
>> Jake Gardner
>> TTC Network Administrator
>> Ext. 246
>>
>> ________________________________
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:19 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>> Hey guys, you're preaching to the choir here. My boss bought it, and he likes to take down Exchange servers in the middle of the morning just to fix some cosmetic issue. I hate Symantec with a passion that appears to be quite common.
>>
>> 2009/1/29 Ziots, Edward <[email protected]>
>>
>> Symantec Sucks.. Period..
>>
>> Z
>>
>> Edward E.
>> Ziots
>> Network Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Phone: 401-639-3505
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> ________________________________
>>
>> From: Jake Gardner [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:15 PM
>> To: Active Directory Admin Issues
>> Subject: RE: Tips 'n' Tricks
>>
>> Call Symantec support right away and ask for their cleanwipe tool. That will solve ALL of your Symantec problems forever.
>>
>> ;)
>>
>> Thanks,
>>
>> Jake Gardner
>> TTC Network Administrator
>> Ext. 246
>>
>> ________________________________
>>
>> From: Tim Vander Kooi [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:14 PM
>> To: Active Directory Admin Issues
>> Subject: RE: Tips 'n' Tricks
>>
>> As long as Symantec is on the network there should always be something to have to fix. ;-)
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 3:11 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>> Oh how I long to be back in a big environment...the heady days of when the backbone security team "leased" admin access to support teams for specific tasks and timeframes...when you couldn't get a service account with any more access than it absolutely needed...when patches were tested at four different levels before arriving in production :-)
>>
>> Now there's just me, WebSense, AppSense and Symantec Antivirus between the infrastructure and anarchy.
>>
>> Enuff reminiscing.....back to fixing stuff
>>
>> 2009/1/29 Ziots, Edward <[email protected]>
>>
>> I hear you, can't tolerate that stuff here, of course scheduling of 700 servers to be patched across a 2 week timeline with a lockout on changes from 7am-5pm posed by executive management doesn't make for happy campers...
>>
>> Z
>>
>> Edward E.
>> Ziots
>> Network Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Phone: 401-639-3505
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> ________________________________
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:03 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>> ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
>> ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
>>
>> ***Teletronics Technology Corporation***
>> This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies.
>>
>> Thank you.
>>
>> *******************************************************************

====================================================================
http://www.quinn-insurance.com
This e-mail is intended only for the addressee named above. The contents should not be copied nor disclosed to any other person. Any views or opinions expressed are solely those of the sender and do not necessarily represent those of QUINN-Insurance, unless otherwise specifically stated. As internet communications are not secure, QUINN-Insurance is not responsible for the contents of this message nor responsible for any change made to this message after it was sent by the original sender. Although virus scanning is used on all inbound and outbound e-mail, we advise you to carry out your own virus check before opening any attachment. We cannot accept liability for any damage sustained as a result of any software viruses.
====================================================================
QUINN-Life Direct Limited is regulated by the Financial Regulator. QUINN-Insurance Limited is regulated by the Financial Regulator and regulated by the Financial Services Authority for the conduct of UK business.
====================================================================
QUINN-Life Direct Limited is registered in Ireland, registration number 292374 and is a private company limited by shares. QUINN-Insurance Limited is registered in Ireland, registration number 240768 and is a private company limited by shares. Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
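Kurt's guess about why the Sidewinder refuses the Costco link is checkable against RFC 3986: the query component may contain only unreserved characters, sub-delims, ":", "@", "/", "?" and "%XX" escapes, and "|" is in none of those classes. Browsers follow the WHATWG URL standard instead, whose query percent-encode set does not include "|", so they send the pipe raw and the site works in a browser while a by-the-book parser rejects it. The following is an added example, written for this page and not taken from the thread or from any firewall vendor; it scans a URL for octets RFC 3986 does not permit and shows the percent-encoded form that a strict parser would accept. The sample URL is the one Kurt posted; the helper names are my own.

```python
"""Strict RFC 3986 octet check for URLs, plus a repair step that
percent-encodes a query so it passes.  Added example, not thread code."""

import re
from urllib.parse import quote, urlsplit, urlunsplit

# The URL from the thread, verbatim.
COSTCO_URL = ("http://www.costco.com/Common/Category.aspx"
              "?cat=70718&eCat=BC|589|70718&lang=en-US&whse=BC&topnav=")

# RFC 3986 section 2: unreserved (ALPHA DIGIT - . _ ~), sub-delims
# (! $ & ' ( ) * + , ; =), gen-delims (: / ? # [ ] @) and pct-encoded
# triplets are the only octets allowed anywhere in a URI.  '|' is absent.
_LEGAL = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:/?#\[\]@]|%[0-9A-Fa-f]{2}")


def illegal_octets(url: str) -> list:
    """Return (index, char) for every position the RFC grammar rejects.
    A '%' not followed by two hex digits is reported as an illegal '%',
    which also catches malformed escapes such as '%ZZ'."""
    found = []
    pos = 0
    while pos < len(url):
        m = _LEGAL.match(url, pos)
        if m:
            pos = m.end()
        else:
            found.append((pos, url[pos]))
            pos += 1
    return found


def strict_url_ok(url: str) -> bool:
    """True if a parser that enforces the RFC character classes would pass it."""
    return not illegal_octets(url)


def repair_query(url: str) -> str:
    """Percent-encode whatever is not allowed raw in the query component.
    quote() always keeps unreserved characters; safe= adds the sub-delims,
    ':', '@', '/' and '?' that the query grammar permits, and '%' so that
    escapes already present are not double-encoded."""
    parts = urlsplit(url)
    fixed = quote(parts.query, safe="!$&'()*+,;=:@/?%")
    return urlunsplit(parts._replace(query=fixed))


if __name__ == "__main__":
    print("illegal:", illegal_octets(COSTCO_URL))
    print("repaired:", repair_query(COSTCO_URL))
```

Running it reports the two pipes in `eCat=BC|589|70718` and yields `eCat=BC%7C589%7C70718`, which the same check passes. The same scan flags a bare non-ASCII character or a broken escape, which is the kind of "poorly crafted URL" a strict HTTP proxy will also drop.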

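The four-step whitelisting procedure in Kurt's earlier message (clean build from known media, hash every file, let the enforcement tool decide by hash, re-hash after each install) can be shown end to end in a few dozen lines. What follows is an added example written for this page, not code from the thread or from any whitelisting product. The "clean install" it hashes is a constructed directory tree in a temp folder with made-up file contents, so it runs offline; the function names and the set of executable extensions are my own assumptions. It uses SHA-256 where the thread mentions md5sum: the mechanics are identical, but MD5 collisions are cheap enough that two different binaries can share a digest, which defeats the whole point of an allow-list.

```python
"""Hash-based application whitelist: build an allow-list from a clean
tree, merge in new software later, and decide on candidates by digest.
Added example, not thread code; the sample tree below is constructed."""

import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a clean install.  Paths and bytes are made up.
CLEAN_BUILD = {
    "Windows/System32/notepad.exe": b"MZ\x90\x00notepad-from-known-media",
    "Windows/System32/calc.exe": b"MZ\x90\x00calc-from-known-media",
    "Program Files/Office/winword.exe": b"MZ\x90\x00winword-from-known-media",
}
# Assumed definition of "executable content" for this example.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Stream the file through the hash so large binaries stay off the heap."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root: Path) -> dict:
    """Step 2: the equivalent of `dir /s /b` piped through a hashing tool.
    Every file under root, keyed by its path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = file_digest(p)
    return db


def merge_whitelist(db: dict, new_root: Path) -> dict:
    """Step 4: after installing new software, re-hash and fold the new
    digests into the database without dropping the existing entries."""
    merged = dict(db)
    merged.update(build_whitelist(new_root))
    return merged


def is_allowed(path: Path, db: dict) -> bool:
    """Step 3: allow execution only if the digest was recorded from a clean
    build.  The lookup is by digest, not path, so a renamed copy of a known
    binary is still allowed and a trojaned file at the original path is not.
    Non-executable data is passed through untouched: this control says
    nothing about a crafted document, exactly as the thread notes."""
    if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
        return True
    return file_digest(path) in set(db.values())


def run_demo() -> dict:
    """Lay down the clean tree, whitelist it, then judge three candidates."""
    tmp = Path(tempfile.mkdtemp())
    clean = tmp / "clean"
    for rel, data in CLEAN_BUILD.items():
        f = clean / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    db = build_whitelist(clean)
    (tmp / "whitelist.json").write_text(json.dumps(db, indent=1))

    desktop = tmp / "Desktop"
    desktop.mkdir()
    # Known-good notepad.exe copied under a new name: same digest, allowed.
    good_copy = desktop / "np.exe"
    good_copy.write_bytes(CLEAN_BUILD["Windows/System32/notepad.exe"])
    # Drive-by dropper calling itself notepad.exe: unknown digest, blocked.
    trojan = desktop / "notepad.exe"
    trojan.write_bytes(b"MZ\x90\x00dropper-from-dodgy-music-site")
    # Crafted document: outside the whitelist's scope, passes through.
    doc = desktop / "invoice.doc"
    doc.write_bytes(b"\xd0\xcf\x11\xe0crafted-document")

    return {
        "entries": len(db),
        "good_copy_allowed": is_allowed(good_copy, db),
        "trojan_allowed": is_allowed(trojan, db),
        "doc_allowed": is_allowed(doc, db),
    }


if __name__ == "__main__":
    print(run_demo())
```

The demo's three candidates map onto the points made in the thread: the allow-list stops the unknown dropper, it does not care what a known-good binary is called, and it has no opinion at all about the Word document, which is why Kurt pairs it with web-site whitelisting rather than relying on it alone. In production the database would be signed and stored where the user cannot append to it, and the rebuild in step 4 would be run from the same known media rather than from the live machine.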