Heh. Probably not.
On Thu, Jan 29, 2009 at 11:27 PM, Tony Patton
<[email protected]> wrote:
>
> Probably nothing to do with the *almost* scantily-clad women in Lycra?
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: [email protected]
>
>
> Kurt Buff <[email protected]>
>
> 29/01/2009 22:23
>
> Please respond to
> "Active Directory Admin Issues" <[email protected]>
> To
> "Active Directory Admin Issues" <[email protected]>
> cc
> Subject
> Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>
>
>
>
> I've got a start on that with my sidewinders. They are pretty strict
> about parsing http traffic, and I regularly get requests from users
> trying to visit sites that use bad, bad, bad programming, especially
> poorly crafted URLs.
>
> Here's one that wouldn't pass my firewall without it being whitelisted:
>
> http://www.costco.com/Common/Category.aspx?cat=70718&eCat=BC|589|70718&lang=en-US&whse=BC&topnav=
>
> I think the firewall doesn't like the '|' characters.
>
> That having been said, it does nothing to parse javascript - I've had
> several machines pwned recently, from clueless users visiting dodgy
> music and gaming web sites. I just have my minions flatten the boxes
> and reinstall. It's not worth the effort to try to clean them - and
> we're using Sunbelt's product on the desktops, with regular updates.
>
> Kurt
>
> On Thu, Jan 29, 2009 at 2:13 PM, Ziots, Edward <[email protected]> wrote:
>> Honestly,
>>
>> I posed this question at a security conference I attended last year.
>>
>> It seems that most of the exploitation is via browser exploits, why not
>> come up with a HIPS for the web-browsers, that inspects all sessions
>> being sent back and forth, and protects from JavaScript XSS, CSRF
>> attacks on the client side, basically like using a web-browser sand-box
>> technology. I haven't seen anything on the market like this yet, but it
>> would be an exciting vector to stop the drive-by web-exploits.
>>
>> The whitelist comes down to one thing: Code execution, if you can't tell
>> what good code and bad code looks like, it doesn't matter if you allowed
>> a seemingly good app, execute bad code, that is why I like the HIPS better
>> than application white listing.
>>
>> Z
>>
>> Edward E. Ziots
>> Network Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Phone: 401-639-3505
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 5:08 PM
>> To: Active Directory Admin Issues
>> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>>
>> Somewhat agree.
>>
>> Whitelisting apps will definitely help a lot, but the process is
>> tedious, if done well:
>> o- build a clean install from known media
>> o- use the output of dir /s /b and use md5sum to build a database
>> of known files
>> o- use magic app to use database of md5 hashes to whitelist apps
>> o- install new software, redo steps above
>>
>> However, that still won't help against malicious data, like crafted
>> Word/Excel docs, mp3s, whatever (sure, open that web-based file, so
>> that I can pwn your browser and OS!)
>>
>> Now, whitelisting apps *and* whitelisting web sites - that would be
>> truly useful, though it still doesn't protect against malicious email
>> attachments.
>>
>>
>>
>> Kurt
>>
>> On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith
>> <[email protected]> wrote:
>>> I think WhiteListing is "the future of A/V".
>>>
>>>
>>>
>>> There is simply too much to guard AGAINST now.
>>>
>>>
>>>
>>> (I say "the future" because I still think whitelists are too hard to
>>> build. IMO. YMMV.)
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>>>
>>> My blog: http://TheEssentialExchange.com/blogs/michael
>>>
>>> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>>>
>>>
>>>
>>> From: James Rankin [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 4:32 PM
>>> To: Active Directory Admin Issues
>>> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>>>
>>>
>>>
>>> I am always wondering these days if AV is strictly necessary. AppSense
>>> won't execute anything that isn't whitelisted and/or isn't owned by an
>>> Administrator, and neither can network drives run executable content by
>>> default. Coupled with WebSense, the use of mandatory profiles and a pretty
>>> rapid patching strategy, I am left wondering how much mitigation AV
>>> actually gives us on top. It certainly has only caught about three viruses
>>> recently (and guess what? They were on my boss's workstation, which means
>>> all the products I mentioned above, he has removed himself from)
>>>
>>> 2009/1/29 Jake Gardner <[email protected]>
>>>
>>> I'm a little past halfway through the company-wide removal of Symantec
>>> and installing AVG. yippie!!
>>>
>>> I love when the end users always ask me about why I don't like Symantec,
>>> or they tell me how happy they are with McAfee. ugh. I ask them if
>>> they've had viruses or malware and they ALWAYS answer yes.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Jake Gardner
>>>
>>> TTC Network Administrator
>>>
>>> Ext. 246
>>>
>>>
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: James Rankin [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 4:19 PM
>>> To: Active Directory Admin Issues
>>> Subject: Re: Tips 'n' Tricks
>>>
>>> Hey guys, you're preaching to the choir here. My boss bought it, and he
>>> likes to take down Exchange servers in the middle of the morning just to
>>> fix some cosmetic issue. I hate Symantec with a passion that appears to
>>> be quite common.
>>>
>>> 2009/1/29 Ziots, Edward <[email protected]>
>>>
>>> Symantec Sucks.. Period..
>>>
>>>
>>>
>>> Z
>>>
>>>
>>>
>>> Edward E. Ziots
>>>
>>> Network Engineer
>>>
>>> Lifespan Organization
>>>
>>> Email: [email protected]
>>>
>>> Phone: 401-639-3505
>>>
>>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>>
>>> ________________________________
>>>
>>> From: Jake Gardner [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 4:15 PM
>>>
>>> To: Active Directory Admin Issues
>>> Subject: RE: Tips 'n' Tricks
>>>
>>>
>>>
>>> Call Symantec support right away and ask for their cleanwipe tool. That
>>> will solve ALL of your Symantec problems forever.
>>>
>>>
>>>
>>> ;)
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Jake Gardner
>>>
>>> TTC Network Administrator
>>>
>>> Ext. 246
>>>
>>>
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: Tim Vander Kooi [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 4:14 PM
>>> To: Active Directory Admin Issues
>>> Subject: RE: Tips 'n' Tricks
>>>
>>> As long as Symantec is on the network there should always be something
>>> to have to fix. ;-)
>>>
>>>
>>>
>>>
>>>
>>> From: James Rankin [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 3:11 PM
>>> To: Active Directory Admin Issues
>>> Subject: Re: Tips 'n' Tricks
>>>
>>>
>>>
>>> Oh how I long to be back in a big environment...the heady days of when
>>> the backbone security team "leased" admin access to support teams for
>>> specific tasks and timeframes...when you couldn't get a service account
>>> with any more access than it absolutely needed...when patches were tested
>>> at four different levels before arriving in production :-)
>>>
>>> Now there's just me, WebSense, AppSense and Symantec Antivirus between
>>> the infrastructure and anarchy.
>>>
>>> Enuff reminiscing.....back to fixing stuff
>>>
>>> 2009/1/29 Ziots, Edward <[email protected]>
>>>
>>> I hear you, can't tolerate that stuff here, of course scheduling of 700
>>> servers to be patched across 2 week timeline with a lockout on changes
>>> from 7am-5pm posed by executive management doesn't make for happy
>>> campers...
>>>
>>>
>>>
>>> Z
>>>
>>>
>>>
>>> Edward E. Ziots
>>>
>>> Network Engineer
>>>
>>> Lifespan Organization
>>>
>>> Email: [email protected]
>>>
>>> Phone: 401-639-3505
>>>
>>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>>
>>> ________________________________
>>>
>>> From: James Rankin [mailto:[email protected]]
>>> Sent: Thursday, January 29, 2009 4:03 PM
>>>
>>> To: Active Directory Admin Issues
>>>
>>> Subject: Re: Tips 'n' Tricks
>>>
>>>
>>>
>>> ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
>>>
>>> ~ ~
>>>
>>> ***Teletronics Technology Corporation***
>>> This e-mail is confidential and may also be privileged. If you are not
>>> the addressee or authorized by the addressee to receive this e-mail, you
>>> may not disclose, copy, distribute, or use this e-mail. If you have
>>> received this e-mail in error, please notify the sender immediately by
>>> reply e-mail or by telephone at 267-352-2020 and destroy this message and
>>> any copies.
>>>
>>> Thank you.
>>>
>>> *******************************************************************
>
> ====================================================================
> http://www.quinn-insurance.com
>
> This e-mail is intended only for the addressee named above. The contents
> should not be copied nor disclosed to any other person. Any views or
> opinions expressed are solely those of the sender and
> do not necessarily represent those of QUINN-Insurance, unless otherwise
> specifically stated . As internet communications are not secure,
> QUINN-Insurance is not responsible for the contents of this message nor
> responsible for any change made to this message after it was sent by the
> original sender. Although virus scanning is used on all inbound and
> outbound e-mail, we advise you to carry out your own virus check before
> opening any attachment. We cannot accept liability for any damage sustained
> as a result of any software viruses.
>
> ====================================================================
>
> QUINN-Life Direct Limited is regulated by the Financial Regulator.
> QUINN-Insurance Limited is regulated by the Financial Regulator and
> regulated by the Financial Services Authority for the conduct of UK
> business.
>
> ====================================================================
>
> QUINN-Life Direct Limited is registered in Ireland, registration number
> 292374 and is a private company limited by shares.
> QUINN-Insurance Limited is registered in Ireland, registration number
> 240768 and is a private company limited by shares.
> Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
>
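
The hash-whitelisting steps quoted in the thread above (scan a clean install, record file hashes, allow only known hashes, re-scan after installing software), as an added example that is not code from any poster or product named here. It uses SHA-256 where the thread says md5sum, because MD5 collisions are practical; pass `algo="md5"` to match the thread. All function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="sha256"):
    """Walk a clean install (the 'dir /s /b' step): digest -> relative paths."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline.setdefault(file_digest(full, algo), []).append(rel)
    return baseline

def is_allowed(path, baseline, algo="sha256"):
    """Allow by content, not name: a renamed known file passes, a modified one fails."""
    return file_digest(path, algo) in baseline

def new_digests(old, new):
    """After an install and re-scan, list the digests the install added, for review."""
    return {d: paths for d, paths in new.items() if d not in old}

def demo():
    """Constructed sample tree standing in for a clean install."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full
        app = write("apps/tool.exe", b"known good build 1.0")
        before = build_baseline(root)
        renamed = write("tmp/renamed.exe", b"known good build 1.0")
        tampered = write("tmp/tool.exe", b"known good build 1.0 + patch")
        verdicts = tuple(is_allowed(p, before) for p in (app, renamed, tampered))
        added = new_digests(before, build_baseline(root))
        return verdicts, sorted(p for paths in added.values() for p in paths)

if __name__ == "__main__":
    print(demo())
```

The re-scan diff is the tedious part the thread mentions: every digest it returns has to be reviewed before it joins the allowlist.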