What I was referring to was having only programs on a corporate white list run. White listing services are provided by http://www.bit9.com/ and they have now partnered with Kaspersky to be able to ID most programs and run anything else in a sandbox.
However, your approach to blocking USB devices is better. But this is an overall approach.

James

On Mon, Nov 24, 2008 at 7:17 AM, Bipin Gautam <[EMAIL PROTECTED]> wrote:

> On 11/24/08, James Matthews <[EMAIL PROTECTED]> wrote:
> > bit9 and kaspersky offer this new service. Companies should make use of it.
> >
>
> what service, James!
>
> Could you please explain more...
>
> I find it ridiculous to know that this problem has been there since the
> earliest version of Windows but still without a generic solution! Is
> this unwillingness for the approach to a proper solution what has
> fueled the "antivirus business" for so long?
>
> If you look on the *nix side you will see this technique is
> tested/proven. Signature based or behavior based approach detection
> will continue to fail.
>
> To address this never-ending problem of virus infection from removable
> media, I have implemented no-execution-from-removable on dozens of
> computers in the past years. Even the dumbest of users understand what
> is being done and feel safe that they won't likely have a virus
> infection from the removable media ever, even if the media has a
> virus. They know the workaround on how to temporarily disable the
> restriction if they are willing to run something trustworthy, as I have
> made it clear to the users there is no solution to the problem of virus
> infection from removable media and you have to learn these few
> things ...like you have learned to use antivirus software to stay
> safe. Users get it, really!
>
> Antivirus companies should take a similar approach (as described
> previously) to address it but adding USABILITY.
>
> This problem is there to stay for years to come. What better could be
> the proper solution to this problem?
>
> thanks,
> -bipin
>
>
> > On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam
> > <[EMAIL PROTECTED]> wrote:
> >
> >> On 11/23/08, Mike C <[EMAIL PROTECTED]> wrote:
> >>
> >> >> Of course, blindly thwacking people / dragging them to HR by the hair
> >> >> when they're really just trying to do their jobs is
> >> >> counter-productive. The calls also show us where we, security, are
> >> >> falling down. Perhaps it's poor awareness training (if the user didn't
> >> >> know that they shouldn't run unapproved software, or why we have that
> >> >> rule, or how to get a new app approved); or could be that the official
> >> >> route is being seen as too slow or bureaucratic, in which case it
> >> >> needs fixing. And so on.
> >> >>
> >> >
> >> > All I hope is we can fix the issue. Hopefully in the near future.
> >> >
> >>
> >>
> >> Yeah!
> >> Here is my perspective on a possible solution that wouldn't compromise
> >> usability.
> >>
> >> But, first let's all agree that "banning execution of any binary from
> >> removable media" is the only straightforward solution to this decades-old
> >> problem of virus infection/propagation from removable media.
> >>
> >> See, if a web-page tries to install an ActiveX / browser plugin, your
> >> browser (non intrusively) waits for user interaction with a security
> >> warning message on "if you really intend to install the plugin (Which
> >> may be harmful!)" or .......may choose to ignore the dialog and
> >> continue browsing.
> >>
> >> Here, it is assumed "user understands" the security impact of
> >> executing untrusted programs from internet and the execution
> >> decision is left to the end user with manual interaction. If the plugin
> >> installation behavior is not intended, the user can simply ignore the
> >> manual interaction request for execution and instead continue.
> >>
> >> In a similar way, anti virus companies or Microsoft should create similar
> >> for "My Computer Zone" where the first execution of a binary "from
> >> removable media" is denied by default and prompts for user interaction
> >> to execute, white list&execute or terminate/ban the request for
> >> execution from removable media, like the way Internet Explorer (non
> >> intrusively) handles installation of ActiveX in IE. Binary
> >> execution from removable media should be treated that way ( untrusted
> >> ! )
> >>
> >> Pen drive / SD have unique serial numbers which can be used to
> >> identify and permanently whitelist or blacklist the media from
> >> execution.
> >>
> >> Windows already has a feature for prompting if the user tries to execute
> >> a binary from intranet/shared folder or execution of a binary marked as
> >> downloaded from "Internet Zone"
> >>
> >> Why not have similar for binary execution from removable media as well!?
> >>
> >> What better could be the solution to stopping viruses propagating from
> >> removable media with (default) FAT file system. (lacking ACLs)
> >>
> >> For corporate environments let there be a feature to sync these white
> >> listed/blacklisted hashes of executables or removable media UIDs from
> >> anti virus server/domain controller to anti virus clients/related
> >> service running at the user end.
> >>
> >> Will this work :)?
> >>
> >> -thanks,
> >> bipin
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> > --
> > http://www.goldwatches.com/
> >
> > http://www.jewelerslounge.com/luxury-insurance
> >
>
> --
> x-no-archive: yes
>

--
http://www.goldwatches.com/
http://www.jewelerslounge.com/luxury-insurance
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
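
Added example, not part of the original thread: a Python model of the decision logic proposed in the quoted message (first execution from removable media is held for a prompt; allow/deny lists are keyed by media serial number and executable hash; a centrally synced list sits beside the user's own answers). The names Policy, decide, record_choice and digest_of, and the precedence rules (deny beats allow, central beats local), are assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"  # first sighting: hold execution until the user decides


def digest_of(image):
    """SHA-256 of the executable's bytes, used as its list key."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Policy:
    """Allow/deny lists keyed by media serial number and executable hash."""
    allowed_media: set = field(default_factory=set)
    denied_media: set = field(default_factory=set)
    allowed_hashes: set = field(default_factory=set)
    denied_hashes: set = field(default_factory=set)

    def lookup(self, serial, digest):
        # Assumption: a deny entry always beats an allow entry in one policy.
        if serial in self.denied_media or digest in self.denied_hashes:
            return Verdict.DENY
        if serial in self.allowed_media or digest in self.allowed_hashes:
            return Verdict.ALLOW
        return None  # this policy has no opinion


def decide(removable, serial, image, central, local):
    """Verdict for one execution request; `image` is the executable's bytes."""
    if not removable:
        return Verdict.ALLOW  # fixed disks are outside this policy
    digest = digest_of(image)
    # Assumption: the list synced from the server outranks the user's answers.
    for policy in (central, local):
        verdict = policy.lookup(serial, digest)
        if verdict is not None:
            return verdict
    return Verdict.PROMPT


def record_choice(local, serial, image, allow, whole_media=False):
    """Persist the user's answer to a prompt in the local policy."""
    if whole_media:
        (local.allowed_media if allow else local.denied_media).add(serial)
    else:
        (local.allowed_hashes if allow else local.denied_hashes).add(digest_of(image))
```
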
