-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec's Endpoint Protection has a device control feature which basically functions as you have stated. I haven't really played around with it much, however, it can block devices based on device id...
elazar On Mon, 24 Nov 2008 00:17:34 -0500 Bipin Gautam <[EMAIL PROTECTED]> wrote: >On 11/24/08, James Matthews <[EMAIL PROTECTED]> wrote: >> bit9 and kaspersky offer this new service. Companies should make >use of it. >> > >what service, James! > >Could you please explain more... > >I find it ridicules to know that this problem has been there since >the >earliest version of windows but still without a generic solution! >Is >this unwillingness for the approach to a proper solution is what >has >fueled the "antivirus business" for so long? > >If you look in the *nix side you will see this technique is >tested/proven. Signature based or behavior based approach >detection >will continue to fail. > >To address this never-ending problem of virus infection from >removable >media, i have implemented no-execution-from-removable to dorzons >of >computers in the past years, even the dumbest of users understand >what >is being done and feel safe about they wont likely have virus >infection from the removable media ever, even if the media has a >virus. They know workaround on how to temporarily disable the >restriction if they are willing to run something trustworthy as i >have >made the users clear there is no solution to the problem of virus >infection from removable media and and you have to learn these few >things ...like you have learned to use antivirus software to stay >safe. Users get it, really! > >Antivirus companies should take similar approach (as described >previously) to address it but adding USABILITY. > >This problem is there to stay for years to come. What better could >be >the proper solution to this problem? > >thanks, >-bipin > > > >> On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam >> <[EMAIL PROTECTED]>wrote: >> >>> On 11/23/08, Mike C <[EMAIL PROTECTED]> wrote: >>> >>> >> Of course, blindly thwacking people / dragging them to HR by >the hair >>> >> when they're really just trying to do their jobs is >>> >> counter-productive. The calls also show us where we, >security, are >>> >> falling down. Perhaps it's poor awareness training (if the >user didn't >>> >> know that they shouldn't run unapproved software, or why we >have that >>> >> rule, or how to get a new app approved); or could be that >the official >>> >> route is being seen as too slow or bureaucratic, in which >case it >>> >> needs fixing. And so on. >>> >> >>> > >>> > All I hope is we can fix the issue. Hopefully in the near >future. >>> > >>> >>> >>> Yeah! >>> Here is my prospective to a possible solution that wouldn't >compromise >>> usability. >>> >>> But, first lets all agree on "banning execution of any binary >from >>> removable media" is the only straightforward solution this >decades old >>> problem of virus infection/propagation from removable media. >>> >>> See, if a web-page tries to install an activeX / browser >plugin, your >>> browser (non intrusively) waits for user interaction with a >security >>> warning message on "if you really intend to install the plugin >(Which >>> may be harmful!)" or .......may choose to ignore the dialog and >>> continue browsing. >>> >>> Here, it is assumed "user understands" the security impact of >>> executing untrusted programs from internet and let the >execution >>> decision left to the end user with manual interaction. If the >plugin >>> installation behavior is not intended user can simply ignore >the >>> manual interaction request for execution and instead continue. >>> >>> In similar way, anti virus company or Microsoft should create >similar >>> for "My Computer Zone" where the first execution of a binary >"from >>> removable media" is denied by default and prompt for user >interaction >>> to execute, white list&execute or terminate/ban the request for >>> execution from removable media like the way internet explorer >(non >>> intrusively) handles installation of activeX like in IE. Binary >>> execution from removable media should be treated that way ( >untrusted >>> ! ) >>> >>> Pen drive / SD have unique serial numbers which can be used to >>> identify and permanently whitelist or blacklist the media from >>> execution. >>> >>> Windows already has a feature for prompting if user tries to >execute >>> binary from intranet/shared folder or execution of binary >marked as >>> downloaded from "Internet Zone" >>> >>> Why not have similar for binary execution from removable media >as well!? >>> >>> What better could be the solution to stopping virus to >propagate from >>> removable medias with (default) FAT file system. (lacking >ACL's) >>> >>> For corporate environment let there be feature to sync these >white >>> listed/blacklisted hashes of executable or removable media UID >from >>> anti virus server/domain controller to anti virus >clients/related >>> service running in user end. >>> >>> Will this work :)? >>> >>> -thanks, >>> bipin >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> >> -- >> http://www.goldwatches.com/ >> >> http://www.jewelerslounge.com/luxury-insurance >> > > >-- >x-no-archive: yes > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQECAAYFAkkqUtIACgkQi04xwClgpZitOQP8D1lV4X3nBEKbynQ0RUX5RMO3U/5Z cpJAalM0CPllm0sbTkAMeuogsyB4vhZ9J4UdXcRzyVOZPLs1nMOvQHttNTTXAKQDXsiv 6aexWRZvg4UeE5YSbgs7bU8PjWsNAW3kPL9d2/fkuLisCA2leOMMjPUdxZQu8vRg5oIC IQQl5TM= =/TSf -----END PGP SIGNATURE----- -- Click for huge discounts on pet food and supplies - up to 70% off http://tagline.hushmail.com/fc/PnY6qxt2l8TNc9jVLBmA5nygUPHxBXPtdRHOAicTVOCmlIMT7aiDW/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
