Again, depends on your whitelisting solution:

   - does it only depend on filename and size/date info?
      - that can be spoofed
   - does it also checksum executables?
      - what happens on Patch Tuesday?
      - are patches/hotfixes even allowed to run?
      - what happens to patched software that no longer matches checksum?
         - especially when patched software is OS core? do you brick
           machine via whitelist protection?
      - how do you manage whitelisting for power users with LOTS of
        installed software and legitimate need to install utilities and
        updates on the fly?

I've found whitelisting to be very good on 'standardized' systems that
perform a specific role, but the more a system needs to be customized for
the end user, the harder it is to manage security via whitelisting.

On Tue, Nov 15, 2011 at 2:18 PM, Stu Sjouwerman <[email protected]> wrote:

> So I’m asking a bunch of questions here, because I’m looking at writing this
> story from a few different angles. If the ratio Malware to good code is 80 – 20
> (which it is +/- at the moment) why not drop AV altogether and lock down those
> workstations and only allow good code to run?   Saves budget.
>
> Your view? Input?
>
> Stu
>
> *From:* Stu Sjouwerman
> *Sent:* Tuesday, November 15, 2011 2:10 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Whitelisting Pros & Cons?
>
> Oh, this is an acquisition, that is why it’s having such a high score!   LOL
>
> *From:* Doug Hampshire [mailto:[email protected]]
> *Sent:* Tuesday, November 15, 2011 1:13 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Whitelisting Pros & Cons?
>
> Clearly these results are flawed if McAfee Anything gets higher than a -3
> in any category. :-)
>
> On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman <[email protected]> wrote:
>
> Thanks Micheal. Anyone experience with any of the Whitelisting products in
> this InfoWorld Review?
>
> http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?
>
> Bit9 Parity Suite 5.01: 10, 8, 9, 9, 10, 9.4, EXCELLENT (30%, 15%, 25%, 10%, 20%)
> CoreTrace Bouncer 5: 9, 9, 9, 8, 9, 8.9, VERY GOOD (30%, 15%, 25%, 10%, 20%)
> Lumension Application Control: 8, 9, 8, 9, 9, 8.5, VERY GOOD (30%, 15%, 25%, 10%, 20%)
> McAfee Application Control 5.0: 9, 9, 9, 8, 8, 8.7, VERY GOOD (30%, 15%, 25%, 10%, 20%)
> SignaCert Enterprise Trust Services 3.0
>
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Monday, November 14, 2011 5:10 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Whitelisting Pros & Cons?
>
> Whitelisting is the future IMHO.  You can't trust anything anymore.  Faith
> doesn't cut it.  You have to protect yourself and your assets, and
> whitelisting is the best way to do it.
>
> --
> Espi
>
> On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman <[email protected]> wrote:
>
> I'm referring to Whitelisting in the context of security.  About 10 years ago,
> the ratio "Good code" versus malware was perhaps 90 good 10 bad.  In that
> scenario, it makes sense to keep the bad code out. But over the last 10 years,
> with automated malware variant generation, the tables have turned, and there is
> actually more malware than good code out there. So in -that- scenario it might
> make sense to only allow "good code" and implement application control. Only
> that which is allowed, will run.
>
> I'd like your feedback - input - discussion on this !
>
> Warm regards,
>
> Stu
>
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:[email protected]]
> Sent: Monday, November 14, 2011 11:22 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting Pros & Cons?
>
> Are you asking about web content filtering, email filtering, or some other
> type of "whitelisting?"
>
> --Matt Ross
> Ephrata School District
>
> ----- Original Message -----
> From: Stu Sjouwerman [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Mon, 14 Nov 2011 08:14:57 -0800
> Subject: Whitelisting Pros & Cons?
>
> > Guys, I am writing an article for WServerNews, and would like your
> > public input.
> >
> > What is your experience with Whitelisting, which products you
> > tried/use, and what experience you are having with this, likes and hates
> > are all welcome !!
> >
> > Warm regards,
> >
> > Stu
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
>
>
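
The two identity checks raised in the reply at the top of this thread (filename plus size/date versus a checksum), as an added example that is not part of the original messages or of any product named here. The file name `tool.exe`, its byte contents and the function names are constructed for illustration; the sketch shows a same-size content swap passing a metadata rule while failing a SHA-256 rule, and a legitimate update being blocked by the hash rule until the allowlist is refreshed.

```python
import hashlib
import os
import tempfile


def metadata_rule(path):
    """Identity as a name/size/date allowlist sees it."""
    st = os.stat(path)
    return (os.path.basename(path), st.st_size, st.st_mtime_ns)


def hash_rule(path):
    """Identity as a checksum allowlist sees it: SHA-256 of the content."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def replace_content(path, data, keep_mtime):
    """Overwrite a file, optionally putting the old timestamps back."""
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(data)
    if keep_mtime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def run_demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "tool.exe")  # constructed stand-in file
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"A" * 62)     # constructed 64-byte content
        allow_meta, allow_hash = {metadata_rule(exe)}, {hash_rule(exe)}
        # Case 1: same-size content swap with the timestamps restored.
        replace_content(exe, b"MZ" + b"B" * 62, keep_mtime=True)
        results["tampered_meta"] = metadata_rule(exe) in allow_meta
        results["tampered_hash"] = hash_rule(exe) in allow_hash
        # Case 2: a legitimate update changes the bytes; the hash rule
        # blocks it until the new hash is added to the allowlist.
        replace_content(exe, b"MZ" + b"A" * 62 + b"patch", keep_mtime=False)
        results["patched_before_update"] = hash_rule(exe) in allow_hash
        allow_hash.add(hash_rule(exe))
        results["patched_after_update"] = hash_rule(exe) in allow_hash
    return results


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```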
