Just as virtually all primarily blacklist-focused solutions provide some options for whitelisting, and other options for malware detection beyond signatures, so too do most whitelist-focused solutions offer ways of restricting application access beyond their primary approach.

I think what most people are saying is "whitelist tools and technologies are the best way to deal with host-based malware going forward" and what you appear to be hearing is "*a whitelist* is the only way to deal with host-based malware going forward". Subtle difference.

Also, to take your analogy a little further, the reason we're having this discussion is that most AV products don't actually identify behavior -- they simply track physical malware characteristics. This is why zero day vulnerabilities get by them. Unless Uncle Louie had a rap sheet before he got to your house, he'd actually manage to do some damage before the police blotter report was updated.

And, given that the list of strangers showing up to do dumb things still outnumbers the list of not-already-banned-family-members who would do dumb things, my view of the relative uselessness of most AV products today still stands.

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Tue, Nov 15, 2011 at 6:38 PM, Crawford, Scott <[email protected]> wrote:

> It’s not a question of whitelist or AV (blacklist). Both are necessary. Whitelisting is very effective at controlling what exe, dll, com, etc. are allowed to run. But, malware can also exist as malformed data files such as pdf, jpeg, mp3. For these, blacklisting is needed since it's extremely impractical to whitelist every data file you’d like to open.
>
> The analogy I like is home access. It’s pretty impractical to maintain a list of criminals that you won’t allow into your house. It’s much easier to keep a mental list of friends and family who are welcome to come in. In that sense, you’re whitelisting access to your house. But, even though Uncle Louie may be on the whitelist, if he comes over drunk one night and starts swinging a bat at my wife, I’m not gonna let him stick around just because he’s been whitelisted. My failsafe blacklist of unacceptable behavior is going to dictate that I kick him out.
>
> *From:* Stu Sjouwerman [mailto:[email protected]]
> *Sent:* Tuesday, November 15, 2011 1:19 PM
> *To:* NT System Admin Issues
> *Subject:* Would you drop AV for Whitelisting / Application Control?
>
> So I’m asking a bunch of questions here, because I’m looking at writing this story from a few different angles. If the ratio Malware to good code is 80 – 20 (which it is +/- at the moment) why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.
>
> Your view? Input?
>
> Stu
>
> *From:* Stu Sjouwerman
> *Sent:* Tuesday, November 15, 2011 2:10 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Whitelisting Pros & Cons?
>
> Oh, this an acquisition, that is why it’s having such a high score! LOL
>
> *From:* Doug Hampshire [mailto:[email protected]]
> *Sent:* Tuesday, November 15, 2011 1:13 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Whitelisting Pros & Cons?
>
> Clearly these results are flawed if McAfee Anything gets higher than a -3 in any category. :-)
>
> On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman <[email protected]> wrote:
>
> Thanks Micheal. Anyone experience with any of the Whitelisting products in this InfoWorld Review?
>
> http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?
>
> Bit9 Parity Suite 5.01
>     10   8   9   9   10   9.4   EXCELLENT
>     30%  15%  25%  10%  20%
> CoreTrace Bouncer 5
>     9   9   9   8   9   8.9   VERY GOOD
>     30%  15%  25%  10%  20%
> Lumension Application Control
>     8   9   8   9   9   8.5   VERY GOOD
>     30%  15%  25%  10%  20%
> McAfee Application Control 5.0
>     9   9   9   8   8   8.7   VERY GOOD
>     30%  15%  25%  10%  20%
> SignaCert Enterprise Trust Services 3.0
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Monday, November 14, 2011 5:10 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Whitelisting Pros & Cons?
>
> Whitelisting is the future IMHO. You can't trust anything anymore. Faith doesn't cut it. You have to protect yourself and your assets, and whitelisting is the best way to do it.
>
> --
> Espi
>
> On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman <[email protected]> wrote:
>
> I'm referring to Whitelisting in the context of security. About 10 years ago, the ratio "Good code" versus malware was perhaps 90 good 10 bad. In that scenario, it makes sense to keep the bad code out. But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow "good code" and implement application control. Only that which is allowed, will run.
>
> I'd like your feedback - input - discussion on this !
>
> Warm regards,
>
> Stu
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:[email protected]]
> Sent: Monday, November 14, 2011 11:22 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting Pros & Cons?
>
> Are you asking about web content filtering, email filtering, or some other type of "whitelisting?"
>
> --Matt Ross
> Ephrata School District
>
> ----- Original Message -----
> From: Stu Sjouwerman [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Mon, 14 Nov 2011 08:14:57 -0800
> Subject: Whitelisting Pros & Cons?
>
> > Guys, I am writing an article for WServerNews, and would like your public input.
> >
> > What is your experience with Whitelisting, which products you tried/use, and what experience you are having with this, likes and hates are all welcome !!
> >
> > Warm regards,
> >
> > Stu
