Data files should neither be whitelisted nor blacklisted. That is not how you deal with buffer overruns (which is the primary mechanism by which bad data is used to exploit an app vulnerability).
Using lists to determine good/bad data is unmanageable from the start.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Sat, Apr 14, 2012 at 1:48 PM, Crawford, Scott <[email protected]> wrote:

> Good question, but it's MUCH easier than whitelisting all good data files.
>
> I would expect the blacklist scanner to look for signatures of application exploits.
>
> Sent from my Windows Phone
> ------------------------------
> From: Rankin, James R
> Sent: 4/14/2012 12:25 PM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> How do you blacklist all possible bad data files?
>
> ------Original Message------
> From: Crawford, Scott
> To: NT System Admin Issues
> ReplyTo: NT System Admin Issues
> Subject: RE: Whitelisting
> Sent: 14 Apr 2012 18:02
>
> A combination is needed. Whitelisting for traditional executable code and blacklisting for data files that exploit vulnerable whitelisted applications.
>
> -----Original Message-----
> From: Alex Eckelberry [mailto:[email protected] <[email protected]>]
> Sent: Saturday, April 14, 2012 10:10 AM
> To: NT System Admin Issues
> Subject: Whitelisting
>
> I'm curious, what's the general feeling about whitelisting? As a former AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be changing.
>
> Thoughts?
