Um, really - you can't do it. Signatures (blacklists) for data files are a folly - worse than trying to blacklist executables.
Your point is taken that if application/executable whitelisting is good that malware will become nothing more than bad data files, but that then becomes a problem of fixing the applications. Sanitizing input And, fixing applications and their buffer overflows, heap overflows, integer under/overflows, etc., is a far smaller problem space than trying to blacklist data files. I'll take that problem vs. trying to allow folks to execute any random binary that catches their eye. None of it is easy, but whitelisting apps will be exponentially easier than blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott <[email protected]> wrote:
>
> Possibly...even probably. But, if we ever get to a world where
> whitelisting is the predominant means of execution control, the bad guys
> will, out of necessity, be relegated to exploiting flaws in applications
> through data files. A scanner that looks for signatures of exploits in files
> will be a useful tool. Assuming of course, all applications aren't secure.
>
> Sent from my Windows Phone
> ________________________________
> From: Andrew S. Baker
> Sent: 4/15/2012 1:08 PM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> You can't. :)
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R <[email protected]>
> wrote:
>>
>> How do you blacklist all possible bad data files?
>> ------Original Message------
>> From: Crawford, Scott
>> To: NT System Admin Issues
>> ReplyTo: NT System Admin Issues
>> Subject: RE: Whitelisting
>> Sent: 14 Apr 2012 18:02
>>
>> A combination is needed. Whitelisting for traditional executable code and
>> blacklisting for data files that exploit vulnerable white listed
>> applications.
>>
>> -----Original Message-----
>> From: Alex Eckelberry [mailto:[email protected]]
>> Sent: Saturday, April 14, 2012 10:10 AM
>> To: NT System Admin Issues
>> Subject: Whitelisting
>>
>> I'm curious, what's the general feeling about whitelisting? As a
>> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
>> might be changing.
>>
>> Thoughts?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
