-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 21:50, Ken Schaefer <[email protected]> wrote:
>> For the SOHO end user, the vast bulk of infections are either:
>> a) exploits in existing applications (Acrobat Reader, Adobe Flash,
>> Java runtime, Internet Explorer)
>> b) social engineering attacks, where the user is convinced to run/install
>> some malware that they shouldn't. Despite code signing, users are still
>> doing this.
>>
>> How will whitelisting help the above type of user? I can't see how it
>> does - they will always have the ability to override whatever recommendation
>> the AV (or protection application) provides.
>
> Simple - they won't have to worry about "file.doc.exe" (or
> VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
> executables from the various web sites that either are deliberately set up, or have
> been subverted, to issue malware. Those are actually the larger threat, AFAICT.

So, it doesn't help with any exploits of existing apps, browser plug-ins etc.

And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that BritnesSpearsNaked.exe is actually a legitimate file, and then tells his WhiteListing application that it should be added to the white list, then it'll still run. And Joe User will still be screwed.

And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded that it's from his good Nigerian Prince friend Joanne User, and runs it, and tells his WhiteListing application that it should be added to the white list, then it'll still run fine.

We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, that warn users that the application might be something bad. Yet users still allow these applications to run.

With Whitelisting, you are also requiring that the user decide what is legitimate and what is not. And users will continue to be socially engineered into believing that malware are legitimate files. Just like today.

>> Whitelisting will slow application development/deployment even more,
>> and will just result in more applications like Access and Excel that
>> provide a semi-IDE to the end user that allows them to develop their own
>> code/functionality. And resulting opportunities for code exploit.
>
> Bummer for them. Opportunity for those who can, and who can help them.

Perhaps. Or maybe there's no ROI developing the feature in the first place. Or maybe exploits will just move to another area (Excel, Access application etc) that whitelisting doesn't cover. You're not addressing the point at all.

Cheers
Ken
