On Sun, Apr 15, 2012 at 22:31, Ken Schaefer <[email protected]> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Subject: Re: Whitelisting
>
> On Sun, Apr 15, 2012 at 21:50, Ken Schaefer <[email protected]> wrote:
>>> For the SOHO end user, the vast bulk of infections are either:
>>> a) exploits in existing applications (Acrobat Reader, Adobe Flash,
>>> Java runtime, Internet Explorer)
>>> b) social engineering attacks, where the user is convinced to run/install
>>> some malware that they shouldn't. Despite code signing, users are still
>>> doing this.
>>>
>>> How will whitelisting help the above type of user? I can't see how it
>>> does - they will always have the ability to override whatever
>>> recommendation the AV (or protection application) provides.
>>
>> Simple - they won't have to worry about "file.doc.exe" (or
>> VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
>> executables from the various web sites that either are deliberately set up,
>> or have been subverted, to issue malware. Those are actually the larger
>> threat, AFAICT.
>
> So, it doesn't help with any exploits of existing apps, browser plug-ins etc.
>
> And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that
> BritnesSpearsNaked.exe is actually a legitimate file, and then tells his
> WhiteListing application that it should be added to the white list, then
> it'll still run. And Joe User will still be screwed.
>
> And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded
> that it's from his good Nigerian Prince friend Joanne User, and runs it, and
> tells his WhiteListing application that it should be added to the white list,
> then it'll still run fine.
>
> We already have UAC, and AV, and Smart Screen, and Integrity Level warnings,
> that warn users that the application might be something bad. Yet users still
> allow these applications to run. With Whitelisting, you are also requiring
> that the user decide what is legitimate and what is not. And users will
> continue to be socially engineered into believing that malware are
> legitimate files. Just like today.
>
>
>>> Whitelisting will slow application development/deployment even more,
>>> and will just result in more applications like Access and Excel that
>>> provide a semi-IDE to the end user that allows them to develop their own
>>> code/functionality. And resulting opportunities for code exploit.
>>
>> Bummer for them. Opportunity for those who can, and who can help them.
>
> Perhaps. Or maybe there's no ROI developing the feature in the first place.
>
> Or maybe exploits will just move to another area (Excel, Access application
> etc) that whitelisting doesn't cover.
>
> You're not addressing the point at all.

Whitelisting helps those who help themselves (corporately or
individually). Think of it as evolution in action.

After that, then yes, bad data is a problem. But bad data is the
smaller problem. That *is* the point.

To drive the point home - If I had to choose between whitelisting
applications and blacklisting data, I'd choose whitelisting
applications, every time. I'll still have some risk in my environment,
but that's, to me, acceptable.

Kurt
