On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker <[email protected]> wrote:
>>> If it's an exploit, it's going to launch code.  The code
>>> won't run in a whitelisting environment unless it's approved by the admin.
>>
>>        CMD /C DEL C:\*.* /S /Q /F /A
>
> A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
> rights
>
> B - Limited use infection  (since it destroys itself)

  You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

  You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude "known bad" software, is the better
alternative.
