Let's try another one: I use an exploit (or even just VBA automation) in Word to password protect all your files. You need to pay me to get them back (or maybe I don't care whether you get them back, I just like inflicting pain - aka like most mass market viruses)
Does whitelisting address this scenario? No. Are exploits just going to move from the problem space solved by whitelisting and to a new area that is not addressed by this technology? Yes It's just like spam (and every other area where we have a constantly escalated war of technology). Yet for some reason we don't seem to be learning that lesson. Cheers Ken From: Andrew S. Baker [mailto:[email protected]] Sent: Tuesday, 17 April 2012 11:07 AM To: NT System Admin Issues Subject: Re: Whitelisting For any given environment, there will be less known good items that I want to run, than known bad ones that I don't, not to mention all the unknown bad ones that I don't know about yet. Managing the smaller list is *better*, not *perfect*. I haven't missed the point. A flawed example is just that -- flawed. But, going beyond that and focusing on the principle itself, the blacklist is ALSO vulnerable to the same issue. So, do you settle for the us both sharing your example problem, plus you having a host of other ones that are greater than mine? Or do you acknowledge that the approach I favor creates a smaller attack surface area? ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market... On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott <[email protected]<mailto:[email protected]>> wrote: On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker <[email protected]<mailto:[email protected]>> wrote: >>> If it's an exploit, it's going to launch code. The code >>> won't run in a whitelisting environment unless it's approved by the admin. >> >> CMD /C DEL C:\*.* /S /Q /F /A > > A - Wouldn't work so nicely in 2008 and above, due to lack of elevated > rights > > B - Limited use infection (since it destroys itself) You're missing the point. You're arguing against the example, rather than the principle. Namely: It's possible to use a whitelisted application as an attack vector.[1] You're also making another mistake -- you're seeing protection of the system as an end, rather than a means. Nobody cares if the OS is intact if all the data is gone. We protect the OS because we use the OS to protect the assets, not just for the sake of having a protected OS. -- Ben [1] To the original question: This doesn't mean blacklisting, i.e., trying to identify and exclude "known bad" software, is the better alternative. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
