Yes, it can address that scenario. You can sign the scripts you want to run, and disallow unsigned scripts.
Does whitelisting solve world hunger, cure cancer or find livable space on Mars? No. But it does address, more effectively, a huge range of threats that are inadequately addressed by the traditional blacklisting approach of current AV products. It's even used within Windows directly to make the OS more secure. As a result, I will continue to use and recommend it to reduce my threat landscape, leaving more time to intelligently address the threats that it does not handle well. * * *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of Technology for the SMB market… * On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer <[email protected]> wrote: > Let’s try another one: I use an exploit (or even just VBA automation) in > Word to password protect all your files. You need to pay me to get them > back (or maybe I don’t care whether you get them back, I just like > inflicting pain – aka like most mass market viruses)**** > > ** ** > > Does whitelisting address this scenario? No. **** > > Are exploits just going to move from the problem space solved by > whitelisting and to a new area that is not addressed by this technology? Yes > **** > > ** ** > > It’s just like spam (and every other area where we have a constantly > escalated war of technology). Yet for some reason we don’t seem to be > learning that lesson.**** > > ** ** > > Cheers**** > > Ken**** > > ** ** > > *From:* Andrew S. Baker [mailto:[email protected]] > *Sent:* Tuesday, 17 April 2012 11:07 AM > > *To:* NT System Admin Issues > *Subject:* Re: Whitelisting**** > > ** ** > > For any given environment, there will be less known good items that I want > to run, than known bad ones that I don't, not to mention all the unknown > bad ones that I don't know about yet.**** > > ** ** > > Managing the smaller list is *better*, not *perfect*.**** > > ** ** > > I haven't missed the point. A flawed example is just that -- flawed. > But, going beyond that and focusing on the principle itself, the blacklist > is ALSO vulnerable to the same issue.**** > > ** ** > > So, do you settle for the us both sharing your example problem, plus you > having a host of other ones that are greater than mine? Or do you > acknowledge that the approach I favor creates a smaller attack surface area? > **** > > ** ** > > ** ** > > *ASB***** > > *http://XeeMe.com/AndrewBaker***** > > *Harnessing the Advantages of Technology for the SMB market…***** > > > > **** > > On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott <[email protected]> wrote:** > ** > > On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker <[email protected]> > wrote: > >>> If it's an exploit, it's going to launch code. The code > >>> won't run in a whitelisting environment unless it's approved by the > admin. > >> > >> CMD /C DEL C:\*.* /S /Q /F /A > >**** > > > A - Wouldn't work so nicely in 2008 and above, due to lack of elevated > > rights > > > > B - Limited use infection (since it destroys itself)**** > > You're missing the point. You're arguing against the example, > rather than the principle. Namely: It's possible to use a whitelisted > application as an attack vector.[1] > > You're also making another mistake -- you're seeing protection of > the system as an end, rather than a means. Nobody cares if the OS is > intact if all the data is gone. We protect the OS because we use the > OS to protect the assets, not just for the sake of having a protected > OS. > > -- Ben > > [1] To the original question: This doesn't mean blacklisting, i.e., > trying to identify and exclude "known bad" software, is the better > alternative.**** > > > ** > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
