I only partially agree, Alex. Even so, assuming we agree with the nomenclature of "signature" as the technology, the need to change signatures is very different in a whitelist environment than in a blacklisting environment. And the processing power needed to evaluate them is considerably diminished, as the number of items for each environment is much smaller.
Just consider the difference in a firewall rule-set that assumes a "deny all that has not been explicitly opened" stance vs one that tries to explicitly prevent all bad protocols and ports.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, May 7, 2010 at 11:01 PM, Alex Eckelberry <[email protected]> wrote:
> These are all forms of signatures, most particularly the hash. I suppose
> it's a question of nomenclature.
>
> Alex
>
>
> -----Original Message-----
> From: Phil Brutsche [mailto:[email protected]]
> Sent: Friday, May 07, 2010 7:20 PM
> To: NT System Admin Issues
> Subject: Re: Sunbelt, McAfee, Symantec - now Clam
>
> Application whitelisting doesn't necessarily use signatures.
>
> Microsoft's AppLocker and its predecessor, Software Restriction Policies,
> can whitelist based on:
> * folder paths
> * file name
> * file hashes
> * executables signed with a software publisher's X.509 code-signing
>   certificate
>
> Alex Eckelberry wrote:
> > Not sure about that. What happens when the whitelisting vendor screws
> > up a dat file, and you can't run any of your programs at all because
> > they are not "allowed"? The problem is compounded by the fact that
> > there are far more legitimate files released daily than there are
> > malicious files, so whitelisting applications need to update even more
> > than blacklisting apps.
>
> --
>
> Phil Brutsche
> [email protected]
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
