Ken,
Personal experience with dealing with r00ted systems that have bypassed
AV controls has shown me a lot about how nefarious these attacks can be,
and I am still learning a lot about the infector vectors and how to
provide controls to prevent them. If AV doesn't have a signature for the
attack that the current malware has employed, then its pretty trivial to
do file system infection, Trojan dropping, rootkit installation etc etc,
trust me the malware authors/writers are still well ahead of us in the
battle and will probably continue to be for quite sometime. Also I am
not advocating any approach except that AV by itself is almost worthless
as a system control anymore. But when you are dealing with like 10K+ new
samples a day of virus/malware then its pretty hard for any AV vendor to
keep up with signatures to detect them all.
I would rather not turn this into a flame war, if you disagree, that is
perfectly fine, and you are well without your rights, please feel free
to contact me offline we can ramble it out there accordingly.
Always love a good discussion about this subject as painful as it is for
business these days.
Thanks
EZ
Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]
-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....
-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Subject: RE: Life just keeps getting better....
On Access, most of the rootkits on the systems have hidden themselves
from AV,
therefore rendering its "On Access" detection useless.
How does a rootkit manage to hide itself in the first place? You can
only hide yourself from FSF if you have hooked the relevant system calls
in the first place. On access should detect that before it happens.
Its not whether AV is good or not, its just a race not worth running
anymore trying to
fight common threat vectors with signature techniques.
Irrelevant to the point. You were talking about whitelisting vs
blacklisting, and yet are unable to explain how whitelisting helps in
the scenario you talked about.
Suggest you understand the situation before advocating some solution
that doesn't solve the problem.
Cheers
Ken
Been using CSA here for about 5+ yrs and its cut down the
Malware/Spyware drastically, due to controlling code execution period,
its hooked into the Kernel so it can't be bypassed, and has saved the
bacon more than a few times.
Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5.0 which
leaves folks in a pickle and looking for other solutions and application
whitelisting seems to be the best of the choices atm. Its not
fool-proof, but again its controlling execution, and you have a method
of vetting what software is good and what is bad in your environments,
which is a ton better than just putting AV on the system and calling it
a day...
Z
Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan
Organization
401-639-3505
[email protected]
-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 10:44 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....
How is whitelisting or blacklisting going to help? Answer: it's not. The
problem is thread pre-emption and storing values in user-mode memory
space where it can be altered (assuming you can get the timing right).
But, if your AV was any good, it would detect the problem "on access"
Cheers
Ken
-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, 11 May 2010 9:16 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....
You can also read the blurb on San's ISC page also, some vendors say its
important, and of course Mcafee discredits it, not that suprises me. But
it is an attack vector to consider. Controling the execution of code on
your system is the difference between keeping your systems clean and
getting 0wned. Whether you look at HIPS/Whitelisting/Blacklisting,
otherwise, you are going to have to have more on your systems than just
AV to combat todays threat landscape.
Sincerely,
EZ
Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan
Organization
401-639-3505
[email protected]
-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 9:11 AM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better....
On Mon, May 10, 2010 at 12:40 AM, Kurt Buff<[email protected]> wrote:
How to bypass almost all AV software
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-d
esktop-security-software.php
Sophos's response:
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-
shaker/
They're an AV vendor and thus not a disinterested party, so take it as
you like.
-- Ben
