+1

75000 new pieces of malware *DAILY* - and that will probably only
increase, never decrease, because the automation for morphing malware
will only get better.

LUA + base installs + whitelisting is the only reasonable stance I can
see. Layer in other protections as necessary, including HIPS, etc.,
but the first line of defense seems to be limiting the ability of
users to run new software.

Kurt

On Tue, May 11, 2010 at 08:07, Ben Scott <[email protected]> wrote:
> On Tue, May 11, 2010 at 10:44 AM, Ken Schaefer <[email protected]> wrote:
> [re: vulnerabilities in AV software, especially
>> How is whitelisting or blacklisting going to help? Answer: it's not.
>
>  Whitelisting is not directly going to address the problem of
> vulnerabilities in anti-virus software.  But I agree with the stance
> that looking for signatures of known bad software is fast becoming
> infeasible.
>
>  Whitelisting and similar strategies bypass the entire problem.
> Rather than try to identify software you don't want (which is
> potentially infinite), you identify software you do want.  I like
> ASB's analogy with firewall policy: "Deny by default, allow known good"
> has long been the accepted best practice.  It makes sense to do the
> same for software.
>
>  LUA ("Limited User Access", Microsoft's term for least privilege,
> i.e., running without admin rights) is already a big step in this
> direction.  We don't let users modify C:\WINDOWS or "C:\Program
> Files", because that's where the software lives.  From there, the
> obvious next step is to deny execution from "C:\Documents and
> Settings".
>
>  There's the usual heavy sprinkling of compatibility headaches --
> it's amazing how much software expects to execute things from %TEMP%
> or "All Users\Application Data" -- but much like LUA, while initial
> implementation can be a hassle, I think it will pay off big in the
> long run.
>
>  Done right, this could vastly reduce or even eliminate the
> traditional anti-virus role.
>
>  (For well-managed environments.  Clueless home users are still
> screwed.  :-(  )
>
>  I do agree with the premise that AV software should not have
> security vulnerabilities.  I just think that the problems are bigger
> than that, and the apparent way forward may make the smaller issue of
> AV software vulnerabilities moot, by making traditional
> signature-based AV software obsolete.
>
>> But, if your AV was any good, it would detect the problem "on access"
>
>  At this point I don't expect signature scanning to stop anything.
> Malware evolves too quickly to keep up.  We have traditional AV
> software, we use it, we even depend on it more than I would like, but
> I don't expect it to keep up with the morphed-threat-of-the-minute
> whack-a-mole problem.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>

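One way to size up the compatibility headaches before enforcing the deny-by-default path policy Ben describes, as an added example that is not from this thread: a PowerShell dry run that inventories executable files already living under the user profile, %TEMP% and the all-users application data folder, which is exactly what a path rule that only allows %SystemRoot% and %ProgramFiles% would start blocking. The folder list, the extension subset and the helper name are assumptions of this example, not from the message.

```powershell
# Added example (not from the thread): dry run of a "deny by default, allow
# known good" path policy. Lists executable files that sit outside the
# allowed roots, i.e. what would stop running once execution is denied there.

# Roots where software is allowed to run (assumption: mirrors Ben's
# "C:\WINDOWS" and "C:\Program Files"; add your own install roots here).
$AllowedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# User-writable locations that commonly end up hosting executables.
# ProgramData is the Vista+ location of "All Users\Application Data".
$WritableRoots = @(
    $env:USERPROFILE,
    $env:TEMP,
    $env:ProgramData
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# File types a path policy would treat as executable (assumption: a short
# subset; extend to match the executable types your policy enforces).
$ExecPatterns = @('*.exe', '*.dll', '*.com', '*.scr', '*.msi', '*.bat', '*.cmd', '*.vbs', '*.js')

# Hypothetical helper: true when the file is under one of the allowed roots.
function Test-UnderAllowedRoot {
    param([string]$Path)
    foreach ($root in $AllowedRoots) {
        if ($Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Walk each writable root and keep the executables a deny-by-default rule would hit.
$wouldBlock = foreach ($root in $WritableRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -Include $ExecPatterns -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-UnderAllowedRoot $_.FullName) }
}

# Summarise by directory so the noisy offenders (updaters and installers
# unpacking into %TEMP%) stand out before you commit to enforcing.
$wouldBlock |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

"{0} executable file(s) would be denied under an allow-only policy for: {1}" -f
    @($wouldBlock).Count, ($AllowedRoots -join ', ')
```

Run it as a normal user on a representative workstation; directories that show up repeatedly are the candidates for explicit allow rules (or for moving the software) before the deny rule goes live.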
