Which implies that no protection is possible *after* a compromise.  Which is
not in dispute.  We're talking about prevention, Ken.

The point being made is that whitelisting as an approach does not suffer the
inherent drawbacks of zero-day malignant code -- e.g. it won't allow it to
run, thereby avoiding the doomsday scenario you have articulated below.

Stopping only things you know to be bad will not sufficiently scale, since
by definition, you don't know about any new malware in advance.  Allowing
only things you know to be good to execute is far more sustainable, as it
will not change to the degree that the list of malware will...

-ASB: http://XeeSM.com/AndrewBaker


On Wed, May 12, 2010 at 2:59 AM, Ken Schaefer <[email protected]> wrote:

> Once you have code running as system/root, your whitelisting software
> becomes irrelevant. Because the system that implements ACLs on anything can
> simply be subverted or replaced.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Tuesday, 11 May 2010 11:58 PM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
> In the context of simple whitelisting systems I agree, but in the case of
> something like CSA unless your fake Notepad has specific permissions to
> modify svchost (for example) it will get denied. By specific I mean VERY
> specific. That process started by a specific user from a specific path has
> the ability to do a specific modification to svchost and again only to a
> specific path and a specific modification.
>
> So that code can run and do things, but taking over a box or modifying a
> box isn't going to happen.
>
>
> -----Original Message-----
> From: Ken Schaefer [mailto:[email protected]]
> Sent: Tuesday, May 11, 2010 11:29 AM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
>
> Once code is running as system, it's irrelevant what system you try to put
> in place to prevent it.
> Whitelisting is not going to help, because the rootkit can simply report
> that it's notepad.....
>
>
>

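As an added illustration of the allow-list versus deny-list distinction argued in this thread (example code written for this page, not from any of the posters and not from the CSA product mentioned): a deny-list keyed on known-bad hashes, an allow-list keyed only on the name a process claims, and an allow-list keyed on approved hashes, each run against a trusted binary, a never-seen-before binary presenting itself as that trusted binary, and a known piece of malware. The executable images are constructed byte strings, not real binaries, so the script runs offline.

```python
import hashlib

# Constructed stand-ins for executable images (not real binaries): each value
# is an arbitrary byte string so the example runs without touching disk.
IMAGES = {
    "notepad.exe":      b"MZ\x90\x00 trusted notepad stand-in",
    "fake_notepad.exe": b"MZ\x90\x00 never-seen-before payload",  # zero-day stand-in
    "oldworm.exe":      b"MZ\x90\x00 well-known worm stand-in",
}


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Deny-list: hashes of malware we already know about (assumed, for the example).
KNOWN_BAD = {sha256_hex(IMAGES["oldworm.exe"])}
# Hash allow-list: binaries that were approved in advance.
KNOWN_GOOD = {sha256_hex(IMAGES["notepad.exe"])}
# Name allow-list: trusts whatever file name the process reports.
ALLOWED_NAMES = {"notepad.exe"}


def deny_list_permits(image: bytes) -> bool:
    """Block only what is already known to be bad; anything new is allowed to run."""
    return sha256_hex(image) not in KNOWN_BAD


def name_allow_list_permits(claimed_name: str) -> bool:
    """Allow by claimed name only; a binary that calls itself notepad.exe passes."""
    return claimed_name in ALLOWED_NAMES


def hash_allow_list_permits(image: bytes) -> bool:
    """Allow only images whose content hash was approved beforehand."""
    return sha256_hex(image) in KNOWN_GOOD


def decide(claimed_name: str, image: bytes) -> dict:
    """Run one execution request through all three policies and report each verdict."""
    return {
        "deny_list": deny_list_permits(image),
        "name_allow_list": name_allow_list_permits(claimed_name),
        "hash_allow_list": hash_allow_list_permits(image),
    }


if __name__ == "__main__":
    # The fake notepad presents itself under the trusted name.
    requests = [
        ("notepad.exe", "notepad.exe"),
        ("notepad.exe", "fake_notepad.exe"),
        ("oldworm.exe", "oldworm.exe"),
    ]
    for claimed, key in requests:
        print(f"{key:18s} claiming {claimed:12s} -> {decide(claimed, IMAGES[key])}")
```

The never-seen-before payload is permitted by the deny-list (its hash is not on the list) and by the name allow-list (it claims a trusted name), and is refused only by the hash allow-list. The script models the policy decision itself and nothing more; whether the component making that decision is still trustworthy after code is already running as SYSTEM is the separate question the thread is arguing about.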