Very true, but there some very basic things that can be checked and have some very basic logic applied to take action on. Why this isnt addressed is beyond me. There are key folders that shouldn't have files in them, let alone executable's.
I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldnt need to involve it. -- Espi On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]> wrote: > Honestly, the Malware game is like a big game of Whack-a-Mole, therefore > there is always going to be “writeable” areas in the OS even for the user, > and the malware authors are using packing and anti-tampering methods that > are evading most anti-virus vendors ( the really targeted attacks), so it’s > a battle that is going to keep going on and on, just as soon as you block > one method they come up with 3-5 more you haven’t thought of. **** > > ** ** > > The only suggestion would be a good Application White-listing technology to > only allow known good software and disallow anything else to run. I am sure > it has its caveats ( Trust me we are implementing an application > white-listing now, and compared IPS its still got its pain points.) **** > > ** ** > > Although its been fun reading the Malware Analyst Cookbook and DVD, nice > insight into reverse-engineering malware and seeing what it does so you can > better protect your systems. **** > > ** ** > > Keep your friends close and your enemies closer**** > > EZ **** > > ** ** > > Edward E. Ziots**** > > CISSP, Network +, Security +**** > > Security Engineer**** > > Lifespan Organization**** > > Email:[email protected]**** > > Cell:401-639-3505**** > > [image: CISSP_logo]**** > > ** ** > > *From:* Micheal Espinola Jr [mailto:[email protected]] > *Sent:* Wednesday, July 13, 2011 2:28 PM > *To:* NT System Admin Issues > *Subject:* Re: Thought on malware cleaning**** > > ** ** > > To be addressed at a later date, yes. ;-) > > -- > Espi**** > > ** ** > > ** ** > > > > **** > > On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote: > **** > > and as to "Maybe I'm nuts." , isn't that a separate issue ??? <grin>**** > > ** ** > > On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr < > [email protected]> wrote:**** > > Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some > very simple questions about things I almost ALWAYS see on infected systems. > Perhaps someone here can clarify something for me that I have yet to see > Microsoft and any antivirus vender directly address. I'm gonna start this > with one point, and then how the conversation goes: > > I almost always see malware injection points in the allusers\appdata > folder. In these instances I *always* see a reference in one of the "run" > registry keys. > > As far as I know; this top level appdata filer should NOT contain files at > all. I repeat: NO FILES AT F'ING ALL. > > Can someone confirm this? Can someone with contacts at Microsoft or other > AV providers confirm why this is completely overlooked when scanning? This > is were 0-day malware live very commonly. This is very easy to check! > > Thank you for your time and any vender reach-outs you can provide. > > I'm currently working on a set of scripts to check what I consider very > foolish things like this. If anyone wants to team-up, please do. > > -- > Espi**** > > ** ** > > ** ** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<image003.jpg>>
