If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.
From: Micheal Espinola Jr [mailto:[email protected]] Sent: Wednesday, July 13, 2011 2:25 PM To: NT System Admin Issues Subject: Re: Thought on malware cleaning Very true, but there some very basic things that can be checked and have some very basic logic applied to take action on. Why this isnt addressed is beyond me. There are key folders that shouldn't have files in them, let alone executable's. I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldnt need to involve it. -- Espi On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]<mailto:[email protected]>> wrote: Honestly, the Malware game is like a big game of Whack-a-Mole, therefore there is always going to be "writeable" areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors ( the really targeted attacks), so it's a battle that is going to keep going on and on, just as soon as you block one method they come up with 3-5 more you haven't thought of. The only suggestion would be a good Application White-listing technology to only allow known good software and disallow anything else to run. I am sure it has its caveats ( Trust me we are implementing an application white-listing now, and compared IPS its still got its pain points.) Although its been fun reading the Malware Analyst Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems. Keep your friends close and your enemies closer EZ Edward E. Ziots CISSP, Network +, Security + Security Engineer Lifespan Organization Email:[email protected]<mailto:email%[email protected]> Cell:401-639-3505<tel:401-639-3505> [CISSP_logo] From: Micheal Espinola Jr [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, July 13, 2011 2:28 PM To: NT System Admin Issues Subject: Re: Thought on malware cleaning To be addressed at a later date, yes. ;-) -- Espi On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]<mailto:[email protected]>> wrote: and as to "Maybe I'm nuts." , isn't that a separate issue ??? <grin> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <[email protected]<mailto:[email protected]>> wrote: Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vender directly address. I'm gonna start this with one point, and then how the conversation goes: I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the "run" registry keys. As far as I know; this top level appdata filer should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is were 0-day malware live very commonly. This is very easy to check! Thank you for your time and any vender reach-outs you can provide. I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team-up, please do. -- Espi ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<inline: image001.jpg>>
