That's not my solution. My solution is to check these types of folders and match against the registry.
It's a very common occurrence in my experience, and would add lots of value when they are found.

--
Espi

On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <[email protected]> wrote:

> If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.
>
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 2:25 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables.
>
> I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole, therefore there are always going to be "writeable" areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of.
>
> The only suggestion would be a good application white-listing technology to only allow known good software and disallow anything else to run. I am sure it has its caveats (trust me, we are implementing application white-listing now, and compared to IPS it's still got its pain points.)
>
> Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.
>
> Keep your friends close and your enemies closer
>
> EZ
>
> Edward E. Ziots
> CISSP, Network+, Security+
> Security Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 2:28 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> To be addressed at a later date, yes. ;-)
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote:
>
> and as to "Maybe I'm nuts.", isn't that a separate issue ??? <grin>
>
> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <[email protected]> wrote:
>
> Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address. I'm gonna start this with one point, and then how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the "run" registry keys.
>
> As far as I know, this top-level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware lives very commonly. This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team up, please do.
>
> --
> Espi
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
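The check Espi describes, loose executables in the root of the shared and per-user AppData folders cross-referenced against the Run keys, as an added PowerShell example that is not part of the thread and not Espi's own scripts; it assumes PowerShell 3.0 or later, treats ProgramData as the modern location of the All Users application data folder, and the extension list and Run-key list are my own choices.

```powershell
# Added example, not from the thread: list executables sitting directly in the
# root of ProgramData (the "All Users\AppData" of the post) and of every user's
# AppData\Roaming and AppData\Local, then cross-reference each with the Run /
# RunOnce autostart keys. Assumes PowerShell 3.0+ and read access to the
# profile folders and registry keys involved; HKCU covers only the current user.

$exeExt = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')

# Top-level folders that normally hold subfolders only, never loose executables.
$roots = @($env:ProgramData)
$profileBase = Split-Path -Path $env:USERPROFILE -Parent
Get-ChildItem -Path $profileBase -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $roots += Join-Path -Path $_.FullName -ChildPath 'AppData\Roaming'
    $roots += Join-Path -Path $_.FullName -ChildPath 'AppData\Local'
}

# Autostart values from the usual Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    # Get-ItemProperty exposes the values as properties; skip the PS* metadata ones.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = [string]$_.Value } }
}

# One row per top-level executable, flagged when a Run entry references its file name.
$findings = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exeExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $hits = @($autostarts | Where-Object { $_.Command -like "*$($file.Name)*" })
            [pscustomobject]@{
                Path       = $file.FullName
                Modified   = $file.LastWriteTime
                InRunKey   = ($hits.Count -gt 0)
                RunEntries = (($hits | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; ')
            }
        }
}
$findings | Sort-Object -Property InRunKey -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so all profile folders are readable; rows with InRunKey set to True are the combination the post describes and are worth checking first.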
