I'm all for leaving it open.  But it should be checked by AV software and
related tools.  It's just common sense.  There is almost always infection
there.  There and some other common locations should be checked.  Any apps
present should be checked to see if they are signed, or have any company detail
(most/all are null).  And depending on that, they should then be scanned against the
registry.

It's not rocket science, and it's not that resource intensive.  Especially if
we are talking about using an AV/AM app performing a system sweep.

--
Espi





On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott <[email protected]> wrote:

>  I’m not referring to whitelisting, which has its own set of issues.
>
> I’m talking about your suggestion of disallowing any .exe files in the root
> of AppData.
>
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Wednesday, July 13, 2011 3:50 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>
> While I agree with whitelisting, and I believe it's a reasonable solution at
> this point, the original intent of this post and what I am proposing don't
> involve whitelisting.
>
> --
> Espi
>
>
> On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott <[email protected]>
> wrote:
>
> My point is that it’s common simply because it’s allowed. Disallowing .exes
> to be stored would make it rare, but the .exes would just have moved with no
> net gain. Or maybe I’m misunderstanding what you’re suggesting.
>
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Wednesday, July 13, 2011 2:52 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>
> That's not my solution.  My solution is to check these types of folders and
> match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value
> when they are found.
>
> --
> Espi
>
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <[email protected]>
> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it
> in a subfolder. Your simple solution is only simple because that’s how
> Windows is designed. The overhead to block .exe in AppData would take
> resources to code and test and would add virtually no value.
>
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Wednesday, July 13, 2011 2:25 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>
> Very true, but there are some very basic things that can be checked and have
> some very basic logic applied to take action on.  Why this isn't addressed is
> beyond me.  There are key folders that shouldn't have files in them, let
> alone executables.
>
> I agree with the concepts of whitelists.  But the issue I'm addressing
> specifically right now shouldn't need to involve it.
>
> --
> Espi
>
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]>
> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole, therefore
> there are always going to be “writeable” areas in the OS even for the user,
> and the malware authors are using packing and anti-tampering methods that
> are evading most anti-virus vendors (the really targeted attacks), so it’s
> a battle that is going to keep going on and on; just as soon as you block
> one method they come up with 3-5 more you haven’t thought of.
>
> The only suggestion would be a good application white-listing technology to
> only allow known good software and disallow anything else to run. I am sure
> it has its caveats (trust me, we are implementing application
> white-listing now, and compared to IPS it still has its pain points.)
>
> Although it’s been fun reading the Malware Analyst’s Cookbook and DVD, nice
> insight into reverse-engineering malware and seeing what it does so you can
> better protect your systems.
>
> Keep your friends close and your enemies closer
>
> EZ
>
> Edward E. Ziots
> CISSP, Network+, Security+
> Security Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
>
> *From:* Micheal Espinola Jr [mailto:[email protected]]
> *Sent:* Wednesday, July 13, 2011 2:28 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> To be addressed at a later date, yes.  ;-)
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote:
>
>
> and as to "Maybe I'm nuts.", isn't that a separate issue??? <grin>
>
> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <
> [email protected]> wrote:
>
> Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have some
> very simple questions about things I almost ALWAYS see on infected systems.
> Perhaps someone here can clarify something for me that I have yet to see
> Microsoft or any antivirus vendor directly address.  I'm gonna start this
> with one point, and then see how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata
> folder.  In these instances I *always* see a reference in one of the "run"
> registry keys.
>
> As far as I know, this top level appdata folder should NOT contain files at
> all.  I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this?  Can someone with contacts at Microsoft or other
> AV providers confirm why this is completely overlooked when scanning?  This
> is where 0-day malware very commonly lives.  This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very
> foolish things like this.  If anyone wants to team-up, please do.
>
> --
> Espi
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>


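The sweep Espi describes across the thread (executables sitting in the root of the all-users AppData folder and similar locations, whether they are Authenticode-signed or carry a company name, and whether a "Run" key points at them), as an added PowerShell example. This is not code from the original thread and not Espi's scripts; the folder list, the registry key list and the extension list are assumptions about what such a sweep should cover, and it uses `PSIsContainer` rather than `-File` so it also runs on the PowerShell 2.0 that was current at the time.

```powershell
# Added example, not from the original thread. Enumerates executables in the
# *root* of the AppData-type folders, records signature and CompanyName, and
# flags any that are referenced from an autostart Run/RunOnce key.

# Assumption: these are the roots that should not normally hold executables.
# $env:ProgramData is the Vista+ location of "All Users\Application Data".
$Folders = @(
    $env:ProgramData,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'AppData')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Assumption: the usual autostart keys to cross-reference against.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Note properties Get-ItemProperty adds to every result; these are not Run values.
$ProviderNotes = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Collect every Run value as (key, name, command) so commands can be searched by path.
function Get-RunEntries {
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Props = Get-ItemProperty -LiteralPath $Key
        foreach ($P in $Props.PSObject.Properties) {
            if ($ProviderNotes -contains $P.Name) { continue }
            New-Object PSObject -Property @{ Key = $Key; Name = $P.Name; Command = [string]$P.Value }
        }
    }
}

# Return the first Run entry whose command line contains the file path (case-insensitive).
function Test-ReferencedByRun {
    param([string]$Path, [object[]]$Entries)
    foreach ($E in $Entries) {
        if ($E.Command -and $E.Command.IndexOf($Path, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $E
        }
    }
    return $null
}

$Entries = @(Get-RunEntries)
$Findings = foreach ($Dir in $Folders) {
    # No -Recurse on purpose: the check is about the folder root itself.
    # -Force includes hidden/system files, which droppers often set.
    $Files = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr|com)$' }
    foreach ($File in $Files) {
        $Sig     = Get-AuthenticodeSignature -FilePath $File.FullName
        $Signed  = ($Sig.Status -eq 'Valid')
        $Company = $File.VersionInfo.CompanyName
        $Run     = Test-ReferencedByRun -Path $File.FullName -Entries $Entries
        # Unsigned *and* auto-started is the combination the thread is about.
        $Priority = $(if ($Run -and -not $Signed) { 'HIGH' }
                      elseif ($Run -or -not $Signed) { 'MEDIUM' }
                      else { 'LOW' })
        New-Object PSObject -Property @{
            Priority = $Priority
            Path     = $File.FullName
            Signed   = $Signed
            Signer   = $(if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' })
            Company  = $(if ($Company) { $Company } else { '(null)' })
            RunKey   = $(if ($Run) { "$($Run.Key)\$($Run.Name)" } else { '' })
        }
    }
}

$Findings | Sort-Object Priority, Path |
    Select-Object Priority, Path, Signed, Company, RunKey | Format-Table -AutoSize
```

Two caveats a practitioner would add before acting on the output: a valid signature or a populated CompanyName is not proof of legitimacy (both are trivially copied or bought), and the Run keys are only one persistence location, so a clean result here says nothing about scheduled tasks, services or other autostarts. The point of the check is cheapness, exactly as the thread argues: the folder roots are small and the registry lookups are a handful of reads, so it can run on every sweep.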