Surely all AV tools do "on access" scanning. So it doesn't matter where the 
file is, when it's accessed, it will be scanned.

And whilst there might not be any files there today, unless Microsoft writes 
something on MSDN telling developers that no files should be there, then it's 
entirely legitimate for vendors to put files there down the track.

Cheers
Ken

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Thursday, 14 July 2011 5:04 AM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

I'm all for leaving it open.  But it should be checked by AV software and 
related tools.  It's just common sense.  There is almost always infection there. 
 There and some other common locations should be checked.  Any apps present 
should be checked if they are signed, or have any company detail (most/all are 
null).  And depending, then that should be scanned against the registry.

It's not rocket science, and it's not that resource intensive.  Especially if we 
are talking about using an AV/AM app performing a system sweep.

--
Espi




On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott <[email protected]> wrote:
I'm not referring to whitelisting, which has its own set of issues.

I'm talking about your suggestion of disallowing any .exe files in the root of 
AppData.

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, July 13, 2011 3:50 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

While I agree with whitelisting, and I believe it's a reasonable solution at 
this point, the original intent of this post and what I am proposing don't 
involve whitelisting.

--
Espi



On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott <[email protected]> wrote:
My point is that it's common simply because it's allowed. Disallowing .exes to 
be stored would make it rare, but the .exes would just have moved with no net 
gain. Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, July 13, 2011 2:52 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

That's not my solution.  My solution is to check these types of folders and 
match against the registry.


It's a very common occurrence in my experience, and would add lots of value when 
they are found.

--
Espi
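The check Espi describes in this message and in the 5:04 AM message further up (look at the root of AppData for executables, see whether they are signed or carry any company detail, and match what is found against the registry) as an added PowerShell example. This is not code from anyone in the thread. It assumes the roaming and local AppData roots from the APPDATA and LOCALAPPDATA environment variables, and the standard HKCU/HKLM Run and RunOnce keys as the registry locations to match against; it goes slightly beyond the message by also covering the local AppData root and by flagging files that are unsigned, carry no company name and are referenced from an autostart key. Needs PowerShell 3 or later.

```powershell
# Added example (not from the thread): audit executables sitting directly in the
# roaming and local AppData roots, record Authenticode signature status and the
# CompanyName from the version resource, and cross-reference each path against
# the per-user and machine Run/RunOnce autostart keys.

$folders    = @($env:APPDATA, $env:LOCALAPPDATA)      # assumed roots to audit
$extensions = '.exe', '.dll', '.scr', '.com'          # file types treated as executable

# Assumed registry locations to match against: the standard autostart keys
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Flatten every Run/RunOnce value into (key, value name, command line)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

function Get-AutorunReferences {
    param([string]$Path)
    # Case-insensitive substring match, so quoted paths and trailing arguments still hit
    $autoruns |
        Where-Object { $_.Command.IndexOf($Path, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        ForEach-Object { "$($_.Key)\$($_.Name)" }
}

$report = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # Root of the folder only: the point of the thread is that nothing should live here
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension } |
        ForEach-Object {
            $file    = $_
            $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer  = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $company = $file.VersionInfo.CompanyName
            $refs    = @(Get-AutorunReferences -Path $file.FullName)
            [pscustomobject]@{
                Path      = $file.FullName
                Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = $signer
                Company   = $company
                Autoruns  = $refs -join '; '
                # Unsigned, anonymous, and set to start automatically: worth a closer look
                Suspect   = ($sig.Status -ne 'Valid') -and
                            [string]::IsNullOrEmpty($company) -and
                            ($refs.Count -gt 0)
            }
        }
}

$report | Sort-Object Suspect -Descending |
    Format-Table Path, Signature, Company, Autoruns, Suspect -AutoSize
```

Run it in the context of the user being examined (HKCU is resolved per user), or from an elevated session if you also want HKLM to be readable on a locked-down box. The substring match on the full path is deliberate: Run values frequently wrap the path in quotes or append switches, so an exact comparison would miss them.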



On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <[email protected]> wrote:
If the OS blocked .exe from the root of AppData, malware would just put it in a 
subfolder. Your simple solution is only simple because that's how Windows is 
designed. The overhead to block .exe in AppData would take resources to code 
and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, July 13, 2011 2:25 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Very true, but there are some very basic things that can be checked and have some 
very basic logic applied to take action on.  Why this isn't addressed is beyond 
me.  There are key folders that shouldn't have files in them, let alone 
executables.


I agree with the concepts of whitelists.  But the issue I'm addressing 
specifically right now shouldn't need to involve it.

--
Espi



On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]> wrote:
Honestly, the malware game is like a big game of Whack-a-Mole, therefore there 
are always going to be "writeable" areas in the OS even for the user, and the 
malware authors are using packing and anti-tampering methods that are evading 
most anti-virus vendors (the really targeted attacks), so it's a battle that 
is going to keep going on and on; just as soon as you block one method they 
come up with 3-5 more you haven't thought of.

The only suggestion would be a good application white-listing technology to 
only allow known good software and disallow anything else to run. I am sure it 
has its caveats (trust me, we are implementing application white-listing 
now, and compared to IPS it's still got its pain points).

Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice 
insight into reverse-engineering malware and seeing what it does so you can 
better protect your systems.

Keep your friends close and your enemies closer
EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
