AppSense blocks certain PDFs, DLLs and all sorts of other executable stuff in its default configuration as well. I can see this from the "Denied" alerts that we get whenever something is prevented from executing. It must have some form of detection for this because most PDFs, for instance, are allowed to run. It certainly makes me feel quite a bit more at ease, as I can see it stopping all the stupid things users are trying to run.
As I said before though, I'm biased.

On 14 July 2011 12:48, Ziots, Edward <[email protected]> wrote:

> And it's not only .EXE files that contain executable code; a lot of the time it's PDFs and Word documents with embedded code, or links to download the malicious code. But in the end it's all about controlling executable code in whatever form it is in.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
> From: Crawford, Scott [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 4:41 PM
> To: NT System Admin Issues
> Subject: RE: Thought on malware cleaning
>
> My point is that it's common simply because it's allowed. Disallowing .exes to be stored would make it rare, but the .exes would just have moved with no net gain. Or maybe I'm misunderstanding what you're suggesting.
>
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 2:52 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> That's not my solution. My solution is to check these types of folders and match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value when they are found.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <[email protected]> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.
>
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 2:25 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables.
>
> I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <[email protected]> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole, therefore there are always going to be "writeable" areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of.
>
> The only suggestion would be a good application white-listing technology to only allow known good software and disallow anything else to run. I am sure it has its caveats (trust me, we are implementing application white-listing now, and compared to IPS it's still got its pain points).
>
> Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.
>
> Keep your friends close and your enemies closer
>
> EZ
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 13, 2011 2:28 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> To be addressed at a later date, yes. ;-)
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote:
>
> and as to "Maybe I'm nuts.", isn't that a separate issue ??? <grin>
>
> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <[email protected]> wrote:
>
> Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address. I'm gonna start this with one point, and then see how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the "run" registry keys.
>
> As far as I know, this top-level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware very commonly lives. This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team up, please do.
>
> --
> Espi
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
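Espi's heuristic from the thread (a file sitting loose in the top-level AppData/ProgramData folder, plus a Run value pointing at it) as an added example; this is not code from the thread or from Espi's scripts. The folder roots, Run values and directory listing are constructed sample data so it runs offline; on a real host you would feed `audit()` the output of a registry read of the Run keys and a listing of those roots.

```python
import re
from pathlib import PureWindowsPath

# Folder roots that, per the thread, should hold no loose files at all.
# Constructed for the example; substitute the profiles you actually audit.
WATCHED_ROOTS = [
    r"C:\ProgramData",                                        # Vista+ "all users" AppData
    r"C:\Documents and Settings\All Users\Application Data",  # XP equivalent
    r"C:\Users\alice\AppData\Roaming",
    r"C:\Users\alice\AppData\Local",
]
EXE_EXT = r"\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js)"

def executable_from_run_value(command_line):
    """Program path from a Run-key command line: "quoted path" args, or bare path args."""
    command_line = command_line.strip()
    quoted = re.match(r'"([^"]+)"', command_line)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(.+?" + EXE_EXT + r")(?:\s|$)", command_line, re.IGNORECASE)
    return bare.group(1) if bare else command_line.split()[0]

def in_watched_root(path):
    """True only when the file sits directly in a watched root, not in a subfolder."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == str(PureWindowsPath(r)).lower() for r in WATCHED_ROOTS)

def audit(run_values, root_files):
    """run_values: {value name: command line} read from the HKLM/HKCU Run keys;
    root_files: files found directly inside the watched roots (the dir listing).
    Returns (value name, path) for each Run entry pointing at a loose root file."""
    present = {f.lower() for f in root_files}
    return [
        (name, exe)
        for name, cmd in run_values.items()
        for exe in [executable_from_run_value(cmd)]
        if in_watched_root(exe) and exe.lower() in present
    ]

# Constructed sample data standing in for a real registry read and dir listing.
SAMPLE_RUN_VALUES = {
    "VendorTray":   r"C:\Program Files\Vendor\tray.exe /minimized",
    "Reader_sl":    r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "kjsdhf":       r'"C:\ProgramData\kjsdhf.exe" /start',
    "updater":      r"C:\Users\alice\AppData\Roaming\updater.exe -silent",
    "VendorUpdate": r"C:\Users\alice\AppData\Local\Vendor\update.exe",  # subfolder, not flagged
}
SAMPLE_ROOT_FILES = [r"C:\ProgramData\kjsdhf.exe", r"C:\Users\alice\AppData\Roaming\updater.exe"]
FINDINGS = audit(SAMPLE_RUN_VALUES, SAMPLE_ROOT_FILES)   # the two dropped-in-root entries
```

A Run value that launches rundll32.exe, a script host or cmd.exe yields the host binary rather than the payload, so extend `executable_from_run_value` to look at the first argument for those hosts before relying on it in production.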
