* Posts by Network_Ninja

2 publicly visible posts • joined 27 Jun 2007

The decline of antivirus and the rise of whitelisting

Network_Ninja

Dr. Vesselin Bontchev COULD NOT BE MORE WRONG!

Hmmmmmm Dr. Vesselin Bontchev...

Something strange here... Can you please explain to me how Trusted Ownership can be bypassed? I think we all know which vendor uses this as their flagship method, and that vendor has apparently never, ever, seen anything unauthorised (be it a user-introduced app or unknown malware) ever execute in its working environment.

When I say working environment I am ranging from some of the biggest banks, government bodies, telecoms, defence etc. companies, through to various experts at Hackerfest and many other security conferences... no one over the past 8 years has ever got round it, as long as it is set up, configured and then used correctly.

I have seen them offer large cash prizes for anyone who can execute something unauthorised, either an intentional game, applet, script.. or something that would have been deemed a zero or pre zero day threat... by any means, from USB key, to rootkit, to scripted exploit of a known good application...

Please, for all of us who have invested in this technology - simply detail exactly how to bypass a proven technology, and I will give your comments the respect they then deserve. Until then, I'll continue to think that you either have not seen how trusted ownership works, or don't understand how it is supposed to be integrated into 50,000 user environments?

Moving on - what is all this about a global white list? - why on earth do I need to populate a global white list, that will contain applications and files that are totally useless to me as they are never going to run in my environment and they are not part of my users' build, so why must I search for these new applications to whitelist them? - utter rubbish?

YOU ONLY NEED TO WHITELIST THE AUTHORISED APPLICATIONS WITHIN YOUR ORGANISATION - NOTHING MORE! And this is easier than it seems; most of the vendors have wizard-driven approaches to locating all relevant files and scripts, then automatically assigning them a SHA-1 Digital Signature/Hash.. Job Done!? Please explain where in that scenario I need to go out and update my whitelist to put on some foreign application I am never going to execute? Please... explain!

Yes, AV is pretty good at stopping what it knows about (well, about 98% of what it knows about) - but something more is needed to block the thousands of other pieces of code it does not, and probably will never, know about! - Bring on Whitelisting.. but more importantly, for a more secure environment Trusted Ownership and partial WhiteListing is optimal... How else would you prevent a targeted piece of code that is sent to a specific user within an organisation? Yes, it may get caught in a spam filter, but again, working on lists and rules.. some will get through, some will execute, it will not be known by AV and will then happily sit there recording key strokes, sniffing networks.. whatever it wants! If Trusted Ownership was installed, regardless of where the code came from, or what it plans to do when executed, Trusted Ownership would block it before it executes! By sitting at the end of the execution queue, it simply checks the owner stamp on the file, compares it to the list of trusted installers (which for your information does not include everyone just because they are admins) and cos the user is not on the list - the script or exe is prevented from launching!

Please again, tell me how this can be bypassed and why I need to populate a Global List of applications for my whitelist...

Don't forget.. prove some of this technology wrong and there could be a nice hefty cash prize waiting for you! - prove us and them wrong, maybe earn your cash and be the big name in security that broke this so far successful model; I will then happily eat humble pie.

Network_Ninja

Managing WhiteList - Flexible Users - More Secure Methodologies... Self Healing?

The problems people mention in relation to needing to add new applications to the whitelist are easy to work with.

Some of the vendors I have looked into allow for a 'Self Authorising Mode' - where admin-privileged users, or trusted users, have the ability to authorise their own executables that would normally be blocked by the solution.

For example, some guy makes his new application or installs something that needs to run; this is not on a whitelist and would normally be blocked from running. He is assigned as a self authorising user and so he is prompted: this would normally be blocked, do you wish to run it? - he can click yes if it is something legitimate (also audited and archived). This also protects from malware trying to run: again, this is not on the whitelist, do you wish to run it? - nope, I had no idea this was about to execute, I do not know what it is, so I am going to block it before it even runs!

The other point on here is that people are assuming they need a whitelist for all global executables? - this is unnecessary, you only need one for the applications within your environment surely? Yes, this can take time to populate..

This has already been mentioned, but the long-winded approach of whitelisting is superseded by, in my opinion, a more secure and more manageable way of whitelisting.. the trusted users approach.

Only things that are owned by an approved user or account are allowed to run, no need for a whitelist of applications; if you are not on the list, you cannot execute your own code! No white list needed!

This also protects authorised applications from being exploited via vulnerabilities; for example, if something tried to execute as a macro or script from within Word or Excel, the piece of code that is trying to execute is owned by the user, and as the user is not on the list, the bad code cannot run, although the Word or Excel programme is fine..

Whitelisting is ok, but by no means the answer.. there are far more effective ways of securing the environment with the likes of trusted ownership and automatically self healing and repairing registry keys from malware drops!

I know of one particular vendor that does this, and have seen customers that have audit trails of up to 300 instances of blocked scripts and applications per week! That would not have been picked up by the antivirus and anti-malware engines...
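As an added illustration (not code from these posts or from any vendor they allude to), the small Python policy evaluator below models the trusted-ownership check described in the first post and the self-authorising mode and SHA-1 whitelist described in the second. File owners, user accounts and file bytes are constructed strings; a real product would read the NTFS owner from the file's ACL at execution time.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed policy data (hypothetical accounts, not from the posts).
TRUSTED_OWNERS = {"NT AUTHORITY\\SYSTEM", "CORP\\sw-deploy"}  # trusted installers
SELF_AUTHORISING_USERS = {"CORP\\alice"}                      # may approve their own code


@dataclass
class ExecRequest:
    path: str
    content: bytes   # file bytes, so a SHA-1 can be computed
    owner: str       # account stamped as the file's owner
    requester: str   # account attempting to execute the file


@dataclass
class Policy:
    hash_whitelist: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # every decision is recorded

    def decide(self, req: ExecRequest, user_approves: bool = False) -> str:
        digest = hashlib.sha1(req.content).hexdigest()
        if req.owner in TRUSTED_OWNERS:
            verdict = "ALLOW:trusted-owner"      # installed by an approved account
        elif digest in self.hash_whitelist:
            verdict = "ALLOW:whitelisted-hash"   # explicitly whitelisted by SHA-1
        elif req.requester in SELF_AUTHORISING_USERS and user_approves:
            self.hash_whitelist.add(digest)      # archive the approval for next time
            verdict = "ALLOW:self-authorised"
        else:
            verdict = "BLOCK"                    # unknown owner, not whitelisted
        self.audit.append((req.path, req.owner, req.requester, verdict))
        return verdict


def demo() -> dict:
    """Run constructed sample execution attempts through the policy."""
    pol = Policy()
    word = ExecRequest(r"C:\Office\WINWORD.EXE", b"word-bytes", "CORP\\sw-deploy", "CORP\\bob")
    dropped = ExecRequest(r"C:\Users\bob\Temp\update.vbs", b"macro-dropped", "CORP\\bob", "CORP\\bob")
    tool = ExecRequest(r"C:\Users\alice\build\tool.exe", b"alice-tool", "CORP\\alice", "CORP\\alice")
    return {
        "office_app": pol.decide(word),                      # trusted installer owns it
        "macro_dropped_script": pol.decide(dropped),         # owned by the user: blocked
        "own_tool_declined": pol.decide(tool, False),        # prompt answered "no"
        "own_tool_approved": pol.decide(tool, True),         # prompt answered "yes"
        "own_tool_rerun": pol.decide(tool),                  # hash now whitelisted
        "audit_entries": len(pol.audit),
    }
```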