Dr. Vesselin Bontchev COULD NOT BE MORE WRONG!
Hmmmmmm Dr. Vesselin Bontchev...
Something strange here... Can you please explain to me how Trusted Ownership can be bypassed? I think we all know which vendor uses this as their flagship method, and that vendor has apparently never, ever, seen anything unauthorised (be it a user-introduced app or unknown malware) ever execute in its working environment.
When I say working environment I am ranging from some of the biggest banks, government bodies, telecoms, defence etc. companies, through to various experts at Hackerfest and many other security conferences... no one over the past 8 years has ever got round it, as long as it is set up, configured and then used correctly.
I have seen them offer large cash prizes for anyone who can execute something unauthorised, either an intentional game, applet, script... or something that would have been deemed a zero or pre-zero-day threat... by any means, from USB key, to rootkit, to a scripted exploit of a known good application...
Please, for all of us who have invested in this technology - simply detail exactly how to bypass a proven technology, and I will give your comments the respect they then deserve. Until then, I'll continue to think that you either have not seen how trusted ownership works, or do not understand how it is supposed to be integrated into 50,000-user environments.
Moving on - what is all this about a global whitelist? Why on earth do I need to populate a global whitelist that will contain applications and files that are totally useless to me, as they are never going to run in my environment and they are not part of my users' build? So why must I search for these new applications to whitelist them? Utter rubbish!
YOU ONLY NEED TO WHITELIST THE AUTHORISED APPLICATIONS WITHIN YOUR ORGANISATION - NOTHING MORE! And this is easier than it seems; most of the vendors have wizard-driven approaches to locating all relevant files and scripts, then automatically assigning them a SHA-1 digital signature/hash. Job done! Please explain where in that scenario I need to go out and update my whitelist to put on some foreign application I am never going to execute? Please... explain!
Yes, AV is pretty good at stopping what it knows about (well, about 98% of what it knows about) - but something more is needed to block the thousands of other pieces of code it does not, and probably will never, know about! Bring on whitelisting... but more importantly, for a more secure environment, Trusted Ownership and partial whitelisting is optimal. How else would you prevent a targeted piece of code that is sent to a specific user within an organisation? Yes, it may get caught in a spam filter, but again, that is working on lists and rules... some will get through, some will execute, it will not be known by AV and will then happily sit there recording keystrokes, sniffing networks... whatever it wants! If Trusted Ownership was installed, regardless of where the code came from, or what it plans to do when executed, Trusted Ownership would block it before it executes! By sitting at the end of the execution queue, it simply checks the owner stamp on the file, compares it to the list of trusted installers (which, for your information, does not include everyone just because they are admins), and because the user is not on the list, the script or exe is prevented from launching!
Please again, tell me how this can be bypassed and why I need to populate a global list of applications for my whitelist...
Don't forget... prove some of this technology wrong and there could be a nice hefty cash prize waiting for you! Prove us and them wrong, maybe earn your cash and be the big name in security that broke this so far successful model, and I will then happily eat humble pie.
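To make the decision the comment describes concrete, here is an added toy model (not the commenter's code, nor any vendor's product logic): an execution request is allowed if the file's recorded owner is on the trusted-installer list, or, for the "partial whitelisting" case, if its SHA-1 hash is on the organisation's authorised-application list; anything else is denied. The owner names, paths and file bytes are constructed sample data, and the owner check and hash check are assumptions about how such a product combines the two rules.

```python
import hashlib
from dataclasses import dataclass

# Assumed trusted-installer accounts (constructed; a real deployment defines its own).
TRUSTED_OWNERS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
}

@dataclass
class ExecRequest:
    path: str
    owner: str          # account recorded as the file's owner
    content: bytes      # constructed stand-in for the binary's bytes

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def evaluate(req, trusted_owners=TRUSTED_OWNERS, allowed_hashes=frozenset()):
    """Return (decision, reason). Owner check first, hash allow-list second, else deny."""
    if req.owner in trusted_owners:
        return "allow", "owner is a trusted installer"
    digest = sha1_hex(req.content)
    if digest in allowed_hashes:
        return "allow", "hash on authorised-application list"
    return "deny", f"owner {req.owner!r} untrusted and hash {digest[:8]} not listed"

# Constructed samples: a packaged app, an approved user-built tool, and an
# attachment the user saved and tried to run.
LOB_TOOL = b"constructed bytes of an approved line-of-business tool"
ALLOWED_HASHES = frozenset({sha1_hex(LOB_TOOL)})
SAMPLE_REQUESTS = [
    ExecRequest(r"C:\Program Files\Corp\app.exe", "BUILTIN\\Administrators", b"installed app"),
    ExecRequest(r"C:\Users\jsmith\tools\report.exe", "CORP\\jsmith", LOB_TOOL),
    ExecRequest(r"C:\Users\jsmith\Downloads\invoice.exe", "CORP\\jsmith", b"unknown payload"),
]

def run_samples():
    """Map each sample path to its decision, for checking the policy end to end."""
    return {r.path: evaluate(r, allowed_hashes=ALLOWED_HASHES)[0] for r in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, reason = evaluate(req, allowed_hashes=ALLOWED_HASHES)
        print(f"{decision:5} {req.path}  ({reason})")
```

The third sample shows the case the comment argues: a user-owned file with an unknown hash is denied regardless of what it would do when run.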