Whitelist security applications?

Discussion in 'other anti-malware software' started by raven211, Jul 15, 2010.

Thread Status:
Not open for further replies.
  1. raven211 Registered Member

    I know about BluePoint as an alternative, but are there any others out there going the whitelist approach in a similar way? I can think about Faronics AE now that I'm writing this, but the approach of a pure AE is still different - so I mean the approach which is like a sort of (cloud) AV.

    EDIT: Quorum maybe? Still it doesn't seem to kick in at all times, hence the pure whitelist approach is still not there, and hence it misses stuff as it doesn't utilize a (auto-)sandbox (yet) to kick in. Any thoughts on this?


    Thanks
  2. Persian Boy Registered Member

    KIS ( Application Control - Kaspersky Security Network Database)
    CIS ( Digital signatures and whitelist from COMODO Network)
  3. raven211 Registered Member

    I know COMODO is Default Deny, but I haven't seen that in KIS yet? Is that a part of the 2011 edition?
  4. Persian Boy Registered Member

    Both 2010 and 2011 have this white list option. Maybe 2009 also, I'm not sure!

    I use KIS 2010 and it has both digitally signed apps and the white list from the Kaspersky Security Network Database.

    The default action for unsigned applications is up to you, and it's not deny always!
    You can change the settings to ask you or deny.

    Example...
    If an application has no digital signature.
    If an application has not been white listed by Kaspersky.

    Ask?
    Deny?
    Allow?
    Deny something?
    Ask for something?
    etc...

  5. Eirik Registered Member

    When I look at application whitelisting, I consider the distinction between user-space and system-space important. BTW, I consider user-space to be any hard-drive location where an end-user or process without local admin rights can perform write operations.

    Also, there are two kinds of application whitelisting implementations. One allows executable launches that are consistent with a reference hash checksum. Another, much easier approach, allows launches of digitally signed executables.

    The hash checksum approach is why I divide a PC into user-space and system-space in this context, to make a point regarding 'level of effort'. Managing the checksums is hardly effort free. It requires enumerating what is authorized to launch or be used in system-space. But, a PC running with LUA (and NOT installing software from untrustworthy sources), is unlikely to get its system-space compromised. Supplementary protections make this even more unlikely. Most of the 'combat' takes place in user-space whereas with checksum based whitelisting, most of the work regards system space.

    In user-space, legitimate application launches take place (e.g., GotoMeeting). So, default-deny in user-space requires exceptions: a white list.

    But, all these applications that are allowed to launch, cannot be fully trusted after they have launched. A hijacked Adobe Reader can unleash a world of hurt! So, launch control is not enough.

    With AppGuard, as the name implies, we place at-risk applications 'under guard'. And in user-space, we only allow 'guarded' applications to launch. I like to call this "user-space application whitelisting". I like to contrast this with ENTERPRISE application whitelisting. Incidentally, AppGuard is starting to leverage 'digital signage' (e.g., allow Microsoft signed MSI's to launch, block others).

    Well, my 2 cents... Regarding my self-promoting stuff on AppGuard, at least I left it till the last paragraph. :)

    Cheers,

    Eirik
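    A small Python model of the two whitelisting styles discussed in this post (reference-hash allowlist versus trusted-signer allowlist, split by user-space and system-space) and of the KIS "ask or deny for unsigned files" setting described in post 4. This is an added example, not code from AppGuard, Kaspersky or any product named in the thread; every path, hash, signer name and launch event is constructed sample data, and the decision order is an illustration, not a vendor's actual algorithm.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy data; a real product fills these from its own
# database (e.g. a vendor whitelist) rather than from literals.
USER_SPACE_PREFIXES = ("C:\\Users\\", "C:\\Temp\\")   # writable without admin rights
HASH_ALLOWLIST = {hashlib.sha256(b"MZ sample-notepad").hexdigest()}
TRUSTED_SIGNERS = {"Microsoft Corporation"}

@dataclass
class Launch:
    path: str
    contents: bytes
    signer: Optional[str] = None     # None means the file carries no signature
    signature_valid: bool = True     # False models a tampered or non-verifying signature

def is_user_space(path: str) -> bool:
    """Eirik's definition: any location an unprivileged user or process can write to."""
    return path.startswith(USER_SPACE_PREFIXES)

def decide(launch: Launch, unsigned_default: str = "ask") -> str:
    """Return 'allow', 'deny' or 'ask' for one launch attempt.

    unsigned_default is the user's choice from post 4: what happens when a file
    is neither on the hash allowlist nor signed by a trusted publisher.
    """
    if unsigned_default not in ("ask", "deny"):
        raise ValueError("unsigned_default must be 'ask' or 'deny'")
    # 1. Reference-hash check: exact content match, signer irrelevant.
    if hashlib.sha256(launch.contents).hexdigest() in HASH_ALLOWLIST:
        return "allow"
    # 2. Signer check: a signature only counts if it verifies AND the signer is trusted.
    if launch.signer is not None:
        if not launch.signature_valid:
            return "deny"            # a claimed signature that does not verify
        if launch.signer in TRUSTED_SIGNERS:
            return "allow"
    # 3. Unsigned, or signed by an unknown publisher: the configured default applies.
    return unsigned_default

def evaluate(launches, unsigned_default="ask"):
    """Map each path to (space, decision) so the user-space/system-space split is visible."""
    return {lc.path: ("user-space" if is_user_space(lc.path) else "system-space",
                      decide(lc, unsigned_default)) for lc in launches}

SAMPLE_LAUNCHES = [   # constructed launch events
    Launch(r"C:\Windows\notepad.exe", b"MZ sample-notepad"),
    Launch(r"C:\Windows\System32\cmd.exe", b"MZ cmd", "Microsoft Corporation"),
    Launch(r"C:\Users\alice\AppData\Local\Temp\update.exe", b"MZ dropper"),
    Launch(r"C:\Users\alice\Downloads\AntiVirusPro.exe", b"MZ fakeav", "Unknown Publisher Ltd"),
    Launch(r"C:\Temp\calc.exe", b"MZ patched", "Microsoft Corporation", signature_valid=False),
]
```

    Note that the signed file from an unknown publisher gets exactly the same treatment as an unsigned one; a signer allowlist is only as good as the set of publishers you actually trust.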
  6. raven211 Registered Member

    Ah, silly me. :D I forgot about this. :D Would you say that makes Kaspersky pretty waterproof?

    @Eirik: Don't worry about your promo. :D Your input was great food for thought. ^^
  7. Persian Boy Registered Member

    If you use "untrusted" mode in application control settings you are safe 99.9999%( I can't say 100%)

    I have tested KIS without AV against a lot of 0day threats and nothing bypassed KIS(URL from MDL).

    TDSS, Zbot, Rootkits, Fake-AV, Worm, Sality, Jeefo, ZEUS, Autorun etc... nothing could bypass KIS because these malware can't execute when they don't have digital signatures or a white list entry from Kaspersky.

    You don't even need Kaspersky AV signatures to protect a system.:rolleyes:
  8. raven211 Registered Member

    Yeah, that's pretty cool indeed :) - but then again the really tough malware uses a Digital Signature right, hence that option might be best to turn off in terms of security? o_O
  9. Persian Boy Registered Member

    What I know is that there is no malware with digital signatures, of course there are some examples of bypassing Micro$oft dll's like...

    http://www.sophos.com/blogs/sophoslabs/?p=10078

    But in the end it needs an executable file to run and use the dll, which can't have a digital signature. Just a dll file can't do anything.

    Have a look here...
    http://www.wilderssecurity.com/showthread.php?t=273508

    I think that nothing can be 100% safe in security applications, but it's very hard to bypass digital signatures. Maybe if you search hard you could find a few samples, therefore I said that you are safe 99.9999%, not 100%.

    Another one:
    http://www.sophos.com/security/threat-spotlight/index.html

    What I do is that add something like SandboxIE to protect browsers.:)

    Edit: If you want to know how to check files for digital signatures just follow these instructions..
    1. Click the Windows globe in the bottom left.
    2. In the "search programs and files" box type "sigverif".
    3. Click Start. Sigverif will quickly scan your system files for unsigned files.
    4. A window will open showing you which system files are not digitally signed. Also, a log was created. You can access the log by opening sigverif.exe, clicking Advanced and then clicking View Log.
    5. There are some files that are LEGITIMATE and have NO digital signature. You can verify if a file that does not contain a digital signature is malware by uploading it to virustotal.com (which scans the file against dozens of AV engines).

    Last edited: Jul 15, 2010
  10. Rmus Exploit Analyst

    Hello, Eirik,

    Too bad this sound advice isn't made available when people purchase their first computer!

    But wouldn't launch control block the malware executable that the Reader attempts to download? All the PDF exploits I've seen do something similar. Typical:

    [screenshots attached in the original post: wep_1.gif, wep_3.gif, wep_2.gif; more readable: code-urlmon.gif, ff-acroKerioAe.gif]

    Your AppGuard, or any Default-Deny solution, would easily stop this in its tracks!

    regards,

    -rich
    Last edited: Jul 15, 2010
  11. wat0114 Guest

    Would it make a difference? People still want to run as admin because, and here's a good one I've heard recently: "yeah but you can't install programs in a limited account" Yeah, good reason :rolleyes:
  12. Persian Boy Registered Member

    I have just found a Fake-AV with digital signatures! :D

    ~VT results removed per Policy.~

    Last edited by a moderator: Jul 15, 2010
  13. raven211 Registered Member

    Last edited by a moderator: Jul 15, 2010
  14. Eirik Registered Member

    Agreed.

    There are two other vectors that are much less common, particularly in the consumer space.

    1) The initially exploited application does not spawn an executable that carries out the attacker's agenda but actually conducts the 'instructions' itself (i.e., Adobe Reader does what the normally spawned executable does, or what the executable spawned by the spawned executable does :ouch: )

    2) The initially exploited application injects instructions into the memory of another process

    These more sophisticated attacks are more difficult to implement and do not as easily re-use existing code. Such attacks are relatively rare in the consumer space. It would be irresponsible of me to imply anything other than the prospect that a consumer is far more likely to encounter an attack that spawns an executable to be launched in user-space than the more sophisticated attacks I listed above.

    Most consumers have not battened down their user-space, which makes it the lowest hanging fruit. So, default-deny in user-space is a very effective protection.

    Cheers,

    Eirik