Security Basics mailing list archives

Re: Microsoft Software Auditing ?


From: Adam Jones <ajones1 () gmail com>
Date: Mon, 11 Apr 2005 10:08:59 -0500

Scanning for executables is a poor method of accomplishing things. It
misses a lot and requires a large time investment to be effective.
Here's why:

1) executable scanning misses a lot:
Here are a few ways that I can quickly think of to "hide" an executable:

Name it as a harmless-sounding executable in a reliable known directory.
Overwrite a rarely-used legitimate executable in a known directory.
Store it in an NTFS alternate data stream[1] and access it through a script.
Store it under another file name and rename it at execution time.

In short, even a halfhearted attempt to hide the executable will give
it a decent chance of getting past straight .exe scanning.

2) Time investment:
The only way that executable scanning is going to really be effective
is if you begin with a lot of prepwork.

To combat file replacement you would have to CRC every executable on
the system, and update that CRC any time you patch the system or
update your software.

Accounting for overwritten system files would also involve CRC
checking, but this time on the client system.

There are applications that will detect NTFS alternate data streams;
those would probably need to be run as a second scan of the system.

Looking for alternate extensions would probably be best done by
looking for the associated scripting files, which means at least
scanning .bat, .js, .vbs, and .wsf extensions, then looking for any
rename commands in each of those files.

In general, scanning for executables is not an effective use of time.
In addition to being slow it is error prone and cannot be relied on to
detect very much. There are a lot of good open source/free tools to
work with for this, and they are generally more effective at the task.
Scanning for executables is very time consuming compared to the
benefits of it. Your time would be better invested in developing a set
of policies to lock down user rights and system access. After that is
done, executable checking becomes either a non-issue or much easier, as
the scope of what you need to look at is limited.

[1] NTFS alternate data streams
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
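The baseline-and-compare step the post describes for catching replaced or overwritten executables, written out as an added example that is not part of the original message. It uses SHA-256 in place of a CRC, and the watched extension list and the sample file tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions worth baselining: binaries plus the script types the post
# names, since a script can rename a disguised file before running it.
# (Constructed list, not from the original message.)
WATCHED = {".exe", ".dll", ".com", ".scr", ".bat", ".js", ".vbs", ".wsf"}

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every watched file under root: relative POSIX path -> digest."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in WATCHED and p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline

def compare_baseline(old, new):
    """Return (added, removed, modified) paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return added, removed, modified

def demo_run():
    """Constructed sample tree exercising the three change cases."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "svc.exe").write_bytes(b"MZ original")
        (r / "bin" / "old.dll").write_bytes(b"MZ dll")
        (r / "notes.txt").write_text("not a watched extension, ignored")
        before = build_baseline(r)          # taken after a clean install
        (r / "bin" / "svc.exe").write_bytes(b"MZ replaced")    # overwritten
        (r / "bin" / "old.dll").unlink()                        # removed
        (r / "bin" / "helper.vbs").write_text("' new script")   # added
        after = build_baseline(r)           # re-taken on the next check
        return compare_baseline(before, after)
```

As the post notes, the baseline must be regenerated after every patch or software update, or legitimate changes will show up as tampering.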


