Security Basics mailing list archives
Re: Microsoft Software Auditing ?
From: Adam Jones <ajones1 () gmail com>
Date: Mon, 11 Apr 2005 10:08:59 -0500
Scanning for executables is a poor method of accomplishing things. It misses a lot and requires a large time investment to be effective. Here's why:

1) Executable scanning misses a lot. Here are a few ways that I can quickly think of to "hide" an executable:

- Name it as a harmless-sounding executable in a reliable known directory.
- Overwrite a rarely-used legitimate executable in a known directory.
- Store it in an NTFS alternate data stream [1] and access it through a script.
- Store it under another file name and rename it at execution time.

In short, even a halfhearted attempt to hide the executable will give it a decent chance of getting past straight .exe scanning.

2) Time investment. The only way that executable scanning is going to really be effective is if you begin with a lot of prep work. To combat file replacement you would have to CRC every executable on the system, and update that CRC any time you patch the system or update your software. Accounting for overwritten system files would also involve CRC checking, but this time on the client system. There are applications that will detect NTFS alternate data streams; those would probably need to be run as a second scan of the system. Looking for alternate extensions would probably be best done by looking for the associated scripting files, which means at least scanning .bat, .js, .vbs, and .wsf extensions, then looking for any rename commands in each of those files.

In general scanning for executables is not an effective use of time. In addition to being slow it is error prone and cannot be relied on to detect very much. There are a lot of good open source/free tools to work with for this, and they are generally more effective at the task. Scanning for executables is very time consuming compared to the benefits of it. Your time would be better invested in developing a set of policies to lock down user rights and system access.

After that is done executable checking becomes either a non-issue or much easier as the scope of what you need to look at is limited.

[1] NTFS alternate data streams http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
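The "CRC every executable and re-baseline after patching" approach described in the post, as an added Python example that is not from the post or from the list: it hashes executable-type files under a tree, stores the digests, and on a rescan reports files that were overwritten, added or removed. The extension set and the sample tree built in `demo()` are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions counted as executable content (assumption: a small set drawn from the post).
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".js", ".vbs", ".wsf"}

def hash_file(path):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> digest for every executable-type file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def compare(baseline, current):
    """Classify drift; 'modified' is the overwritten-legitimate-binary case from the post."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline
                               if p in current and baseline[p] != current[p])}

def save_baseline(baseline, path):
    """Persist the digests; re-run this right after patching so the baseline stays valid."""
    Path(path).write_text(json.dumps(baseline, sort_keys=True, indent=2))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed sample tree: take a baseline, then overwrite one binary and add a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service")
        (root / "readme.txt").write_text("not executable content, ignored")
        save_baseline(build_baseline(root), root / "baseline.json")
        (root / "bin" / "svc.exe").write_bytes(b"MZ replaced contents")  # overwritten binary
        (root / "bin" / "helper.dll").write_bytes(b"MZ new library")     # newly added file
        return compare(load_baseline(root / "baseline.json"), build_baseline(root))
```

A scan of this kind only covers the file-replacement case the post mentions; alternate data streams and rename-at-runtime scripts still need the separate checks it describes.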