Educause Security Discussion mailing list archives
Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Tue, 23 Feb 2016 19:52:56 +0000
These are my thoughts exactly; all AV solutions seem mediocre at best and seem relatively bad at the annoying things (adware, toolbars, trick downloads, etc.). With no silver bullet solutions, the hope is, unfortunately, that an extra layer can help. On the bright side, OSes are getting harder and things like Blaster and Storm haven't happened in a while.

Thomas Carter
Network & Operations Manager
Austin College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Keller
Sent: Tuesday, February 23, 2016 1:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)

Jim et al,

I was interested in Cylance under the heading of "sounds too good to be true". At the time (mid-2015) their product was Windows only, but it looks like they may now support OSX. I repeatedly inquired about getting a trial copy for testing, but they seemed reluctant and wanted me to brave the pre-canned dog and pony webinar. I let that trail run cold; let us know if you have any better luck.

Back to Thomas Carter's original question, my perspective is that signature-based AV has long since been outmoded by the malware. It's a dying approach, but the promises of next-gen products based on heuristics/behavior/posture/sandboxing/machine learning/pick-your-buzzword haven't panned out yet. Pretty much everybody is disappointed with their traditional AV solution, but the common refrain is that "something is better than nothing and it may catch some legacy threats". To some degree this has fueled a race to the bottom: folks are simply licensing the cheapest possible solution that will work for their environment because the detection differential is fairly narrow (i.e. they are all poor). I'd love to be wrong on this... who really loves their AV solution and thinks it provides trusted protection against the latest threats?

I've got a "Locky" crypto malware case (https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.2vef5icl5) on my desk right now. Detection rate for the infected Word document vector on VirusTotal is 3/55, with none of the major vendors detecting:
https://www.virustotal.com/en/file/358f442f3d9b318ffcda1942e1e57b9f607a483400b26d91f7973dc753f61a08/analysis/

Yet there is evidence this vector was observed back in December 2015:
https://techhelplist.com/spam-list/984-invoice-fastco-malware

BTW, if you are interested in reverse engineering infected Office documents, check out Didier Stevens' awesome tools oledump (OLE) and emldump (MIME):
http://blog.didierstevens.com/my-software/
http://blog.didierstevens.com/2015/12/21/update-oledump-py-version-0-0-22/
http://blog.didierstevens.com/2016/01/24/update-emldump-py-version-0-0-6/

Best,
Alex

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Beers, James
Sent: Tuesday, February 23, 2016 7:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)

We haven't deployed, but we are looking into this now also. We are focusing on endpoint protection. Currently looking at Cylance and TRAPS. If anyone has experience with either product, I would like to know about it. Anyone else heading in this direction or just adding anti-malware modules to anti-virus?

---------------------------------------------------
-jwb
Jim Beers '89
Director of Information Security
Information Technology
610-861-1449

IT will never ask you for your username or password for any of our systems. Please do not include this information in any e-mail correspondence with IT (or anyone else!), because e-mail is not a secure means to send sensitive information.

On Mon, Feb 22, 2016 at 12:00 AM, SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:

There is 1 message totalling 51 lines in this issue.

Topics of the day:
1. Anti-Malware solutions

----------------------------------------------------------------------

Date: Sun, 21 Feb 2016 22:52:05 +0000
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Subject: Anti-Malware solutions

Has anyone deployed anti-malware in their environment? If so, what are you using and what is your opinion of it? How about anti-malware modules as part of your antivirus solution (TrendMicro, McAfee, etc.)?

Thomas Carter
Network & Operations Manager
Austin College

------------------------------

End of SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)
**************************************************************
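The quoted thread mentions two defender-side steps for a macro-document case like the one Alex describes: looking the file's SHA-256 up on VirusTotal (the hash is the key in the VirusTotal URL above) and inspecting the document container for a VBA project (what oledump does properly). The script below is an added example, not code from the thread or from Didier Stevens' tools. It hashes a file, identifies whether it is a legacy OLE container or a zip-based OOXML file, and flags a macro project: for OOXML by the presence of a `vbaProject.bin` part, for OLE by a crude search for the UTF-16LE directory-entry names "VBA" and "Macros" (OLE stores entry names in UTF-16LE). The sample files it builds are constructed, not real documents, and the OLE stand-in is not a valid compound file; it only exercises the name check. Treat the OLE path as a first-pass triage, not a substitute for parsing the structure with oledump.

```python
"""Quick triage of an Office attachment: hash it for a VirusTotal lookup and
check whether it carries a VBA macro project.

Added example (not from the mailing-list thread). The sample files built by
build_ooxml() and build_fake_ole() are constructed test data, not malware.
"""
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm (zip) container


def sha256_hex(data: bytes) -> str:
    """SHA-256 is the identifier VirusTotal uses in its file-analysis URLs."""
    return hashlib.sha256(data).hexdigest()


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML keeps VBA in a vbaProject.bin part under word/, xl/ or ppt/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def ole_has_macros(data: bytes) -> bool:
    """Crude check for a legacy OLE container: directory-entry names are stored
    as UTF-16LE, so a storage named 'VBA' or 'Macros' leaves that encoded string
    in the file. A real parser (e.g. oledump) walks the directory instead."""
    return any(name.encode("utf-16-le") in data for name in ("VBA", "Macros"))


def triage(data: bytes) -> dict:
    """Return the hash, the detected container type and a macro flag."""
    if data.startswith(OLE_MAGIC):
        kind, macros = "ole", ole_has_macros(data)
    elif data.startswith(ZIP_MAGIC):
        kind, macros = "ooxml", ooxml_has_macros(data)
    else:
        kind, macros = "unknown", False
    return {"sha256": sha256_hex(data), "container": kind, "has_macros": macros}


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-like zip; only the part names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_fake_ole(with_macros: bool) -> bytes:
    """Constructed stand-in: OLE magic, padding, then a UTF-16LE entry name.
    Not a valid compound file; it exists only to exercise ole_has_macros()."""
    name = "Macros" if with_macros else "WordDocument"
    return OLE_MAGIC + b"\x00" * 504 + name.encode("utf-16-le")


if __name__ == "__main__":
    for label, sample in (("docm-like", build_ooxml(True)),
                          ("docx-like", build_ooxml(False)),
                          ("ole-like", build_fake_ole(True))):
        print(label, triage(sample))
```

On a real attachment you would read the file bytes and pass them to `triage()`; the `sha256` field is what you paste into the VirusTotal URL, and a `has_macros` hit on an invoice-themed document is the cue to open it with oledump rather than with Word.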
Current thread:
- Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26) Beers, James (Feb 23)
- Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26) Alex Keller (Feb 23)
- Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26) Thomas Carter (Feb 23)
- Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26) Alex Keller (Feb 23)