funsec mailing list archives

Re: Texas Bank Dumps Antivirus for Whitelisting


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 16 Jul 2008 18:15:16 -0400

By default, Word won't run macros that aren't digitally signed.  This feature
has been around since Word 2000.  In Word 2007, macros can be disabled
completely as I have set on my computer:

To deal with .js, .vbs, and .hta files, I set their file associations to
Notepad.

Richard
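The two allow-listing strategies Richard contrasts further down the thread (a list of .EXE file hashes versus trusting the vendor named in the binary's digital signature) can be compared directly with built-in Windows tooling. The script below is an added example written for this page; it is not code from the thread or from any product mentioned in it. It uses only the stock cmdlets `Get-AuthenticodeSignature` and `Get-FileHash`; the `$Paths`, `$HashAllowList` and `$PublisherAllowList` values are placeholders to be filled from your own inventory, and the publisher list is seeded from the first verified binary purely so the demonstration runs stand-alone.

```powershell
# Added example (not from the thread): hash-based vs publisher-based allow-listing.
# Assumptions: $Paths, $HashAllowList and $PublisherAllowList are placeholders.

Set-StrictMode -Version Latest

function Get-SignerRecord {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $cert = $sig.SignerCertificate          # $null when the file is not signed

    $subject = $null
    $issuer  = $null
    if ($cert) {
        $subject = $cert.Subject
        $issuer  = $cert.Issuer
    }

    [pscustomobject]@{
        Path    = $Path
        Sha256  = $hash
        Status  = [string]$sig.Status       # Valid, NotSigned, HashMismatch, ...
        Subject = $subject
        Issuer  = $issuer
    }
}

function Test-AllowListed {
    param(
        [Parameter(Mandatory)]$Record,
        [string[]]$HashAllowList = @(),
        [hashtable]$PublisherAllowList = @{}
    )

    # Strategy 1: exact file hash. Every vendor update produces a new hash,
    # so the list must be regenerated after each patch.
    $byHash = $HashAllowList -contains $Record.Sha256

    # Strategy 2: publisher. Trust the name only when the signature verifies,
    # and pin the issuer too: a subject string alone can be matched by anyone
    # who obtains a certificate carrying that name from some other CA.
    $byPublisher = $false
    if ($Record.Status -eq 'Valid' -and $Record.Subject -and
        $PublisherAllowList.ContainsKey($Record.Subject)) {
        $byPublisher = ($PublisherAllowList[$Record.Subject] -eq $Record.Issuer)
    }

    [pscustomobject]@{
        Path        = $Record.Path
        Status      = $Record.Status
        ByHash      = $byHash
        ByPublisher = $byPublisher
    }
}

# --- demonstration against a few system binaries (placeholder paths) ---
$Paths = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\calc.exe"
)
$records = $Paths | Where-Object { Test-Path $_ } | ForEach-Object { Get-SignerRecord -Path $_ }

# Hash list "as of last audit": a placeholder value, i.e. already stale.
$HashAllowList = @('0000000000000000000000000000000000000000000000000000000000000000')

# Publisher list: subject -> pinned issuer. Seeded from the first verified
# record so the demo is self-contained; in practice it is curated by hand.
$PublisherAllowList = @{}
foreach ($r in $records) {
    if ($r.Status -eq 'Valid' -and -not $PublisherAllowList.ContainsKey($r.Subject)) {
        $PublisherAllowList[$r.Subject] = $r.Issuer
    }
}

$records | ForEach-Object {
    Test-AllowListed -Record $_ -HashAllowList $HashAllowList -PublisherAllowList $PublisherAllowList
} | Format-Table -AutoSize
```

Run it before and after a Windows update: the `ByHash` column flips to false for every replaced binary while `ByPublisher` stays true, which is the maintenance saving Richard describes. The checks that matter for safety are the `Status -eq 'Valid'` test (the chain actually verified) and the issuer pin; matching on the subject name by itself would let any certificate with a similar name through. Note that unsigned files (`NotSigned`) and files whose signature no longer matches their content (`HashMismatch`) fail both rules, so they still need a separate decision.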

-----Original Message-----
From: Drsolly [mailto:drsollyp () drsolly com] 
Sent: Wednesday, July 16, 2008 6:07 PM
To: Richard M. Smith
Cc: 'funsec'
Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting

That's great for EXE files.

But how would you handle DOC files (and similar things that include
executable macros)?

On Wed, 16 Jul 2008, Richard M. Smith wrote:

Another option is to have .EXE files digitally signed and the whitelist work
off vendor names in digital certs and not .EXE MD5 file hashes.  This
strategy would cut down a great deal keeping a whitelist up to date for
software updates.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of David Harley
Sent: Wednesday, July 16, 2008 8:15 AM
To: 'Drsolly'; 'Nick FitzGerald'
Cc: 'funsec'
Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting

> You're showing your age. ;-)  Word macro viruses haven't been much
> of a problem for 6 or 7 years ever since Microsoft went to signed
> VBA code in Office.

To be fair, the issue isn't really Word macro viruses: it's the fact that
they represent a class of objects where executable code is found in places
less obvious than a .EXE. A whitelisting solution that doesn't take them
into account is obviously less effective.

> Breaking down the hoary old mindset that has allowed the patently
> stupid blacklisting approach to initially thrive, then survive for
> so long, will be whitelisting's biggest challenge to broader
> acceptability (and likely prevent it ever becoming widely used
> in the least IT-literate parts of the market such as the
> SOHO and individual user segment).

Stop me if you've heard this before. Irrespective of the prejudices of the
AV industry, the real problem is the sizeable market sector that thinks we
should be able to detect every malicious program by name, and is enraged
when we fail to do so. A sizeable subset of that group mistrusts any form of
behaviour analysis because they believe in the magic power of names (which
is why the industry continues to use reassuring names that sound specific
but are actually generic...) Whitelisting doesn't have to be technically
better: it just needs to be presented as a superior form of sympathetic
magic.

> The main problem with whitelisting, is the high cost of maintenance.

As opposed to blacklisting, which is... oh, wait a minute. ;-)

--
David Harley, ESET Research Author
AVIEN COO: http://www.avien.org
http://www.smallblue-greenworld.co.uk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.