Comments on anti-virus rants: the blacklist value proposition
Blog author: kurt wismer
Comment feed last updated 2023-08-26

Anonymous (2008-11-29, 18:48 -05:00):

Kurt,

I didn't know whether to comment here or in your whitelist smackdown post. I think I am straddling the two.

You commented on Digital Bond, "if the whitelist is applied against a broader range of behaviours in addition to simple execution then it may be possible for the whitelist to stop exploitation in its tracks".

I have followed up there and on Randy Abrams' blog with comments about behavior whitelisting, which is of course much more granular than app whitelisting and impacts this discussion.

Your comment describes what Trustifier technology does. If you think back to some of our past discussions (both here and at other blogs) then you may better now understand my position at the time, which I attempted to continue to express until I reached my non-technical limit of understanding. (Hey, I'm only a biz dev guy).

kurt wismer (2008-11-30, 12:02 -05:00):

yes, i recall our discussions about trustifier and behavioural whitelists...

i recall that it is much more fine-grained than an application whitelist, but i also understand that the question of what is a program is itself even more fine-grained than that...

since it's still coarser-grained than the problem it's attempting to address (control what programs do) there is still room for malware to get through (a lot less room, but room nonetheless)...

Anonymous (2008-11-30, 13:24 -05:00):

Sure malware may get "through"; it's getting through now. Trustifier is not about filtering or patching; it is a kernel level behavior enforcer that is deterministic in setting execution privileges.

There are a few ways that it prevents malware execution:

1) Security policies are ownership-centric, using users, user-roles or groups and the language of trust relationships and data flows, to allow intuitive rule setting and reduce complexity. Note that this is the language of business rules. This provides context for allow/deny decisions.

2) Persons, code, apps or devices can all be defined as users and easily ranked for secrecy or integrity.

3) Trustifier has special handling of root privileges, with the ability to give (or take away) partial root privileges when required and to set limits for their use. Thus an application may be given the right to execute a system call or network protocol only once, preventing embedded or rogue malware from executing in a second attempt. (This is also handy in protecting web servers, by allowing netbind a single time only.)

4) Trustifier prevents privilege escalation.

5) Trustifier controls the release and flow of business data. If malware attempts to send home a payload that is, say, a trade secret from the R&D user group, Trustifier will not allow the release of that data to anyone who does not have privileges outside of that user group.

The thing to remember is that it is not necessary to protect everything in the enterprise, but one can start with the crown jewels and work down as necessary.

kurt wismer (2008-11-30, 18:16 -05:00):

"Sure malware may get "through"; it's getting through now."

good of you to admit that... there is no panacea, malware will always find a way...

"Trustifier is not about filtering or patching; it is a kernel level behavior enforcer"

you may not realize it but you're contradicting yourself here... trustifier IS about filtering - it's about filtering behaviours...

and since it's looking at the kernel, things that are executed through other components can only be controlled by controlling the components that execute them (i.e. indirect control), which is inherently coarse-grained...

Anonymous (2008-12-01, 12:37 -05:00):

You are right, and that has been a shortcoming of OS security in the past. We evaluate and govern the entire user space including system libraries, and monitor right into the application stack if so required.