RE: SIM Tools, and endpoint security.
From: Bill Royds (whitehats_at_royds.net)
Date: 05/25/05
- Previous message: THolman_at_toplayer.com: "RE: Checkpoint SmartDefense"
- In reply to: THolman_at_toplayer.com: "RE: SIM Tools, and endpoint security."
- Next in thread: Drew Simonis: "RE: SIM Tools, and endpoint security."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <THolman@toplayer.com> Date: Wed, 25 May 2005 12:38:46 -0400
Windows File Protection does NOT verify the integrity of the file, only that the
File Version field is correct. If it does not match, it then retrieves the file
from the DLLCache directory which is easily corrupted by a Trojan.
Spyware/Trojans/Rootkits for Windows often actually use this to prevent
removal. If one removes the spyware code, Windows File Protection conveniently
restores it.
Windows File Protection is useful against fumble fingers, but not against
determined attackers.
-----Original Message-----
From: THolman@toplayer.com [mailto:THolman@toplayer.com]
Sent: Friday, May 20, 2005 5:55 PM
To: simonis@myself.com; THolman@toplayer.com; focus-ids@securityfocus.com
Subject: RE: SIM Tools, and endpoint security.
Hi Drew,
I'm referring to Windows File Protection -
http://support.microsoft.com/kb/310747/EN-US/
This is configurable via Group Policy and offers 100% protection of system
files on the intended target.
..add to this Windows XP SP2, then you've got a pretty rock solid
workstation base that is not open to infection (as the firewall doesn't
allow anything in), and maintains integrity of system files (so malicious
code can't take over the system).
There's quite a lot more to Microsoft's OS security that often gets
overlooked, and many sysadmins are steered away from this with clever
marcoms and end up buying 3rd party applications to fill the gap.
My point is, be 100% sure that what you've got cannot do what you want,
before you go and buy something else! ;)
Regards,
Tim
-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com]
Sent: 20 May 2005 14:53
To: THolman@toplayer.com; focus-ids@securityfocus.com
Subject: RE: SIM Tools, and endpoint security.
>
> Don't discount the power of Microsoft Group Policy at a desktop level -
> they offer state of the art file integrity checking systems that are far
> more cost-effective and comprehensive than the 3rd party add-ons that
> proliferate the market.
>
Huh? I've not seen how Group Policy does "state of the art file integrity
checking". Can you clarify?
-Ds
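The following script is an added example and is not part of the thread or written by any of the posters. It puts Bill's point into a runnable check: for every file in dllcache it compares the File Version field (the field WFP keys on) against the live copy in System32, and then compares SHA-256 hashes and Authenticode status as well, reporting files whose version agrees but whose bytes do not. Assumptions, labelled in the comments: an elevated PowerShell 2.0 or later prompt on a host that still has a %SystemRoot%\System32\dllcache directory (Windows XP / Server 2003; Vista and later replaced WFP with Windows Resource Protection), and no third-party modules.

```powershell
# Added example, not from the original thread. Compares each file in
# %SystemRoot%\System32\dllcache with its live copy in System32 and flags the
# case Bill describes: File Version agrees (so the WFP check would pass) but
# the file contents differ. Assumptions: run from an elevated prompt on a host
# that still has a dllcache directory (Windows XP / Server 2003; later versions
# use Windows Resource Protection instead), PowerShell 2.0 or later.

$System32 = Join-Path $env:SystemRoot 'System32'
$Cache    = Join-Path $System32 'dllcache'

# SHA-256 via .NET so the script does not depend on Get-FileHash (PS 4.0+).
function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close(); $sha.Clear() }
}

function Get-FileFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Version   = $item.VersionInfo.FileVersion
        Sha256    = Get-Sha256 $Path
        # Status is Valid only for an intact embedded Authenticode signature;
        # on older systems catalog-signed files report NotSigned, so treat
        # this column as context rather than as the verdict.
        SigStatus = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

$results = foreach ($cached in (Get-ChildItem -LiteralPath $Cache | Where-Object { -not $_.PSIsContainer })) {
    $live = Join-Path $System32 $cached.Name
    if (-not (Test-Path -LiteralPath $live)) { continue }

    $c = Get-FileFacts $cached.FullName
    $l = Get-FileFacts $live

    New-Object PSObject -Property @{
        File         = $cached.Name
        VersionMatch = ($c.Version -eq $l.Version)
        HashMatch    = ($c.Sha256 -eq $l.Sha256)
        LiveSig      = $l.SigStatus
        CacheSig     = $c.SigStatus
    }
}

# Rows WFP would accept but an integrity check would not: same version,
# different content. Either copy may be the tampered one.
$results |
    Where-Object { $_.VersionMatch -and -not $_.HashMatch } |
    Select-Object File, VersionMatch, HashMatch, LiveSig, CacheSig |
    Format-Table -AutoSize
```

Note what this does and does not prove. A version match with a hash mismatch is a concrete instance of the weakness described above; a hash match between the two copies proves nothing, since a Trojan that replaces both System32 and dllcache produces exactly that result. A real integrity baseline has to come from somewhere the attacker could not write to, such as hashes taken from install media or from a clean image, and the comparison should be run from a clean boot rather than from the possibly compromised system.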