Re: Obfuscated web pages



aha!

Theoretical DOM inspectors may work in theory-land but it is unlikely they'd work in in real world.

Besides that, let's focus back on the original question:

If there anything that successfully detects/prevents *obfuscated* malicious web content from executing at the endpoint?

Not as far as I know, although there are endpoint security product that address this issue I don't have an answer as to how accurate or effective they are.

Regarding the hypothetical Checkpoint IPS-1 (formerly NFR) approach:

Do you really think that writing a JavaScript interpreter in N-code and running it inline is a plausible solution?

-ivan

Mike Barkett wrote:
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 4:18 PM

I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.


Gary - Actually, the Check Point IPS-1 (formerly NFR) sensor engine has, for
many years, executed protections in a "sandbox" so that no single protection
can dominate the processor(s). So, if someone were to write N-code to try
to interpret generalized code, it would operate in that same sandbox, for
lack of a better term. This even applies inline. However, just to be
clear, off the shelf, IPS-1 does not do any of the theoretical DOM
validation stuff previously mentioned in this thread.


-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512

--
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------