Re: application whitelisting (was RE: Active Directory Question)

dlimanov_at_sct.com
Date: 01/14/04

  • Next message: Kayne Ian (Softlab): "RE: application whitelisting (was RE: Active Directory Question)"
    To: jlacour@zonelabs.com
    Date: Wed, 14 Jan 2004 14:36:49 -0500
    
    

    Some Host Intrusion Prevention Systems (Okena, for example) offer very
    granular control of what users can and cannot do. Application
    installation is one of the things you can control and grant or deny on a
    group-membership basis, using HIPS products.
    Probably a better (if more expensive) way than AD.
    My $0.02.

    Dimitri

    From: "John LaCour" <jlacour@zonelabs.com>
    Sent: 01/14/2004 12:15 PM
    To: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>, <focus-ms@securityfocus.com>
    cc:
    Subject: application whitelisting (was RE: Active Directory Question)


    > From: Kayne Ian (Softlab) [mailto:Ian.Kayne@softlab.co.uk]
    >
    > A better way (for example) would be to write an app that
    > hooks kernel calls to load a process, then compare a checksum
    > of the process in question to a "whitelist" of allowed
    > application checksums - if a match is found, the call is
    > allowed. If not, the call is denied. Bear in mind that you
    > need to checksum the loaded process, not the exe file on disk
    > otherwise any packer (UPX etc) would effectively allow a bad
    > app to slip by. That somewhat raises the skill required to bypass
    > it.

    This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
    products do. Other Endpoint Security/Desktop Firewall software
    does similar things as well.

    An md5-like hash of the application is saved (in a protected file)
    along with the network access permissions associated with that
    application.

    UPX cannot be used to defeat this*. If you have a malicious program
    that has a hash not on your whitelist, UPX-ing it isn't going to
    change that.

    The most significant risk to this approach is people having bad
    policies about what is whitelisted or what whitelisted programs are
    permitted to do.

    *Ok, there is some really small possibility of a hash collision.

    - -John
    - --
    John LaCour
    Zone Labs Security Services

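The allowlist decision the two messages describe, as an added example (not Zone Labs, Okena or any other vendor's code): hash the program image, look it up in a protected table that also stores the application's network permission, and deny anything absent. It uses SHA-256 in place of the MD5-like hash John mentions and a byte-flipping stand-in for a packer; the sample "executables" are constructed byte strings.

```python
"""Hash-based application allowlist check (added example, not vendor code).

The allowlist maps a digest of the program image to the network policy
granted to that application. Anything whose digest is absent is denied,
which is why repacking an unlisted program does not help it: the packed
image simply has another digest that is also absent.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    network: str  # network permission stored with the hash: "allow" or "deny"


def digest(image: bytes) -> str:
    # SHA-256 here instead of the MD5-like hash the message mentions.
    return hashlib.sha256(image).hexdigest()


def build_allowlist(images: Dict[str, bytes], perms: Dict[str, str]) -> Dict[str, Policy]:
    """Build the protected table: digest -> Policy (would live in a protected file)."""
    return {digest(img): Policy(name, perms[name]) for name, img in images.items()}


def check(image: bytes, allowlist: Dict[str, Policy]) -> Optional[Policy]:
    """Return the Policy if the image is allowlisted, otherwise None (deny)."""
    return allowlist.get(digest(image))


def fake_pack(image: bytes) -> bytes:
    # Stand-in for a packer such as UPX: any byte-level transform changes the hash.
    return b"PACKED:" + bytes(b ^ 0x5A for b in image)


# Constructed sample "executables" and the allowlist built from the trusted one.
TRUSTED_APP = b"MZ trusted-mail-client v1.0"
UNKNOWN_APP = b"MZ unknown-tool v0.1"
ALLOWLIST = build_allowlist({"mailclient": TRUSTED_APP}, {"mailclient": "allow"})


def decide(image: bytes) -> str:
    """Human-readable verdict for one program image."""
    p = check(image, ALLOWLIST)
    return f"allow ({p.name}: network={p.network})" if p else "deny (hash not in allowlist)"


if __name__ == "__main__":
    for label, img in [("trusted", TRUSTED_APP), ("unknown", UNKNOWN_APP),
                       ("unknown, packed", fake_pack(UNKNOWN_APP)),
                       ("trusted, packed", fake_pack(TRUSTED_APP))]:
        print(f"{label:16s} -> {decide(img)}")
```

Kayne's point about hashing the loaded image rather than the file on disk is the caller's responsibility here: `image` must be the bytes actually mapped for execution, not the file as stored. Note that packing even the trusted program changes its digest, so a repacked trusted binary is denied until it is re-approved.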


