On Thu, 8 Oct 2009, Joseph Kern wrote:

> On Thu, Oct 8, 2009 at 12:48 AM,  <da...@lang.hm> wrote:
>> On Wed, 7 Oct 2009, Joseph Kern wrote:
>>
>>> Does anyone have experience with using application whitelisting on
>>> user workstations? This would be used instead of anti-virus.
>>
>> the problem with doing this _instead_ of AV is that many vulnerabilities come
>> through 'data' files, and then go on to infect legitimate files.
>
> *narrows eyes* are you sure about this? I thought the execution of all
> code had to be "vetted". This would include even errant chunks of
> overflows ... I thought.

possibly we are using different definitions for whitelisting.

I am thinking that you would whitelist particular binaries (say firefox or 
acroread) and then allow those to execute (doing whatever it is that they 
do).

since both of these apps have had vulnerabilities that will let the 
attacker execute arbitrary code by feeding them invalid files you have not 
solved the problem yet.

if you are using whitelisting to mean 'firefox is allowed to read these 
files, and write to those files' or something like this you may have a 
chance, but that's a lot further than I would have thought the term would 
mean. If that is what you mean, then you need to write a custom SELinux 
(or equivalent) policy for every application on your system. It will need 
to be significantly tighter than what any linux distro currently uses.

David Lang

>> so just whitelisting isn't going to be enough, you are going to also need to
>> do tamper detection (tripwire or equivalent)
>>
>>
>> you also are going to have to figure out how to deal with users wanting to
>> install things like browser toolbars and plugins.
>
> Users aren't allowed to anyway. So this isn't a problem.
>
>>
>> David Lang
>>
>>> Any help or opinions will be most welcome. I am interested in doing a
>>> few experiments, and comparing different products. I want to test the
>>> complexity and viability of using a whitelist on a single workstation
>>> instead of an AV product that needs updating.
>>>
>>> It seems to be hard even locating free demos of any software. I've
>>> been googling around a bit, but real opinions are more valuable than
>>> white papers.
>>>
>>> 1. What whitelisting applications have you tried?
>>> 2. What did you like?
>>> 3. What did you dislike?
>>>
>>> Thanks.
>>>
>>> -- Joseph Kern
>>> _______________________________________________
>>> Discuss mailing list
>>> Discuss@lopsa.org
>>> http://lopsa.org/cgi-bin/mailman/listinfo/discuss
>>> This list provided by the League of Professional System Administrators
>>> http://lopsa.org/
>>>
>>
>
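A tripwire-style baseline check placed beside a hash allowlist, as an added example that is not code from this thread; it illustrates the point that a binary allowlist alone does not notice a legitimate file being altered, while an integrity baseline does. The watched tree and its files are constructed in a temporary directory.

```python
"""Tripwire-style tamper detection next to a hash allowlist (added example,
not code from the thread). Sample files are constructed in a temp dir."""
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each file (relative to root) to its SHA-256: the tripwire database."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def verify(root, baseline):
    """Re-hash the tree and report files added, removed or modified since baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }

def execution_allowed(path, allowlist):
    """Hash-based allowlist: run only if the binary's current hash is listed.
    This says nothing about what a listed binary does with a hostile data file."""
    return os.path.isfile(path) and sha256_of(path) in allowlist

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    viewer = os.path.join(root, "bin", "viewer")
    with open(viewer, "wb") as f:          # constructed 'whitelisted' binary
        f.write(b"#!/bin/sh\necho viewer\n")
    baseline = build_baseline(root)
    allowlist = {baseline["bin/viewer"]}
    # the case the thread raises: a legitimate file is altered and a new one appears
    with open(viewer, "ab") as f:
        f.write(b"# tampered\n")
    with open(os.path.join(root, "dropped.so"), "wb") as f:
        f.write(b"constructed\n")
    return verify(root, baseline), execution_allowed(viewer, allowlist)
```

Running `demo()` returns the integrity report (one modified file, one added file) and `False` for the altered binary, since its hash no longer matches the allowlist.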