Network Security Focus-IDS

Re: IPS Blocking Spyware?

Date: Fri, 3 Dec 2004 16:09:33 -0600
On Fri, 3 Dec 2004 09:16:23 -0500, Murtland, Jerry
<murtlandj@grangeinsurance.com> wrote:
> The better question is how/where does it stop the spyware?  You can have
> companies stop spyware from communicating your information to external web
> servers via http all day long with a strongly maintained web filter, but if
> you don't stop it from installing on your systems, you're chasing your tail!

For spyware applications which install only from their primary domain
(e.g. Gator), blocking all access to the domain will prevent
installation -- the really nasty stuff is hosted all over the
Internet, with arbitrary domains, IPs, and URLs.

Additionally, some inline AV scanners which will scan HTTP/FTP content
can be configured to recognize known spyware binaries as undesirable,
and block the download.  But as you mentioned below, this is
maintenance intensive.


> I have yet to see a product that is able to stop it from actually being
> installed, and yes, I'm aware of disabling ActiveX.  But if a company uses
> ActiveX in some of their web apps, what can they do?

Configure a "default deny" policy for ActiveX, then selectively permit
only "known good" (signed?) ActiveX controls from specific sites?

I've not tried it, but Checkpoint claims their host integrity products
(e.g. Integrity Desktop) can enforce a granular policy against mobile
code.

> I see it as more of a file search tool, which means it's still reactive and
> would be as maintenance intensive as .dat/.nav file updates.  Some companies
> boast that their product can stop spyware; well, I can't speak for Tipping
> Point, but if they don't stop it from being installed, they haven't stopped
> it.

Some (most) HIPS can prevent spyware installation; defense at the host
level against installation of unknown binaries is much easier.  I agree
that it'd be difficult for a NIDS to be effective against spyware
*installation*.

Where a NIDS can be valuable is in detecting the control channels used
by spyware and trojans to communicate back out to the controller out
on the Internet.


Kevin
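As an added illustration of the last point in Kevin's message (a NIDS or proxy-log monitor catching the control channel rather than the install), here is a small beaconing detector. It is example code written for this archive page, not code from the original post or from any product named in the thread. The log format (epoch seconds, client IP, destination host, one connection per line) and the log lines themselves are constructed assumptions; the idea it demonstrates is that a spyware or trojan "phone home" channel tends to connect to the same host at very regular intervals, so a low coefficient of variation across the gaps between connections is a useful signal.

```python
"""Flag (client, destination) pairs whose outbound connections look like
periodic beaconing to a controller.

Example code added alongside the focus-ids thread; not from the original
post.  The log layout below is an assumption: "epoch_seconds client dst".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 talks to one host every ~600 s (beacon-like),
# 10.0.0.7 browses a site at irregular, human-looking intervals.
SAMPLE_LOG = """\
1102000000 10.0.0.5 ads.example-spyware.test
1102000600 10.0.0.5 ads.example-spyware.test
1102001200 10.0.0.5 ads.example-spyware.test
1102001801 10.0.0.5 ads.example-spyware.test
1102002399 10.0.0.5 ads.example-spyware.test
1102000010 10.0.0.7 www.example-news.test
1102000045 10.0.0.7 www.example-news.test
1102001300 10.0.0.7 www.example-news.test
1102003000 10.0.0.7 www.example-news.test
1102005200 10.0.0.7 www.example-news.test
"""


def parse_log(text):
    """Group connection timestamps by (client, destination host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, dst = line.split()
        sessions[(client, dst)].append(int(ts))
    return sessions


def beacon_score(timestamps, min_events=4):
    """Return (mean gap, coefficient of variation) for a series of
    connection times, or None when there are too few events or the
    gaps are all zero (which would make the ratio meaningless)."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Return the pairs whose inter-connection gaps are suspiciously
    regular (coefficient of variation at or below max_cv)."""
    hits = []
    for (client, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({"client": client, "dst": dst,
                         "interval": avg, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample above only the 10.0.0.5 pair is reported (mean gap 599.75 s, coefficient of variation well under 0.01). The threshold and minimum event count are tunable: malware that adds jitter to its check-in timer raises the coefficient of variation, and legitimate software such as update checkers can look just as regular, so in practice the output is combined with an allowlist of known destinations and reviewed rather than blocked automatically.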
