> From: Kayne Ian (Softlab) [mailto:Ian.Kayne (at) softlab.co (dot) uk [email concealed]]
>
> A better way (for example) would be to write an app that
> hooks kernel calls to load a process, then compare a checksum
> of the process in question to a "whitelist" of allowed
> application checksums - if a match is found, the call is
> allowed. If not, the call is denied. Bear in mind that you
> need to checksum the loaded process, not the exe file on disk
> otherwise any packer (UPX etc) would effectively allow a bad
> app to slip by. That somewhat raises the skill required to bypass
> it.
This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
products do. Other Endpoint Security/Desktop Firewall software
do similar things as well.
An md5-like hash of the application is saved (in a protected file)
along with the network access permissions associated with that
application.
UPX cannot be used to defeat this*. If you have a malicious program
that has a hash not on your whitelist, UPX-ing it isn't going to
chance that.
The most significant risk to this approach is people having bad
policies
about what is whitelisted or what whitelisted programs are permitted
to do.
*Ok, there is some really small possibility of a hash collision.
- -John
- --
John LaCour
Zone Labs Security Services
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> From: Kayne Ian (Softlab) [mailto:Ian.Kayne (at) softlab.co (dot) uk [email concealed]]
>
> A better way (for example) would be to write an app that
> hooks kernel calls to load a process, then compare a checksum
> of the process in question to a "whitelist" of allowed
> application checksums - if a match is found, the call is
> allowed. If not, the call is denied. Bear in mind that you
> need to checksum the loaded process, not the exe file on disk
> otherwise any packer (UPX etc) would effectively allow a bad
> app to slip by. That somewhat raises the skill required to bypass
> it.
This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
products do. Other Endpoint Security/Desktop Firewall software
do similar things as well.
An md5-like hash of the application is saved (in a protected file)
along with the network access permissions associated with that
application.
UPX cannot be used to defeat this*. If you have a malicious program
that has a hash not on your whitelist, UPX-ing it isn't going to
chance that.
The most significant risk to this approach is people having bad
policies
about what is whitelisted or what whitelisted programs are permitted
to do.
*Ok, there is some really small possibility of a hash collision.
- -John
- --
John LaCour
Zone Labs Security Services
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQA/AwUBQAV5IaeZbSyAsADEEQKvjgCgkTQQlKJfK6BgkTdmBIY9ENd87UYAn0s2
R+sEGGThZ/GckW+VBAReHj3L
=+GpG
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]