IDS mailing list archives

Re: IPS Blocking Spyware?


From: Kevin <kkadow () gmail com>
Date: Fri, 3 Dec 2004 16:09:33 -0600

On Fri, 3 Dec 2004 09:16:23 -0500, Murtland, Jerry
<murtlandj () grangeinsurance com> wrote:
> The better question is how/where does it stop the spyware?  You can have
> companies stop spyware from communicating your information to external web
> servers via http all day long with a strongly maintained web filter, but if
> you don't stop it from installing on your systems, you're chasing your tail!

For spyware applications which install only from their primary domain
(e.g. Gator), blocking all access to the domain will prevent
installation -- the really nasty stuff is hosted all over the
Internet, with arbitrary domains, IPs, and URLs.

Additionally, some inline AV scanners which will scan HTTP/FTP content
can be configured to recognize known spyware binaries as undesirable,
and block the download.  But as you mentioned below, this is
maintenance intensive.


> I have yet to see a product that is able to stop it from actually being
> installed, and yes, I'm aware of disabling ActiveX.  But if a company uses
> ActiveX in some of their web apps, what can they do?

Configure a "default deny" policy for ActiveX, then selectively permit
only "known good" (signed?) ActiveX controls from specific sites?

I've not tried it, but Checkpoint claims their host integrity products
(e.g. Integrity Desktop) can enforce a granular policy against mobile
code.

> I see it as more of a file search tool, which means it's still reactive and
> would be as maintenance intensive as .dat/.nav file updates.  Some companies
> boast that their product can stop spyware, well I can't speak for Tipping
> Point, but if they don't stop it from being installed, they haven't stopped it.

Some (most) HIPS can prevent spyware installation. Defense at the host
level against installation of unknown binaries is much easier; I agree
that it'd be difficult for a NIDS to be effective against spyware
*installation*.

Where a NIDS can be valuable is in detecting the control channels used
by spyware and trojans to communicate back out to the controller out
on the Internet.


Kevin
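The two network-side controls Kevin describes above (blocking known spyware
domains outright, and using a NIDS to spot the regular "phone home" traffic
of an installed spyware/trojan control channel) can be sketched in a few lines
of log analysis. The following Python is an added example, not code from the
original post or from any product named in the thread. The log format
("timestamp src_ip dst_host dst_port"), the sample lines, the hostnames
(`c2.example`, `spyware.example`, `news.example`) and the blocklist are all
constructed for illustration; the beacon heuristic (low coefficient of
variation between connection intervals) is a generic detection technique, not
anything claimed by the original poster.

```python
"""Toy control-channel detector over constructed outbound-connection logs."""
from collections import defaultdict
from datetime import datetime
import statistics

# Hypothetical blocklist of spyware-hosting domains (placeholder names).
BLOCKED_DOMAINS = {"spyware.example"}

# Constructed sample log: "timestamp src_ip dst_host dst_port" per line.
# 10.0.0.5 talks to c2.example every ~5 minutes (a beacon); 10.0.0.7 browses
# irregularly and touches a blocklisted domain once.
SAMPLE_LOG = """\
2004-12-03T10:00:00 10.0.0.5 c2.example 80
2004-12-03T10:00:12 10.0.0.7 news.example 80
2004-12-03T10:01:00 10.0.0.7 spyware.example 80
2004-12-03T10:05:00 10.0.0.5 c2.example 80
2004-12-03T10:09:55 10.0.0.5 c2.example 80
2004-12-03T10:11:40 10.0.0.7 news.example 80
2004-12-03T10:15:00 10.0.0.5 c2.example 80
2004-12-03T10:12:00 10.0.0.7 news.example 80
2004-12-03T10:20:00 10.0.0.5 c2.example 80
2004-12-03T10:50:00 10.0.0.7 news.example 80
""".splitlines()


def parse_line(line):
    """Split one log line into a record; hostnames are normalised to lowercase."""
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst.lower(), "port": int(port)}


def parse_log(lines):
    """Parse all non-empty lines of a log."""
    return [parse_line(ln) for ln in lines if ln.strip()]


def flag_blocklisted(records, blocklist=BLOCKED_DOMAINS):
    """Return sorted (src, dst) pairs that hit a blocklisted domain.

    This is the 'block the primary domain' control from the thread: cheap,
    but only as good as the list.
    """
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["dst"] in blocklist})


def find_beacons(records, min_events=4, max_cv=0.1):
    """Flag (src, dst, port) flows whose connection intervals are very regular.

    For each flow with at least min_events connections, compute the gaps
    between consecutive connections and the coefficient of variation
    (stdev / mean). Human browsing is bursty (high CV); a timer-driven
    control channel is regular (low CV). Returns a sorted list of
    (src, dst, port, mean_gap_seconds, cv).
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["port"])].append(r["ts"])

    beacons = []
    for (src, dst, port), times in sorted(flows.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((src, dst, port, round(mean, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", flag_blocklisted(recs))
    print("beacon candidates:", find_beacons(recs))
```

The beacon check deliberately ignores what the traffic looks like and only
uses timing, which is why it still works when the spyware is hosted on
"arbitrary domains, IPs, and URLs" that no blocklist knows about; the cost is
that legitimate timer-driven clients (update checkers, monitoring agents) also
score low on CV and need an allowlist in practice.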


