IDS mailing list archives
Re: IPS Blocking Spyware?
From: Kevin <kkadow () gmail com>
Date: Fri, 3 Dec 2004 16:09:33 -0600
On Fri, 3 Dec 2004 09:16:23 -0500, Murtland, Jerry <murtlandj () grangeinsurance com> wrote:
> The better question is how/where does it stop the spyware? You can have companies stop spyware from communicating your information to external web servers via http all day long with a strongly maintained web filter, but if you don't stop it from installing on your systems, you're chasing your tail!
For spyware applications which install only from their primary domain (e.g. Gator), blocking all access to the domain will prevent installation -- the really nasty stuff is hosted all over the Internet, with arbitrary domains, IPs, and URLs. Additionally, some inline AV scanners which will scan HTTP/FTP content can be configured to recognize known spyware binaries as undesirable, and block the download. But as you mentioned below, this is maintenance intensive.
> I have yet to see a product that is able to stop it from actually being installed, and yes, I'm aware of disabling ActiveX. But if a company uses ActiveX in some of their web apps, what can they do?
Configure a "default deny" policy for ActiveX, then selectively permit only "known good" (signed?) ActiveX controls from specific sites? I've not tried it, but Checkpoint claims their host integrity products (e.g. Integrity Desktop) can enforce a granular policy against mobile code.
> I see it as more of a file search tool, which means it's still reactive and would be as maintenance intensive as .dat/.nav file updates. Some companies boast that their product can stop spyware; well, I can't speak for Tipping Point, but if they don't stop it from being installed, they haven't stopped it.
Some (most) HIPS can prevent spyware installation; defense at the host level against installation of unknown binaries is much easier. I agree that it'd be difficult for a NIDS to be effective against spyware *installation*. Where a NIDS can be valuable is in detecting the control channels used by spyware and trojans to communicate back out to the controller out on the Internet.

Kevin
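The two network-side controls discussed in this thread, blocking known distribution domains (the Gator case above) and detecting the regular check-ins of a spyware control channel, can both be run over a web-proxy log. The following Python script is an added illustration, not code from the list post or from any product named in it: the log format, the client addresses, the host names and the denylist are all constructed for the example, and the beacon test (low jitter between repeated requests to one host) is a generic heuristic rather than how any particular NIDS works.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log excerpt. Hypothetical line format:
#   "<ISO timestamp> <client ip> <method> <url>"
SAMPLE_LOG = """\
2004-12-03T10:00:00 10.1.1.5 GET http://update.example.net/check
2004-12-03T10:00:02 10.1.1.5 GET http://www.example.com/index.html
2004-12-03T10:05:00 10.1.1.5 GET http://update.example.net/check
2004-12-03T10:10:01 10.1.1.5 GET http://update.example.net/check
2004-12-03T10:15:00 10.1.1.5 GET http://update.example.net/check
2004-12-03T10:20:00 10.1.1.5 GET http://update.example.net/check
2004-12-03T10:07:13 10.1.1.9 GET http://spyware-domain.invalid/installer.exe
2004-12-03T10:09:40 10.1.1.9 GET http://www.example.com/news
2004-12-03T10:31:05 10.1.1.9 GET http://www.example.org/
"""

# Constructed denylist of spyware distribution hosts (placeholder name; a real
# list is the maintenance-heavy part the thread complains about).
DENYLIST = {"spyware-domain.invalid"}


def parse_log(text):
    """Parse log lines into (timestamp, client, host, url); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        host = (urlsplit(parts[3]).hostname or "").lower()
        records.append((ts, parts[1], host, parts[3]))
    return records


def denylist_hits(records, denylist=DENYLIST):
    """Requests whose host is on the denylist: the 'block the whole domain' control."""
    return [(client, url) for _, client, host, url in records if host in denylist]


def find_beacons(records, min_requests=4, max_jitter=0.1):
    """Return {(client, host): mean interval in seconds} for client/host pairs whose
    request timing is regular enough to look like a control-channel check-in.
    Jitter is the coefficient of variation of the gaps between requests."""
    by_pair = defaultdict(list)
    for ts, client, host, _ in records:
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps are a burst, not a period
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, url in denylist_hits(recs):
        print(f"DENYLIST {client} -> {url}")
    for (client, host), period in find_beacons(recs).items():
        print(f"BEACON   {client} -> {host} every {period:.0f}s")
```

The beacon check on its own will also flag legitimate periodic traffic (patch servers, RSS readers), so in practice the flagged hosts are compared against an allowlist of expected check-ins before anyone is paged; the denylist lookup has the opposite problem, in that it only catches hosts someone has already added, which is exactly the reactive maintenance burden the thread describes.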