Educause Security Discussion mailing list archives
Re: Endpoint Security/Policy Enforcement Products
From: Jon Moore <jonm () ISC UPENN EDU>
Date: Thu, 10 Mar 2005 14:41:47 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 10, 2005, at 2:21 PM, George Russ wrote:
> The agents I have worked with only have one purpose, and that is to allow the master server access to the PC; they do not report or send back any information, so for this product and most others the agent could not be compromised to send improper results. The master server looks in the registry for exact keys identifying products which it has listed as allowed or not-allowed. It also looks at running services to detect that the proper software is running; some can even look for file names and folders.
But this requires code *somewhere* on the PC to run on behalf of the master. *Something* is providing external access to the registry and/or process table, and that something can be compromised and thus forged.
> There is no magic application for ensuring a device is 100% safe to allow on the network. But at this point I would settle for having 50% of them "safe" with current patches. Applications to ensure all computers are authorized and, to a certain extent, "clean" before they are connected to the network will become commonplace in the near future. I know most colleges are headed this way in some form or another.
I agree here, and in fact, as you noted, you are probably going to do much better than 50% in practice, given that no one has observed "in the wild" a trojan for current products like the ones I describe. My point is just that administrators should keep the possibility of trojans like these in the backs of their heads. If most colleges are headed this way, then crackers will have more motivation to write such malware (and malware that disables anti-virus programs already exists...). Don't get me wrong; I think these products are very helpful and useful. I just think it's important that people know exactly what they provide and what the risks are.

Jon

- --
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCMKMFx8TaElR3qMMRAqp/AJ9J6cUSjx/hmWxfZ3D8WICjNfLaDACeJQp1
oojFzMozVCXM7rPyBCP1PzU=
=pxTO
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
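The check George describes (exact registry keys identifying allowed or disallowed products, and running services showing the required software is active) written out as a small policy evaluator. This is an added illustration for this archive page, not code from either poster or from any endpoint-security product. The product names, registry paths, service names and hostnames are constructed placeholders, and the `evidence` label in the result is an addition that makes Jon's point visible in the output: the server never reads the registry itself, it only consumes a report produced by code running on the endpoint.

```python
"""Constructed policy evaluator modelled on the master-server check described
in the thread: registry keys identify installed products, running services
show they are active. Product names, keys, services and hosts below are
made-up placeholders, not fingerprints of any real product."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ProductFingerprint:
    name: str
    registry_keys: FrozenSet[str]   # exact keys the server expects for this product
    services: FrozenSet[str]        # services that must be running for it to count as active


@dataclass(frozen=True)
class Policy:
    required: Tuple[ProductFingerprint, ...]   # must be installed AND running
    forbidden: Tuple[ProductFingerprint, ...]  # presence alone denies access


@dataclass(frozen=True)
class PostureReport:
    """Registry keys and service names as collected by code on the endpoint.
    The server never sees the registry itself, only this report."""
    host: str
    registry_keys: FrozenSet[str]
    running_services: FrozenSet[str]


def evaluate(report: PostureReport, policy: Policy) -> Dict[str, object]:
    """Return an access decision plus the findings behind it."""
    findings: List[str] = []
    for product in policy.required:
        missing_keys = product.registry_keys - report.registry_keys
        stopped = product.services - report.running_services
        if missing_keys:
            findings.append(f"required {product.name} not installed")
        elif stopped:
            findings.append(f"required {product.name} installed but not running: "
                            + ", ".join(sorted(stopped)))
    for product in policy.forbidden:
        if product.registry_keys & report.registry_keys:
            findings.append(f"forbidden {product.name} present")
    return {
        "host": report.host,
        "allow": not findings,
        "findings": findings,
        # Evidence class is recorded so logs reflect that the decision is only
        # as trustworthy as the agent code that produced the report.
        "evidence": "endpoint self-report",
    }


# --- constructed sample data (placeholders, not real products) ---------------
EXAMPLE_AV = ProductFingerprint(
    "ExampleAV",
    frozenset({r"HKLM\SOFTWARE\ExampleAV\Version"}),
    frozenset({"ExampleAVService"}),
)
EXAMPLE_P2P = ProductFingerprint(
    "ExampleP2P", frozenset({r"HKLM\SOFTWARE\ExampleP2P"}), frozenset()
)
SAMPLE_POLICY = Policy(required=(EXAMPLE_AV,), forbidden=(EXAMPLE_P2P,))

SAMPLE_REPORTS = {
    "clean": PostureReport("lab-pc-01",
                           frozenset({r"HKLM\SOFTWARE\ExampleAV\Version"}),
                           frozenset({"ExampleAVService", "Spooler"})),
    "av_stopped": PostureReport("lab-pc-02",
                                frozenset({r"HKLM\SOFTWARE\ExampleAV\Version"}),
                                frozenset({"Spooler"})),
    "p2p_present": PostureReport("lab-pc-03",
                                 frozenset({r"HKLM\SOFTWARE\ExampleAV\Version",
                                            r"HKLM\SOFTWARE\ExampleP2P"}),
                                 frozenset({"ExampleAVService"})),
}


def decisions() -> Dict[str, Dict[str, object]]:
    """Evaluate every sample report against the sample policy."""
    return {label: evaluate(r, SAMPLE_POLICY) for label, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for label, d in decisions().items():
        print(label, "ALLOW" if d["allow"] else "DENY", d["findings"])
```

The evaluator distinguishes "installed but not running" from "not installed", which is the registry-plus-services check George outlines; the `evidence` field is there so a deployment can keep self-reported posture apart in its logs from anything it verifies independently, which is the distinction Jon asks administrators to keep in mind.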