Educause Security Discussion mailing list archives

Levels of VMWare linked clones


From: James Moore <jhmiso () RIT EDU>
Date: Mon, 8 Jun 2009 16:39:50 -0400

I have VMWare Workstation 6.5.2.  I am extending out my linked clones,
as I want to keep things patched, but run different malware discovery
apps.  What I realized that I hadn't done when I started was to
benchmark what is in the core.

Originally, I had Windows.  And the MS Apps.
Then I added Hashtab, and FileAdvisor, because they support file
identification and transfer, and they aren't too onerous to patch.

I added SnagIt, to help with screen captures and documentation.

In level 1, I set the Windows firewall so that the web browsers can get
out to Microsoft, Bit9, Techsmith, possibly Adobe.

I added Adobe Reader in level 1, but took it back out with the latest
vulnerabilities and the time for Adobe to patch.

Firefox, and addins, I added in level 2 of linked clones.  I also am
looking at Sandboxie to sandbox IE and Firefox, and possibly a basic
bi-directional firewall (Comodo w/o all of the bells and whistles).

I am looking at adding various anti-virus, anti-spyware, anti-malware,
HIPS, statistical malware analysis in level 3 of linked clones.  I will
have Gargoyle, and Encase tools running at level 3 as well (but not with
the anti-malware tools.)

I want to be able to patch efficiently.  I don't want interactions
between competing anti-malware.  I am concerned about too many levels,
and about placement.  I would like to know what other people are using
for Incident Response analysis.

Jim


- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.
Miyamoto Musashi, Japanese philosopher/samurai, 1645


Risk comes from not knowing what you're doing. -Warren Buffet

Confidentiality Notice:  Do the right thing.  If this has the words
"Confidential" or "Private" in the subject line, or similar language in
the email body, or as a label on any attachment, then think.  Do you
know me?  Did you expect to receive this?  Do you recognize and work
with the other addressees?  If not, then you probably received this in
error.  Please, be respectful and courteous, and delete it immediately.
Please, don't forward it to anyone. 

Now, wasn't that simple.  Just, if you had made an error in a sensitive
email, and I received it, what would you want me to do with it?
