Educause Security Discussion mailing list archives

Re: SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)


From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 23 Feb 2016 19:15:36 +0000

Jim et al,

I was interested in Cylance under the heading of “sounds too good to be true”. At the time (mid-2015) their product was 
Windows only but it looks like they may now support OSX. I repeatedly inquired about getting a trial copy for testing, 
but they seemed reluctant and wanted me to brave the pre-canned dog and pony webinar. I let that trail run cold, let us 
know if you have any better luck.

Back to Thomas Carter’s original question, my perspective is that signature-based AV has long since been outmoded by 
the malware; it’s a dying approach, but the promises of next-gen products based on 
heuristics/behavior/posture/sandboxing/machine learning/pick-your-buzzword haven’t panned out yet. 

Pretty much everybody is disappointed with their traditional AV solution, but the common refrain is that 'something is 
better than nothing and it may catch some legacy threats'. To some degree this has fueled a race to the bottom: folks 
are simply licensing the cheapest possible solution that will work for their environment because the detection 
differential is fairly narrow (i.e. they are all poor).

I’d love to be wrong on this…who really loves their AV solution and thinks it provides trusted protection against the 
latest threats?

I’ve got a “Locky” crypto malware case 
(https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.2vef5icl5) on my 
desk right now. Detection rate for the infected Word document vector on VirusTotal is 3/55 with none of the major 
vendors detecting: 
https://www.virustotal.com/en/file/358f442f3d9b318ffcda1942e1e57b9f607a483400b26d91f7973dc753f61a08/analysis/

Yet, there is evidence this vector was observed back in December 2015: 
https://techhelplist.com/spam-list/984-invoice-fastco-malware

BTW, if you are interested in reverse engineering infected Office documents, check out Didier Stevens' awesome tools 
oledump (OLE) and emldump (MIME):
http://blog.didierstevens.com/my-software/ 
http://blog.didierstevens.com/2015/12/21/update-oledump-py-version-0-0-22/ 
http://blog.didierstevens.com/2016/01/24/update-emldump-py-version-0-0-6/

Best,
Alex 

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
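A runnable illustration of the triage Alex points to, added here for this archive page and not part of his message or of Didier Stevens' tools: it does emldump's job of pulling the attachment out of a MIME message, then oledump's job of walking the OLE compound-file directory and marking streams that sit under a VBA storage. Everything it consumes is constructed: the lure message, the example.com/example.edu addresses, the invoice.doc name and the .doc container itself (which has the Root Entry > Macros > VBA > ThisDocument layout of a Word macro document but carries no macro code). The macro flag is name-based only (oledump's 'M' marker goes further and decompresses the VBA stream), and the parser assumes a file whose FAT fits the header's 109 DIFAT slots.

```python
# Added example, not Didier Stevens' tools: emldump-style attachment extraction followed by an
# oledump-style OLE directory listing that flags streams under a VBA storage. The message and
# the .doc are constructed below so this runs offline; the .doc carries no actual macro code.
import email
import struct
from email.message import EmailMessage

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5  # directory entry object types

def extract_attachments(raw_eml):
    """(filename, decoded bytes) for every MIME part that carries a filename."""
    msg = email.message_from_bytes(raw_eml)
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.walk() if p.get_filename()]

def ole_entries(data):
    """Parse header, FAT and directory chain (files without DIFAT sectors) into entry dicts."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size, 512 for v3 files
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]   # sector 0 follows the 512-byte header
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    if struct.unpack_from("<I", data, 72)[0]:
        raise ValueError("DIFAT overflow sectors not handled in this example")
    fat = [x for s in struct.unpack_from("<109I", data, 76)[:num_fat]
           for x in struct.unpack(f"<{size // 4}I", sector(s))]
    raw, seen, s = b"", set(), first_dir
    while s != ENDOFCHAIN:                                   # follow the directory's FAT chain
        if s in seen or s >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(s)
        raw, s = raw + sector(s), fat[s]
    entries = []
    for off in range(0, len(raw), 128):
        e = raw[off:off + 128]
        name_len, etype, _colour, left, right, child = struct.unpack_from("<HBBIII", e, 64)
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")  # length includes terminator
        entries.append(dict(name=name, type=etype, left=left, right=right, child=child,
                            size=struct.unpack_from("<Q", e, 120)[0]))
    return entries

def ole_paths(entries):
    """Flatten the sibling/child tree into (path, type, size) tuples, like oledump's listing."""
    paths, seen = [], set()
    def visit(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries) or idx in seen:
            return                                           # unset link, out of range, or a cycle
        seen.add(idx)
        e = entries[idx]
        visit(e["left"], prefix)
        path = e["name"] if idx == 0 else prefix + e["name"]
        paths.append((path, e["type"], e["size"]))
        visit(e["child"], "" if idx == 0 else path + "/")
        visit(e["right"], prefix)
    visit(0, "")
    return paths

def vba_macro_paths(paths):
    """Name-based flag: streams below a storage named VBA. oledump's 'M' marker goes further
    and decompresses the stream to confirm macro source is actually present."""
    return [p for p, t, _ in paths if t == STREAM and "VBA" in p.split("/")[:-1]]

def triage_eml(raw_eml):
    """Per attachment: whether it is OLE, its directory listing, and the flagged macro streams."""
    report = {}
    for name, blob in extract_attachments(raw_eml):
        if not blob or not blob.startswith(OLE_MAGIC):
            report[name] = {"ole": False, "entries": [], "macros": []}
            continue
        paths = ole_paths(ole_entries(blob))
        report[name] = {"ole": True, "entries": paths, "macros": vba_macro_paths(paths)}
    return report

def _dir_entry(name, etype, child=NOSTREAM):
    n = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(n)] = n
    struct.pack_into("<HBBIII", e, 64, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 116, ENDOFCHAIN, 0)           # start sector, stream size (empty)
    return bytes(e)

def build_sample_doc():
    """Constructed 3-sector .doc: header, FAT, directory (Root Entry > Macros > VBA > ThisDocument)."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = b"".join([_dir_entry("Root Entry", ROOT, child=1), _dir_entry("Macros", STORAGE, child=2),
                          _dir_entry("VBA", STORAGE, child=3), _dir_entry("ThisDocument", STREAM)])
    return bytes(hdr) + fat + directory

def build_sample_eml():
    """Constructed invoice-themed lure carrying the sample .doc as a base64 attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "user@example.edu", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_sample_doc(), maintype="application", subtype="msword", filename="invoice.doc")
    return msg.as_bytes()
```

Calling triage_eml(build_sample_eml()) returns one entry for invoice.doc with the four directory paths and Macros/VBA/ThisDocument flagged; on a real case pass the raw bytes of the .eml instead of the constructed one. Streams under Macros/VBA are where Word keeps macro modules, so a flagged path there is the stream you would dump and decompress next.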



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Beers, 
James
Sent: Tuesday, February 23, 2016 7:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)

We haven't deployed but we are looking into this now also.

We are focusing on endpoint protection.  Currently looking at Cylance and TRAPS.  If anyone has experience with either 
product, would like to know about it.

Anyone else heading in this direction or just adding anti-malware modules to anti-virus?


---------------------------------------------------
-jwb
Jim Beers '89
Director of Information Security
Information Technology
610-861-1449


IT will never ask you for your username or password for any of our systems.   Please do not include this information in 
any e-mail correspondence with IT (or anyone else!), because e-mail is not a secure means to send sensitive information.

On Mon, Feb 22, 2016 at 12:00 AM, SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:
There is 1 message totalling 51 lines in this issue.

Topics of the day:

  1. Anti-Malware solutions

----------------------------------------------------------------------

Date:    Sun, 21 Feb 2016 22:52:05 +0000
From:    Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Subject: Anti-Malware solutions

Has anyone deployed anti-malware in their environment? If so, what are you using and what is your opinion of it? How 
about anti-malware modules as part of your antivirus solution (TrendMicro, McAfee, etc).


Thomas Carter

Network & Operations Manager

Austin College

------------------------------

End of SECURITY Digest - 19 Feb 2016 to 21 Feb 2016 (#2016-26)
**************************************************************

