<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Bouncer: Going Beyond Whitelisting</title>
	<atom:link href="http://havemacwillblog.com/2008/03/30/coretrace-going-beyond-whitelisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://havemacwillblog.com/2008/03/30/coretrace-going-beyond-whitelisting/</link>
	<description>Oh please, not another Mac bigot</description>
	<pubDate>Mon, 08 Sep 2008 19:00:46 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
		<item>
		<title>By: Admin</title>
		<link>http://havemacwillblog.com/2008/03/30/coretrace-going-beyond-whitelisting/#comment-2283</link>
		<dc:creator>Admin</dc:creator>
		<pubDate>Mon, 25 Aug 2008 18:19:09 +0000</pubDate>
		<guid isPermaLink="false">http://havemacwillblog.com/2008/03/28/coretrace-going-beyond-whitelisting/#comment-2283</guid>
		<description>Right now I know of no existing comparison of products, but most of your questions are answered in the same way for most of these products. Who you designate as the authorizer is up to you and, beyond the initial implementation of a clean-room version of Windows (or other OS) which will authorize about 6000-7000 processes. The process for authorization is usually configurable with these products according to how you want to proceed. Because you can put a sandbox around any computer or user, you can have many strategies.
I run a Mac. It always asks me for permission (admin password) whenever I try to run anything that has never been run before and didn't come with the native OS. I always know what the executable is and where I got it. If you want to get very sophisticated you could use digital signatures direct from the software vendor for authorization.
It should not be up to the vendor to impose an authorization process, it should be up to the security group to build one. The whitelisting vendor should merely enable.</description>
		<content:encoded><![CDATA[<p>Right now I know of no existing comparison of products, but most of your questions are answered in the same way for most of these products. Who you designate as the authorizer is up to you and, beyond the initial implementation of a clean-room version of Windows (or other OS) which will authorize about 6000-7000 processes. The process for authorization is usually configurable with these products according to how you want to proceed. Because you can put a sandbox around any computer or user, you can have many strategies.<br />
I run a Mac. It always asks me for permission (admin password) whenever I try to run anything that has never been run before and didn&#8217;t come with the native OS. I always know what the executable is and where I got it. If you want to get very sophisticated you could use digital signatures direct from the software vendor for authorization.<br />
It should not be up to the vendor to impose an authorization process, it should be up to the security group to build one. The whitelisting vendor should merely enable.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: john kimball</title>
		<link>http://havemacwillblog.com/2008/03/30/coretrace-going-beyond-whitelisting/#comment-2282</link>
		<dc:creator>john kimball</dc:creator>
		<pubDate>Mon, 25 Aug 2008 17:58:34 +0000</pubDate>
		<guid isPermaLink="false">http://havemacwillblog.com/2008/03/28/coretrace-going-beyond-whitelisting/#comment-2282</guid>
		<description>It sounds nice to only allow authorized processes.  Who decides what is authorized?
What are the authorization criteria?
How is the authorization implemented?
Who can configure the authorization criteria?
How are the authorization criteria updated?
etc., etc., and etc.

Need much more detailed and clarifying information before deciding on the appropriate implementation of whitelisting, including CoreTrace, Bit9, etc.

Where can the comparison of whitelisting vendors' products be located/found?</description>
		<content:encoded><![CDATA[<p>It sounds nice to only allow authorized processes.  Who decides what is authorized?<br />
What are the authorization criteria?<br />
How is the authorization implemented?<br />
Who can configure the authorization criteria?<br />
How are the authorization criteria updated?<br />
etc., etc., and etc.</p>
<p>Need much more detailed and clarifying information before deciding on the appropriate implementation of whitelisting, including CoreTrace, Bit9, etc.</p>
<p>Where can the comparison of whitelisting vendors&#8217; products be located/found?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris@Canada</title>
		<link>http://havemacwillblog.com/2008/03/30/coretrace-going-beyond-whitelisting/#comment-1847</link>
		<dc:creator>Chris@Canada</dc:creator>
		<pubDate>Fri, 11 Jul 2008 14:46:37 +0000</pubDate>
		<guid isPermaLink="false">http://havemacwillblog.com/2008/03/28/coretrace-going-beyond-whitelisting/#comment-1847</guid>
		<description>This is a very interesting concept - love to get more details on it.  At the same time, I can't help but wonder over the whole notion of having this tool injecting itself into the OS kernel during boot-up and doing so in a way that "ensures" it being the first one there - love to see how it can be done reliably and consistently, considering it would be the same goal by other rootkits.</description>
		<content:encoded><![CDATA[<p>This is a very interesting concept - love to get more details on it.  At the same time, I can&#8217;t help but wonder over the whole notion of having this tool injecting itself into the OS kernel during boot-up and doing so in a way that &#8220;ensures&#8221; it being the first one there - love to see how it can be done reliably and consistently, considering it would be the same goal by other rootkits.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
