[Dshield] Windoze Questions...

Corinne Cook corinnec at abdi.com
Fri Feb 20 17:57:13 GMT 2004

I'm sorry, Jon, I had apparently not read closely enough.  You are right.
Tripwire is a Server, not a Workstation app, in Windows.  Protecting the
workstations is a big concern I have for my system as well. Email filtering,
as you said, has been the most helpful for us but it is not a catch-all
solution, no.  I have not found anything to date that really does the job
for workstations.  Many companies are just now getting firewalls on their
clients and teaching laptop users how to update their virus defs while on
the road; even if there were client products like tripwire, the cost would
likely cause many companies to balk.  Just from my experience, many of them
would rather have you rebuild several workstations later than pony up $$'s
for prevention now.  But isn't that how just too much of the world works in
general (reaction vs. prevention)?

I would be interested to hear about it if you find a product that works,
does not impact general productivity on a mid-powered workstation, and is
cost effective.

Thanks and sorry for the wrong info,


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Jon R. Kibler
Sent: Friday, February 20, 2004 8:10 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Windoze Questions...

Corinne Cook wrote:
> Hi Jon-
> While not an expert myself, I can answer a few of your questions:
> 1) Tripwire actually does have products that run on Windows
> platforms (or at least Win200x, possibly NT4 as well).

Before writing my original post, I had checked out the Tripwire web site and
could not find any products for the Windows workstation. They did have some
SERVER products, but nothing for an end-user workstation. I talked to our
Tripwire sales rep yesterday and he confirmed that they do not have regular
market products for the non-server Microsoft environment. To what products
were you referring?

Our potential customer that spawned all of these questions has already
experienced a problem that I believe that we will all see within the next few
months: The propagation of worms before the AV software vendors are able to
publish new files. This potential customer was looking for alternative
(non-AV) solutions to alert them that an end-user's system has been
compromised.

It has been our experience that the length of time between when an AV vendor
publishes the signatures for a new worm, and the time that we first observe
the worm, has been dropping by about half for each major new worm. For
Beagle.B, we saw the first occurrence of the worm in less than an hour after
we received the first AV update for it. (We run 4 different AV scanners. For
one of the AV products, it was almost a day AFTER we first observed Beagle.B
before they had new signatures available.) Since we update our most critical
AV signatures every half-hour (more often would be impractical), we can easily
see the day coming where we will see the widespread distribution of a worm
before ANY AV signatures are available to detect it.

Thus, the interest in products that would detect the modification of a
desktop system independent of any AV product. We have developed email
filtering tactics that protect our clients should AV fail to detect worms
processed by our email systems, but that does not protect an organization
from some employee's system becoming infected when they check their personal
email on Hotmail or similar services, or bring an infected laptop into the
organization.

Why are worms spreading so fast? Although I know of no one with any evidence
that would hold weight in a criminal court, the preponderance of evidence is
that spammers are responsible for the majority of the new worms. These new
worms are spreading so fast because spammers are using their tens to hundreds
of thousands of already compromised systems to rapidly blast the worm to as
many recipients as possible. This results in an ever increasing number of
compromised systems. Soon (and VERY soon I fear!), spammers will control
enough systems to make the distribution of a new worm essentially
instantaneous! (Are you prepared?)

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
