[unisog] zotob variant?

Jim Dillon Jim.Dillon at cusys.edu
Fri Oct 14 16:22:18 GMT 2005

I'm not sure whether the methods used by this group (WholeSecurity) are
to "know what is normal and good" and flag the rest, or whether it is to
recognize what is generally bad, but I think it may be the former.  In
fact I'm pretty sure it was an effort to categorize normal system
activity and then to alert on things that did not appear normal.  You
can then configure how to respond to that event, quarantine the unusual,
warn, etc.  They did indicate that printer drivers often give their
analysis engine a fit, more than anything else.  In either case I'm not
too concerned if its largely accurate and remains so.  The target
audience for the tool was orgs with large amounts of uncontrolled
desktops (e.g. higher ed with its tremendous student population
turnover?)  Hard to block the C Drive in that population, so how can we
keep it sanely controlled?

Of course the truth behind the concerns is this particular solution is
only offered for the platform largely susceptible to the attacks, and we
know which platform that is.  The characteristic that you don't have to
update signatures every few hours to be largely effective, and that
there is a good chance of catching something new and unique is

Best regards,


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of John Stauffacher
Sent: Thursday, October 13, 2005 3:30 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] zotob variant?

I've really always wondered why Anti-Floop (shameless..i know) vendors 
always want to "Enumerate Badness", wouldn't it be a whole lot easier to

enumerate the good. I'm sure the avg user will have a pretty small 
"whitelist" of apps that they run. Rather than the overly ambiguous 
"blacklist" of stuff that maybe they don't want to run. Seems like a 
perfect candidate for default deny and then allow based upon 
whitelisting. But, thats all a pipedream, for now we rely on policy 
tools to make sure our computers are up to date and shaky "sig" based 
sollutions, with their hourly updates....I'd rather just writeprotect 
the C drive and be done with it....

clip history...

More information about the unisog mailing list