|
Ha, yeah. It had no problems flagging poo poo on removable USB media. What a rigorous test, those files definitely aren't under high levels of scrutiny by default or anything.
|
#
?
May 5, 2016 17:56
|
|
|
|
| # ? Apr 27, 2024 16:25 |
|
|
Mustache Ride posted:Yeah, in the sit down the Sales Engineer had some intersting things to say about some of the questions I had, including, and I quote "We're not on Virustotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine." http://blog.eckelberry.com/a-bomb-just-dropped-in-endpoint-security-and-im-not-sure-anyone-noticed/
|
|
#
?
May 5, 2016 18:16
|
|
|
It's a vague metric too - SecureWorks was "impressed," but that doesn't really mean anything in a vacuum. If the other solutions they looked at blocked 10% of the attacks and Cylance blocked double that it might be seen as impressive but still isn't all that great real world. That said, their demos apparently allow BYOM and they seem to hold up pretty well there, although I'd like to know how much of the BYOM was just the latest CryptoLocker variant the attendees got hit with. edit: Supposedly Cylance works on offline systems so it's probably doing something more than "check with virustotal" but who knows wyoak fucked around with this message at 18:23 on May 5, 2016 |
|
#
?
May 5, 2016 18:17
|
|
|
Seven million characteristics.
|
|
#
?
May 5, 2016 18:43
|
|
|
dpbjinc posted:Seven million characteristics. gee bill, your mom lets you have SEVEN million characteristics?!
|
|
#
?
May 5, 2016 18:46
|
|
|
Related, but how many of you are using FireEye HX at all? I don't care about the other FireEye products for this response.
|
|
#
?
May 5, 2016 21:59
|
|
|
Someone got a little butthurt, thanks for the title infosec, you made my day 
|
|
#
?
May 6, 2016 00:24
|
|
|
Mustache Ride posted:I had an interesting meeting with Cylance. yesterday, who said they are using math models to predict the APIs and library loads commonly used by malware instead of signatures or I got to talk to someone with a startup doing the same thing, and they were using GAs to evolve useful featuresets for some standard classification/clustering techniques - SVM and whatnot. Seems like it might be fruitful.
|
|
#
?
May 6, 2016 01:32
|
|
heuristics
|
The poo poo that pisses you off thread made me wonder: Does anyone know any good information security related blogs? If possible, ones that are more accessible to people who don't really know much. I'd say a book, but I have to be honest with myself, I never read books anymore. I started OverTheWire Bandit a while ago, I'll try finishing that and working on the rest. I really like working in terminals, so I enjoyed what I did.
|
|
#
?
May 13, 2016 01:03
|
|
|
MF_James posted:Someone got a little butthurt, thanks for the title infosec, you made my day Bah, same title, wrong dude. Sickening fucked around with this message at 02:18 on May 13, 2016 |
|
#
?
May 13, 2016 01:47
|
|
|
He only had one other post in that thread, and it was from six months ago?!?
|
|
#
?
May 13, 2016 02:05
|
|
|
22 Eargesplitten posted:The poo poo that pisses you off thread made me wonder: Does anyone know any good information security related blogs? If possible, ones that are more accessible to people who don't really know much. I'd say a book, but I have to be honest with myself, I never read books anymore. http://krebsonsecurity.com fits that bill
|
|
#
?
May 13, 2016 02:16
|
|
|
What does this thread feel about Bruce Schneier? I've been getting his CRYPTO-GRAM since I want to say the late '90s or early '00s. Way before blogs were a common thing.
|
|
#
?
May 13, 2016 02:21
|
|
|
Trabisnikof posted:http://krebsonsecurity.com fits that bill Thanks.
|
|
#
?
May 13, 2016 03:22
|
|
|
This thread has been an enjoyable read. Especially red text in response to  I know antivirus, all the best antiviruses.
|
|
#
?
May 13, 2016 17:21
|
|
|
How serious is this?quote:When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.
|
|
#
?
May 17, 2016 02:16
|
|
|
Cugel the Clever posted:How serious is this? quote:This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it. Real serious
|
|
#
?
May 17, 2016 02:19
|
|
|
It is challenging to imagine a more dangerous bug. ring0 RCE, file opening not required...it's gorgeous. Easier and more powerful to exploit than anything malware might otherwise do to infect a machine.
|
|
#
?
May 17, 2016 03:59
|
|
|
I had to read that again. Remote ring0 with little to no user interaction. Root level on Linux/Unix systems. 
|
|
#
?
May 17, 2016 12:19
|
|
|
Is Norton/Symantec actually widely used in Linux land? I'm using Linux with no AV, although I'd go for clam or Sophos if I wanted it, since those are the ones I've heard of people using on Linux.
|
|
#
?
May 17, 2016 14:06
|
|
|
DeaconBlues posted:Is Norton/Symantec actually widely used in Linux land? I would guess many email and web security gateways are affected, from Barracuda through to Untangle.
|
|
#
?
May 17, 2016 15:40
|
|
|
A patch for that particular CVE has already been pushed via the update channel which is why they are disclosing it now. Check for version 1.1.1.4 of eng.sys/eng64.sys. The bigger issue is what the hell is going on with their coding standards where they think it is 1) acceptable to unpack malware in the kernel and 2) disable buffer security checks at compile because more eyes are going to be looking at their products for low hanging fruit after this and they won't bother disclosing it like Tavis did.
|
|
#
?
May 17, 2016 16:42
|
|
|
DeaconBlues posted:Is Norton/Symantec actually widely used in Linux land? I'm using Linux with no AV, although I'd go for clam or Sophos if I wanted it, since those are the ones I've heard of people using on Linux. A lot of Linux servers have AV installed only to fulfill some arbitrary requirement for it, for example from PCI auditors. I'm sure in a lot of shops that happened to go with Symantec, some very choice words about those requirements are being exchanged in the sysadmin teams right about now.
|
|
#
?
May 17, 2016 17:00
|
|
|
BangersInMyKnickers posted:A patch for that particular CVE has already been pushed via the update channel which is why they are disclosing it now. Check for version 1.1.1.4 of eng.sys/eng64.sys. The bigger issue is what the hell is going on with their coding standards where they think it is 1) acceptable to unpack malware in the kernel and 2) disable buffer security checks at compile because more eyes are going to be looking at their products for low hanging fruit after this and they won't bother disclosing it like Tavis did. I have yet to see how AV improves security but what do I know. 
|
|
#
?
May 17, 2016 17:05
|
|
|
MrMoo posted:I would guess many email and web security gateways are affected, from Barracuda through to Untangle. There's no doubt quite a few appliances that have expired service subscriptions running affected versions of their scan engine.
|
|
#
?
May 17, 2016 17:10
|
|
|
Thanks Ants posted:There's no doubt quite a few appliances that have expired service subscriptions running affected versions of their scan engine. Even then many organizations apply updates and patches at glacial speeds. Some don't apply them at all. This will be around for a while.
|
|
#
?
May 17, 2016 18:32
|
|
|
Thanks Ants posted:There's no doubt quite a few appliances that have expired service subscriptions running affected versions of their scan engine. We run about 750 endpoints on SAV due to mandate from above. On any given day, 40 of them will fail to pull updates correctly. Some of them self-correct, a lot of them don't. This error state will not be reported to the SAV management console and the only way to detect it is to either monitor for orphaned definition directories in ProgramData or run the symantec diagnostic tool on every system, multiple times per day which will see it. The documented resolution involves killing a bunch of services/drivers to disable the self-protection modules before you cleanup the definitions does not work and will waste and hour+ of your life. The only consistent way we have found to fix it is to do a re-install. I would not count on clients with valid licenses getting the update in a consistent manner. Symantec, your poo poo is garbage.
|
|
#
?
May 17, 2016 18:36
|
|
|
BangersInMyKnickers posted:We run about 750 endpoints on SAV due to mandate from above. On any given day, 40 of them will fail to pull updates correctly. Some of them self-correct, a lot of them don't. This error state will not be reported to the SAV management console and the only way to detect it is to either monitor for orphaned definition directories in ProgramData or run the symantec diagnostic tool on every system, multiple times per day which will see it. The documented resolution involves killing a bunch of services/drivers to disable the self-protection modules before you cleanup the definitions does not work and will waste and hour+ of your life. The only consistent way we have found to fix it is to do a re-install. I would not count on clients with valid licenses getting the update in a consistent manner. Perhaps the same could be said of all antivirus products.
|
|
#
?
May 17, 2016 19:26
|
|
|
Stanley Pain posted:I had to read that again. Remote ring0 with little to no user interaction. Root level on Linux/Unix systems. 
|
|
#
?
May 17, 2016 20:10
|
|
|
So I stumbled into a pretty glaring security flaw in a medical licensing board's Web portal by doing nothing more nefarious than trying to reset my password. Any idea how I should go about reporting this?
|
|
#
?
May 17, 2016 20:49
|
|
|
andrew smash posted:So I stumbled into a pretty glaring security flaw in a medical licensing board's Web portal by doing nothing more nefarious than trying to reset my password. Any idea how I should go about reporting this? Is this the US?
|
|
#
?
May 17, 2016 20:55
|
|
|
Yes
|
|
#
?
May 17, 2016 21:03
|
|
|
Is it run by the state or is it private?
|
|
#
?
May 17, 2016 21:21
|
|
|
State
|
|
#
?
May 17, 2016 21:40
|
|
|
andrew smash posted:So I stumbled into a pretty glaring security flaw in a medical licensing board's Web portal by doing nothing more nefarious than trying to reset my password. Any idea how I should go about reporting this? Make yourself a podatrist and go sniff some feet.
|
|
#
?
May 17, 2016 21:47
|
|
|
andrew smash posted:State  be careful dude, the track record on responsible disclosure to the us govt isnt great
|
|
#
?
May 17, 2016 21:53
|
|
|
half serious/half comedy answer: tails, tor, public wifi, mixmaster, full-disclosure
|
|
#
?
May 17, 2016 21:55
|
|
|
Sharktopus posted:
I know, here's hoping I don't end up in jail
|
|
#
?
May 17, 2016 22:15
|
|
|
Sharktopus posted:half serious/half comedy answer: tails, tor, public wifi, mixmaster, full-disclosure 100% this
|
|
#
?
May 17, 2016 23:40
|
|
|
|
| # ? Apr 27, 2024 16:25 |
|
|
Can't the government track through TOR pretty easily if they decide it's an act of  E-TERRORISM?
|
|
#
?
May 18, 2016 00:15
|
|