
Whitelist of Applications that Can Run


7 replies to this topic

#1 Rob McClure

Posted 06 June 2012 - 02:06 PM

We have over 400 XP machines that we use in a medical field. We have been getting a lot of viruses lately that I have been fixing remotely via LogMeIn Rescue. All machines are loaded the same.
So I am looking at some options that would allow me to install software such as Anti Exe that would stop any other .exe, .com, .msi etc. files from running without password permission. So if we want to install a specific program we can give them the password to install it. However, if they get a virus and it tries to install, it would stop it. Anti Exe with a whitelist works like we want but is a little pricey to do for 400 users.

Virus programs work OK but still always dealing with viruses, so if you stop any executable files from running unless we approve it with a password. All of the machines are running Windows XP and the user has Administrator privileges.

Edited by hamluis, 06 June 2012 - 03:47 PM.
Moved from XP to AV, Firewall, etc. - Hamluis.



 


#2 cryptodan


Posted 06 June 2012 - 02:11 PM

For 400 users, I would recommend going with a Domain Controller Environment behind a firewall and blocking unwanted sites like Facebook, Twitter, and other non-related sites. And prohibit accessing webmail.

#3 Rob McClure


Posted 06 June 2012 - 02:34 PM

Now they are in 40 different offices, but like the virus we got in some of them, they went to Yahoo.com and clicked on an ad that ran a setup.exe. I actually went into the index.dat file and found the web site in India that it went to and the setup.exe with the virus was still there so I downloaded it so I could test my options. The problem is you will always be adding sites like we do to our hosts file. But a program that blocks all .exe except the ones we approve I believe would stop any virus...

#4 cryptodan


Posted 06 June 2012 - 04:21 PM

The firewall will block the bad sites that you set up and any others network wide. There is also AppBlocker GPO in Domain Controlled Environment where you can deny applications and allow certain ones.

#5 Rob McClure


Posted 06 June 2012 - 04:33 PM

Correct, but like this virus came from a site that was unknown. So if I didn't block it then it still would allow the download. Even if it downloads to the computer, the .exe blocker keeps it from running. The object we are trying for is to not have to keep adding sites, as there are too many of them out there; we just want to control which programs can run or not run.

#6 cryptodan


Posted 06 June 2012 - 05:45 PM

I used to work for a company that employed a Websense Security Device which was very good at blocking malicious sites and what not and it used a database. Here is more information:

http://www.websense.com/content/Home.aspx

Also, can't you create an image that already contains anti-exe and use it for new machines?

#7 Rob McClure


Posted 06 June 2012 - 07:45 PM

Will check out that box. No, Anti-exe works and I have an image with it on there. I was just possibly looking for a less expensive method. They charge $40 each machine for 400 machines. It actually works awesome.

Thanks for your help

#8 Didier Stevens


Posted 07 June 2012 - 06:20 AM

Can you disclose more info about your environment?

Are the XP users local admins?
Are the XP machines domain members?
How do the machines connect to the Internet? Via a central proxy or gateway, or is it decentralized?

You could look into Software Restriction Policies. Configure it to only allow executables to run from the Windows and Program Files directories.

But if these XP machines are not in a domain, it'll be a lot of work to configure this.
And if the users are local admins, they can easily bypass this.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
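
A dry run of the directory allowlist suggested in the post above, as an added example that is not part of the thread: a simplified Python model of a default-deny policy with path rules for the Windows and Program Files directories, run over a constructed inventory of executable paths to see what would stop running before the policy is enforced. The drive letter, the extension list and the sample paths are assumptions, and the function only approximates how Software Restriction Policies evaluates path rules.

```python
import ntpath

# Assumed allow rules, mirroring the post: only the Windows and Program Files trees.
ALLOWED_DIRS = [r"C:\WINDOWS", r"C:\Program Files"]
# Assumed short subset of the file types the policy treats as executable.
EXECUTABLE_EXTS = {".exe", ".com", ".msi", ".bat", ".cmd", ".scr", ".pif"}


def _norm(path):
    """Collapse '..' segments and fold case, as Windows path comparison is case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(path, allowed_dirs=ALLOWED_DIRS):
    """True if the file may run under default-deny with the given directory rules."""
    target = _norm(path)
    if ntpath.splitext(target)[1] not in EXECUTABLE_EXTS:
        return True  # not an executable type, so the policy does not apply
    for rule in allowed_dirs:
        # Match on a separator boundary so a sibling folder with a longer name
        # is not mistaken for a subfolder of the allowed one.
        if target.startswith(_norm(rule) + "\\"):
            return True
    return False


def audit(paths, allowed_dirs=ALLOWED_DIRS):
    """Return the paths the policy would block, in input order."""
    return [p for p in paths if not is_allowed(p, allowed_dirs)]


# Constructed inventory for one workstation (hypothetical application names).
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\ClinicApp\clinic.exe",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\setup.exe",
    r"C:\Program Files\..\Documents and Settings\user\Desktop\SETUP.EXE",
    r"C:\Program Files Tools\tool.exe",
    r"C:\Documents and Settings\user\My Documents\report.doc",
]

if __name__ == "__main__":
    for blocked in audit(SAMPLE_PATHS):
        print("would be blocked:", blocked)
```

Anything the audit lists that is a legitimate business application has to be reinstalled under Program Files or given its own rule before the default level is switched to disallowed.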




