
Tech Un-penetrable

Discussion in 'Off Topic' started by dragonitti, Jun 15, 2005.

  1. Turbo4afe Guest

    How long have you been working there? How many people does the company consist of?

    The company would be Hoffman-La Roche, pharmaceutical.

    They can view pictures, they can't save them though.
  2. AlaricD Guest

    1) Standard PCs running on the internet don't have Domain Policies on them. Does your home PC have a Domain policy on it?
    You just said your software was not for the home user. Additionally, an advanced user can set up similar policies without using Active Directory.
    2) The task of setting Group policies, Domain policies, Software restriction policies, etc., etc. is such a tedious and time-consuming job that companies either don't set them up right, or don't bother setting them up at all.
    Purchasing software to do it for them isn't always done-- and if they do, they buy it from a vendor they've heard of.
    3) How many corps. shut off Safe mode? I probably can count on one hand the number of PCs in an organization whose ability to boot into Safe Mode is disabled.
    My company does. It's not my fault that others don't. That's not the issue.
    4) All those policies use system drivers, and Safe mode turns off system drivers if you boot into it. Do you also have Safe mode w/ Networking disabled? Do you also have Safe mode w/ command prompt disabled too? Reboot your machine and hit F8 to see what it does.
    Safe Mode with Networking is the only one that IS enabled-- so you can authenticate to the domain before entering Safe Mode. Without the authentication, you can't get in.
    Do me a favor, actually do some of the things I have suggested before you assume it doesn't or isn't going to work. And so far you're 1 for 3. Cause you tried:

    james.txt by double clicking which = opened in notepad(your victory, my loss).

    and you tried

    james.txt from command prompt = it worked(my victory, your loss)


    regedit in a .bat file which = it worked(my victory, your loss).

    However, when I was right and you were wrong, you just wrote it off as it's not "That" harmful. "You can't do MUCH damage". But you have yet to try the other code I posted. Wonder why that is?

    I will try this on a system for which I have a ghost image. I surmise, knowing what I know about file permissions in Windows NT, that the main thing that will be affected is the user folder under Documents and Settings, but nothing in \windows and its subdirectories will be affected. There will be some deletion of files from \program files\, as well, depending on the NTFS permissions. So, yes, there may be some lost data, but the OS as a whole will not be brought down, nor will that enable that user to escalate his permissions.

    You describe all these methods in which someone can attempt to victimize a machine. But with McAfee Enterprise 8.0i, there are all kinds of access protections available:
    - Prevent IE from launching anything from the Temp folder
    - Prevent IE from launching files from the Downloaded Program Files
    - Prevent Outlook from launching anything from the Temp folder
    - Prevent Outlook Express from launching anything from the Temp folder
    - Prevent Packager from launching anything from the Temp folder (along with MSN, Winzip32, Winrar)
    - Prevent execution of scripts from the Temp folder
    - Prevent access to suspicious startup items (including .exe, .scr, .hta, .pif, .com)
    - Prevent remote modification of files (.exe, .scr, .ocx, .dll)
    - Prevent remote creation/modification/deletion of files in the Windows folder and subfolders
    - Prevent remote creation/modification/deletion of anything in the system root
    - Prevent remote creation of autorun.inf files
    - Prevent creation of new files in the Windows & System32 folder (.dll, .exe)
    It also allows you to write new rules-- rules I could write in the ePolicy Orchestrator console and deploy to all machines. I could, then, prevent creation, execution, modification, or deletion of .txt and .bat and whatever files in whatever directory I want to.

    Additionally, I can use VSE8.0i to block access to any ports I want to. There's a set of predefined rules-- I can add to those.

    There's built-in buffer overflow protection.

    There are "unwanted programs" policies covering spyware, adware, remote administration tools, dialers, password crackers, "jokes", and a rather nebulous "other potentially unwanted programs." (I should call NAI and ask them about that one.) I can even add specific programs to the list if I so choose.

    Your software may be good, it may work well-- but it's not the end-all in security, nor is it unique.
  3. kickarse Guest

  4. dragonitti Guest

    I already knew that, that's why I was trying to get you to change the NAME and the EXTENSION and then use cmd.exe to launch the program.

    Somehow we just got confused somewhere in the middle. I didn't know you were trying it both ways. So, you were confusing me, because you were doing things differently than what I said to do.
  5. dragonitti Guest

    Malicious code is still malicious code. Who cares what the classification is (exploit or non-exploit), you need to stop them from destroying your machine.

    OMG! Where did I mention doing a simple remove directory? I said to input the following code into the .bat file:

    del c: /s /q /f

    That code is far more dangerous than just a simple rd command. If you ran that, your AV is not going to stop it. And you will have to re-install your OS. Group Policy will not stop batch files. ANY user can create a .bat file, and launch it to do whatever you want it to. If every .bat file that came into your e-mail from a trusted source had the .bat extension on it clearly visible, then yes that would be the case. That's why I said if the .bat file came through and it looked like a .txt file because it was disguised. What will you do then?
  6. dragonitti Guest

    A little over a year now. The company has been around longer than that though. # of employees is confidential. But we are small. You got to start somewhere I reckon. At one point, Microsoft was a small company...lol.

    Hoffman-La Roche, that's cool. How long have you been there? What do you do there?
  7. dragonitti Guest

    Just wanted to let you know that I have just finished setting up Live Meeting on my demo machines. It is now 3:58 AM here in TN, and I have to be at work around 8ish. So, I'm going to bed now. I will launch Live Meeting tomorrow after work, to give my "LIVE" demonstration. Only two people were non-EGOTISTICAL enough to call my bluff and actually want to participate in the demo. So, I will demo it for them, and they can then provide feedback for the rest of you. Like I said, Moderators, I have made a deal that I will be banned from this site for good if I am BSing everyone, and dragged out 5 pages on the subject of this software. Have a good night/day or whatever time frame you're in. Tune in tomorrow, SAME TIME, SAME CHANNEL.
  8. dragonitti Guest

    Ok, first you said you didn't check it, then you turn right back around and said you did. Which is it AlaricD? Because my instructions told you NOT to check it. Therefore, because you didn't follow directions, your actual file when you renamed it from "calc.exe" to "james.txt". In fact, you only replaced the "calc" part. So, your executable actually says "james.txt.exe". That is NOT what I asked you to do; if you put aside your ego, and follow the directions closely, your file would be "james.txt" and not "james.txt.exe", to which the icon would change, and you would also get the "YES" or "NO" dialog box.

    OK, you got me there. I tried again and you are RIGHT for a change. I was mistaken, and did not finish my test. The file will in fact open in notepad with a bunch of gibberish. HOWEVER! I tried something else. I opened the command prompt and navigated to the file and typed in james.txt at the command line, and the program ran. So, we are BOTH RIGHT! Try it again, this time instead of the "double clicking", run it from command prompt.

  9. AlaricD Guest

  10. AlaricD Guest

    Strange, in http://vvti.net/forums/showpost.php...02&postcount=58 you said:
    Which way is it going to be? Do everything from the command prompt? All of it? None of it?

    You keep changing the parameters over and over whenever I get precisely the results you don't want me to get-- results that show you're not always right.
  11. AlaricD Guest

    I did it BOTH ways-- and posted the results for BOTH ways. *READ* what I type.

    Also, you need to realize that the filename has two parts-- the NAME and the EXTENSION. Yes, we can say that the full name of "SYSTEM.INI" is "SYSTEM.INI", but really, it is an .INI file named "SYSTEM". When you HIDE the extensions, all the rename operations in the GUI work only on the NAME part, not the extension part. Therefore, with extensions hidden, when you rename calc.exe to james.txt, you are really modifying the name part of the file from calc to james.txt. The extension is left alone because it is hidden, therefore the extension remains .exe. It's really quite simple, and as you become more familiar with computers you'll come to understand that.
  12. dragonitti Guest

    *READ* what I typed after that in bold. I said we BOTH are correct, because YES if you double click on it, you will see it come up in Notepad. But if you go through the command prompt, the calculator program will run.
  13. AlaricD Guest

  14. dragonitti Guest

    What's the definition of a zero-day exploit?

    found at http://searchsecurity.techtarget.co...i955554,00.html

    A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Ordinarily, after someone detects that a software program contains a potential exposure to exploitation by a hacker, that person or company can notify the software company and sometimes the world at large so that action can be taken to repair the exposure or defend against its exploitation.

    If you were to take that .bat file and e-mailed it to your friends and say that it was a text document to trick them into launching it, that would be the same thing as a ZERO-Day. It's not the CODE in the file, It's the actual FILE itself that is the ZERO-DAY exploit.
  15. AlaricD Guest

    But we've generally known there's a vulnerability in that users trust other people and will run their .BAT which contains no code that exploits the operating system, but rather does what it is supposed to do by design. rd is a tool to remove directories. It shouldn't make any difference to the OS what directory that is. But, again, there are different user classes in XP, so that the end-user in the enterprise, having only User access, will be able to do far less damage than the Administrator. And since a .BAT is human-readable, anyone that runs a .BAT someone sends him before looking at it to see what it does is a complete idiot.
  16. dragonitti Guest

    I told you that I screwed it up. If you do NOT check, remember NOT to have a check mark in "HIDE KNOWN FILE TYPES", so that the GUI shows "CALC.EXE" and NOT just "CALC", and rename it to "JAMES.TXT", NOT so that it's saying "JAMES.TXT.EXE", and GET the YES/NO dialog box to change it. It WILL change the icon to a text icon, and YES you will see it in notepad if you DOUBLE CLICK IT. But if you go through the command prompt, and type in "JAMES.TXT" it WILL run the program. That is the last time I'm going to say it.
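The renaming argument above boils down to two things a defender can check for on disk: a file whose bytes are a program even though its name says text (the renamed calc.exe that cmd.exe still runs), and a file whose visible name was edited while the hidden real extension stayed put (james.txt.exe). This is an added Python example, not code from the thread or from either product mentioned; the extension sets are an assumption of the example and the sample files are constructed inline in a scratch directory.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumed for this example: a subset of the extensions Windows runs directly
# (a real scan would read PATHEXT) and the extensions users expect to be data.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".txt", ".jpg", ".gif", ".doc", ".pdf"}
PE_MAGIC = b"MZ"  # every Windows executable starts with the DOS stub signature
BATCH_VERBS = ("@echo", "echo ", "rem ", "set ", "start ", "del ", "rd ", "regedit")


def _looks_like_batch(head: bytes) -> bool:
    """A .bat is plain text, so inspect its first non-blank line instead of magic bytes."""
    text = head.decode("ascii", errors="ignore").lower()
    for line in text.splitlines():
        if line.strip():
            return line.lstrip().startswith(BATCH_VERBS)
    return False


def classify(path: Path) -> str:
    """Return 'ok', 'double-extension', 'pe-disguised-as-document' or
    'script-disguised-as-document' for one file."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    # "james.txt.exe": the name part was edited while the real extension stayed hidden.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        return "double-extension"
    if ext not in DOCUMENT_EXTS:
        return "ok"
    head = path.read_bytes()[:512]
    # "james.txt": really renamed, the icon changes, yet the bytes are still a program.
    if head.startswith(PE_MAGIC):
        return "pe-disguised-as-document"
    if _looks_like_batch(head):
        return "script-disguised-as-document"
    return "ok"


def scan(directory: Path) -> dict[str, str]:
    """Classify every regular file directly inside `directory`."""
    return {p.name: classify(p) for p in sorted(directory.iterdir()) if p.is_file()}


def build_samples(directory: Path) -> None:
    """Constructed sample files standing in for the ones discussed in the thread."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    (directory / "readme.txt").write_bytes(b"just a note\r\n")
    (directory / "james.txt").write_bytes(pe_stub)      # calc.exe, extension really changed
    (directory / "james.txt.exe").write_bytes(pe_stub)  # calc.exe, only the name part changed
    (directory / "notes.txt").write_bytes(b"@echo off\r\necho hello\r\n")  # a .bat sent as "text"
    (directory / "real.exe").write_bytes(pe_stub)


def demo() -> dict[str, str]:
    """Build the samples in a scratch directory and return the scan verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        return scan(Path(tmp))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```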
  17. AlaricD Guest

    It's only malicious much in the same way that a shovel can be malicious when misused. It's still a valid tool that belongs in every shed. Just because some people whack other people over the head with a shovel once in a while doesn't mean that my own shovel should be taken away.

    I don't see why my AV needs to protect me from deleting files from my system.

    Additionally, there's a thing in Windows NT called "NTFS", or the "New Technology File System." NTFS allows access controls to be applied to files and folders such that deletion of files cannot be performed by those people not listed properly in the ACL. This is how group policy can prevent people from deleting too much of the wrong thing. Obviously, if you are the Creator/Owner of a file, it belongs to you and you can do with it what you want.
    Code:
    C:\WINDOWS\system32>cacls calc.exe
    C:\WINDOWS\system32\calc.exe BUILTIN\Users:R
                                 BUILTIN\Administrators:F
                                 NT AUTHORITY\SYSTEM:F
                                 Everyone:R

    C:\WINDOWS\system32>del calc.exe
    C:\WINDOWS\system32\calc.exe
    Access is denied.

    C:\WINDOWS\system32>
    As you can see, "calc.exe" has access controls on it such that Users can only READ the file, while Administrators and the System account have full control over the file.

    I then attempted to delete that file-- and "Access is denied" is my reward for my attempt.

    This is an example of how not allowing users (or yourself) to run as an administrator (except when actually performing administration tasks) protects your system-- because the system doesn't give the User class the ability to run rampant over the system.
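The cacls listing in this post can be read mechanically to answer "who is allowed to delete this file?", which is exactly why the del attempt fails for a plain user. This is an added Python example, not the thread's own code; it embeds the listing above as a constructed string and assumes only the four simple-rights letters R, W, C and F appear.

```python
from __future__ import annotations

from dataclasses import dataclass

# The thread's own cacls listing, embedded here as a constructed string.
# cacls prints "<path> <first ACE>" and aligns the remaining ACEs under the first one.
CACLS_OUTPUT = "\n".join([
    "C:\\WINDOWS\\system32\\calc.exe BUILTIN\\Users:R",
    " " * 29 + "BUILTIN\\Administrators:F",
    " " * 29 + "NT AUTHORITY\\SYSTEM:F",
    " " * 29 + "Everyone:R",
])

# cacls simple-rights letters. Assumption for this example: only these four appear
# (no explicit (OI)(CI) inheritance flags or special-rights listings).
# Read and Write do not include DELETE; Change and Full Control do.
CAN_DELETE = {"R": False, "W": False, "C": True, "F": True}


@dataclass(frozen=True)
class Ace:
    principal: str
    right: str


def _parse_ace(text: str) -> Ace:
    principal, _, right = text.rpartition(":")
    if right not in CAN_DELETE:
        raise ValueError(f"unrecognised cacls right {right!r} in {text!r}")
    return Ace(principal, right)


def parse_cacls(output: str) -> tuple[str, list[Ace]]:
    """Split one cacls listing into (path, ACEs)."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    first = lines[0]
    if len(lines) > 1:
        # The continuation indent tells us exactly where the path ends, which
        # keeps principals containing spaces (NT AUTHORITY\SYSTEM) intact.
        indent = len(lines[1]) - len(lines[1].lstrip())
        path, first_ace = first[: indent - 1], first[indent:]
    else:
        path, _, first_ace = first.rpartition(" ")
    return path, [_parse_ace(first_ace)] + [_parse_ace(ln.strip()) for ln in lines[1:]]


def deleters(aces: list[Ace]) -> list[str]:
    """Principals whose ACE is strong enough to delete the file."""
    return [a.principal for a in aces if CAN_DELETE[a.right]]


def can_delete(aces: list[Ace], memberships: set[str]) -> bool:
    """Would an account holding these group memberships be allowed to delete?
    Allow-only logic: this kind of listing shows no deny ACEs."""
    return any(a.principal in memberships and CAN_DELETE[a.right] for a in aces)


if __name__ == "__main__":
    path, aces = parse_cacls(CACLS_OUTPUT)
    print(path, "can be deleted by:", ", ".join(deleters(aces)))
    # A plain user is in Users and Everyone: both R, hence "Access is denied".
    print("plain user may delete:", can_delete(aces, {"BUILTIN\\Users", "Everyone"}))
```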
  18. dragonitti Guest

    You fail to see the "WHOLE" picture. Batch files can, will, and have been used to perform malicious activity. Did you see the code I posted from that other website? Did you read what that code did? You already tested the theory of creating a batch file on the fly, it worked, and your AV software did nothing about it. But the best you can do is tell me, "oh, well no one codes batch files to do malicious stuff that much". Get with the program dude. Here is the POINT, your AV can't catch any newly created batch file on the fly! That in itself is a problem! Get the WHOLE picture now?

    There is such a thing as important data. If you have a whole list of important documents, you don't want some stupid little batch program (mind I'm just giving an example, doesn't have to be a batch program, it can be an unknown virus) coming in and deleting all of your precious data.

    Group policies will not do a thing for you when it comes to batch files. I don't think they will do anything for you when it comes to scripts either.

    You know what, do me a favor. Take a system you don't mind screwing up and open the command prompt. Now type in the command
    Code:
    del c: /s /q /f
    hit enter, and tell me what happens. By the way, make sure you have only user level access.

    Exactly! And that's why corporations/gov. want to have control over that. Our software gives them that control.

    Doesn't matter if I'm an admin or user on the box. If I have command line access to the machine, then I can run rampant all over it. And what about booting into Safe mode? Can I not boot into Safe mode, and turn off your AV? Yes I can. You should not have the right to do that either. And if you come back with a weak response like "well, people rarely boot into safe mode and turn off the AV?" Then I'm going to ask "then why are we getting requests for such a feature as being able to run in Safe mode?" "Why do agencies want that functionality, if it's not a threat?"
  19. AlaricD Guest

    If you have command-line access on a machine, NTFS permissions still limit what you can do. Read up on NTFS a little bit. If the Administrator doesn't want you removing or modifying a file, you won't be able to. Opening a CMD.EXE window doesn't automatically render NTFS permissions useless. If you're a user in the GUI, you're a user when you open CMD.EXE.

    Can I not boot into Safe mode, and turn off your AV? Yes I can. No, you can't. Believe me. You cannot. Domain Policy prevents people from going into Safe Mode on our machines except for certain logins-- logins of trusted IT personnel. They will NOT be going to Safe Mode to turn off their AV because they will be unable to. Granted, they could go to the Recovery Console but then would need the local admin password and the XP CD to do it with. Physical access will eventually allow you to override security anyway.
  20. Turbo4afe Guest

    I would like to participate in the live demo, but I don't have any time...
    You still haven't answered any of my questions... what the hell...

    I work at a Fortune 500 as well and we have had these "lockdowns" since 1999
    ...a normal user cannot even download a picture, per se....
  21. dragonitti Guest

    That's my point. With ImmuneEngine physical access doesn't matter. You can not bypass the system like you did with that .bat file I had you create.

    1) Standard PCs running on the internet don't have Domain Policies on them. Does your home PC have a Domain policy on it?

    2) The task of setting Group policies, Domain policies, Software restriction policies, etc., etc. is such a tedious and time-consuming job that companies either don't set them up right, or don't bother setting them up at all.

    3) How many corps. shut off Safe mode? I probably can count on one hand the number of PCs in an organization whose ability to boot into Safe Mode is disabled.

    4) All those policies use system drivers, and Safe mode turns off system drivers if you boot into it. Do you also have Safe mode w/ Networking disabled? Do you also have Safe mode w/ command prompt disabled too? Reboot your machine and hit F8 to see what it does.

    Do me a favor, actually do some of the things I have suggested before you assume it doesn't or isn't going to work. And so far you're 1 for 3. Cause you tried:

    james.txt by double clicking which = opened in notepad (your victory, my loss).

    and you tried

    james.txt from command prompt = it worked (my victory, your loss)

    and you tried

    regedit in a .bat file which = it worked (my victory, your loss).

    However, when I was right and you were wrong, you just wrote it off as it's not "That" harmful. "You can't do MUCH damage". But you have yet to try the other code I posted. Wonder why that is?
  22. dragonitti Guest

    Man, I have been posting so much stuff, I must have overlooked your questions. What were they again? I'm too lazy to go back. And what Fortune 500 company would that be?

    Can your normal users view a picture on the internet? Cause that's all it takes. And if everyone felt they were secure with everything that is out now (which there are companies who just don't have major problems like other organizations, and our software was just too powerful for them), then why do they feel the need to hear what we have to say?
  23. AlaricD Guest

    I don't want a copy, free or otherwise. Thanks, though.

    And no, most of my family (except for my cousin Gerhardt in Germany, and to an extent, my brother) are NOT advanced users. Why would you imply that I said that? And if they have questions, they call me. My mother consults me before buying new hardware-- and had me set up her security. Spyware free for the past 7 years at least.

    I did not say specifically that the software was ONLY for configuring other software-- with the exception of the ePolicy Orchestrator, which lets me set AV policies by departments. It makes it a lot easier to make a configuration change to 300+ desktops when it can be done from a central console.

    And yes, I *am* an Admin. Another assumption you made that is incorrect (one being that you could log in to Safe Mode on computers in my Domain.) However, I choose not to run my OWN machine as Administrator except when performing administration tasks-- and neither does anyone else in the IT department. I *can* su to an account that does give me local admin privileges should I actually need them-- but you can bet I wouldn't connect to any other websites but Microsoft's when I am using an Admin account.

    If you are logged into your machine at this moment with an Administrator-level account and you are reading this-- you are wrong, and do not know as much about computer security and safe operating practices as you would like to think.

    I also manage a PBX-- and if I'm just looking at the ACD screen (which, as I have it configured, requires level 3 access) I only log in with level 3 access-- why log in with level 9 access if I don't NEED to use it at that time? If I need higher access, I log out and back in to the switch with a higher level of access-- and usually even then, level 7 is all I need. Sure, it's a few extra steps-- but it sure beats having to restore a backup of the system programming if I accidentally hit a key combination that resets the ACD programming or restores all the phone button programming to the standard configuration.

    Wow, that must have been a really fun seminar Microsoft put on for you-- you picked up some good buzzwords there.

    It's just adapted from the military, based along similar lines but an adaptation nonetheless.
  24. burbod01 New Member

    dragon I think you are trying too hard to get us to accept your product as the best, when no smart consumer would accept that from an anonymous source on an internet message board.... especially one that works for the company he is promoting.

    Obviously you are going to say "Ours does this and theirs doesn't" as well as "Ours doesn't have any of the problematic byproduct such as X, Y, Z, ..." because it would be in your best interest...

    Maybe if someone told us what you are saying who didn't have any kind of personal interest in the product (or even better, one who had an interest against your company), it would be easier to swallow.
  25. dragonitti Guest

    Guess I just imagined you said that last part. Point was, 9 out of 10 (probably 1 million) are NOT advanced users.

    I didn't say that was its only function. I was just pointing out that the tedious work of it has driven companies to write software just to be able to use a security architecture.

    I really didn't think I would have to point this out to you, but here is the BIG picture. The concern is not that great with users. IT'S THE ADMINS man! They WANT control over the ADMINs. They have not found a solution to do that yet. ImmE is that solution.

    Wow! Now I realize what type of person you are, just by that childish comment you just made. You come off as one of those guys who is SO smart, and that there is not another person that knows more about computers than you do. I have a college degree just like you sir. Difference is, I don't insult your intelligence.

    I am no longer going to entertain your comments any longer. Your attitude and closed mind have provoked me to turn a deaf ear to you. I have two people on this board who I am preparing a demo for later this evening. So, they will get the demo, and provide an unbiased opinion of the software, and judge it AFTER they have seen it. Thank you for your time.
  26. burbod01 New Member

    I hate to point it out, but you and he are not very different. Are there any professional reviews of your program?
  27. dragonitti Guest

    That's what I have been trying to do since post 1. I have two people from this board who are going to participate in the viewing of the demo. Laz and Kickarse, whom I only know via this board, will provide you guys with an unbiased opinion of the software.

    I have some things to take care of here at work, and also prepare for the live meeting demo later today.

    So, all comments and questions should be put on hold until the demo is over with.
  28. AlaricD Guest

    I, too, am finished with you. You speak of being in IT but you talk like a marketer. And when you say things like "You do know what X means, right?", it comes across like a 4th-grade teacher asking his class if they know a term that was recently defined in their textbook.

    With my computer experience starting with programming in 1983, and continuing later with a stint in the US Army (in the Signal Corps and in Civil Affairs), and with my present job as a telecom administrator and assistant domain admin, I believe I can place myself as an advanced user, and any biases I have in my opinion towards software are the natural result of my years of experience. While my own knowledge of your company's software is information filtered through your own observations and training of it, I can compare it to my experience with other products, such as, for example, the Desk Tracy software that Kinko's used to bill users for their computer time, as well as greatly restrict their access.

    I'll be happy to hear their opinions after seeing the demo, and would also like to know more about their background, education, and training in such areas. That's not to discount their opinions of the software-- but to understand better what they say they have seen.
  29. dragonitti Guest

    I am not making any *blatant* comments like his towards me, such as when he made the comment..."you picked up some good buzzwords there." That was a direct insult to my education and intelligence. And if there are any comments that I made, then I apologize for that. But I didn't start off by insulting him like he did me WAY earlier in this thread. There is only so much a person has to put up with before they start getting nasty right back with you.

    If you want professional opinions on the software, visit FCW.com and do a search on "ImmuneEngine".
  30. dragonitti Guest

    YES we have a home ver. and NO you can't have a free copy. Let me guess, your mom, dad, uncle, and everyone else in your family is considered an advanced user.

    Do you know how ridiculous that sounds? "You need to buy more software to configure the security software you already have."

    1) Highly doubt they buy software to configure group policies for them.

    2) Funny how you think you know the ins and outs of security practices, and know the companies' operation, and you're not even an Admin.

    Security hole = an issue.

    Ability to get to it = security breach enough. So, now you are 1 for 4.

    Look who is changing the parameters now. Security breach = Damage (big or small).

    You just proved my point in that you have to TELL IT to do certain things. With every hole in Microsoft, you would be telling the software MANUALLY everything you need it to do. Even then, you can't be sure you covered everything. ImmE is AUTOMATIC, NO UPDATE, Protection.

    That's what a firewall is for.

    Automatic protection from ImmE out of the box. No additional preconfiguring required. No need to add specific programs, it won't allow them anyway. AGAIN you don't have to TELL ImmE to block a specific program, ANY program (old or new) is not going to get in and run, period.

    I don't claim it's GOD. But next to traditional AV it is. If your company put all their money on one product, then they are a fool, and the term "Defense In Depth Architecture" would not exist. Our slogan is "The last line of defense".

    You are aware of what Defense In Depth means, right? When you have a security mechanism at the different layers of the OSI model.
