So in the Encase class today we're discussion hashes and file signatures. And we discuss how you can change the file name but you can't change the hash value. So Gater.exe would still be identified as a bad program no matter what you renamed it.
Wed, Oct 27 2004 22:04
Why aren't we?
So I'm chatting with Eric F and he brings up that much of this can be done with group policy. So off to google I go to check and sure 'nuff, we can block this stuff like this. So why aren't we?
The article “To create a hash rule” talks exactly how to do this in Software restriction policies. Now granted it would probably be tough to do this, and might be easier to build the “here's the good program” database and just put in those programs that CAN be run, but why aren't we utilizing more of this power that we have already under the hood?
Like all the running around with our heads cut off we've been doing for the gdiplus.dll issue. Couldn't we build a restriction policy to either allow only the good one to run or the bad one not to run? Or am I oversimplifying this?
NIST has hash files that you can subscribe to along with other sources on the web.
I just think that as we go forward more of the “kewl” stuff like this will be more integrated and automated.
Filed under: Security