Tavis’ point is that if you’re able to email macros to a user and have them execute them, your target isn’t using whitelisting.
I don't think it was - it was more by letting users execute macros (and so code) you've already lost a degree of control (correct me if I'm wrong @taviso)
Replying to @GossiTheDog @markeldo and
No, Mark was right, macros can be whitelisted just like anything else. If you're allowing arbitrary macros, then you're not whitelisting.
Ah! There isn't a macro whitelisting feature in Office, not to get all technical. You can whitelist folder locations though, or rely on digital signatures (but then you just get a public CA to sign your doc).
Replying to @GossiTheDog @markeldo and
I don't follow, what you've just described is a whitelisting feature, right?
yes, but it's super flawed - e.g. just get Comodo to sign something, you'll see samples like that in Virustotal too. I don't know if you've ever done it at scale but it's.. not great. As always, combination - disable for users who never need it, add app whitelisting etc.
Replying to @GossiTheDog @taviso and
Don’t let perfect be the enemy of good. The ASD E8 has a nice progression of whitelisting/macro restrictions: https://acsc.gov.au/publications/protect/essential-eight-maturity-model.htm …
I kinda know about that, haha
Replying to @GossiTheDog @taviso and
Notice how AV doesn’t appear in that model at all.
Sure. Also notice how almost nobody runs it (yet).
Antivirus is entrenched real good, but you agree it doesn't work and we need to make things better, right? I don't understand the pushback, it's like you're saying "nah it's good enough" to me, then I see you complain how terrible it is in other tweets 
Pragmatism and realism. If most orgs turned off AV right now, they wouldn't have a network in a week. That's my experience. There's a very long road to getting almost every org to a position where they can be AV free.
Replying to @GossiTheDog @markeldo and
You're talking about keeping a dangerously insecure network operational, not keeping it secure. You can keep a jet in the air with duct tape, but I hope you're not transporting anything important. So we're in agreement that whitelisting is a good solution, and AV isn't?