Video Screencast Help

Do not store list of exclusions in clear text

Created: 29 Nov 2012 • Updated: 05 Feb 2013 | 1 comment
zhitenev's picture
3 Agree
0 Disagree
+3 3 Votes
Login to vote
Status: In Review

Right now SEP stores list of exclusions in clear text in the registry. An attacker might take advantage of this. I sugget to add a featre to encrypt exclusions (please don't use "one key fits all workstaions in the world" approach) to enchance security on endpoints.

Comments 1 CommentJump to latest comment

Elisha's picture

I agree it would be nice to hide those rules.  However 'security by obscurity' is not good.  Even if an attacker could not read those exclusions simply having the exclusions in the product could still cause a security risk.  The best idea is to remove the exclusions that could pose a security threat.  Hiding the exclusions does not eliminate the risk.  Ideally your security policy should be such that even if an attacker is able to get the entire policy your systems are still secure.  In other words the security of your systems should not be based on the fact that attackers can't figure out your policies.  There are dozens of ways to get the policy data.

But, you could use Application Control to block access to those keys.  Also, keep in mind that the only way malware could see those keys is if the malware was already running on the system.  But if malware was already running on the system then why would it need to see those keys, it is already running and the damage is done.

Note: these keys are protected with Tamper Protection so an attacker should not be able to modify these keys.

Login to vote