TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Frost and Sullivan announced in their Feb. 2007 report, "Analysis of Vulnerability Discovery and Disclosure", that TippingPoint was the fastest growing discoverer of new vulnerabilities and the leader in the discovery of both high-severity and Microsoft vulnerabilities.

ThreatLinQ: Enabling Packed Executable Filters

This post highlights TippingPoint IPS filters that look for packed or compressed binaries. Packer detection was once the domain of anti-virus software, but these filters provide a decent first level of protection against a lot of malware: we have seen statistics showing that as much as 80% of all malware is packed in one fashion or another. While legitimate use of packers in commercial software has grown as well, I feel that with a bit of tuning these filters can offer excellent protection for your network.

I would recommend putting these filters in "Permit + Notify" or "Permit + Notify + Trace" for a period of time to see how they perform in your particular network. In addition, any feedback you can provide about known-good software that uses packing, or a less scientific measure such as confirmation that these filters work with little intervention on your part, would be of great help. Such feedback would enable us to broaden our recommendation of filters that detect packed and compressed executables.

To further substantiate why you should consider turning these filters on, here are a few graphs that show a rise in these types of hits over the past 2 weeks:
[Graphs: filter hits for packed and compressed executables over the past two weeks]
If you log into ThreatLinQ, a search for the keyword "compressed" using the search box in the upper right-hand corner returns many of the other filters that address other packers, which you may wish to consider enabling in your network.
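As an added example (not TippingPoint's filter logic, which this post does not show), here is a small Python checker that flags a PE file when its section names match the UPX or ASPack packers this post tags, or when a section's byte entropy is high enough to suggest compressed data. The PE sample it inspects is constructed inline, and the packer section-name list, the 7.0 entropy threshold and the function names are assumptions made for the demo.

```python
import math
import struct
# Section names UPX and ASPack (the packers this post tags) typically leave in the
# PE section table. Constructed lookup for the demo, not a TippingPoint filter.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                        b".aspack": "ASPack", b".adata": "ASPack"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain code well below."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section of a PE image, walking the headers by offset."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)  # IMAGE_FILE_HEADER
    num_sections, opt_size = coff[1], coff[5]
    table = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size]

def assess(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report packer indicators without blocking, like a filter in Permit + Notify."""
    findings = []
    for name, data in pe_sections(blob):
        label = name.decode("ascii", "replace")
        packer = PACKER_SECTION_NAMES.get(name)
        if packer:
            findings.append(f"section {label} is a {packer} signature")
        entropy = shannon_entropy(data)
        if entropy >= entropy_threshold:
            findings.append(f"section {label} has entropy {entropy:.2f}")
    return {"packed": bool(findings), "findings": findings}

def build_sample(section_name: bytes, payload: bytes) -> bytes:
    """Construct a minimal one-section PE-shaped blob for the demo (not a real program)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header at 0x40
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # no optional header
    raw_off = 0x40 + len(nt) + 40                    # payload follows the single section header
    section = struct.pack("<8sIIII", section_name, len(payload), 0x1000, len(payload), raw_off)
    return bytes(dos) + nt + section + b"\0" * 16 + payload
```

Running `assess(build_sample(b"UPX1", bytes(range(256)) * 4))` reports both a UPX section name and a full 8.00 bits of entropy, while a `.text` section filled with NOP bytes produces no findings; the section-name match catches stock packers and the entropy check catches renamed ones.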
Tags: filter,upx,aspack
Published On: 2008-09-26 17:17:41
