I had always been wondering if it is a good idea allow whitelisting of certain third party application and folders at anti-malware platform so that it can run smoothly without interference from AV scanning. With whitelisting a requirement for the solarwind onion platform, whitelisting would had prevented the anti-malware from detecting malicious activities originating from the compromise software. So should be put a stop to all such whitelisting? Is there a good reason and guidelines to allow whitelisting safely?
Not necessarily. I put many of these types of software on a bit higher scrutiny. WAF, outer ring before the next protection zone, higher degree of logging etc. as a matter of best practice beginning after the Target fiasco. Have I found the magic bad packet? No, eventually I will or someone will get lazy and miss something stupid.
I am just waiting for the final forensics on this and FireEye before jumping to any conclusions, though.
Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.