Whitelisting and Elegance

Opinion: Did the security software industry make a historic blunder with their reactive approach? I think it's much easier to criticize them than it is to come up with better alternatives.

The weaknesses of conventional anti-virus are well-known: Its mostly a reactive approach, looking for problems after theyve already been identified. Threats which havent already been found—"zero-day attacks"—either have to be identified through more generic threat detection techniques or slip through undetected.

The generic detections, also known as heuristics, are prone to false positives. Kaspersky Anti-Virus, for example, frequently identifies real e-mails from Bank of America to me as Trojan-Spy.HTML.Fraud.gen. Ive seen false positives on real executable programs too, although its pretty rare from good AV.

Respected kernel researcher Joanna Rutkowska recently blogged on the subject, saying that the signature/heuristics model was a strategic mistake.

"This is an example of how the security industry took a wrong path, the path that never could lead to an effective and elegant solution," she wrote.

But every now and then I get a pitch from a vendor or a note from a reader proposing a whitelist approach. Securewaves "Positive Model" approach is a good example, as is Bit9 Parity. In both cases the idea is to specify which programs can run on the system and disallow anything else.

This sure is a tempting approach, and at least some form of it is surely a good idea on all managed networks. Why should IT in a business allow anything other than approved programs to run on the system? But the idea that this will prevent malware from running on the system in all contexts is wishful thinking, and I think its impractical to implement such systems for homes and very small businesses where there is no experienced administrator with authority over system policies.

/zimages/4/28571.gifF-Secures Internet Security 2008 offers greater detection and scanning capabilities.. Click here to read more.

A related technology that does good in this regard, but falls short of perfection, is the digital signature. Microsoft recently took a lot of guff for blocking a device driver that allowed other drivers to elude their requirement on 64-bit Windows Vista that all drivers be digitally signed and that the signature be issued by a trusted certificate authority.

Microsoft wasnt the first to require digital signatures, although it often seems that way from the claims of those with a "blame Microsoft first" attitude. Java applets, for example, need to be signed in order to perform operations outside of the sandbox, to interact with the file system for instance,. For a good example of this behavior, try the Secunia Software Inspector, an applet that traverses your file system reporting old and vulnerable applications.

Next page: Is there a solution?