
Antivirus Whitelisting: The Bad and Good

September 25, 2007

Traditional antivirus works via a blacklist approach, identifying known bad files and responding accordingly. The reverse of that approach, whitelisting, identifies all known good items. Crucial to the success of whitelisting is what occurs after the known good items have been identified.

The bad
Last week, the general manager of Symantec Canada, Michael Murphy, told IT Business.ca that the antivirus giant will "move towards a whitelist philosophy where only the good things will run on the computer." Murphy claims the whitelist approach is sound "because the threats are starting to outweigh the goods".

"Only the good things will run"
The looming question here is, exactly how does Symantec plan to identify and maintain a valid list of all known good software - past, present, and future - much less how can they do so with minimal disruption to users? What impact would such an approach have on small software developers, tool creators, and all the other ad hoc programs that find their way into niche markets based on specific needs? Barring all unknown applications would position Symantec as something akin to big brother, acting as the final authority on what would - or would not - be allowed to run on personal computers. Aren't these the types of decisions only the admin should make? Is this forced compliance what we expect from our antivirus?

Again, the issue here isn't whitelisting as a form of protection, but rather what happens as a result of that whitelisting. And this isn't to say that in some particularly sensitive organizations or on some particularly restricted systems, that such a total lockdown approach isn't valid. Let's hope Symantec has weighed all the issues and that Murphy's comments were either taken out of context or a great deal more was left unsaid.

"The threats are starting to outweigh the goods"
This statement fails the litmus test of credibility because it appears to not even be, well, true. According to Bit9 - arguably the definitive experts on whitelists - the number of valid software "are several orders of magnitude larger and the growth rate at which valid software is growing far outstripped the growth rate of malware." (See: The slow death of AV technology for details).

The good
Antivirus vendor Kaspersky also plans to introduce a form of whitelisting in future products. KAV version 8 is slated to whitelist legitimate applications that are known to have triggered alerts and false positives in the past. The approach Kaspersky outlined is designed to minimize disruption to the user and enhance the performance of the antivirus scanner. In other words, it uses all the goodness of whitelists without bringing in the bad.
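The two policies contrasted above, as an added illustration that is not code from the post or from either vendor: the same hash whitelist is consulted first in both modes, but a "default deny" mode blocks everything unknown, while a "suppress false positives" mode only uses the whitelist to skip the signature scan and still lets unknown, clean files run. File contents, hashes and the malware signature are constructed for the example.

```python
import hashlib

# Constructed sample files (name -> bytes); real scanners would read from disk.
SAMPLE_FILES = {
    "editor.exe": b"well-known text editor build 1.2",
    "nichetool.exe": b"small-vendor utility no AV vendor has ever seen",
    "dropper.exe": b"installer stub EVIL_MARKER payload",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Whitelist of known-good binaries by hash (constructed: only editor.exe is listed).
WHITELIST = {sha256(SAMPLE_FILES["editor.exe"])}
# Blacklist of known-bad content signatures (constructed).
BLACKLIST_SIGNATURES = [b"EVIL_MARKER"]

def blacklist_scan(data: bytes) -> bool:
    """Return True when any known-bad signature is present in the file."""
    return any(sig in data for sig in BLACKLIST_SIGNATURES)

def run_policy(mode: str):
    """Apply one whitelisting policy to every sample file.

    mode == "default_deny": only whitelisted files may run; everything else is
        blocked, including legitimate software nobody has catalogued yet.
    mode == "suppress_fp": whitelisted files skip the signature scan (no alert,
        no scan cost); unknown files are still judged by the blacklist only.
    Returns (verdicts, number_of_signature_scans_performed).
    """
    verdicts, scans = {}, 0
    for name, data in SAMPLE_FILES.items():
        if sha256(data) in WHITELIST:
            verdicts[name] = "allow"      # known good: never scanned, never flagged
        elif mode == "default_deny":
            verdicts[name] = "block"      # unknown is treated as bad
        elif mode == "suppress_fp":
            scans += 1
            verdicts[name] = "block" if blacklist_scan(data) else "allow"
        else:
            raise ValueError(f"unknown mode: {mode}")
    return verdicts, scans

if __name__ == "__main__":
    for mode in ("default_deny", "suppress_fp"):
        print(mode, *run_policy(mode))
```

Under "default_deny" the unknown niche tool is blocked alongside the dropper; under "suppress_fp" it runs, the dropper is still caught, and the whitelisted editor is never scanned.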

Comments
Brian Gladstein says (September 27, 2007 at 9:52 am):

Even though the volume of valid software is so much larger than the volume of malicious software, it takes far less effort to determine if software is valid than it does to determine if it is malicious.

There are many reasons for this, such as the fact that whitelisted software doesn’t try to hide (like rootkits, polymorphic viruses, and hypervisors). Another reason has to do with how many files are on a customer’s whitelist – usually on the order of a couple hundred thousand even at large companies, as opposed to a million malware signatures.

Here are some more reasons why whitelisting is easier than blacklisting.


©2014 About.com. All rights reserved.