Traditional antivirus works via a blacklist approach, identifying known bad files and responding accordingly. The reverse of that approach, whitelisting, identifies all known good items. Crucial to the success of whitelisting is what occurs after the known good items have been identified.
Last week, the general manager of Symantec Canada, Michael Murphy, told IT Business.ca that the antivirus giant will "move towards a whitelist philosophy where only the good things will run on the computer." Murphy claims the whitelist approach is sound "because the threats are starting to outweigh the goods".
"Only the good things will run"
The looming question here is exactly how Symantec plans to identify and maintain a valid list of all known good software - past, present, and future - much less how it can do so with minimal disruption to users. What impact would such an approach have on small software developers, tool creators, and all the other ad hoc programs that find their way into niche markets based on specific needs? Barring all unknown applications would position Symantec as something akin to Big Brother, acting as the final authority on what would - or would not - be allowed to run on personal computers. Aren't these the types of decisions only the admin should make? Is this forced compliance what we expect from our antivirus?
Again, the issue here isn't whitelisting as a form of protection, but rather what happens as a result of that whitelisting. And this isn't to say that in some particularly sensitive organizations, or on some particularly restricted systems, such a total lockdown approach isn't valid. Let's hope Symantec has weighed all the issues and that Murphy's comments were either taken out of context or a great deal more was left unsaid.
"The threats are starting to outweigh the goods"
This statement fails the litmus test of credibility because it appears to not even be, well, true. According to Bit9 - arguably the definitive experts on whitelists - the number of valid software titles "are several orders of magnitude larger and the growth rate at which valid software is growing far outstripped the growth rate of malware." (See: The slow death of AV technology for details.)
Antivirus vendor Kaspersky also plans to introduce a form of whitelisting in future products. KAV version 8 is slated to whitelist legitimate applications that have been known to trigger alerts and false positives in the past. The approach Kaspersky outlined is designed to minimize disruption to the user and enhance the performance of the antivirus scanner. In other words, utilizing all the goodness of whitelists without bringing in the bad.
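To make the difference between the two philosophies concrete, here is an added illustration (not code from Symantec, Kaspersky, or this post) that runs the same four constructed sample files through a hash-based allowlist and blocklist under two policies: a lockdown policy where only known-good items run, and a false-positive-suppression policy where the allowlist merely overrides blocklist hits. File names, hashes and reputation data are all constructed for the example.

```python
import hashlib
from enum import Enum


class Policy(Enum):
    LOCKDOWN = "lockdown"      # "only the good things will run": unknown files are denied
    SUPPRESS_FP = "suppress"   # allowlist only overrides blocklist hits; unknown files still run


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample content standing in for real executables (hypothetical names).
SAMPLES = {
    "vendor_tool.exe": b"constructed: signed, widely used vendor tool",
    "packer_app.exe": b"constructed: benign packed app that happens to match a bad signature",
    "niche_script.exe": b"constructed: small in-house tool nobody has catalogued",
    "dropper.exe": b"constructed: known malware sample",
}

# Constructed reputation data: the hashes the vendor has already classified.
KNOWN_GOOD = {sha256(SAMPLES["vendor_tool.exe"]), sha256(SAMPLES["packer_app.exe"])}
# The packer appears here too, modelling a signature that fires on a benign file (a false positive).
KNOWN_BAD = {sha256(SAMPLES["packer_app.exe"]), sha256(SAMPLES["dropper.exe"])}


def decide(digest: str, policy: Policy) -> Verdict:
    """Return the execution verdict for one file hash under the given policy."""
    if digest in KNOWN_GOOD:
        return Verdict.ALLOW          # the allowlist wins even over a blocklist hit
    if digest in KNOWN_BAD:
        return Verdict.BLOCK
    # Neither list knows the file: this is exactly where the two philosophies diverge.
    return Verdict.BLOCK if policy is Policy.LOCKDOWN else Verdict.ALLOW


def triage(policy: Policy) -> dict:
    """Map each sample file name to its verdict under the policy."""
    return {name: decide(sha256(data), policy) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, {name: v.value for name, v in triage(policy).items()})
```

The uncatalogued in-house tool is the file whose fate changes: it is blocked under lockdown and allowed under suppression, while the known malware is blocked and the whitelisted packer runs under both.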