Sunday, November 16, 2008

Is Whitelisting really this lame?

From White Listing - The End of Antivirus?


Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is… in the fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of………. ok… you guessed it…. antivirus software. Recognizing the shortcomings of signature based detection, I relied upon products, such as NOD32, Norman Virus control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arm of current white listing companies tout anti-virus as dead and white list as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software, they can’t get enough of the stuff.

5 comments:

Matt Franz said...

Update Kurt Wismer has some more background on the topic. Stay tuned.

Wes Miller said...

Matt - I’m the Senior Product Manager at CoreTrace (www.coretrace.com), working on our own whitelisting product, BOUNCER by CoreTrace.

This past year has had more and more traditional AV vendors beating the “whitelisting” drum – but of course what they really mean is, “buy our reputation list that will help our slow, inefficient blacklisting software scan your box faster every day”. We’re pretty strong believers that using blacklists as a means to whitelist apps are fundamentally flawed. They are only as good as the blacklist backing them 1) you’ll miss most of your core Line Of Business apps (you’ll have to approve them by hand) 2) you’ll miss zero-day and targeted threats (isn’t that the reason why we’re all giving up on AV/AM/AS and *.blacklisting software overall? “3) Clouds” of trusted content are of course subject to poisoning, depending on how secure the cloud is kept. 4) Just as importantly, everyone overlooks the threat posed by buffer overflows in already whitelisted content – this is a HUGE window of opportunity that blacklisting misses, and most whitelisting software just glosses over (even though it’s the largest window of opportunity on any Windows system).

We’ve made a fundamental decision at CoreTrace, and our ethos is that whitelisting is NOT based around blacklist scanning something until it’s whitelisted – that just doesn’t work. We think customers are sick of paying for a gravy train of signature updates that aren’t really secure them – and we’re having numerous great discussions with AV customers who agree with us.

kurt wismer said...

i'm curious then, wes... does coretrace provide a ready-made list for people to use or do you leave it to the customer to decide what's safe?

if you provide a list, how do you decide what's safe to add to the list without looking for known bad things... if customers have to make their own lists, how are they supposed to know what's safe to add to their own lists without looking for known bad things?

Wes Miller said...

A great question, Kurt. Sorry for the delay!

In our most common scenario, customers will use us a) to secure systems that have been traditionally scanned via AV/AS/anti-malware or b) on newly deployed endpoints with a gold master image. In scenario a, there _is_ an potential possibility that you are whitelisting malware - but this reveals a bigger problem - if your AV/AS/AM technologies haven't been protecting you, how will they going forward as zero-day threats continue to become the norm, not the exception? In the less likely (in a typical enterprise) scenario b, you get the better solution, but obviously with much more work (unless you're already planning a desktop refresh).

So today, the answer is that if your AV/AS/AM has said that your systems are clean, then we leave it to the customer to decide what's safe beyond that.

We are working behind the scenes on several pieces of discovery technology for our next version that will help remove this intrinsic fear (and the manual work that results from it), and give much more visibility into the enterprise as to things that truly should be suspect, and help organizations remove them from their systems.

kurt wismer said...

well wes, not to put too fine a point on it but based on what you describe blacklisting is still the key technology keeping malware off the whitelist...

in scenario a) it's obviously the customer using the blacklist, however in scenario b) it's the 3rd party software vendors that use it to make sure they don't release anything with malware attached and the customer is simply trusting that the 3rd party did a good job of it...

as such, although you may feel (either personally and/or as a company) that using blacklists to determine what's safe to whitelist is a bad idea, in practice that's ultimately what's going to happen unless you actually provide a list of what is safe...