Malware: A Shift To Whitelisting

Malware is a constant and continual threat to your computer and, if you run Windows especially, your computer has a big target on it. The field of malware is shifting constantly and this leads to security products that sometimes fail to protect the PC against something which is brand new.

For this reason, we expect to see an industry shift to whitelisting to protect your machine.

What is Whitelisting?

Well, a blacklist would be a list of offenders. Anything not on that list is assumed to be OK. The problem, today, is that new attacks are spawning so fast that they are not added to a company’s blacklist quickly enough to protect the target PC. So, the opposite approach is the whitelist. Anything on the white list is allowed through, while anything not on the list is assumed evil.

Whitelisting isn’t new. Some security products already use it, such as Comodo Firewall or System Safety Monitor. The problem is that it can lead to an extremely annoying computer experience. You will be subjected to pop-up warnings constantly. So, the challenge for antivirus companies is to switch to whitelisting while not annoying their customer base.

According to Symantec, about 65% of the applications released to the public are malicious. Now, obviously Symantec has a financial interest in perpetuating these kinds of stories, but nonetheless it is an alarming statistic. Symantec is also in a position to be privy to this type of data. Their Norton Community Watch program results in a huge database of applications being run on participating PCs.

Bit9 is a company which maintains a huge list of known-good applications. Antivirus company Kaspersky released their new Internet Security 2009 product which takes into account whitelists maintained by Bit9. The software does not automatically block programs not on the whitelist, but uses the white list as a way of focusing the scanning activity onto higher-risk, unknown apps.

The Bit9 whitelist is humongous, including several billion entries. But, no white list is going to be complete. There are a lot of lesser-known applications out there. So, Symantec is looking at perhaps using crowdsourcing as a solution.

Who Maintains The List?

The idea is to use the collective community of users to determine if an application is OK. If they see the same app on a lot of different machines on the network, then the app is probably OK even if it is not on the whitelist. It is similar to the way Cloudmark puts together its spam filtering service. The difficulty with this model is that it would most easily lend itself to the idea of each security product maintaining its own white list. This would be an administration nightmare for software creators who would need to submit their software to multiple white lists. So, the alternative is to have a central white list. Who maintains that whitelist will be an issue and would also likely lead to a lot of politics and conspiracy theories.
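As an added illustration of the two mechanisms described above (a vendor-maintained allowlist plus community prevalence for apps that are not on it), this is not code from the article or from any vendor product; the sample binaries, machine ids and the threshold of 50 machines are constructed assumptions. It also shows why prevalence must count distinct machines rather than raw reports.

```python
import hashlib
from collections import defaultdict


def file_hash(data: bytes) -> str:
    """Identify an executable by its SHA-256 digest, not by its file name."""
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    """Default-deny: run only what is on the vendor allowlist, or what enough
    distinct machines in the community have already been seen running."""

    def __init__(self, known_good, min_machines=50):
        self.known_good = set(known_good)   # vendor-maintained list (Bit9-style)
        self.min_machines = min_machines    # community prevalence threshold (assumed)
        self.seen_on = defaultdict(set)     # digest -> set of machine ids

    def report(self, machine_id: str, data: bytes) -> None:
        """A participating PC reports an executable it is running."""
        self.seen_on[file_hash(data)].add(machine_id)

    def decide(self, data: bytes) -> str:
        digest = file_hash(data)
        if digest in self.known_good:
            return "allow"
        # Prevalence counts distinct machines, so one machine re-reporting
        # the same file many times cannot vouch for it on its own.
        if len(self.seen_on[digest]) >= self.min_machines:
            return "allow-by-prevalence"
        # Unknown: block outright, or (Kaspersky-style) send to a full scan.
        return "deny"


# Constructed sample binaries; real digests would come from the vendor list.
NOTEPAD = b"constructed bytes standing in for a known-good notepad.exe"
NEW_TOOL = b"constructed bytes standing in for a little-known utility"
DROPPER = b"constructed bytes standing in for a brand-new dropper"

policy = AllowlistPolicy(known_good={file_hash(NOTEPAD)}, min_machines=50)

# 60 different machines report the little-known utility.
for i in range(60):
    policy.report(f"pc-{i}", NEW_TOOL)
# A single machine reports the dropper over and over.
for _ in range(500):
    policy.report("pc-infected", DROPPER)

if __name__ == "__main__":
    for name, blob in [("notepad", NOTEPAD), ("new tool", NEW_TOOL), ("dropper", DROPPER)]:
        print(f"{name}: {policy.decide(blob)}")
```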

Politics aside, whitelisting in some form is perhaps the utopia of PC security. There is just too much going on to expect a security product to always be able to protect a machine against the fast-changing threat scene.


  • SupaChalupa

    What security program would you use Dave?

  • http://www.geezergeek.net Floyd Bufkin

    A little off topic, but I had a new “spam” experience yesterday. Somehow, someone posted an “event” to my Yahoo calendar. And of course Yahoo calendar automatically notified me by email of the upcoming “event”. Now normally I would mark such a message as junk, but if I do that, it might block all of my notifications from my Yahoo calendar.

  • SAP

    If the user community is able to vouch for safe applications, how long will it be before a botnet is harnessed to vouch for unsafe applications?

    This is the opposite from the Cloudmark model, where a botnet that flagged spam messages as such would be welcomed!
