Malware: A Shift To Whitelisting

Posted Sep 12, 2008 | by David Risley  

Malware is a constant and continual threat to your computer and, if you run Windows especially, your computer has a big target on it. The field of malware is shifting constantly, and this leads to security products that sometimes fail to protect the PC against something brand new.

For this reason, we expect to see an industry shift to whitelisting to protect your machine.

What is Whitelisting?

Well, a blacklist would be a list of offenders. Anything not on that list is assumed to be OK. The problem today is that new attacks are spawning so fast that they are not added to a company’s blacklist quickly enough to protect the target PC. So, the opposite approach is the whitelist. Anything on the whitelist is allowed through, while anything not on the list is assumed evil.

Whitelisting isn’t new. Some security products already use it, such as Comodo Firewall or System Safety Monitor. The problem is that it can lead to an extremely annoying computer experience. You will be subjected to pop-up warnings constantly. So, the challenge for antivirus companies is to switch to whitelisting while not annoying their customer base.

According to Symantec, about 65% of the applications released to the public are malicious. Now, obviously Symantec has a financial interest in perpetuating these kinds of stories, but nonetheless it is an alarming stat. Symantec is also in a position to be privy to this type of data. Their Norton Community Watch program results in a huge database of applications being run on participating PCs.

Bit9 is a company which maintains a huge list of known-good applications. Antivirus company Kaspersky released their new Internet Security 2009 product which takes into account whitelists maintained by Bit9. The software does not automatically block programs not on the whitelist, but uses the whitelist as a way of focusing the scanning activity onto higher-risk, unknown apps.

The Bit9 whitelist is humongous, including several billion entries. But no whitelist is going to be complete. There are a lot of lesser-known applications out there. So, Symantec is looking at perhaps using crowdsourcing as a solution.

Who Maintains The List?

The idea is to use the collective community of users to determine if an application is OK. If they see the same app on a lot of different machines on the network, then the app is probably OK even if it is not on the whitelist. It is similar to the way Cloudmark puts together its spam filtering service. The difficulty with this model is that it lends itself most easily to each security product maintaining its own whitelist. This would be an administration nightmare for software creators, who would need to submit their software to multiple whitelists. So, the alternative is to have a central whitelist. Who maintains that whitelist will be an issue and would also likely lead to a lot of politics and conspiracy theories.

Politics aside, whitelisting in some form is perhaps the utopia of PC security. There is simply too much going on to expect a security product to always be able to protect a machine against the fast-changing threat scene.
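As an added illustration (not code from the original post or from any of the vendors named), the Python below sketches the decision logic described above: a hash-keyed known-good list, a blacklist, and a crowd prevalence count that treats an unknown app as trusted only once enough distinct machines have reported it, with everything else routed to scanning rather than blocked outright, as the Kaspersky/Bit9 approach does. All file contents, machine IDs and the threshold are constructed sample values; counting distinct machines rather than raw reports is only the minimal guard against vote stuffing, which the comments below raise.

```python
import hashlib
from collections import defaultdict


def file_hash(data: bytes) -> str:
    """Identify an application by the SHA-256 of its file contents
    (whitelists such as Bit9's are keyed on file hashes)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample lists: stand-ins for a vendor-maintained whitelist/blacklist.
KNOWN_GOOD = {file_hash(b"notepad.exe contents"), file_hash(b"firefox.exe contents")}
KNOWN_BAD = {file_hash(b"dropper.exe contents")}


class Reputation:
    """Crowd-sourced prevalence: how many distinct machines run a given hash."""

    def __init__(self, min_machines: int = 50):
        # hash -> set of machine IDs; a set means repeated reports from the
        # same machine count once, so one noisy (or malicious) host cannot
        # inflate prevalence on its own.
        self.seen = defaultdict(set)
        self.min_machines = min_machines

    def report(self, app_hash: str, machine_id: str) -> None:
        self.seen[app_hash].add(machine_id)

    def prevalence(self, app_hash: str) -> int:
        return len(self.seen[app_hash])


def classify(app_hash: str, rep: Reputation) -> str:
    """Decide what to do with an executable before it runs.

    Order matters: an explicit blacklist hit wins over everything, a
    whitelist hit is allowed, a widely seen unknown is allowed on
    prevalence, and anything else is handed to the scanner instead of
    being blocked, to avoid the pop-up fatigue the article describes.
    """
    if app_hash in KNOWN_BAD:
        return "block"
    if app_hash in KNOWN_GOOD:
        return "allow"
    if rep.prevalence(app_hash) >= rep.min_machines:
        return "allow-by-prevalence"
    return "scan"
```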


3 Responses to “Malware: A Shift To Whitelisting”

  1. SupaChalupa says:

    What security program would you use Dave?

  2. Floyd Bufkin says:

    A little off topic, but I had a new “spam” experience yesterday. Somehow, someone posted an “event” to my Yahoo calendar. And of course Yahoo calendar automatically notified me by email of the upcoming “event”. Now normally I would mark such a message as junk, but if I do that, it might block all of my notifications from my Yahoo calendar.

  3. SAP says:

    If the user community is able to vouch for safe applications, how long will it be before a botnet is harnessed to vouch for unsafe applications?

    This is the opposite from the Cloudmark model, where a botnet that flagged spam messages as such would be welcomed!
