
Redefining Anti-Virus Software

Microsoft Windows users have long been advised to shield their PCs from attacks by using anti-virus software, which principally relies on technology designed to quarantine or delete files that possess certain characteristics of known hostile programs.

But as the anti-virus firms continue to struggle to stand their ground amid a flood of new malicious programs being unleashed each day, a complementary approach to fighting malware is beginning to take root. This approach seeks to identify the universe of known good programs and treat the outliers with extreme prejudice.

Bit9 is at the forefront of this tactic. The Cambridge, Mass., firm was jump-started in 2003 by a grant from the National Institute of Standards & Technology to develop computer immune systems that protect PCs and networks from previously unknown attacks. The company has since indexed approximately 6.2 billion programs available online, scanning each against 28 different anti-virus engines to see whether any of them detect the file as malicious. If one anti-virus vendor flags a file, Bit9 informs customers that the file is suspicious. If two or more AV engines say it is suspect or malicious, Bit9 labels it as such and blocks the application from running, unless the customer overrides the decision.
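The decision logic the paragraph describes is simple enough to model directly: a program is identified by a hash of its contents, an approved hash runs, and otherwise the count of engines that flag the hash decides between "suspicious" (one engine) and "blocked unless overridden" (two or more). The following Python is an added illustration written for this article, not Bit9's or any vendor's code; the file contents, engine names and thresholds are constructed assumptions, and the `strict` flag models the pure allowlist mode a later comment on this page distinguishes from the reputation look-up, where nothing outside the approved set runs regardless of what the engines say.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable file contents (not real binaries).
SAMPLE_FILES = {
    "editor.exe":  b"MZ\x90\x00 constructed known-good editor build 1.0",
    "updater.exe": b"MZ\x90\x00 constructed in-house updater the vendors have barely seen",
    "dropper.exe": b"MZ\x90\x00 constructed stage-one dropper",
}


def file_digest(data: bytes) -> str:
    """A program's identity is its content hash; any byte change yields a new hash."""
    return hashlib.sha256(data).hexdigest()


# Customer-approved programs, identified by hash (constructed allowlist).
ALLOWLIST = {file_digest(SAMPLE_FILES["editor.exe"])}

# Constructed multi-engine scan results: hash -> set of hypothetical engines that flagged it.
ENGINE_DETECTIONS = {
    file_digest(SAMPLE_FILES["updater.exe"]): {"engine-A"},
    file_digest(SAMPLE_FILES["dropper.exe"]): {"engine-A", "engine-B", "engine-C"},
}


@dataclass(frozen=True)
class Verdict:
    digest: str
    label: str        # "allowed", "unknown", "suspicious" or "blocked"
    may_run: bool
    detections: int


def classify(data: bytes, allowlist, detections, *,
             strict: bool = False, block_threshold: int = 2,
             override: bool = False) -> Verdict:
    """Allowlist first; then, in reputation mode, the engine count decides."""
    digest = file_digest(data)
    if digest in allowlist:
        return Verdict(digest, "allowed", True, 0)
    hits = len(detections.get(digest, ()))
    if strict:
        # Pure allowlisting: anything not approved is denied, whatever the engines say.
        return Verdict(digest, "blocked", override, hits)
    if hits >= block_threshold:
        # Two or more engines agree: block unless the customer overrides.
        return Verdict(digest, "blocked", override, hits)
    if hits == 1:
        # A single engine: flag as suspicious but do not block.
        return Verdict(digest, "suspicious", True, hits)
    # No engine knows it and it is not approved: this is the detection gap.
    return Verdict(digest, "unknown", True, 0)


def decide(name: str, **policy) -> Verdict:
    """Run a constructed sample file through the policy with the constructed data."""
    return classify(SAMPLE_FILES[name], ALLOWLIST, ENGINE_DETECTIONS, **policy)


def tampered_copy_is_allowed(name: str, **policy) -> bool:
    """Append one byte to an approved file; the copy no longer matches the allowlist."""
    tampered = SAMPLE_FILES[name] + b"\x00"
    return classify(tampered, ALLOWLIST, ENGINE_DETECTIONS, **policy).label == "allowed"


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        for strict in (False, True):
            print(f"{name:12} strict={strict!s:5} -> {decide(name, strict=strict)}")
    print("tampered editor still allowed?", tampered_copy_is_allowed("editor.exe"))
```

In reputation mode the tampered copy of the approved editor comes back "unknown" and is still permitted to run, which is exactly the window between a new file appearing and engines learning about it; in strict mode it is blocked because only the original hash was approved.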

"We hit a big inflection point in 2007, where for the first time ever more malware was produced than the amount of known good software," said Patrick Morley, Bit9's chief executive. "Users can see fantastic improvements in the time and resources it takes to scan a PC."

Bit9 markets its product mainly to businesses that may want to block all but a subset of known, safe applications from running on their employees' PCs. But this hybrid approach is gaining traction in the larger anti-virus industry, which is beginning to incorporate the same "whitelist" strategy into products sold to consumers.

In an interview with Symantec's vice president of consumer products last month that engendered a strong reaction from readers, Security Fix detailed how Big Yellow was working on a similar whitelist approach, noting that "Symantec engineers are experimenting with different approaches to reduce the time it takes Norton to scan files or hard disks. A big part of that effort seeks to harness Symantec's huge user base to learn which files have a high probability of being safe and therefore do not need to be repeatedly scanned."

Perhaps more telling than the whitelisting approach is the recent move by Russian anti-virus firm Kaspersky Lab, which says it plans to incorporate Bit9's technology in its 2009 family of products. While Kaspersky consistently scores rather high in detecting new malicious software, it is also considered by many to be among the most reliant of all anti-virus firms on signature-based technology.

It's true that Bit9's strategy for fighting malware is tied to the same "blacklist" technologies that have come to define the anti-malware industry to date. And while I don't expect this approach to revolutionize the anti-virus industry, it is refreshing to see at least a few of the heavy hitters acknowledging chinks in their armor, particularly given the dangerous window of vulnerability between the time malware authors ship their latest creations and when anti-virus firms issue new updates to detect these files as hostile.

By Brian Krebs | June 10, 2008; 9:45 AM ET | From the Bunker, Misc., Safety Tips

Comments




It will be good to see the move to whitelists instead of blacklists and shift the power away from the bad guys for the first time: at least then they cannot load malware onto a system silently by sneaking it past AV software.

Posted by: Moike | June 10, 2008 10:32 AM

Brian: Security technology changes constantly, but lawmakers treat it as static. New regulations from the Massachusetts Office of Consumer Affairs & Business Regulation say that if you store sensitive consumer data, you MUST have anti-virus software with "virus definitions". As we evolve away from definition-based protection, this regulator is locking us into it. Similarly, state legislatures are mandating "encryption" for security in ways that don't always make sense. -Ben http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html

Posted by: Benjamin Wright | June 10, 2008 11:00 AM

The way I see it, the AV vendors are planning to use the whitelist approach in order to achieve faster scanning of hard drives, and not as a way to increase security, which would be the case if only whitelisted files were allowed on a system.

Posted by: Igor | June 10, 2008 1:21 PM

What is to say that the bad guys can't just write their programs to mimic a good program to pass a whitelist scan?

Posted by: Dynex | June 10, 2008 4:59 PM

3 things spring immediately to mind here:
1) bit9 uses conventional anti-virus products to keep malware out of their whitelist... a whitelist that is maintained by a blacklist can be no more accurate than that blacklist...
2) the set of good programs is several orders of magnitude bigger than the set of bad programs so they actually have to keep track of more things than an anti-virus company would...
3) patrick morley told a big fat lie about the comparative rates of good/bad software production as bit9's own data (see http://www.slideshare.net/frisksoftware/building-leveraging-white-database-for-antivirus-testing/) pegs microsoft alone as producing the same number of binaries in a day as malware has been produced in the past 20 years...

Posted by: kurt wismer | June 11, 2008 1:26 AM

While this is a good and interesting article, it has some inaccuracies that have confused at least one reader who has posted here. That is: whitelisting is tied to blacklisting. In reality, whitelisting does not require antivirus, nor is it tied to AV or blacklisting. Whether it is whitelisting from Bit9 or another vendor, the enterprise customer determines the known good applications that are authorized to run in a company, business unit or organization. These are typically identified by hash. Those become the whitelisted applications that are allowed to execute. Any others that are not on the whitelist -- whether malware that has not been seen before, custom malware that the AV vendors do not have signatures for yet, or Skype, Google Toolbar or Kazaa -- will not run.
The confusion the writer encountered here likely came up because Bit9 offers an add-on, on-demand look-up reputation service that is based in part on the AV scans. That is a different solution and is not whitelisting. As for the quote on malware, that quote should have been attributed to John Thompson, CEO of Symantec during his keynote at the RSA Conference 2008. It was also spoken about by Peter Firstbrook, Gartner analyst, last week at the Gartner IT Security Summit.

Posted by: Kate | June 11, 2008 12:23 PM

Whitelisting equals censorship. If you produce a new web page and are unknown, where do you apply to be whitelisted?

Maybe I got this all wrong, but a big well known website that is already whitelisted appears from the above to have a better chance of introducing new web pages, under its own name.

Posted by: Stephen John Davis | June 12, 2008 5:42 AM

I have used Symantec's Norton Anti Virus for years and absolutely love it.

JT
http://www.FireMe.to/udi

Posted by: John Thomas | June 12, 2008 8:22 AM

@Dynex: Each piece of software has a unique checksum signature. Any malware's attempt to look like legitimate software could never match the signature of the real software.

Whitelisting could work, but instead of forcibly dis-allowing the entry of any files/programs that aren't on a whitelist, it may be best to ask the user...? Maybe the user knows what they're doing in a special situation...

Posted by: Matt | June 12, 2008 8:27 AM

AV firms once again are behind the times. Malware, spyware or viruses can often fool the whitelist approach. You need more! Application control and NTFS permission-based security is a great start. Virtual sandboxes and virtual security are the new wave.

Posted by: White list not enough | June 12, 2008 8:38 AM

I have been using BlackIce for years, for precisely this feature. Thus I have never needed an antivirus!

Posted by: denizen | June 12, 2008 9:23 AM

One thing that everyone forgets is education; in most cases your common Joe doesn't know how to avoid the places that could give them viruses too.

Techwarrior Network and Computer Services

http://www.techwarrior.biz

Posted by: TECHWARRIOR | June 12, 2008 9:34 AM

Well, my first thought is: poor developer trying to run the new apps he is working on. My next thought is that the viruses will just get embedded in modified versions of existing products.
Ultimately you decide if you get infected: downloading a dozen cracked bit-torrent apps will get you there. Running out-of-date operating systems will do it. Opening the latest email attachment without scanning.
Running a patched, up-to-date Windows, Linux or OSX and only downloading stuff from known safe places like download.com or Linux users' distro repositories will probably keep you safe.

Posted by: matthews | June 12, 2008 10:53 AM

To the comment on whitelisting meaning censorship, this is not website whitelisting we are discussing here -- this is application whitelisting. This is a form of IT control for corporations and governments and organizations that want to protect and manage their laptops, desktops and servers. It does not affect what websites you go to or what you do with your personally-owned computer. There are separate solutions out there for website whitelisting. As for providing users with options - a lot of vendors do offer the "Block and Ask" mode or Monitor mode.

Posted by: Kate | June 12, 2008 11:41 AM

Good points by Kurt. Agreed, current whitelisting technology available today is NOT sufficient to secure an enterprise network as long as vulnerabilities in whitelisted applications still exist.
Malware authors target vulnerabilities. Shellcode running in a buffer overflow is not something whitelisting will stop.

Posted by: Anonymous | June 12, 2008 10:07 PM


Check out SignaCert, a much more holistic and configuration integrity approach:

www.signacert.com

Posted by: itripn | June 13, 2008 1:00 AM

I used Symantec for years, right up until it started using as much of my computer's resources as everything else I was doing combined. I switched to Firefox and free anti-virus software, and I watch what I do and never seem to have problems. Something in this industry has to change soon, but I'm not sure if this is the answer.

http://www.affordablepcgeek.com

Posted by: David | June 13, 2008 1:21 PM

NIST is taxpayer money. US taxpayers are paying money because Billy 3 Gates refuses to scrap his Windows and give his customers a properly secured system. Richest man in the world? Because he sells junk like that at outrageous prices and taxpayers have to pick up the slack?

Posted by: Rick | June 14, 2008 9:34 AM

I'd like to know if Kate is single.

Posted by: Bret Treasure | June 15, 2008 10:59 AM

As the only defense against the bad guys, we have to run antivirus and firewall software and anti-malware and anti-this and anti-that.

Would it not be great if you could connect to the internet with a PC-based system that would be immune to hacks, attacks and any kind of online flu?

I prefer a safe environment online, but you have to be aware of all the numerous ways your PC can be hacked and attacked, and even then it is no guarantee.

I would vote for application whitelisting any time but I will only agree to "selective Windows lockdown" procedures.

G. Hough
http://antivirusandfirewallsoftware.com/

Posted by: Gert Hough | June 16, 2008 12:38 PM
