Bit9


Enterprise Application Whitelisting


Whitelist-Based Desktop Lockdown: Never Say Never

Posted by Brian Gladstein on Wed, Sep 26, 2007
In the September 2007 issue of VirusBulletin, our CSO Ian Poynter wrote a response to an opinion piece that was originally written by Dr. Vesselin Bontchev in the previous issue of the magazine. You need to be a subscriber to VirusBulletin to read both pieces (register!), but the substance of the discussion centers on whitelisting and was driven by this comment thread on The Register.

Dr. Bontchev took the position in his article that whitelisting will never replace antivirus as a basic security technology. My response? Never is a long time. Here are some other well-known "never's" (and I paraphrase):

There will never be a market for more than 5 computers in the world.
-- Thomas Watson, chairman of IBM, 1943

A PC will never need more than 640K of memory.
-- Bill Gates, founder of Microsoft, 1981

There will never be a reason anyone would want a computer in their home.
-- Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977

And my favorite:

"Guitar music is on the way out."
-- Decca Recording Co. rejecting the Beatles, 1962


I thought the comments to the Register article were fascinating because they reveal why people are so concerned about the concept of a whitelist. Let me summarize the top fears as I interpreted them in that thread:

  1. A dominant vendor controlling the whitelist would stifle competition in the marketplace – particularly from open-source projects and small vendors – by not including them in the whitelist.
  2. There’s simply too much software out there to make a whitelist efficient.
  3. Viruses that don’t run as executables could not be stopped by a whitelist.
Let me address each of these briefly:

A dominant vendor controlling the whitelist would stifle the marketplace

The intellectual in me recognizes that people are concerned with a specific overall model, so let me state this clearly: whitelist-based security should not be implemented with a centrally-managed list of “good” software that is maintained by a single vendor. Bit9 certainly doesn’t work this way and never has. The whitelist itself should be maintained by the customer, a community, or even an individual PC owner. That way you decide what software should and shouldn’t run.

The idea behind whitelisting is to move to a computer management model where the software on the PC is controlled. So rather than being a wide-open platform where any software can be launched by a user or another piece of software, a whitelist-based security model only allows the stuff you want to run. And what gets kept out often includes non-malicious software you don’t own, want, or need.

Now, the cynic in me says “Don’t you realize that this is already happening?!” The antivirus companies collect and distribute signatures that label software as malicious. There have been cases where spyware companies have fought that verdict and won. On the flip side, there are legitimate companies out there whose behaviors have been questioned as getting a free ride from the AV companies (we all know about Sony and Windows Genuine Advantage).

There’s simply too much software out there to make a whitelist efficient.

It’s true there is a lot of software on the Internet. As I write this, our Bit9 Knowledgebase which crawls the web to identify and assess software has cataloged over 4.3 billion software files that make up some 9 million applications… and it grows by about 50 million files every day. Those numbers may sound extreme – but remember, you will only run a tiny, tiny fraction of these, even in a large organization.

I think the confusion comes from a key difference in the way a whitelist model works as compared with a blacklist model. Remember, with a blacklist model like antivirus, the system is trying to match every file on a PC against one of the million or so known signatures for malware.

On the contrary, with whitelists, the system is only trying to match files against what’s on the whitelist. A typical PC has about 10,000 executable files on it, but because of the commonalities between PCs, even a large organization typically won’t have more than a couple hundred thousand unique executable files across the entire organization. So the set of data you are comparing against is only about 1/5-1/10 the size of the malware signature set. Plus all the files on the PC need to be re-assessed every time the blacklist gets updated with new signatures. Not so with whitelists - enforcement is a simple check at program launch time.
The only time the 4.3 billion files come in is when new software comes into your environment. Then you have to identify it (you can use the knowledgebase for that) and decide whether to approve it or not. And this is a highly automated, very efficient process… but I’ll save that for another post.
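To make the launch-time check and the identify-and-decide step concrete, here is an added example (not Bit9's code, and not from the original post) of a minimal owner-maintained whitelist: approval and enforcement are both a SHA-256 set lookup, unknown files are queued for a decision rather than rescanned, and the class, file contents and paths are all constructed for illustration.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"   # hash is on the whitelist, the program may launch
    BLOCK = "block"   # hash is not on the whitelist, launch is denied

class Whitelist:
    """Owner-maintained set of approved executable hashes (hypothetical class)."""
    def __init__(self):
        self.approved = set()   # SHA-256 hex digests of approved executables
        self.pending = {}       # unknown hashes seen at launch, awaiting a decision

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def approve(self, data: bytes) -> str:
        """The PC owner or organisation, not a central vendor, decides what is listed."""
        h = self.file_hash(data)
        self.approved.add(h)
        self.pending.pop(h, None)
        return h

    def check_launch(self, path: str, data: bytes) -> Verdict:
        """Enforcement is a single set lookup at launch; no files are rescanned."""
        h = self.file_hash(data)
        if h in self.approved:
            return Verdict.ALLOW
        self.pending.setdefault(h, path)  # queue for identify-and-decide
        return Verdict.BLOCK

def demo():
    # Constructed stand-ins for executables; a real agent would read them from disk.
    editor = b"MZ...editor-v1..."
    dropper = b"MZ...unknown-installer..."
    tampered = editor[:-1] + b"X"   # one byte changed in an approved file
    wl = Whitelist()
    wl.approve(editor)
    results = {
        "editor": wl.check_launch(r"C:\apps\editor.exe", editor),
        "unknown": wl.check_launch(r"C:\tmp\setup.exe", dropper),
        "tampered": wl.check_launch(r"C:\apps\editor.exe", tampered),
    }
    # The unknown file sits in the pending queue until the owner approves it.
    pending_before = len(wl.pending)
    wl.approve(dropper)
    results["unknown_after_approval"] = wl.check_launch(r"C:\tmp\setup.exe", dropper)
    return results, pending_before, len(wl.pending)
```

Note that the modified copy of an approved file is blocked without any signature for it existing, which is the point of the model: the list describes what may run, not what is known to be bad.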

Viruses that don’t run as executables could not be stopped by a whitelist

Finally, there’s the concern from the Register comments that a whitelist can’t stop every attack – in particular, those that don’t run as executables. Once again, the cynic in me says that neither do antivirus solutions stop every attack – no security solution stops every attack – that’s why the industry promotes layered security in the first place.

But what does a good application control solution stop?

  • Any type of exploit delivering any type of payload
  • A product with a known vulnerability that is being exploited
  • Older versions of applications that are not up to patch specifications
  • The installation of rootkits, botnets, and other software that is virtually undetectable once it does get installed

As part of your security strategy, this provides significantly more flexibility and power than anything currently in your arsenal.

So there it is. Read VirusBulletin – it’s worth it. And let me know what you think!


COMMENTS

As a user of security products it is very hard for us to make a decision to cut anti virus in favor of whitelisting. I think it is easy to just add another product but that ignores the fact that all the security products we are layering on our PCs are making them unusable. We are sacrificing a lot of time and money in products that may have little incremental value. It would be helpful to see some information that explains what type of attacks application whitelisting will not prevent and what anti virus will not prevent to see where the products do not overlap.
App whitelisting "seems" to me to be far more eloquent a solution. Managing local firewalls, and antivirus versions and defs on a fleet of PCs is hardly "set it and forget it technology".
Are there any studies that look at anti virus and app whitelisting as competing technologies?

posted @ Monday, March 24, 2008 5:08 PM by Christian Perago
