Bit9


Enterprise Application Whitelisting


Pro-Active Protection: The more you ask the worse it gets

Posted by Mario Vuksan on Wed, Aug 06, 2008

Microsoft luminary and fellow Bostonian Vinny Gullotto talked about the latest findings of his threat response team. He shared a few incredible results demonstrating just how many infected endpoints are out there.

For example, Gullotto claims that Windows Defender, Microsoft's anti-spyware application, finds on average two pieces of unwanted code per machine. The program runs on 62M machines! But that's not all. His team has performed 42M disinfections over the last 6 months, claiming that each day 15M pieces of malicious code execute successfully. Even though most of their tracked endpoints belong to the consumer segment and do not represent corporate endpoints, these are very sobering statistics.

This certainly proves time and time again that traditional blacklisting is not rising to the challenge. One can certainly argue that proactive protection would do a better job. Heuristic, HIPS, or behavioral approaches would certainly be beneficial. Yet the downside of proactive protection is its false positives and the ubiquitous user prompts. What does an average user do when you ask him or her, "Hey, there's something potentially malicious or unwanted on your machine. What do you want to do?" The user knows what to do, and the researcher is absolved of any other responsibility. Sounds odd? It does to almost any researcher that I have ever spoken to, but there was no tangible evidence.

 


Yet the latest data available in Microsoft's Security Report shows what we needed to know. Anywhere from 10% to 25% of users ignore warnings that there is something malicious on their machine, that is, if they are given a choice. If you are running an enterprise, these are shocking findings, and you will wish that you had locked down every one of your personal computers. Application whitelisting is a better choice here for a concerned IT administrator, as it allows him or her to set policies on what types of applications are automatically allowed to run. This set-it-and-forget-it approach makes choices up front and does not require an end user downloading an infected video codec to guess whether a "do you want to block a trojan?" message is real or not.
