By Laura Yecies
Last month, Rob Vamosi at CNET wrote a pretty forward-thinking story called “Will you be ditching your antivirus apps anytime soon?”
In a nutshell, some people now believe you could theoretically use pure whitelisting strategies to prevent malware from infecting your PC. The idea is that your computer would only be allowed to run ‘known good’ programs and scripts, and anything else would automatically be blocked. It would give users unprecedented control and even potentially replace traditional antivirus technologies.
At face value, it may seem like a crazy idea. Would it really be possible to deem safe all of the legitimate software programs available today? There are thousands, and between updates and new vendors, more appear every day. But the answer is…maybe.
Today, most A/V and A/S programs work by scanning your PC and checking the files against a database of known bad programs, i.e. viruses, spyware, Trojans etc. Many also have on-access scanning, checking files for viruses as you download them. And in an extra step, several are also now using sophisticated heuristics to identify similarities between old malware and so-called “zero-hour” malware…meaning that an A/V signature doesn’t yet have to be available to protect you.
On its own, A/V’s effectiveness is valuable but not fool-proof. However, with a good bi-directional firewall as the foundation, the combination provides good solid protection.
The whitelisting debate is particularly intriguing to our ZA folks, because we’ve long believed it to be a very valuable tool in our arsenal of tricks. SmartDefense Advisor, first launched with ZoneAlarm Pro, is a feature in the ZA firewall that unobtrusively checks newly downloaded software against a vast database of both “known good” and “known bad” programs.
ZA Whitelist: Everything tagged as good is automatically allowed and no ZoneAlarm Alert is shown.
ZA Blacklist: Everything tagged as malicious, or on the blacklist, is “killed” and quarantined to prevent damage to your PC, and no alert is shown.
Unknown: With any program that is previously undetected or not in the database, users receive an alert and are allowed to choose to allow or block it.
Currently, over 2 million programs are identified by the SmartDefense white and black lists. How do we find and catalogue new programs, both good and bad? That’s a unique attribute of ZoneAlarm. As a part of SmartDefense Advisor, we launched a program called DefenseNet. Millions of ZoneAlarm users have opted-in to this program to share their everyday security decisions with us. So when a new good or bad program shows up in the wild, and one of these users clicks “allow” or “deny”, we receive notification and can follow up. Our engineers know very, very quickly. It’s like one giant honeypot.
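As an added illustration (not ZoneAlarm’s own code), here is a toy Python model of the three-way whitelist/blacklist/unknown decision and the opt-in feedback loop just described; the SHA-256 fingerprint, the ProgramAdvisor class, the promotion threshold and the sample “programs” are all assumptions constructed for the example. It also shows why a hash-based whitelist stops recognising a program the moment it is updated.

```python
import hashlib
from collections import Counter

ALLOW, KILL, ASK = "allow", "kill", "ask"   # the three SmartDefense outcomes

def fingerprint(program_bytes: bytes) -> str:
    return hashlib.sha256(program_bytes).hexdigest()  # assumed program identifier

class ProgramAdvisor:  # whitelist/blacklist lookup plus DefenseNet-style feedback tally
    def __init__(self, threshold: int = 3):
        self.whitelist: set[str] = set()
        self.blacklist: set[str] = set()
        self.votes: dict[str, Counter] = {}
        self.threshold = threshold  # opt-in user decisions needed before promotion

    def decide(self, fp: str) -> str:
        if fp in self.blacklist:   # assumption: blacklist wins if a hash is on both lists
            return KILL
        if fp in self.whitelist:
            return ALLOW
        return ASK                 # unknown: show the alert and let the user choose

    def report(self, fp: str, user_choice: str) -> str:
        # An opted-in user clicked "allow" or "deny" on an unknown program.
        tally = self.votes.setdefault(fp, Counter())
        tally[user_choice] += 1
        if tally["allow"] >= self.threshold and tally["deny"] == 0:
            self.whitelist.add(fp)
        elif tally["deny"] >= self.threshold and tally["allow"] == 0:
            self.blacklist.add(fp)   # mixed votes stay unknown for engineers to follow up
        return self.decide(fp)

# Constructed sample "programs": stand-ins for real executables, not real files.
WORD_V1 = b"MZ...word-processor-build-1"
WORD_V2 = b"MZ...word-processor-build-2"   # same product after an update
KEYLOGGER = b"MZ...keystroke-logger"
def demo() -> dict:
    adv = ProgramAdvisor()
    adv.whitelist.add(fingerprint(WORD_V1))
    adv.blacklist.add(fingerprint(KEYLOGGER))
    results = {
        "word_v1": adv.decide(fingerprint(WORD_V1)),
        "keylogger": adv.decide(fingerprint(KEYLOGGER)),
        "word_v2_before": adv.decide(fingerprint(WORD_V2)),  # update changed the hash
    }
    for _ in range(3):   # three opted-in users allow the updated build
        adv.report(fingerprint(WORD_V2), "allow")
    results["word_v2_after"] = adv.decide(fingerprint(WORD_V2))
    return results
```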
Our OSFirewall works along the same philosophy, except it monitors the communications and actions internally. So if one program tries to access or alter another, the OSFirewall can check the whitelist or blacklist to see if that process should be allowed. For example, you need Microsoft Word to be able to work in harmony with your keyboard, but a malicious keystroke logger must be blocked.
Pure whitelisting strategies can currently fail in multiple scenarios, but most notably when hackers use packed malware, i.e. malware hidden within legitimate files or programs. And new software programs are launched every day, and others patched and updated with new features. Code isn’t static. How can all security vendors constantly keep up? True, you can make the same argument for blacklisting…even with heuristics a small percentage of malware can break through current A/V solutions because vendors simply can’t keep the databases fully populated in real time.
BUT, what is more acceptable? A small percentage of malicious programs occasionally leaking through but being caught by other security layers, or legitimate companies being denied the ability to conduct business-as-usual because of vendor delays?
In sum, focused whitelisting is a valuable layer of security. However, as things stand, as a solo strategy it is not as effective as a solution that uses multiple layers of protection. Despite some seemingly insurmountable issues, it’s definitely an area that deserves more focus.