Coming: A change in tactics in malware battle
- — 27 June, 2008 17:10
As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run.
The technique, known as whitelisting, could help protect your computer. But though some security apps already use this approach, it can also make using your PC a huge annoyance.
"Whitelisting is probably at the top of the list for what the industry needs to move towards," says Jeff Aliber, senior director of product marketing with antivirus maker Kaspersky Labs.
For Kaspersky and other antivirus companies, the ocean of malicious software in circulation today may mean that just tracking known good software will be easier than trying to keep tabs on all the bad stuff. For example, Symantec, which has been pushing for an industry shift to whitelists since last year, anonymously tracks new applications that appear on PCs participating in its Norton Community Watch program. During one week last November, more than half of the 54,000 new executables reported by Community Watch were malicious, says Carey Nachenberg, a vice president and developer with Symantec Research Labs.
In the face of that sobering reality, Kaspersky this summer will release its first consumer antivirus products that bring in whitelists. It will use lists from Bit9, a whitelisting company that maintains a 6.3 billion-strong list of known good applications. The new Kaspersky applications won't automatically block programs not on the Bit9 list, but instead will focus scanning resources on those programs that Bit9 doesn't recognize. Theoretically, that could allow for more careful scrutiny of unknown files with less risk of false alerts.
But that huge number in Bit9's list--6.3 billion--highlights the risk of using whitelists to fully block unknown apps. Nobody has a full list of all good software, so you can't block everything not on a list without eventually blocking some great but relatively unknown programs. And displaying a pop-up that asks you to decide whether an unknown app is okay to run ensures that you'll eventually make the wrong call and break your software or even your system. Most antivirus companies rightly make every effort to minimize the number of alerts that ask us to make a decision; an overreliance on whitelists could roll back those improvements.
Symantec says it's looking at one possible solution, which is to bring in its community, where it checks to see if other Norton users have a given program installed. The company reasons that if, say, a hundred thousand people are running a particular app, with no reports to Symantec that it's a threat, then it's likely safe. Nachenberg says the company is experimenting with this kind of reputation-based system to add to its products over the next few years.
And then there's the big question: Who maintains the list? If every antivirus company maintains its own, as Symantec says it wants to, small developers would have to submit their cool new downloads to at least five different organizations--and gain approval from all of them. But an alternative to that prospect is a central list available to everyone, maintained by the government or a neutral, open organization.
"I think a centralized whitelist would be beneficial to everyone," says Kevin Beaver, an independent security consultant with Principle Logic who has written a number of books on computer safety.
"The problem is," he adds, "politics will likely get in the way of anything productive, especially when the big antimalware players want to maintain control. I think we'll see something like [a centralized whitelist] within the next few years, but this type of collaboration can't be pulled together overnight."
Free Downloads for Whitelist Protection
In the meantime, a number of free security tools already use a whitelist approach to protect PCs. However, in using them you'll typically get many pop-ups that may require a good deal of technical knowledge to interpret--a hassle that makes clear the challenge to the major antivirus companies. But if you're willing to deal with the interruptions--which can include reversing a mistaken decision--these downloads can bring strong protection against malware.
First, the Comodo Firewall Pro Free offers full whitelist-style program blocking in addition to its firewall; it works on Windows XP and Vista. Once installed, the program displays an alert when an unknown program runs, and you'll have to choose to allow or deny the new app. Comodo already knows about popular apps such as Firefox and won't display alerts for them, and also provides some good information in the pop-ups to help you decide whether to let a program take a particular action.
It also has a learning mode that automatically creates rules allowing everything on your system to run while it's enabled. This mode can help cut down on the pop-ups when you first install the program, but you should enable it only if you're sure your system is clean.
During installation, the free version prompts you to install a browser search toolbar and change your home page (a $40/year paid option offers remote desktop support for cleaning malware infections). You can opt out of the toolbar installation and browser changes, and can also choose to install only the capable firewall without the whitelisting protection.