Control user installs of software

Learn how to verify the status of applications and data without wresting all control over what users put on their hard drives

I've written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I've recommended that users not have admin or root access, that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons.

First, it doesn't cross over to home computers. Most home users are end-users and system administrators, all in one, even though they're the ones most likely to install malware. Businesses, in general, are less likely to run malware than the average home user because businesses enforce computer security, deploy anti-malware programs, and so on.

Second, I can't think of a single end-user who likes to have someone else decide what they can and can't run and install. I've probably had more hate mail and comments on this than on anything else (other than when I foolishly insult Mac or Linux users). If end-users want to install the latest Windows Media Player codec to watch the newest Paris Hilton waste-of-AV-time video, why not? Who cares if the codec is a Trojan that wants to steal their identity, right? Freedom comes with a cost! I've even had respected InfoWorld colleagues take me to task on this point.

An expert solution

One solution is not to have someone more knowledgeable about nasty software decide whether a particular program or downloaded content is malicious, but to automate the process. I'm not just talking anti-virus programs, which look at only binary signature comparisons and sometimes use heuristics to detect specific behaviors. I mean client-side software examining the program's or content's entire binary (think: cryptographic hash) and making an intelligent, informed decision before the content is executed or loaded.

Several personal firewalls, including ZoneAlarm, will check to see if a local program requesting outgoing network access is normally approved by other users. This is closer to what we need, but it covers only network access and around 100,000 applications. It doesn't prevent local execution, but that's to be expected for a firewall product.

SignaCert, which I've reviewed before, is developing a global file hash database, through which it hopes to catalog every executable file in existence. SignaCert excels at scanning computers to find known and unknown programs, and it's in possibly the best position to contribute to (or lead) the greater vision.

The greater vision

The greater vision is that all computers run a client-side program, potentially embedded in the operating system, that measures the cryptographic hash of all programs and content being downloaded to the computer. Before the program is run or the content loaded, the hash is sent to a global database on the Internet for analysis. The database has a list of programs and content, as well as their related cryptography hashes. Additionally, each registered program has been ranked by security professionals as to the program's security, privacy, and operational methodology. There can be several main categories, each with varying levels of trust, that developers work with. Think of it as kind of like Common Criteria, but with a broader scope.

The idea is that the global database can act as each end-user's personal security advisor and recommend a go or no-go decision. A simple end-user message might say, "This program has been found to collect personal identifiable information, redirect Internet browser searches to paid locations, make potentially malicious modifications to your computer system, and send collected information over outbound network connections to multiple servers. Its legitimate intent cannot be confirmed. Most users have chosen not to install."

Another program, having the exact same behavior, might come from a trusted vendor and be recommended for installation. But at least the end-user would know that the program modifies their system in readily transparent ways. This might encourage legitimate vendors from slipping in "phone home" features without making users aware of why they're doing it.

Media content can be verified not to have known backdoors, malicious scripting, or other unexpected consequences. By default, unregistered programs and content would not run, or they would be subjected to additional scrutiny and controls (for example, sandboxing). Many programs are digitally signed today, but users still don't know what they do.

It is unrealistic for most end-users to be as knowledgeable as a 20-year computer security expert. So doesn't it make sense for us to help innocent end-users, who just want to do their jobs and have a little fun with their computers, make informed decisions?

Because ultimately, we don't want to stop end-users from installing and running any programs they want -- just the bad ones.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

InfoWorld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?