Control user installs of software

Learn how to verify the status of applications and data without wresting all control over what users put on their hard drives

I've written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I've recommended that users not have admin or root access, that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons.

First, it doesn't cross over to home computers. Most home users are end-users and system administrators, all in one, even though they're the ones most likely to install malware. Businesses, in general, are less likely to run malware than the average home user because businesses enforce computer security, deploy anti-malware programs, and so on.

Second, I can't think of a single end-user who likes to have someone else decide what they can and can't run and install. I've probably had more hate mail and comments on this than on anything else (other than when I foolishly insult Mac or Linux users). If end-users want to install the latest Windows Media Player codec to watch the newest Paris Hilton waste-of-AV-time video, why not? Who cares if the codec is a Trojan that wants to steal their identity, right? Freedom comes with a cost! I've even had respected InfoWorld colleagues take me to task on this point.

An expert solution

One solution is not to have someone more knowledgeable about nasty software decide whether a particular program or downloaded content is malicious, but to automate the process. I'm not just talking anti-virus programs, which look at only binary signature comparisons and sometimes use heuristics to detect specific behaviors. I mean client-side software examining the program's or content's entire binary (think: cryptographic hash) and making an intelligent, informed decision before the content is executed or loaded.

Several personal firewalls, including ZoneAlarm, will check to see if a local program requesting outgoing network access is normally approved by other users. This is closer to what we need, but it covers only network access and around 100,000 applications. It doesn't prevent local execution, but that's to be expected for a firewall product.

SignaCert, which I've reviewed before, is developing a global file hash database, through which it hopes to catalog every executable file in existence. SignaCert excels at scanning computers to find known and unknown programs, and it's in possibly the best position to contribute to (or lead) the greater vision.

The greater vision

The greater vision is that all computers run a client-side program, potentially embedded in the operating system, that measures the cryptographic hash of all programs and content being downloaded to the computer. Before the program is run or the content loaded, the hash is sent to a global database on the Internet for analysis. The database has a list of programs and content, as well as their related cryptography hashes. Additionally, each registered program has been ranked by security professionals as to the program's security, privacy, and operational methodology. There can be several main categories, each with varying levels of trust, that developers work with. Think of it as kind of like Common Criteria, but with a broader scope.

The idea is that the global database can act as each end-user's personal security advisor and recommend a go or no-go decision. A simple end-user message might say, "This program has been found to collect personal identifiable information, redirect Internet browser searches to paid locations, make potentially malicious modifications to your computer system, and send collected information over outbound network connections to multiple servers. Its legitimate intent cannot be confirmed. Most users have chosen not to install."

Another program, having the exact same behavior, might come from a trusted vendor and be recommended for installation. But at least the end-user would know that the program modifies their system in readily transparent ways. This might encourage legitimate vendors from slipping in "phone home" features without making users aware of why they're doing it.

Media content can be verified not to have known backdoors, malicious scripting, or other unexpected consequences. By default, unregistered programs and content would not run, or they would be subjected to additional scrutiny and controls (for example, sandboxing). Many programs are digitally signed today, but users still don't know what they do.

It is unrealistic for most end-users to be as knowledgeable as a 20-year computer security expert. So doesn't it make sense for us to help innocent end-users, who just want to do their jobs and have a little fun with their computers, make informed decisions?

Because ultimately, we don't want to stop end-users from installing and running any programs they want -- just the bad ones.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?