Coming: A Change in Tactics in Malware Battle
As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run.
The technique, known as whitelisting, could help protect your computer. But though some security apps already use this approach (see
"Whitelisting is probably at the top of the list for what the industry needs to move towards," says Jeff Aliber, senior director of product marketing with antivirus maker Kaspersky Labs.
For Kaspersky and other antivirus companies, the ocean of malicious software in circulation today may mean that just tracking known good software will be easier than trying to keep tabs on all the bad stuff. For example, Symantec, which has been pushing for an industry shift to whitelists since last year, anonymously tracks new applications that appear on PCs participating in its Norton Community Watch program. During one week last November, more than half of the 54,000 new executables reported by Community Watch were malicious, says Carey Nachenberg, a vice president and developer with Symantec Research Labs.
In the face of that sobering reality, Kaspersky this summer will release its first consumer antivirus products that bring in whitelists. It will use lists from Bit9, a whitelisting company that maintains a 6.3 billion-strong list of known good applications. The new Kaspersky applications won't automatically block programs not on the Bit9 list, but instead will focus scanning resources on those programs that Bit9 doesn't recognize. Theoretically, that could allow for more careful scrutiny of unknown files with less risk of false alerts.
But that huge number in Bit9's list, 6.3 billion, highlights the risk of using whitelists to fully block unknown apps. Nobody has a full list of all good software, so you can't block everything not on a list without eventually blocking some great but relatively unknown programs. And displaying a pop-up that asks you to decide whether an unknown app is okay to run ensures that you'll eventually make the wrong call and break your software or even your system. Most antivirus companies rightly make every effort to minimize the number of alerts that ask us to make a decision; an overreliance on whitelists could roll back those improvements.
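The two policies described above, a strict whitelist that blocks anything unknown and the Kaspersky-style approach that merely focuses scanning on programs the list doesn't recognize, can be shown side by side in a few lines. The following Python is an added illustration, not code from Kaspersky, Bit9 or Symantec; the file contents, the hash allowlist and the `deep_scan` heuristic are all constructed stand-ins, and the names `Policy`, `decide` and `run_all` are hypothetical. It demonstrates the trade-off from the last paragraph: the strict policy blocks an obscure but legitimate program, while the triage policy lets it through after a scan and still stops the suspicious one.

```python
import hashlib
from enum import Enum


class Policy(Enum):
    STRICT = "strict"  # only allowlisted programs run; everything else is blocked
    TRIAGE = "triage"  # allowlisted programs skip the deep scan; unknowns get scanned


# Constructed sample "executables": these byte strings stand in for real files.
SAMPLE_FILES = {
    "editor.exe": b"MZ...well-known editor, build 1.2",
    "newtool.exe": b"MZ...obscure but legitimate utility",
    "dropper.exe": b"MZ...unknown binary with suspicious loader stub",
}


def sha256(data: bytes) -> str:
    """Hash the file contents; allowlists key on a content hash, not a file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: only the editor is "known good" (a stand-in for a vendor
# list such as Bit9's). The legitimate newtool.exe is deliberately absent.
ALLOWLIST = frozenset({sha256(SAMPLE_FILES["editor.exe"])})


def deep_scan(data: bytes) -> bool:
    """Toy stand-in for a signature/heuristic scan. Returns True if it looks malicious."""
    return b"suspicious" in data


def decide(data: bytes, policy: Policy, allowlist=ALLOWLIST) -> str:
    """Classify one file under the given policy.

    Returns one of: "allow", "block", "allow-after-scan".
    """
    if sha256(data) in allowlist:
        return "allow"  # known good: no scan needed under either policy
    if policy is Policy.STRICT:
        return "block"  # unknown == denied, regardless of what it actually is
    # Triage policy: spend the scanning effort only on files the list doesn't know.
    return "block" if deep_scan(data) else "allow-after-scan"


def run_all(policy: Policy) -> dict:
    """Apply one policy to every sample file and report the verdicts."""
    return {name: decide(data, policy) for name, data in SAMPLE_FILES.items()}


def scans_performed(policy: Policy) -> int:
    """Count how many files would reach the expensive scan under a policy."""
    return sum(
        1
        for data in SAMPLE_FILES.values()
        if sha256(data) not in ALLOWLIST and policy is Policy.TRIAGE
    )


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, run_all(policy), "scans:", scans_performed(policy))
```

Running it shows the strict policy blocking `newtool.exe` (the false positive the article warns about) while the triage policy scans both unknown files and blocks only the one the heuristic flags; the allowlisted editor is never scanned under either policy, which is where the resource saving comes from.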