'Whitelisting' Repairs Broken Anti-Malware Model

The emergence last year of successive, low-volume attacks that struck targeted networks in waves, each containing slightly varied versions of a particular malware, exacerbates the problem and exposes blacklisting's weaknesses. According to a report on e-mail-borne malware produced last week by e-mail security vendors Proofpoint and Commtouch Software, malware variants each had to be individually identified and blocked, allowing malware writers to stay ahead of signature-based antivirus programs.

"No heuristic can block all of the variants, and by the time a signature is released, that particular outbreak has ended and several new variants have been released," the report says. "In 2006, the massive-variant viruses turned every hour of an attack into a zero-hour."

Whitelisting abides by the concept of defining up front the programs allowed to execute inside one's corporate network, and excluding everything else, similar to a photo-negative of a blacklist. "Whitelisting puts the onus on the admins to know what things should be running in the enterprise," says Dennis Szerszen, marketing and product development VP at SecureWave, a maker of endpoint security software that applies the whitelisting approach. "With whitelisting, there's no such thing as a zero-day attack."

Microsoft is impressed with SecureWave's work. On Monday, the software company gave Sanctuary 4 its stamp of approval by listing it in the Windows Embedded for Point-of-Service catalog. This should give SecureWave traction protecting endpoints used in the retail and hospitality industries, where Windows Embedded for Point of Service is used to build and run software on a variety of devices, including smartphones and ATMs.

The problem with conventional antivirus systems is that they're knowledge-based, meaning that if the system doesn't recognize a piece of code as malware, it won't block it, agrees William Bell, director of security at CWIE Holding Co. "If you let in a virus or a piece of malware, it can run amok," he says.

Bell has become a fan of the whitelisting approach, where a security system will only execute binary code that he approves ahead of time. CWIE runs Sanctuary 4, which includes application control and device control capabilities. This lets Bell control which applications run on the company's PCs and servers as well as whether users are allowed to plug iPods or memory sticks into their computers.

While CWIE still runs antivirus software despite also using SecureWave's software, the company doesn't use anti-spyware software. Because it's not whitelisted, Bell says, "spyware can't run on our machines."CWIE isn't the only company adapting this new defense paradigm. First National Bank of Bosque County in Texas has dropped antivirus protection from its desktops, although it does use antivirus at the network gateway, thanks to SecureWave's Sanctuary Application Control software. "I don't like the existing antivirus model because it's like sitting around and waiting for the bad guys to shoot you," says First National VP Brent Rickels.

Still, the whitelisting approach comes with its own set of challenges. A company has to identify all of its approved applications to Sanctuary to ensure that legitimate software isn't blocked. Rickels tested the success of First National's implementation by blocking access to games on users' PCs and then asking them to try to open these applications. They couldn't.

The main argument against whitelisting is that it creates administrative overhead by forcing IT managers to inventory their systems so all approved devices and applications can be added to the lists. Once this is done, the whitelist must also take into account software upgrades and patches.

Sanctuary works with automated patching systems like PatchLink and includes a utility tool that automatically updates the list with patches and upgrades once the user creates a baseline listing of applications initially on the network. "There's going to be some administrative overhead in terms of adding clients, applications, and patches," Bell acknowledges, "but the benefits are that rogue applications and devices can't run on your network."

If your enemies are going to adopt new and creative ways to attack you, it makes sense to get proactive about investigating your defense options.