Over the last few months, certain well regarded figures in the security industry have told me they are considering ditching their antivirus protection altogether.
Those individuals haven't done so yet, but they feel the days are numbered of having a special application scanning to remove malware on the desktop. Malware has changed, but the applications for rooting malware out have not.
Antivirus programs, as we know them today, are based on the 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is tedious, if not archaic.
In 2007, Symantec detected more than one million viruses, with two-thirds created within the calendar year. Loading one million signatures, or even a percentage of that, if generic signatures are used, is a pretty serious undertaking.
Vendors embrace whitelisting
That's why vendors are talking to me about newer strategies for 2009 and beyond. One of these strategies is the exact opposite of signature file databases: whitelisting.
If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.
That's more or less what Symantec chief executive John Thompson called for at this year's RSA Conference: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting — where we identify and allow only the good stuff to come in — will become critical."
So how viable is whitelisting? It turns out we've been using it to defend against spam for years.
To see how whitelisting works on an enterprise level, I spoke with Tom Murphy, chief strategy officer for Bit9, a Massachusetts-based company that has been quietly leading the way in whitelisting technology.
For several years, Bit9 has been building a Global Software Registry, or GSR, (formerly called Bit9 Knowledgebase), cataloguing 'known good' and 'known bad' applications and files.
Murphy said Bit9 uses three methods — MD5, SHA1 and Omac — to create a unique hash of the file and ensure that the file is what it claims to be. For the moment, the catalogue is used for Bit9's enterprise products, but the company has also entered into an agreement with Kaspersky, which will be using the registry for its 2009 desktop security products.
Bit9 is not alone. SecureWave's Sanctuary, Savant Protection, and DriveSentry have also been creating whitelisting technology for the enterprise.
In addition, big players have started paying attention to whitelisting, such as Google (through its purchase of GreenBorder Technologies), Microsoft (through its acquisition of Winternals Software's Protection Manager) and now Symantec.
However, if hosting a million antivirus signature files is daunting, how many 'clean' files might there be? Think about all the versions of software that exist, not to mention the files those products create.
The downside of whitelisting, indeed the main argument against it, is that all those clean files outnumber the bad ones by a considerable margin. Currently, maintaining a whitelist file is impractical for the desktop.
Malware detection in the cloud
Trend Micro may have the answer to this problem, if it chooses to enter the whitelisting space.
For the last few years, Trend Micro has been building servers around the world to provide continuous service to its software-as-a-service (SaaS) enterprise systems. In June, Trend Micro chief executive Eva Chen told me it's time to bring that SaaS service down to the desktop. Instead of having all the signature files on the desktop, the desktop application would instead ping 'the cloud' and get results from the much larger database of known malware stored there.
Make no mistake: Trend Micro is still using antivirus signature databases. Chen said that, even after 20 years, there are still advantages to pattern-matching antivirus signature files.
For one thing, she said, it's faster than firing up a heuristic sandbox and testing each individual piece of malware. That's true, although it's a matter of saving nanoseconds between the two processes. Still, with several thousand files, those saved nanoseconds do add up. So, instead of running the operation on the PC, the PC sends all its unknowns to a server in the cloud and gets the results back quickly. An added benefit, said Chen, is that new samples are submitted in real-time and evaluated quickly. In her estimate, Trend Micro can have a new signature file for an unknown threat ready within 15 minutes.
'Fifteen minutes' is also the new mantra at Symantec. Tom Powledge, vice president of consumer product management at Symantec, told me the new 2009 Norton products are lighter and faster in part because they've jettisoned the multiple copies of the signature database found in previous versions.
The products are also not scanning each and every file. Instead, the 2009 products will be building a trust index — that is, the application will declare certain files (photos or MP3s, for example) clean and then not scan them again unless the files change.
Powledge showed me a graphic in which roughly 70 percent of a given machine is trusted, and only the remaining 30 percent is actively scanned.
Like Trend Micro, Norton is experimenting with faster new-malware turnaround. Powledge said Norton should be updating not every 15 minutes but every couple of minutes. This is a vast improvement on some antivirus vendors' hourly or even daily updates.
Given the improvements to the traditional antivirus programs proposed by Trend Micro and Symantec, are the days of antivirus applications numbered?
Yes.
I asked Murphy if whitelists work well enough to replace traditional antivirus protection at some companies. He answered, very diplomatically: "If [a customer feels] that they have a control over the environment, some customers have removed antivirus off their machines."
I'm still not convinced that whitelisting is the way to go, but I do know that security solutions in the enterprise space have a way of trickling down to the desktop.
Talkback
Whitelisting whilst at first glance appears to be a panacea will need to deal with the following scenarios:
1. How do you deal with an application that for 99.999% of the community is bad but good for the 00.001% Eg L0phtCrack or similar programs, these have a legitimate use in narrowly defined cases but not in the rest.
2. How will the mechanism of getting your application whitelisted work? It may be OK for a large software house but what about the shareware / SME companies?
3. How will they defend against rogue software managing to get onto the whitelist?
These are just the few off the top of my head. But having tried to use various whitelisting products I find that the work involved is huge, which again is great for large corporates with the time to spend but not for smaller ones.
Well done. This could take out Windows' remaining advantage and make desktop Linux or Mac OS actually more versatile and open.
This post has been removed by a moderator.