Application Whitelisting is portrayed by many as the future of anti malware. The idea is, if I can make a list of all the files on my computer that are 'legitimately' there, storing something that will help me clearly identify if they have been 'illegitimately' changed, then I can discard anything else and I can also immediately find out if one of my legitimate files has been modified and I should not use it.
According to Wikipedia, "an emerging approach in combating viruses and malware is to whitelist software which is considered safe to run, blocking all others." Some deem this as superior to the standard signature-based antivirus approach of blocking/removing known harmful software (essentially blacklisting), as the standard approach generally means that exploits are already in the wild.
But Wikipedia also continues :- These products may provide administrative control over program whitelists in addition to preventing introduction of new malware, but they cannot stop exploitation of existing processes in order to gain root (and therefore bypass/disable the whitelisting application). An example is provided to illustrate how this approach can't really stop exploitation of existing processes.
So, while whitelisting sounds like a very nice idea, and, in principle, could well be the future of anti-malware, it does have its limitations and drawbacks.
I want to try and offer some thoughts about them, for those enthusiasts who push this as the absolute future of workstation protection.
Limitations and Drawbacks
In general, when you try to protect something by running the protection on the same something you are trying to protect, you are bound to be subjected to the very issues you are trying to prevent. In other words, we are trying to protect Windows OS from malware intrusions which exploit Windows vulnerablities. But, we run the protection application on the same OS; hence, our protection will suffer from the same vulnerabilities and issues which we are trying to prevent or protect. Seems a bit too obvious that we will have some problems. In fact, one of the first things any malware will try to do will be to deactivate the antivirus. I imagine that once whitelisting becomes mainstream, new malware code will try to find its way around that as well.
To understand possible further issues hidden in whitelisting, we need to understand a bit of the details of how it works.
Obviously, we can't simply create a list that says "explorer.exe is legitimate". Anyone can write malicious code and call it explorer.exe, and replace with it the legitimate one.
So, we need something else. The most common identifier is an MD5 signature. This is very common also in antiviruses; it is a unique identifier, created with a common algorithm, which will uniquely identify a file. We could also add the size of the file to the signature, to be sure we have more than one element to recognize it. So basically now we are building signatures, simple once based on MD5 hashing and expected file size; but still signatures. Whitelisting now becomes nothing more than antivirus signatures, only made for legitimate files rather than for malware.
Let's think of the drawbacks of this.
These "signatures" will need to be kept "somewhere". If we are keeping them on the same computer, how long will it be before malware starts attacking this list, changing it so that the malware itself can replace a legitimate file and not be caught? All it needs to do is rename itself properly, and change the appropriate entry in the list with its own size and MD5 hash. Yes, this is not simple. In theory the protection would fire _before_ the malware can do this and would protect the computer. But this is the theory. In reality the possibility exists that malware might be able to modify that table of protection, and at that point there would be no protection anymore.
Another issue is, how often should that list file change and how big will it be? Think of Windows 7 for example; Microsoft releases new patches every month. These patches modify files on your system, every month. So every month you have a new set of files that have changed. The MD5 has changed, the file size has changed. The signature list needs to be changed as well. The size of that signature file will continue growing, as every single legitimate executable file in every single computer will need its own "signature". This is a list that is rapidly growing to millions of lines.
To overcome both issues (size and the possibility of overwriting) some providers are offering this as a cloud file. So the signature files are no longer on your computer. Which means, you'd better have a live internet connection every time you need to open a new file.
In substance we are replacing long signature files for malware, with long signature files for legitimate applications. For now the latter are smaller for the first - for now. But the list is growing rapidly, every month with every new update from Microsoft, Adobe and the likes. The "size" advantage is rapidly dwindling.
The only real advantage that remains is that this is a 'take no prisoners' approach, which is probably what we really need against malware. I give you a list of legitimate things, and that is it! Everything else is considered dangerous until proven otherwise.
Will this approach truly replace the traditional AV? Some say yes. I continue to be skeptical, simply because I know that sooner or later hackers will find a way around this as they continue to find ways around new antivirus techniques.
My best guess at the moment is that both techniques, and some others that are already emerging, will become common weapons in the daily war against malware; and we will be using all of them.
In the mean time, hackers continue to strike (see the Citibank hack just announced) and we continue to put off fires.
There are a few important security trends that merit watching next year.
The use of DDoS as a tool of political activity and extortion will loom large again and there is no indication that this is a trend that will diminish. As an example, witness the growth of the “Darkness” botnet which has been specifically hired out as a platform for DDoS attacks. This botnet is taking over from BlackEnergy which was previously the leader in this type of attack. It is pretty cheap with prices of $50 per 24 hours being quoted.
A second security trend, social engineering, is going to continue through increasingly sophisticated phishing emails and better websites. The Apr. 29, 2011 marriage of Prince William will be exploited ruthlessly and increasingly SEO will be used to ensure infected websites are high in search results.
And there’s yet another important security trend – financial applications. These will continue to be targeted. Viruses like Zeus and, more critically, URLzone have been used to gain login details for bank accounts. URLzone provides a significant departure, where it acts as a ‘man in the middle,’ able to circumvent two factor authentication (also known as TFA; in brief, the use of two independent mechanisms for authentication; for example, requiring a smartcard and a password. The combination is less likely to allow abuse than either component) by relaying false information back to users). While only able to target a number of banks at present, it is likely that this Trojan or something similar will be developed to encompass more banks in the coming year.
Any other security trends you think we should mention? Call me at (832) 242-5757 or send an email to email@example.com.
Last week, we unveiled the new M-385, which is replacing our popular M-380, as part of the Network Box family of unified threat management (UTM) appliances.
So, why should you upgrade to the M-385? For starters, if you’re a current Network Box USA customer, it won’t cost you a dime – the appliance is lent to you for the duration of your contract and you only pay for the service. So, you don’t have to worry about any hardware purchases or amortizing it over time.
The new M-385 also triples the performance of the M-380 and integrates a wide variety of applications. Some of these include anti-spam, anti-phishing, anti-spyware, firewall, intrusion prevention and protection, and virtual private network. Users get a sophisticated hybrid of hardware and software so your enterprise can fight backdoors, hackers, worms and other online threats.
And there’s more – via our PUSH technology, updates are performed in real time. So whenever a new antivirus signature, security patch or software update becomes available, it’s pushed out to all Network Box devices worldwide in less than a minute.
Support is also provided for Network Box advanced services – such as load balancing, quality of service, and advanced policy-based routing – and the units are monitored from our Global Management System. In addition, they can be integrated with existing clusters and networks of Network Box UTM appliances.
The M-385 is sold through our reseller channel and remotely managed by Network Box USA. Any questions? Click here., call us at 832-242-5758; toll free at 888-315-8886, or inquire via email: firstname.lastname@example.org.
For the second month running, the level of spam and viruses has dropped, as the US and Brazil continue being the primary sources, according to managed security firm, Network Box.
Analysis of Internet threats by Network Box in September 2009 shows that although the overall volume of spam and viruses has dropped slightly, viruses from Brazil have risen by two percent and China has replaced Korea as the third largest source of spam - its levels rising by just one percent in September.
Brazil returns as the world’s number one source of viruses with 16.4 percent of viruses coming from the country, beating the US by 4.6 percent and Korea by a massive 10.4 percent.
Although Brazil tops the spam charts, levels of spam originating from Brazil dropped by 1.6 percent in September. Levels of Spam from the US have also dropped by 1.10 percent.
Phishing attacks, however, remain consistently high at 33.2% of all viruses.
The Network Box global Alert Condition, however, remains at Level 2 for the second consecutive month. While this alert condition continues to be the lowest in nine months, it indicates that Network Box is seeing only limited virus/worm activity, with no major unexploited vulnerabilities or threats.
Mark Webb-Johnson, CTO of Network Box Corporation, says, “Worryingly, phishing attacks remain high, indicating that many Internet users – both corporations and individuals – are still being compromised. We are still concerned about the SMB2 vulnerabilities affecting Vista and Windows Server 2008 (Microsoft Security Advisory 975497) and are keeping a very close eye on how this develops.”
Simon Heron, Internet Security Analyst for Network Box adds: “The proportion of phishing attacks suggests that this is proving to be a successful tactic and it can be see that the exploits are becoming increasingly sophisticated. So, IT departments should take this opportunity as people are back from holiday to repeat their warnings about phising, make themselves aware of the threat and ensure their defence are fully updated.”