From blacklisting to whitelisting

Shantanu Ghosh
Posted: Thursday, Dec 04, 2008 at 0141 hrs IST
Updated: Thursday, Dec 04, 2008 at 0141 hrs IST



Antivirus software is not dead; it is rather undergoing a game-changing transformation. It has to. After all, the current model of detecting viruses through blacklisting simply cannot keep pace with the volume of malware released every day.

So antivirus must transition to a positive model, shifting from blocking infinite malicious programmes to allowing only proven, legitimate ones.

Among the most promising prospects is a model that uses whitelisting to allow trustworthy applications, blacklisting to block known malware, and reputation-based management to address the ‘long tail’ of unknown malware. The volume of malicious software now outpaces the production of legitimate programmes. Symantec Corp recently measured that out of almost 55,000 unique applications deployed on Microsoft Windows PCs, 65% were malicious.

There’s never been more malware. Nearly half a million new malicious code threats appeared just in the last half of 2007, according to Symantec’s latest Internet Security Threat Report. That’s more than twice as many as were discovered in the first half of 2007 and five times the number detected in the last half of 2006.

And it could get worse as attackers adapt. They have already shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. Using servers that generate a new malware strain every few hours—or minutes—they can unleash individual attacks against each victim. So far, cybercriminals have created millions of distinct malware strains, and antivirus software vendors are collecting tens of thousands more every day.

At the same time, antivirus vendors are feverishly working to generate up to 20,000 new virus fingerprints each day. But most products detect only a fraction of new malware, and many strains of older malware go undetected. Attackers can circumvent most generic signatures by generating new permutations until the antivirus software eventually misses one.

As a result, whereas a few years ago a single signature could protect tens of thousands of users, today a single signature typically protects less than 20 users. Nevertheless, antivirus companies still produce hundreds of thousands of signatures every month.

In such an environment, traditional signature-based detection—or blacklisting—alone is not enough.

Identifying good programmes

As the volume of malicious code rises, security techniques must focus less on analysing malware and more on analysing ‘goodware’. For example, combining whitelisting and reputation-based management together with the latest blacklisting technologies can give organisations effective protection against threats.
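To make the combined model described above concrete, here is an added illustration (not the article's or any vendor's code) in which a file is matched first against a whitelist of proven-good applications, then against a blacklist of known malware, and otherwise scored by a reputation heuristic built from prevalence, age and code-signing status. The digests, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample lists standing in for a vendor's whitelist and blacklist.
# The digests are placeholders, not real file hashes.
KNOWN_GOOD = {"sha256:GOOD-editor", "sha256:GOOD-browser"}
KNOWN_BAD = {"sha256:BAD-dropper"}


@dataclass
class FileFacts:
    digest: str
    prevalence: int          # endpoints that have reported this exact file
    age_days: int            # days since the file was first seen anywhere
    signed_by_trusted: bool  # valid code signature from a trusted publisher


def reputation_score(f: FileFacts) -> float:
    """Heuristic reputation in [0, 1]; the weights are assumed, not a vendor's."""
    score = 0.0
    # Files seen on many machines for a long time are more likely legitimate;
    # a strain pushed to a handful of victims for a day scores near zero.
    score += min(f.prevalence, 1000) / 1000 * 0.5
    score += min(f.age_days, 90) / 90 * 0.3
    if f.signed_by_trusted:
        score += 0.2
    return round(score, 3)


def decide(f: FileFacts, allow_at: float = 0.6, block_at: float = 0.2) -> str:
    """Return 'allow', 'block' or 'quarantine' for one file."""
    # Tier 1: whitelist of proven-good applications.
    if f.digest in KNOWN_GOOD:
        return "allow"
    # Tier 2: blacklist of known malware.
    if f.digest in KNOWN_BAD:
        return "block"
    # Tier 3: reputation for the unknown 'long tail'.
    score = reputation_score(f)
    if score >= allow_at:
        return "allow"
    if score <= block_at:
        return "block"
    return "quarantine"  # hold for analysis rather than guess
```

Files that fall between the two thresholds are held rather than silently allowed or blocked, which is where analysts would spend their effort in such a model.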

Whitelisting has traditionally been used on high-value servers because their static configuration makes a whitelist easy...
