Good old SSM
I remember using good old System Safety Monitor when I was forced to use Windows. Never had a single breach on XP using that, but on Win7 I've had one infection, that _one time_ I forgot to use my VM web browser :(
Bit9 is using the Infosec show as a launchpad for its move into Europe as part of its wider ambitions to displace traditional antivirus technologies from corporate desktops and data centres. The firm is marketing its brand of trust-based application control and whitelisting as a better way of tackling the growing malware …
I'm not convinced that whitelisting can really work in real-life situations. While it's impressive that they've committed themselves to building such a large database of known programs, there are a few big problems that I can see.
First off is the problem of what a program is. In this day and age so many packages have programming languages built into them. Either that, or the packages are actually development platforms in their own right. In the case of packages that have some form of scripting included as a non-core feature (spreadsheets, word processing apps), it would seem to be impossible to whitelist every single "program" embedded in ordinary files (shared by people) or included in the standard corporate install image (e.g., company templates). The problem here isn't just the volume of programs that would need to be whitelisted if you take this expanded (and more correct) view of what a program is; there would also be confidentiality issues if your company had to send samples of all your in-house macros/script collections for hashing. Even if you could set up the hashing/authentication server in-house, there's still plenty of scope for cock-ups.
Another problem with malware is that quite a lot of it (perhaps the majority?) is exploiting bugs in particular packages. Almost any program that reads in user data has the potential to have bugs which render what should be just input data into live code. So even though a PDF or a particular set of inputs to a web-based service ostensibly doesn't come under the rubric of "programs", they do become a way for malware authors to trick the application or server into executing whatever they want. The whole whitelisting philosophy completely fails here, since user input, data files, and so on simply don't get counted as programs when actually they are.
I noticed in the article that someone attached to the company said that false positives with whitelisting technology were "bad in the early days". It beggars belief that the people building these systems don't even seem to understand the Birthday Paradox when it comes to picking a hashing scheme... That certainly doesn't inspire confidence.
All in all, as it's reported here, the scheme is pure hyperbole, possibly verging on snake oil. IMNSHO.
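To make the gap described in the comment above concrete (a hash-based allowlist decides on the executable, so a script or macro handed to an allowed interpreter never enters the decision), here is an added example in Python. It is not Bit9's code and is not taken from the article; the file paths, the byte contents standing in for binaries and documents, and the check_launch function are all constructed for illustration. The same block also shows the point raised further down the thread that any change to an allowed binary (a patch, or a trojanised copy) changes its hash and is blocked until re-enrolled.

```python
"""Hash-based application allowlisting and the 'what is a program' gap.

Added example, not vendor code. FILESYSTEM is a constructed in-memory
stand-in for files on a corporate desktop; contents are not real binaries.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

WORDPROC = "C:/Program Files/Office/wordproc.exe"
CSCRIPT = "C:/Windows/System32/cscript.exe"
MACRO_DOC = "C:/Users/alice/report.docm"
SCRIPT = "C:/Users/alice/update.vbs"

# Constructed stand-ins (path -> bytes). Only the hashes matter here.
FILESYSTEM: Dict[str, bytes] = {
    WORDPROC: b"MZ\x90\x00 constructed word-processor binary",
    CSCRIPT: b"MZ\x90\x00 constructed script-host binary",
    MACRO_DOC: b"PK\x03\x04 constructed document containing an AutoOpen macro",
    SCRIPT: b'CreateObject("WScript.Shell").Run "cmd /c whoami"',
}


def sha256_hex(data: bytes) -> str:
    """Content hash that serves as a program's identity in the allowlist."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(fs: Dict[str, bytes], trusted_paths: Iterable[str]) -> Set[str]:
    """Enrol the 'known good' corporate image: one digest per trusted file."""
    return {sha256_hex(fs[p]) for p in trusted_paths}


def check_launch(allowlist: Set[str], fs: Dict[str, bytes], exe: str,
                 args: List[str], inspect_args: bool = False) -> Tuple[bool, str]:
    """Decide whether an exec request may proceed.

    Classic behaviour (inspect_args=False): only the executable's hash is
    consulted; whatever it is asked to open is treated as data. With
    inspect_args=True every argument that names a file is hashed too, which is
    what covering macros and scripts would take, at the cost of enrolling every
    template and script in the company (the volume problem from the comment).
    Returns (allowed, reason).
    """
    exe_bytes = fs.get(exe)
    if exe_bytes is None:
        return False, f"{exe}: not found"
    if sha256_hex(exe_bytes) not in allowlist:
        return False, f"{exe}: hash not in allowlist"
    if inspect_args:
        for a in args:
            if a in fs and sha256_hex(fs[a]) not in allowlist:
                return False, f"{a}: unenrolled payload handed to an allowed program"
    return True, "allowed"


def with_tampered(fs: Dict[str, bytes], path: str, extra: bytes = b"\x00") -> Dict[str, bytes]:
    """Copy of fs in which `path` has been modified (patched or trojanised)."""
    out = dict(fs)
    out[path] = fs[path] + extra
    return out


if __name__ == "__main__":
    allow = build_allowlist(FILESYSTEM, [WORDPROC, CSCRIPT])
    # 1. The script host is allowed, so an arbitrary .vbs runs unchallenged.
    print(check_launch(allow, FILESYSTEM, CSCRIPT, [SCRIPT]))
    # 2. Same for a macro-bearing document opened by the allowed word processor.
    print(check_launch(allow, FILESYSTEM, WORDPROC, [MACRO_DOC]))
    # 3. Extending the check to arguments closes that, but only if every
    #    legitimate template is enrolled as well.
    print(check_launch(allow, FILESYSTEM, WORDPROC, [MACRO_DOC], inspect_args=True))
    # 4. A patched (or trojanised) binary no longer matches its enrolled hash.
    print(check_launch(allow, with_tampered(FILESYSTEM, CSCRIPT), CSCRIPT, []))
```

Cases 1 and 2 are the "what is a program" problem: the enforcer sees an allowed executable and never looks at the payload that drives it. Case 3 shows what closing it costs, and case 4 shows why the allowlist has to be re-enrolled on every update.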
@Frumious Bandersnatch > All in all, as it's reported here, the scheme is pure hyperbole, possibly verging on snake oil.
Whitelisting deserves a few brushstrokes in the layered security picture, but touting "pure whitelisting as a 100% replacement for traditional anti-virus/anti-malware protection" is definitely snake oil.
If it looks like a shill and smells like a shill ................................
Just like that signed malicious driver code that occasionally pops up for Windows?
Seriously, this can only work if the whitelisting is done by the entity which owns the computers. Because there always _will_ be that special piece of software you will need, but which isn't in the whitelist.
It also won't help with code-executing bugs in whitelisted software. If anything, it will delay updates, as they first have to be in the whitelist.
So at best it's pointless, at worst it's insecure. And I'm not even talking about the possibility of it leaking program usage statistics to the server.
"Antivirus doesn't work and it's only the addition of anti-spam, firewall, data loss prevention and other technologies that have kept customers buying it," Morley told El Reg.
So that's why every AV is getting increasingly crammed with useless shite: people like him think that we actually want all the bloat. In my own experience VERY few people know about, care about, or want all that. They want an antivirus simply to stop viruses, keep out of their way the rest of the time, and not make their machine unreasonably slow.