Network Computing is part of the Informa Tech Division of Informa PLC


'Whitelisting' Repairs Broken Anti-Malware Model

Today's antivirus model is broken, largely because it seeks to block known malware without any way of anticipating the nature of the next attack. This blacklisting approach hit a rough stretch last year as attackers developed faster, automated ways of launching variations of malware that eluded unsuspecting defenses. As a consequence, a newer "whitelisting" approach has emerged that acts like a nightclub bouncer working from a guest list. If you're not on the list, you're not getting in.

The emergence last year of successive, low-volume attacks that struck targeted networks in waves, each containing slightly varied versions of a particular malware, exacerbates the problem and exposes blacklisting's weaknesses. According to a report on e-mail-borne malware produced last week by e-mail security vendors Proofpoint and Commtouch Software, malware variants each had to be individually identified and blocked, allowing malware writers to stay ahead of signature-based antivirus programs.

"No heuristic can block all of the variants, and by the time a signature is released, that particular outbreak has ended and several new variants have been released," the report says. "In 2006, the massive-variant viruses turned every hour of an attack into a zero-hour."

Whitelisting rests on defining up front the programs allowed to execute inside one's corporate network and excluding everything else, the photo-negative of a blacklist. "Whitelisting puts the onus on the admins to know what things should be running in the enterprise," says Dennis Szerszen, marketing and product development VP at SecureWave, a maker of endpoint security software that applies the whitelisting approach. "With whitelisting, there's no such thing as a zero-day attack."
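The contrast the article draws, between signature blacklisting that must fingerprint each new variant and an allow-list that only admits pre-approved binaries, can be shown with a small simulation. The example below is added here and is not code from the article or from SecureWave's product; the "programs" are constructed byte strings standing in for executables, the hashes are computed from them, and the file names are invented. It also shows the cost Szerszen alludes to: a legitimate program that is patched is denied until an admin re-approves it.

```python
import hashlib

# Constructed sample "executables" (byte strings in place of real PE files).
KNOWN_GOOD = {
    "payroll.exe": b"MZ payroll v1.0 (constructed sample)",
    "editor.exe": b"MZ editor v2.3 (constructed sample)",
}
MALWARE_SAMPLE = b"MZ dropper build 1 (constructed sample)"
UPDATED_PAYROLL = b"MZ payroll v1.1 (constructed sample)"  # a patched, legitimate binary


def fingerprint(program: bytes) -> str:
    """SHA-256 of the file contents; one changed byte yields a different fingerprint."""
    return hashlib.sha256(program).hexdigest()


class BlockList:
    """Signature blacklist: denies only what has already been seen and fingerprinted."""

    def __init__(self, known_bad: list[bytes]):
        self.signatures = {fingerprint(p) for p in known_bad}

    def allows(self, program: bytes) -> bool:
        return fingerprint(program) not in self.signatures


class AllowList:
    """Whitelist: the admin enumerates approved binaries up front; everything else is denied."""

    def __init__(self, known_good: list[bytes]):
        self.approved = {fingerprint(p) for p in known_good}

    def allows(self, program: bytes) -> bool:
        return fingerprint(program) in self.approved

    def approve(self, program: bytes) -> None:
        """Admin action: a new or patched binary must be explicitly added before it can run."""
        self.approved.add(fingerprint(program))


def make_variants(base: bytes, count: int) -> list[bytes]:
    """Constructed stand-ins for a wave of slightly altered rebuilds of one sample."""
    return [base + b" variant " + str(i).encode() for i in range(1, count + 1)]


def count_allowed(policy, programs: list[bytes]) -> int:
    """How many of the given programs the policy would let execute."""
    return sum(1 for p in programs if policy.allows(p))


def simulate_wave(variant_count: int = 5) -> dict:
    """Run one wave of variants past both policies and report how many each lets through."""
    blocklist = BlockList([MALWARE_SAMPLE])          # only the original sample is fingerprinted
    allowlist = AllowList(list(KNOWN_GOOD.values()))
    variants = make_variants(MALWARE_SAMPLE, variant_count)
    return {
        "blacklist_lets_through": count_allowed(blocklist, variants),
        "whitelist_lets_through": count_allowed(allowlist, variants),
        "whitelist_blocks_patched_payroll": not allowlist.allows(UPDATED_PAYROLL),
    }


if __name__ == "__main__":
    print(simulate_wave())
```

Every rebuilt variant carries a new fingerprint, so the blacklist admits all of them until each is individually identified, which is the lag the Proofpoint/Commtouch report describes; the allow-list admits none, but it also denies the patched payroll binary until `approve()` is called, which is the administrative burden of the approach.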

Microsoft is impressed with SecureWave's work. On Monday, the software company gave Sanctuary 4 its stamp of approval by listing it in the Windows Embedded for Point-of-Service catalog. This should give SecureWave traction protecting endpoints used in the retail and hospitality industries, where Windows Embedded for Point of Service is used to build and run software on a variety of devices, including smartphones and ATMs.
