Thursday, September 20, 2007

Symantec Considers White Lists

After years of attempting to convince every Symantec SE I met to drop the Sisyphean virus signature database model, it appears that Symantec is finally seriously considering using white lists.

Virus signatures, or lists of all the bad software that your AV vendor thinks you wouldn't want to run on your computer, are "black lists" (or "bad lists" for those of you who, like me, aren't in favor of even a nuance of color discrimination in language). For many people, security practitioners included, the thought of the converse model of "white lists" (or, again, "good lists") has not even entered their minds. In AV terms, this would mean building an anti-malware (yes, "malware", to encompass any of the garbage that you don't want CPU- or memory-resident on your systems) solution that allows only known good code to execute. "Why would anyone want to do that?" you might ask ... Well, because keeping up with all the bad things is Sisyphean (as in rolling a large boulder uphill only to have it fall back down on you several times).

Here's a quick graph to depict the rate of virus variant increases over the past couple decades, taken from F-Secure's blog:

At first glance, there are portions of that curve that look to be increasing quadratically. [Disclaimer: this chart is not meant to be thoroughly scientific, but more of a generalization to paint a picture in a quick blog post.] Ask your average enterprise IT administrator if the number of good, trustworthy applications is increasing on a scale similar to that. The answer should be not just "no" but "heck, no". If it were, there would be all sorts of other management issues, such as change/release/version control, and redundancy of similar applications. So, to put it simply, "white lists" in AV allow an organization to approach their malware problem at the same pace as they approach their "bonware" (beneware? goodware? niceware?).

Marcus Ranum has been saying this for years, too. Review his "6 Dumbest Ideas in Computer Security", starting with #1 (Default Permit) and #2 (Enumerating Badness), which are exactly this issue.
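To make the two models concrete, here is an added example (not from the original post or from any vendor's product) that runs the same four constructed "binaries" through a default-permit bad list and a default-deny good list. It assumes signatures are exact SHA-256 hashes, which is a simplification of real AV signatures; all names and sample bytes are made up for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "binaries"; the byte strings stand in for file contents.
PAYROLL_V1 = b"payroll app build 1.0"       # approved application
PAYROLL_V2 = b"payroll app build 1.1"       # legitimate update, not yet approved
KNOWN_BAD = b"malware sample variant A"     # the vendor has a signature for this
NEW_VARIANT = b"malware sample variant B"   # new variant, no signature yet

BAD_LIST = {sha256(KNOWN_BAD)}     # enumerating badness
GOOD_LIST = {sha256(PAYROLL_V1)}   # enumerating goodness

def bad_list_allows(data: bytes) -> bool:
    """Default permit: run anything that is not on the bad list."""
    return sha256(data) not in BAD_LIST

def good_list_allows(data: bytes) -> bool:
    """Default deny: run only what is on the good list."""
    return sha256(data) in GOOD_LIST

def approve(data: bytes) -> None:
    """Change-control step: add a reviewed binary to the good list."""
    GOOD_LIST.add(sha256(data))

def decisions() -> dict:
    """Map each sample name to (bad-list verdict, good-list verdict)."""
    samples = {"payroll_v1": PAYROLL_V1, "payroll_v2": PAYROLL_V2,
               "known_bad": KNOWN_BAD, "new_variant": NEW_VARIANT}
    return {name: (bad_list_allows(d), good_list_allows(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, (bad, good) in decisions().items():
        print(f"{name:12} bad-list allows={bad!s:5} good-list allows={good}")
```

The new variant runs under the bad list until a signature ships, while the good list denies it by default. The cost shows up in the unapproved update, which the good list also denies until `approve()` is called, so the list only grows at the pace of your own release process.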
