‘Whitelisting’ Takes Care of Ineffective Anti-Malware Systems

The anti-virus programs curre ntly in use have turned ineffective. This is because they have been designed largely to block known malware, and they are unable to anticipate the nature of a new attack. This blacklisting weakness emerged in 2006 when attackers were developing faster, automated techniques of imposing malware that got around unsuspecting defenses. Today a 'Whitelisting' approach is being employed that behaves like a bouncer operating from a guest list. If the list does not recognize the sender it does not allow passage for its item.

Last year waves of successive, limited-numbered attacks that hit targeted networks comprised slight variants of one malware. This aggravates the problem in question and bares open weaknesses of the blacklisting mechanism.

Security vendors Proofpoint and Commtouch Software reported that the malware variants required individual identification and blockage, which gave malware writers enough time to stay ahead of signature-based anti-virus software.

The Whitelisting approach defines programs that it allows to run within a corporate network. It excludes everything else. This mechanism is just opposite of a blacklist approach. According to Dennis Szerszen, marketing and product development VP at SecureWave, Whitelisting makes administrators responsible to find out what all should the enterprise network execute. SecureWave is a developer of security software using the Whitelisting approach. Whitelisting does not allow zero-day attacks.

Conventional anti-virus products are knowledge-based implying that if the product does not consider a certain code as malware, it won't prevent it. This problem therefore makes it useless in many cases where an unrecognized virus or a malware piece can create havoc, agrees William Bell, director of security at CWIE Holding Co.

Admittedly Whitelisting too has its own demerits. It requires a company to make a list of approved applications. That increases administrative costs by compelling IT managers to prepare lists of approved devices and applications to ensure free passage of legitimate software. The Whitelist also needs to consider upgrades and patches.

Bell acknowledges, while Whitelist incurs overhead expenses for the enterprise in terms of adding applications, patches and clients, it has the advantage of disallowing rogue applications and devices to run within the network.

Related article: “Loopholes did not cause online banking thefts”: ICBC

» SPAMfighter News - 1/24/2007