…and it’s still hybrid. Or multi-layered, if you prefer. What anti-malware companies (and malware authors, if it comes to that) are constantly doing is revisiting concepts that have worked before so that they fit the current environment better: there’s nothing wrong with an evolutionary approach, but changing the terminology doesn’t make it revolutionary. So what Larry Seltzer is describing in a recent eWeek article isn’t exactly groundbreaking technology; it’s what all anti-malware companies originating in traditional AV are doing, to a greater or lesser extent. "File reputation" is pretty much what we used to call integrity checking, and is close to a limited application of whitelisting that’s been in common use since the 1990s. The main difference is that whereas earlier incarnations of anti-virus tended to bundle an integrity checker as a separate application along with a known-virus (signature) scanner, it’s now common to build whitelisting or a near equivalent into the main application. And in those days, no-one described their own server networks as a cloud. ;-)
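To make the relationship between integrity checking and whitelisting concrete, here is an added Python example (written for this page, not code from the original post or from any anti-malware product). It builds a baseline of SHA-256 hashes in the style of a classic integrity checker, admits a file to that baseline only if an external trust check (here, a constructed set of known-good hashes standing in for vendor-published hashes or a code-signing check) accepts it, and then classifies a later scan as whitelisted, modified, unknown or missing. The file names, contents and hash list are all constructed; the point it demonstrates is that the whitelist is only as good as whatever other technology vetted its entries.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample "files": path -> content bytes (stand-ins for real binaries).
SAMPLE_FILES = {
    "bin/editor.exe": b"MZ...editor v1.0",
    "bin/updater.exe": b"MZ...updater v2.3",
    "bin/helper.dll": b"MZ...helper",
}

# Constructed stand-in for an external trust source (vendor-published hashes,
# a code-signing check, etc.). Whitelisting needs some such mechanism to decide
# that a file is "innocent" before it is admitted to the baseline at all.
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(b"MZ...editor v1.0").hexdigest(),
    hashlib.sha256(b"MZ...updater v2.3").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes],
                   is_trusted: Callable[[str, bytes], bool]) -> Dict[str, str]:
    """Integrity-checker baseline: path -> hash, but only for files the external
    trust check accepts. Files it cannot vouch for are deliberately left out."""
    return {path: sha256_hex(content)
            for path, content in files.items()
            if is_trusted(path, content)}


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify the current file set against the baseline.

    whitelisted: hash matches the baseline entry
    modified:    path known, hash differs (the classic integrity failure)
    unknown:     path never vetted, so the whitelist says nothing about it
    missing:     baseline entry with no current file
    """
    result: Dict[str, str] = {}
    for path, content in files.items():
        if path not in baseline:
            result[path] = "unknown"
        elif baseline[path] == sha256_hex(content):
            result[path] = "whitelisted"
        else:
            result[path] = "modified"
    for path in baseline:
        if path not in files:
            result[path] = "missing"
    return result


def hash_is_known_good(path: str, content: bytes) -> bool:
    # The "other technology" the whitelist depends on: here a hash lookup.
    return sha256_hex(content) in KNOWN_GOOD_SHA256


def demo() -> Dict[str, str]:
    baseline = build_baseline(SAMPLE_FILES, hash_is_known_good)
    # Simulate a later scan: updater.exe altered, helper.dll unchanged, a new file dropped.
    later = dict(SAMPLE_FILES)
    later["bin/updater.exe"] = b"MZ...updater v2.3 + unexpected stub"  # constructed tampering
    later["bin/dropped.exe"] = b"MZ...new unvetted file"               # constructed new file
    return check_integrity(later, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:12s} {path}")
```

Note that helper.dll is reported as unknown even though it never changed: the hash list had no opinion on it, so the whitelist cannot admit it, which is exactly why a whitelist on its own is not the "simple solution" and needs another layer to supply the trust decision.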
What’s more interesting is Larry’s critique of various "classic methods" of malware scanning.
What interests me most, however, is his yearning for "a simple solution like absolute whitelisting." It does seem that we’re always looking for the 100% solution that will render current anti-malware solutions unnecessary, in the same way that firewalls, IDS, IPS, reputation services, NAC and a dozen other panaceas du jour were once seen as The Answer. But the fact is that whitelisting itself is hybrid (by which I mean that you can’t whitelist an application without using other technologies to confirm that it’s what AMTSO like to call "innocent"). And it works best as one layer of a defensive strategy, at any rate in the version of the internet in which we currently find ourselves.
David Harley CISSP FBCS CITP
Director of Malware Intelligence