Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is... in fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of... ok, you guessed it: antivirus software. Recognizing the shortcomings of signature-based detection, I relied upon products such as NOD32, Norman Virus Control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arm of current white listing companies touts antivirus as dead and white listing as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software; they can’t get enough of the stuff.

White listing does not *only* allow good programs to run; it allows any program you claim is good to run. If you put a bad program on a white list, it will run and do bad things, regardless of whether or not antivirus products could have detected it heuristically or with signatures. If you white list a program with a remotely exploitable vulnerability, it will be allowed to run. This happens all of the time with white listing. The problem is that you can’t patch the vulnerability until the patch and the patched programs are also white listed.
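The mechanics behind that point, as an added Python example that is not part of the original post: a minimal allow list keyed on the SHA-256 hash of the file contents, the way the simplest white listing products work. The “binaries”, their names and the vulnerability are constructed for illustration; real products also key on path, certificate or publisher, which this example does not model. It shows the three behaviours described above: a listed but vulnerable program runs, a patched build of it is blocked until its new hash is listed, and anything an administrator adds to the list runs no matter what it is.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of the file contents; the only thing a hash-keyed list checks."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables" (hypothetical stand-ins for real files on disk).
VULNERABLE_APP = b"MZ example-app 1.0 (contains a remotely exploitable parser bug)"
PATCHED_APP = b"MZ example-app 1.1 (parser bug fixed)"
TROJAN = b"MZ totally-legit-updater.exe (actually a trojan dropper)"


class HashAllowList:
    """Allow execution only if the file's hash is on the list.

    Nothing here inspects what the file *does*; listing is an act of trust,
    not a judgement about the code.
    """

    def __init__(self, initial_files=()):
        self.allowed = {sha256_hex(f) for f in initial_files}
        self.log = []  # (label, decision) pairs for review

    def add(self, data: bytes) -> None:
        # Whoever can add entries decides what runs; a bad entry is still an entry.
        self.allowed.add(sha256_hex(data))

    def may_run(self, label: str, data: bytes) -> bool:
        decision = sha256_hex(data) in self.allowed
        self.log.append((label, "ALLOW" if decision else "BLOCK"))
        return decision


def demo() -> dict:
    """Walk through the scenarios the text describes and return the decisions."""
    wl = HashAllowList([VULNERABLE_APP])  # the app was approved before the bug was known
    results = {}

    # 1. The listed program is allowed, exploitable bug and all.
    results["vulnerable_app_runs"] = wl.may_run("example-app 1.0", VULNERABLE_APP)

    # 2. The vendor's patched build has a different hash, so it is blocked
    #    until someone white lists it; the vulnerable build keeps running meanwhile.
    results["patched_app_before_relisting"] = wl.may_run("example-app 1.1", PATCHED_APP)

    # 3. An unknown file is blocked (this is the part that works as advertised).
    results["trojan_before_listing"] = wl.may_run("updater", TROJAN)

    # 4. Someone decides the trojan is "good" and lists it; from then on it runs,
    #    and no signature or heuristic is ever consulted.
    wl.add(TROJAN)
    results["trojan_after_listing"] = wl.may_run("updater", TROJAN)

    # 5. Only after the patch itself is listed can the fix be deployed.
    wl.add(PATCHED_APP)
    results["patched_app_after_relisting"] = wl.may_run("example-app 1.1", PATCHED_APP)

    results["log"] = wl.log
    return results


if __name__ == "__main__":
    for label, decision in demo()["log"]:
        print(f"{decision:5} {label}")
```

Note that steps 1 and 4 are exactly the cases where an antivirus engine, with signatures or heuristics, would still have something to say; the allow list has already said yes.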

White listing is applied to web sites also. The idea is that you are only allowed to go to good web sites. This falls apart completely when a good web site is hacked, as the Miami Dolphins’ Super Bowl web site was around January 2007. Hackers placed an exploit on the site that would download a Trojan horse program to compromise users’ computers. ESET had never seen this Trojan before, but NOD32 users who went to the web site found the malicious file blocked because it was detected heuristically. There have been thousands of good web sites that have been compromised. MSN, Tomshardware.com, and Monster.com all come to mind as high-traffic, high-profile, “good” web sites that would certainly appear on such a white list. More recently Download.com hosted some fake antivirus programs for download.

White listing is expensive to do well. Think of the TSA. These are the people at American airports who allegedly do security screening. In practice they are white listing passengers. As a result, there are long lines to get to your gate and it costs a lot of money. In practice the TSA (which means “Take Something Away”) has confiscated mostly harmless items, increased the cost of transportation, and added a bunch of time to travel with little discernible impact on security. Proponents of white listing could of course correctly claim that the TSA uses a pretty dumb approach to white listing and that software white listing uses much more intelligence. This is quite true; however, there is still a significant time and cost overhead to white listing.

I’m actually not at all against white listing. White listing can be an exceptionally good level of defense in some organizations. I am preparing to consult with a company to which I will strongly recommend white listing. For this organization, despite the overhead, white listing is cost effective, but it does not reduce the need for antivirus software.

White listing can be a valuable addition to a defense-in-depth strategy, but it is not a complete defense. Can you imagine telling someone that since airbags add safety to cars you don’t need to wear your seat belt any more?

Well, the person who tells you that white listing means antivirus isn’t needed is the airbag that calls the seatbelt obsolete.

Randy Abrams
Director of Technical Education
ESET LLC