White Listing – The End of Antivirus???

Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is… in the fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of………. ok… you guessed it…. antivirus software. Recognizing the shortcomings of signature-based detection, I relied upon products, such as NOD32, Norman Virus Control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arms of current white listing companies tout anti-virus as dead and white listing as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software; they can’t get enough of the stuff.

White listing does not *only* allow good programs to run, it allows any program you claim is good to run. If you put a bad program on a white list it will run and do bad things, regardless of whether or not anti-virus products can detect it heuristically or with signatures. If you white list a program with a remotely exploitable vulnerability, it will be allowed to run. This happens all of the time with white listing. The problem is that you can’t patch the vulnerability until the patch and the patched programs are also white listed.

White listing is applied to web sites also. The idea is that you are only allowed to go to good web sites. This falls apart completely when a good web site is hacked, as was the Miami Dolphins’ Super Bowl web site around January 2007. Hackers placed an exploit on the site that would download a Trojan horse program to compromise users’ computers. ESET had never seen this Trojan before, but NOD32 users who went to the web site found the malicious file was blocked because it was detected heuristically. There have been thousands of good web sites that have been compromised. MSN, Tomshardware.com, and Monster.com all come to mind as high traffic, high profile, “good” web sites that would certainly appear on such a white list. More recently Download.com hosted some fake anti-virus programs for download.

White listing is expensive to do well. Think of the TSA. These are the people at American airports who allegedly do security screening. In practice they are white listing passengers. As a result, there are long lines to get to your gate and it costs a lot of money. In practice the TSA (which means “Take Something Away”) has confiscated mostly harmless items, increased the cost of transportation, and added a bunch of time to travel with little discernible impact on security. Proponents of white listing could of course correctly claim that the TSA uses a pretty dumb approach to white listing and that software white listing uses much more intelligence. This is of course quite true; however, there is a significant time and cost overhead to white listing.

I’m actually not at all against white listing. White listing can be an exceptionally good level of defense in some organizations. I am preparing to consult with a company that I will strongly recommend white listing to. For this organization, despite the overhead, white listing is cost-effective, but it does not reduce the need for antivirus software.

White listing can be a valuable addition to a defense-in-depth strategy, but it is not a complete defense. Can you imagine telling someone that since airbags add safety to cars you don’t need to wear your seat belt any more?

Well, the person who tells you that white listing means antivirus isn’t needed is the airbag that calls the seatbelt obsolete.

Randy Abrams
Director of Technical Education, ESET

  • http://anti-virus-rants.blogspot.com kurt wismer

    hmmm, i’m confused – i was sure the tsa implemented a blacklist (the no-fly list) rather than a whitelist… that is unless you meant those recently revised rules that i had forgotten about until just now…

    great phrase at the end, though… very funny…

  • Randy Abrams

    TSA does use blacklists as well as white lists. The security check is how they whitelist the passengers. They “scan” each passenger and their belongings before the passenger is allowed to go on to their planes. Whitelisting companies use a ton of antivirus software to scan the files they then place on a whitelist.

  • http://anti-virus-rants.blogspot.com kurt wismer

    oh, i get it now… the tsa is CREATING a whitelist (temporary though it may be) by this method, as opposed to simply using one…

    once you’ve passed through the screening process (which is a blacklist lookup among other things) you get added to the whitelist… very comparable to whitelist vendors putting new samples through a screening process (scanning with known-malware scanners) before adding the file to their whitelist…

    just goes to show how little time i spend in airports, i hadn’t considered that they were making (white) lists on the fly in addition to using pre-made (black/white) ones…

  • rap

    “Miami Dolphin’s Super Bowl web around January 2007”

    – since there are a lot of on-line av bundled scanners (virustotal), i believe malware writers nowadays have modules to check if their malware has virustotal detections before releasing it. Aside from the fact that they might have av software in their back end systems and be checking their malware before releasing it… how will your heuristic detection help in these cases???

  • Randy Abrams

    Actually, the trojan served up on the Super Bowl web site was heuristically detected by NOD32 for at least 6 months prior to the attack. Heuristics will not help when the malware has been tested to defeat them. That is why defense in depth is required.

  • http://trustifier.com Rob Lewis

    Hi Randy,

    The last sentence in your post is correct as applied to “application” whitelisting.

    When you apply whitelisting to pre-determined (deterministic) “behaviors”, at the more granular level of the system or network call, or file access request, then, and only then, does the dependency on AV go away. Such a system would require context from the business/security policies to be effective.
