Saturday, May 03, 2008

bad really is in the minority

from liam tung's article "signature-based antivirus is dead: get over it":
However, there is a problem with the use of blacklists, said Turner. "When the majority of stuff you're handling is malicious, it makes more sense to use a white list because that deals with the exception — blacklists only work if 'bad' is in the minority."
i totally agree with this statement... there's just one thing that turner and just about every other av detractor out there fail to realize... bad really is in the minority... bit9 (an application whitelist vendor) has shown that there are several orders of magnitude more good stuff (on the order of billions) than bad stuff (about a half million at the time) and that microsoft alone produced as many good binaries in a day as there had been bad binaries produced in the previous 20+ years combined (from the bit9 presentation at the international anti-virus testing workshop in 2007)...

furthermore, most of the stuff anyone (other than the anti-malware industry) handles is non-malicious (unless you're looking only at email and are considering spam)... most web pages are safe, most binaries are safe, the majority of stuff most regular people encounter on a day to day basis is safe so if you're going to advocate a security technology that focuses on the exceptions you're going to have to get over your perceptual biases and realize that bad stuff is the exception so blacklists make more sense (at least by that logic)...

you've heard the argument that blacklisting is inferior to whitelisting because the list of all bad things is growing too big too fast, but we have quantifiable proof that the list of all good things is far, far bigger and growing far, far faster... that doesn't mean blacklists don't have serious problems (they do) or that whitelists are unusable (they aren't), it simply means that particular argument is fundamentally flawed and if people took the time to become familiar with the reality of the situation they'd know that...
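to make the trade-off concrete, here is an added example (not from the original post, and not bit9's or any vendor's code) that hashes a handful of constructed sample files, builds an allowlist and a denylist from the files known at "update time", and then scores both policies on files that arrived afterwards... the point it shows is the one the post argues: with bad in the minority, a denylist errs by letting the occasional new bad file through, while an allowlist errs on every new good file until someone vets it, and the second kind of error is the one that scales with the much larger population...

```python
"""Added example: how allowlist and denylist policies dispose of files they have never seen."""
import hashlib


def fingerprint(data: bytes) -> str:
    """Hash a file's bytes; both list types identify a binary by its hash."""
    return hashlib.sha256(data).hexdigest()


# constructed sample files: (name, bytes, ground truth). none of these are real binaries,
# the byte strings are made up for this example.
SAMPLES = [
    ("editor.exe",  b"MZ-constructed-editor",  "good"),
    ("calc.exe",    b"MZ-constructed-calc",    "good"),
    ("dropper.exe", b"MZ-constructed-dropper", "bad"),
    # files that appeared after both lists were last updated (simulated update lag):
    ("newapp.exe",  b"MZ-constructed-newapp",  "good"),
    ("newlib.dll",  b"MZ-constructed-newlib",  "good"),
    ("newrat.exe",  b"MZ-constructed-newrat",  "bad"),
]

# both lists are built from the first three samples only
ALLOWLIST = {fingerprint(b) for _, b, truth in SAMPLES[:3] if truth == "good"}
DENYLIST = {fingerprint(b) for _, b, truth in SAMPLES[:3] if truth == "bad"}


def denylist_policy(data: bytes) -> str:
    """default-allow: only a known-bad hash is blocked."""
    return "block" if fingerprint(data) in DENYLIST else "allow"


def allowlist_policy(data: bytes) -> str:
    """default-deny: only a known-good hash is allowed."""
    return "allow" if fingerprint(data) in ALLOWLIST else "block"


def evaluate(samples=SAMPLES) -> dict:
    """For each policy, count bad files that got through and good files that were blocked."""
    result = {
        "denylist": {"bad_allowed": 0, "good_blocked": 0},
        "allowlist": {"bad_allowed": 0, "good_blocked": 0},
    }
    policies = (("denylist", denylist_policy), ("allowlist", allowlist_policy))
    for _name, data, truth in samples:
        for policy_name, policy in policies:
            verdict = policy(data)
            if truth == "bad" and verdict == "allow":
                result[policy_name]["bad_allowed"] += 1
            if truth == "good" and verdict == "block":
                result[policy_name]["good_blocked"] += 1
    return result


if __name__ == "__main__":
    for policy_name, counts in evaluate().items():
        print(policy_name, counts)
```

running it shows the denylist letting the one new bad file through and blocking nothing legitimate, while the allowlist stops the new bad file but also blocks both new good files... which list is the cheaper one to maintain depends entirely on how many of each kind keep arriving, and that is the number the post is arguing about...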
