Sunday, July 13, 2008

if i have a whitelist, do i still need AV?

on reading this dark reading article about a texas bank dumping AV in favour of application whitelisting technology i was reminded of an email conversation i had with a reader who was dealing with almost the exact same issue only days earlier... i've come to realize this is a question more and more people are going to be wrestling with as time goes on so instead of expecting them to contact me privately i'm going to answer the question of whether you need AV software if you have a whitelist here... the glib answer is no you don't need it...

of course that answer continues with: you don't need the whitelist either, or your computer for that matter - people survived perfectly fine before any of that stuff existed...

clearly, the glib answer isn't all that useful...

the real answer is that i can't decide for anyone whether they need AV... in practice security has a lot to do with making trade-offs and which trade-off is right for any particular person or organization is best decided by those who would have to live with the consequences of that decision... what i can do, however, is point out weaknesses in both individual technologies and describe some of the benefits of using them together...

it's no secret that known-malware scanners are ill-suited to detecting new/unknown malware, that updates can be a hassle for large organizations, and that the ongoing subscription fees have in the past seemed like a necessary evil but are increasingly seeming less necessary as application whitelisting works its way into the mainstream...

of course, as we know from figures provided by bit9, the set of good software is larger and growing faster than the set of malware, so a vendor-supplied whitelist will almost certainly be worse from an update point of view (and maybe subscription-wise too)... the customer-editable whitelist is much more palatable in that regard because you only put on it those things you actually need in your production environment... coming up with the initial whitelist (not to mention modifying it if/when the needs of that environment change or when software needs updating) puts the customer in the position of having to decide what's safe and what isn't... certainly one should only trust software from known, reputable sources, but those sources aren't perfect (even microsoft has accidentally distributed malware in the past), so the first benefit of continuing to use a known-malware scanner even though you've chosen to use a whitelist is that you can check the software you intend to whitelist (as whitelist vendors often do for the whitelists they provide)... this is an example of the axiom "trust but verify"...

that alone may not seem like it's enough to warrant keeping the desktop av, however, so consider this: just as known-malware scanners don't recognize everything that's malware, application whitelist software doesn't recognize everything that's a program... will the whitelist software block office macros if the office binaries are on the whitelist? will it block batch, perl, kixtart, etc. scripts if their respective interpreter is on the whitelist? will it block javascript from the myriad ways it can be launched on the system? as an example, i use the application launch control functionality of sunbelt personal firewall as a whitelist and i discovered quite by accident recently that it does not block individual batch files... a known-malware scanner would detect known malware in a batch file, however, and in an office macro, etc... that's a second benefit of keeping known-malware scanners around in a whitelist deployment, and it's one that applies even at the desktop level...

that's not all though... there's also the issue of exploit code targeting vulnerabilities in whitelisted applications... if the exploit needs to launch additional applications that aren't on the whitelist then the whitelisting software will have interfered with and potentially blocked the exploit, but what if all the applications it needs are already on the whitelist? the whitelisting software would be helpless to stop it, but a known-malware scanner might still have at least some chance to do so...

known-malware scanners are weak against that which is novel while application whitelists (assuming no malware gets whitelisted) are weak against that which is exotic... together they're only weak against that which is both novel and exotic... this is the essence of what defense in depth means when it comes to the anti-malware world - not using multiple different scanners but rather using multiple and entirely different types of technology so that the second (or third, or fourth, etc) line of defense can stop at least some of what gets through the cracks in the previous line(s) of defense... it's still up to the people affected to decide whether the benefits of a multi-layered strategy warrant the cost but they should definitely consider it as no technology is an island, perfect unto itself...
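to make the layering concrete, here's a small python model of the two layers described above... this is added here as an illustration, not code from the original post or from any of the products mentioned... the file names, contents and "known malware" hashes are all constructed for the example... a whitelist layer keys only on the hash of the executable being launched, a scanner layer keys on the hash of any content (including the script handed to a whitelisted interpreter), and the "trust but verify" check runs the scanner over a candidate before it is admitted to the whitelist...

```python
"""
toy model of two anti-malware layers: an application whitelist that keys
on the hash of the executable being launched, and a known-malware scanner
that keys on the hash of any content (executable or the script it is
handed).  all files, contents and hashes below are constructed samples.
"""
import hashlib
from typing import NamedTuple, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# constructed stand-ins for on-disk files: name -> content
FILES = {
    "cmd.exe":     b"CMD-INTERPRETER-SAMPLE",            # interpreter, whitelisted
    "hello.bat":   b"@echo benign sample",               # harmless script
    "wiper.bat":   b"@echo known-bad sample",            # script already known to the scanner
    "novel.bat":   b"@echo not-yet-known-bad sample",    # bad, but no signature yet
    "dropper.exe": b"DROPPER-BINARY-SAMPLE",             # known-bad binary, not whitelisted
}

# application whitelist: hashes of executables that may be launched
WHITELIST = {sha256(FILES["cmd.exe"])}

# known-malware scanner: hashes of content already identified as malicious
KNOWN_MALWARE = {sha256(FILES["wiper.bat"]), sha256(FILES["dropper.exe"])}


class Verdict(NamedTuple):
    allowed: bool
    layer: str    # which layer made the decision
    reason: str


def whitelist_only(exe: str, arg: Optional[str] = None) -> Verdict:
    """launch control that inspects only the executable's hash.
    the argument (e.g. a batch file) is never looked at: this is the gap."""
    if sha256(FILES[exe]) not in WHITELIST:
        return Verdict(False, "whitelist", f"{exe} is not on the whitelist")
    return Verdict(True, "whitelist", f"{exe} is whitelisted")


def scanner_only(exe: str, arg: Optional[str] = None) -> Verdict:
    """known-malware scan of the executable and of whatever it was handed."""
    for name in (exe, arg):
        if name is not None and sha256(FILES[name]) in KNOWN_MALWARE:
            return Verdict(False, "scanner", f"{name} matches known malware")
    return Verdict(True, "scanner", "no known-malware match")


def layered(exe: str, arg: Optional[str] = None) -> Verdict:
    """defense in depth: the whitelist decides first, the scanner second.
    only something both novel (no signature) and exotic (not an executable
    the whitelist recognises) gets past both."""
    verdict = whitelist_only(exe, arg)
    if not verdict.allowed:
        return verdict
    return scanner_only(exe, arg)


def safe_to_whitelist(name: str) -> bool:
    """trust but verify: scan a candidate before admitting it to the whitelist."""
    return sha256(FILES[name]) not in KNOWN_MALWARE


if __name__ == "__main__":
    for exe, arg in [("dropper.exe", None), ("cmd.exe", "hello.bat"),
                     ("cmd.exe", "wiper.bat"), ("cmd.exe", "novel.bat")]:
        print(f"{exe} {arg or '':<10} whitelist-only={whitelist_only(exe, arg).allowed!s:<5} "
              f"layered={layered(exe, arg)}")
```

running it shows the four cases the post walks through: the non-whitelisted binary is stopped by the first layer, the benign script passes both, the known-bad script slips past the whitelist (the interpreter is approved) but is caught by the scanner, and the not-yet-known script passes both layers because it is novel to the scanner and exotic to the whitelist...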

5 comments:

Samhan said...

Hi,
This is Samhan from India. I run a cyber cafe and I have to deal with virus/malware all the time. I learned to remove most of them using tools like HijackThis and the like. But still, once malware infects, things don't work the same again. Now there's malware that can't be removed easily, and one toasted the entire XP installation. I'm getting a bit weary and can't be bothered to use Antivirus for reasons too long to list here. There are other options like Sandbox software I am investigating, and whitelisting. Is there a free lunch out there that can solve many of these problems and reduce effort (it takes only about 1.5 - 2 hours to reinstall), so anything better?

{email address removed}

Hope you help

kurt wismer said...

for a public access terminal like you'd have in a cyber cafe, i can't imagine not using drive imaging software... i gather there are programs that behave somewhat similarly in that they automatically wipe all changes when you reboot... returnil is the only name i can remember at the moment but there are a number of them discussed at the wilders security forums...

normally i'd still suggest av as both a preventative and diagnostic measure but i'm not sure what kind of responsibility you have to your customers with regards to notifying them that they may have had their session compromised by malware... if you have no way to contact people who used a particular workstation and you aren't using it yourself then diagnostics become wasted effort... and because it's a public access terminal prevention could arguably be considered a lost cause... if the machines are automatically reverted to a known clean state after each person is finished using them then that will probably serve your needs...

Anonymous said...

There is a FREE and easy to use application called DriveSentry that utilises whitelisting, blacklisting and community feedback. This approach means you don't receive pop ups all the time. Any programs that are allowed to run are allowed access unhindered while known malware is deleted, and if any file is so new that it is unknown then there is assistance available from the huge and growing community.

kurt wismer said...

@anonymous:
drivesentry sounds interesting but there are a few things that worry me...

you say known malware is deleted - what if i want to keep the malware? what if it's a false alarm? i realize people don't like being asked questions by their security software but automatic deletion is not a safe alternative...

also, i gather the whitelist is built using a 'wisdom of crowds' philosophy... is the blacklist built the same way? what about all the conceptual problems with the idea of the wisdom of crowds? specifically that crowds are only good at answering specific types of questions that may not include determining which files are safe and which aren't...

grot said...

This is something I have been looking for for a long time. Thanks!!!