As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run.
The technique, known as whitelisting, could help protect your computer. But though some security apps already use this approach (seethe next pagefor our look at a few free downloads), it can also make using your PC a huge annoyance.
"Whitelisting is probably at the top of the list for what the industry needs to move towards," says Jeff Aliber, senior director of product marketing with antivirus maker Kaspersky Labs.
For Kaspersky and other antivirus companies, the ocean of malicious software in circulation today may mean that just tracking known good software will be easier than trying to keep tabs on all the bad stuff. For example, Symantec, which has been pushing for an industry shift to whitelists since last year, anonymously tracks new applications that appear on PCs participating in its Norton Community Watch program. During one week last November, more than half of the 54,000 new executables reported by Community Watch were malicious, says Carey Nachenberg, a vice president and developer with Symantec Research Labs.
In the face of that sobering reality, Kaspersky this summer will release its first consumer antivirus products that bring in whitelists. It will use lists from Bit9, a whitelisting company that maintains a 6.3 billion-strong list of known good applications. The new Kaspersky applications won't automatically block programs not on the Bit9 list, but instead will focus scanning resources on those programs that Bit9 doesn't recognize. Theoretically, that could allow for more careful scrutiny of unknown files with less risk of false alerts.
But that huge number in Bit9's list--6.3 billion--highlights the risk of using whitelists to fully block unknown apps. Nobody has a full list of all good software, so you can't block everything not on a list without eventually blocking some great but relatively unknown programs. And displaying a pop-up that asks you to decide whether an unknown app is okay to run ensures that you'll eventually make the wrong call and break your software or even your system. Most antivirus companies rightly make every effort to minimize the number of alerts that ask us to make a decision; an overreliance on whitelists could roll back those improvements.
Community-Based Security
Symantec says it's looking at one possible solution, which is to bring in its community, where it checks to see if other Norton users have a given program installed. The company reasons that if, say,a hundred thousand people are running a particular app, with no reports to Symantec that it's a threat, then it's likely safe. Nachenberg says the company is experimenting with this kind of reputation-based system to add to its products over the next few years.
And then there's the big question: Who maintains the list? If every antivirus company maintains its own, as Symantec says it wants to, small developers would have to submit their cool new downloads to at least five different organizations--and gain approval from all of them. But an alternative to that prospect isa central list available to everyone, maintained by the government or a neutral, open organization.
"I think a centralized whitelist would be beneficial to everyone," says Kevin Beaver, an independent security consultant with Principle Logic who has written a number of books on computer safety.
"The problem is," he adds,"politics will likely get in the way of anything productive, especially when the big antimalware players want to maintain control. I think we'll see something like[a centralized whitelist]within the next few years, but this type of collaboration can't be pulled together overnight."
Free Downloads for Whitelist Protection
In the meantime, a number of free security tools already use a whitelist approach to protect PCs. However, in using them you'll typically get many pop-ups that may require a good deal of technical knowledge to interpret--a hassle that makes clear the challenge to the major antivirus companies. But if you're willing to deal with the interruptions--which can includereversing a mistaken decision--these downloads can bring strong protection against malware.
First, the Comodo Firewall Pro Free offers full whitelist-style program blocking in addition to its firewall; it works on Windows XP and Vista. Once installed, the program displays an alert when an unknown program runs, and you'll have to choose to allow or deny the new app. Comodo already knows about popular apps such as Firefox and won't display alerts for them, and also provides some good information in the pop-ups to help you decide whether to let a program take a particular action.
It also has a learning mode that automatically creates rules allowing everything on your system to run while it's enabled. This mode can help cut down on the pop-ups when you first install the program, but you should enable it only if you're sure your system is clean.
During installation, the free version prompts you to install a browser search toolbar and change your home page (a $40/year paid option offers remote desktop support for cleaning malware infections). You can opt out of the toolbar installation and browser changes, and can also choose to install only the capable firewall without the whitelisting protection.
Online Armor Free
Like Comodo Firewall Pro, Online Armor Free provides both a firewall and a whitelist approach to program security for Windows NT, 2000, and XP. It does not show pop-ups for many known good programs, and it scans all your installed programs when it first runs so you can quickly tell it what to do with apps it doesn't know about.
When it does alert you to a new, unknown program, Online Armor's popups are informative but generally somewhat harder to decipher than those from Comodo. However, Online Armor goes beyond Comodo with a 'Safer' mode that allows apps to run, but with stripped-down privileges. Safer mode can work well for at-risk applications like Web browsers or e-mail programs, as it pulls administrator rights from such apps and prevents them from making deep system changes. (Read more about admin rights and their risks.)
Online Armor Free has a learning mode, but you'll have to manually check for program updates with the free version. A $40/year paid option adds automatic updates along with online banking protection and other features.
If you're happy with your firewall and just want a dedicated whitelisting security program, System Safety Monitor Free Edition makes for both a quick download (3.25MB) and a quick installation under Windows XP, 2000, 98, and Me. You can set an advanced level of rules for what any given program can or can't do on your system. On the downside, you'll get an alert for almost every program, including common Web browsers, and the information in the pop-ups can be hard to figure out for nonexperts. It's easy to quickly change a mistaken decision, though.
Finally, if you want to access a whitelist with minimal impact, the Fileadvisor Windows Explorer extension, from Bit9 adds a right-click option to check any given file or program against the company's own online whitelist. You'll need to register with the site to get search results (which display in your browser), but since it doesn't block anything, you don't run any risk by using it.
For other free whitelist download recommendations, head to posts on the Wilders Security Forums and CastleCops, two excellent if somewhat technical security resources.
As these apps show, whitelist security may be a tool for techies today. But soon it'll be de rigeur in the battle against malware.