73 Comments
- JamesMorris, on 06/12/2008, -1/+61: Don't install random active x toolbars to watch your 1980's milf porn. Problem solved. The Human brain and common sense is the best anti-virus.
- TheBogie, on 06/12/2008, -2/+56: Any good anti-virus should detect and automatically remove Norton "Anti-virus".
- whytey, on 06/12/2008, -3/+22: NOD32 ftw
- Viliam, on 06/12/2008, -0/+15: So if I am working on a small free software project, how exactly should I add it to the whitelist? Should I send an e-mail to the whitelist keepers? Will they check thousands of submissions daily? How much will it cost the software developer?
The idea "use whitelists instead of blacklists" seems interesting, but without answering these details it is not obvious if it is a good idea. It may result in a world where software developers have to pay a lot of money to various whitelist providers just to keep their products included. Also if the company's whitelist is built using blacklists from 28 antiviruses (as is written in the article), I do not understand why should such whitelist be better than original blacklists. It is just using someone else's work and pretending that they have something completely new.
- waebi, on 06/12/2008, -2/+12: But I want boobs :(
and setup.exe can't be dangerous, right, it will just install them.
- NihilFist, on 06/12/2008, -0/+9: You could have HAL 9000 for an antivirus and you'd still get infected if you go around the "dark side" of the web downloading all kinds of crap.
No antivirus will be better than some good ol' human common sense.
- webcrumb, on 06/12/2008, -0/+7: Didn't that game get really bad reviews?
- sjmulder, on 06/12/2008, -2/+7: You should see Norton Anti-virus on a laptop that's "Vista-basic" certified running Vista. Not a joy.
- TheSuperunknown, on 06/12/2008, -0/+5: Furthermore, the average user who can't manage to run Windows safely doesn't have a prayer operating Linux in any capacity.
- Kotori146, on 06/12/2008, -0/+5: You're quite wrong, a lot of the security holes and vulnerabilities are in applications, i.e. Flash, web browsers etc. These are the vectors for the viruses and not the OS.
- kahrn, on 06/12/2008, -0/+5: This is true for personal use. But when you try and apply it to the corporate environment it ultimately fails.
- remakeru, on 06/12/2008, -0/+4: I've been using no antivirus for a while now and I haven't had any problems with any spyware or virus... It's important though not to open muzic.mp3.exe and visit stupid porn sites that require you to install an activex control...
- TheWindBlows, on 06/12/2008, -0/+4: Comodo Firewall is great, I hear people with a bit of knowledge turn off Vista UAC and use Comodo Firewall's Defense+ instead because it gives better information than the UAC prompt and is easier to understand most of the time.
- sjmulder, on 06/12/2008, -0/+4: From the article I understand that it works more like a whitelist -and- a blacklist. Gray apps are treated with suspicion, but not entirely blocked.
- sjmulder, on 06/12/2008, -2/+6: Dugg up for truth. It's time we see some viruses for Mac and Linux ;)
- rmxz, on 06/12/2008, -1/+5: Or better, OS's where even malicious executables do limited harm. Then it's not as big a deal if you run an unsigned app. SELinux comes to mind.
One could also argue that you shouldn't be downloading executables (signed or not) but rather signed source code packages that get compiled on your system.
Otherwise you are putting too much trust in the signer - and IIRC even Microsoft themselves sometimes packaged malware.
- relinquish, on 06/12/2008, -0/+3: See point number two @ http://www.ranum.com/security/computer_security/ed ...
Although more suited towards the corporate environment, some modifications of this technique could prevent a large percentage of viruses in the home.
- Eezyville, on 06/12/2008, -0/+3: What's the worst it could do on linux? Mess up your "my Documents" folder? It needs the admin password to mess with anything serious.
- rmxz, on 06/12/2008, -0/+3: White Lists aren't new. Long popular programs like Tripwire are essentially whitelists.
- mynameistux, on 06/12/2008, -9/+12: May I be the first (and probably most buried for it) to suggest that people abandon windows (aka swiss cheese when it comes to security holes) and use linux. (or mac, if that works for you I suppose)
- hmunkey, on 06/12/2008, -0/+3: Because in large corporations, people always install active x toolbars to watch milf porn.
- ZachSka87, on 06/12/2008, -0/+3: F-ing Worst. Game. Ever.
Save your money and buy Windows.
- chrispr, on 06/12/2008, -0/+3: This was a silly article.
To sum it up:
A few anti-virus companies are tired of getting beat by malware, so they're trying a white-list approach (Anything not verified is forbidden).
In my opinion, Heuristics is the only way from here. It needs a lot of research and perfection, but the ways malware can obfuscate their signatures so easily destroys any hope for signature scanning to remain useful past another few years.
- TheSuperunknown, on 06/12/2008, -0/+3: Well... Yes. You can't control everybody. There will always be some idiot to ***** it up for everyone else.
- FZero, on 06/12/2008, -0/+2: If MS ever fixes Windows, all anti-virus makers will be out of jobs. In fact they've tried it with Vista - yep, there was an effective system-file protection feature in there in one of the pre-releases - but the feature was removed due to market pressure. Ridiculous innit?
- kahrn, on 06/12/2008, -0/+2: Neither whitelists nor blacklists (or any form of list) are the right approach imo.
- s32843, on 06/12/2008, -0/+2: I moved to ubuntu/xubuntu 2 months ago. The issue of finding a good anti-virus is gone.
- init100, on 06/12/2008, -0/+2: "Or better, OS's where even malicious executables do limited harm. Then it's not as big a deal if you run an unsigned app. SELinux comes to mind."
I agree. SELinux allows a program to perform only those actions previously allowed in the security policy, nothing else. This is the correct way to solve the problem. Signatures only show that a certain file was made by a certain entity, it shows nothing else. Signature-based whitelists require you to trust the signing entity and the developer completely. Signatures do not protect against incompetence or malicious intent of the original developer.
- snapcase, on 06/12/2008, -1/+3: Safe habits are always the best defense but I wouldn't want to go without at least some extra line of protection. Especially if there's any chance of someone other than you using your computer.
- chrispr, on 06/12/2008, -0/+2: Linux and Mac malware exists.
- encrypteduser, on 06/22/2008, -0/+1: Most likely there will be some type of algorithm through correlation to determine if a file is good or bad based on patterns found in families of malware.
- Tenoq, on 06/13/2008, -0/+1: *facepalm*
If you can't see your brain, how do you know you're not brainless?
- finezapa, on 06/12/2008, -0/+1: Appsense is another popular one. Commonly used in Citrix environments.
- linuxpenguin, on 06/12/2008, -1/+2: Digital signatures aren't enough. They can be forged if you know what you're doing.
- Inquisition, on 06/13/2008, -0/+1: I'm hoping you meant "clicking" and that "licking" was a typo. I would have to wonder about your surfing habits.
- nickert0n, on 06/12/2008, -0/+1: yup
- snapcase, on 06/12/2008, -0/+1: Good AV program (my personal choice for my machines) but isn't a behavior blocker.... which is what this article is referring to.
- snapcase, on 06/12/2008, -0/+1: Haven't heard of OpenOffice.org yet? Only reason you'd bother with MS office.
And man you need to switch to decaf if you get that worked up for someone suggesting to use linux...
Especially when it's a moot point. Not like Linux can't be affected by malware... it is safe at the moment but if the majority of users switched to either Linux or Mac then they would be the most targeted systems by malware.
- BinaryCortex, on 06/12/2008, -0/+1: I have been using the free version of AVG anti-virus for 8 years, and now it comes with anti-spyware as well. That coupled with firefox and I have been virus free the whole time. Oh yea, and patch your friggin windows will ya. Half the time there is already a patch that negates said virus.
- snapcase, on 06/12/2008, -0/+1: Kaspersky is only a script watcher in regards to behavior blocking. It's a good addition but not a full behavior blocker.
- weebit, on 06/13/2008, -0/+1: And that may not be the answer to the problems either. First you get a reputable software company or website. Then you get some idiot or a person not in the know that accidentally allows malware in either the software or on the website. So the website has been whitelisted and you get a couple hundred or so people visiting the website, or download, or maybe even a cd/dvd and TA DA! It has happened.
I don't know myself what needs to be done about all the crap. All I do know is that we are continuously getting more and more security software. You name it, probably it's out there. For now you have spyware scanners, anti-virus scanners, Trojan scanners, firewall scanners, adware scanners, botnet scanners, etc. When does this end? Everyone doing reviews are saying the same thing. Everyone out there for years to come will be asking the same thing. "Do I need this? Is this any good?" And what will happen is many other security software makers will make a copycat software for whitelist too. We are starting to get swamped with security scanner software now as it is. Sheesh the security software makers will have us milked dry eventually. We will be dishing out a 400 buck fee just to cover the security software for a new computer if we don't take a stand. Plus the one thing is... just like all of the other security software we have already, there will always be those malware creators doing their best to out think the security software industry. Give em time, they will figure out a way to get around the new ones. What they should have done was permit Microsoft to really tighten the security down in the OS. The system-file protection feature should have been fought. At the rate things are going now soon we will be paying 200 bucks for a computer, and 400 bucks for the security software to protect it. Sheesh give me a break!
- TheWindBlows, on 06/12/2008, -0/+1: Arch Linux core. Try to infect me now.
Naw I'm just screwing with ya.
- thenonhacker, on 06/12/2008, -0/+1: Guys I tried the Bit9 Software but Avira found it's infected with a Trojan. >:(
- snapcase, on 06/12/2008, -0/+1: Yeah, another decent AV program but not a behavior blocker. Read up a little on the subject: http://wiki.castlecops.com/Lists_of_freeware_behav ...
Basic description there and some free ones that work well.
- kineticarl, on 06/12/2008, -1/+2: mynameistux: no, you may not.
- grumpyrain, on 06/12/2008, -0/+1: Um, no they can't.
Unless you are claiming to have broken the public/private key encryption (making SSL/https/most vpns/sftp/ssh useless), the only way to generate a valid digital signature is to know the private key or to compromise the trusted third party and send out a maliciously wrong public key.
- grumpyrain, on 06/12/2008, -0/+1: There is and will always be contention between security and convenience. Additional security always comes at the cost of certain conveniences. The additional security provided by SELinux comes at the cost of having to decide up front what mandatory access control policies are required and for the end user to meaningfully decide whether granting such policies is appropriate.
Again convenience comes into the argument about downloading prebuilt packages. Different versions of gcc or msvc?.dll have different build requirements. You even get differences in the build process when building for NPTL or not. Signed source packages are certainly ideal, but few end users have the time and skill to sift through the changes made in every point release to determine whether they are 'safe'.
There are still people out there who think that clicking OK in UAC is too much effort when installing an application, imagine trying to convince them to sit down and allow specific policies?
Microsoft packaged malware back in Dos 6 days - unintentionally, existing malware ended up on the master disk. It wasn't built by their compile process, and certainly wouldn't have been digitally signed by them. I think that like them or not, you should probably give them some credit for the progress in security they have made since the early 1990s.
If you are using Firefox 3 or IE8 (beta - actually I think IE7 has it too) and you visit a site with an invalid SSL certificate, you will see the sort of idea I am thinking of. They are both well thought out in this area. Where previous versions just throw up a popup and highlight the certificate in red, the new versions display an error page that a non techo will probably mistake for a 404. My suggestion of implementing something similar when installing an app, telling you the registered company name through a SSL signature does not make things any harder, but should start raising suspicions about the executables generally dropped in drive by installs.
- Giga, on 06/13/2008, -0/+1: Most malware these days have visible symptoms, such as frequent application crashes and IE popups despite only ever using Firefox and no browser was open at the time etc. It is possible to be hosting something that has no symptoms without knowing it, but a quick manual check of the startup items and running processes usually finds those too.
- init100, on 06/12/2008, -0/+1: @TheSuperunknown
Then set up permissions appropriately, so that only system administrators can install software. Or have you already given up?
- TheSuperunknown, on 06/12/2008, -0/+1: Given up? What? I don't work in IT and I'm not commenting from an IT perspective. I'm saying people will always screw up somehow, and that could include the administrator not setting up appropriate permissions.