The recent rise in awareness of whitelisting has led to claims that it will eventually replace traditional antivirus techniques. Whitelisting keeps a database of safe programmes and applications and only allows network access to those on the safe list.
Graham Cluley, senior technology consultant and Sophos, insisted that the rise of whitelisting will not spell the end for antivirus. He told CBR: Rumours of the death of antivirus are things we’ve heard many times over the last 20 years. You’re always going to need antivirus, because before whitelisting applications you have to scan it to see if it’s a known virus.
Cluley believes without the use of antivirus alongside whitelisting, corporate networks could be more vulnerable. The problem starts when you scan an application and the result is negative, meaning you whitelist the application. If the antivirus is then updated and you discover that the application contained a new virus that you didn’t know about, you’ve just approved that throughout your organisation if the antivirus is not engaged.
He says that while there is a place for whitelisting, the technique does have its drawbacks. I hate to break this to people, but there are more good programmes than bad out there. You would have to manage a huge database a do a huge amount of research to ensure that all of those programmes really are good and don’t have any vulnerabilities. How would you update your users with such a significant database? he asked.
Cluley does concede that there are places where whitelisting will work, specifically in controlled environments where the user is given a computer and a specific list of applications they are allowed to run. You will still have to manage the situation when software updates are released, or if the OS needs updating. But most companies don’t work in that environment, they still find it easier to block the bad stuff, he said.
The emergence of cloud computing has led to suggestions that antivirus vendors may be forced to move their protection from the desktop to the cloud. Cluley dismisses these claims. We have to defend against a threat wherever it comes from. It doesn’t matter how it gets to the user, whether it’s via the Internet or a USB stick for example, we will intercept it, he said.
Sophos’ security threat report update for the first six months of 2008 indicated that the company detected 16,173 malicious web pages a day on average. That equates to one every five seconds and is three times faster than the rate seen in 2007.
The company estimates that over 90% of malicious web pages are part of legitimate sites that have been hacked through SQL injection. Blogspot.com, owned by Google, accounts for 2% of all malware hosted on the web, according to the report.
