Bit9 is using the Infosec show as a launchpad for its move into Europe as part of its wider ambitions to displace traditional antivirus technologies from corporate desktops and data centres. The firm is marketing its brand of trust-based application control and whitelisting as a better way of tackling the growing malware menace …
Good old SSM
I remember using good old System Safety Monitor when I was forced to use Windows. Never had a single breach on XP using that, but on Win7 I've had one infection when that _one time_ I forgot to use my VM web browser :(
Whitelist and "cloud" tech were implemented years ago by commercial anti-virus apps. A real revolution has been pure cloud, now backed by real clam.
So, did they start their business googling flames by free anti-virus users?
One has to wonder
If Bit9 has sold its products to Iran yet.
Re: One has to wonder
Not a good look if they have. Iran's nuclear infrastructure is still being virus-zapped on an hourly basis. :)
Not on the Bit9 whitelist? I'm sure they will be able to add you to the whitelist for a small fee.
They tend to be managed by the companies who buy them, so just hope the PFY doesn't whitelist that trojan on his USB stick!
What is a program?
I'm not convinced that whitelisting can really work in real-life situations. While it's impressive that they've committed themselves to building such a large database of known programs, there are a few big problems that I can see.
First off is the problem of what a program is. In this day and age so many packages have programming languages built into them. Either that, or the packages are actually development platforms in their own right. In the case of packages that have some form of scripting included as a non-core feature (spreadsheets, word processing apps), it would seem to be impossible to whitelist every single "program" embedded in ordinary files (shared by people) or included in the standard corporate install image (e.g., company templates). The problem here isn't just the volume of programs that would need to be whitelisted if you take this expanded (and more correct) view of what a program is; there would also be confidentiality issues if your company had to send samples of all your in-house macros/script collections for hashing. Even if you could set up the hashing/authentication server in-house, there's still plenty of scope for cock-ups.
Another problem with malware is that quite a lot of it (perhaps the majority?) is exploiting bugs in particular packages. Almost any program that reads in user data has the potential to have bugs which render what should be just input data into live code. So even though a PDF or a particular set of inputs to a web-based service ostensibly doesn't come under the rubric of "programs", they do become a way for malware authors to trick the application or server into executing whatever they want. The whole whitelisting philosophy completely fails here, since user input, data files, and so on simply don't get counted as programs when actually they are.
I noticed in the article that someone attached to the company said that false positives with whitelisting technology were "bad in the early days". It beggars belief that the people building these systems don't even seem to understand the Birthday Paradox when it comes to picking a hashing scheme... That certainly doesn't inspire confidence.
All in all, as it's reported here, the scheme is pure hyperbole, possibly verging on snake oil. IMNSHO.
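The two objections in the comment above can be made concrete. The following is an added example, not code from the thread or from Bit9: a minimal hash-based allowlist over constructed sample "files" shows that a hash-only control inspects the interpreter's executable but never the macro-bearing document it will run, and the birthday bound estimates the collision probability for a list of the size mentioned elsewhere in the thread at several digest lengths. File names, contents and the 5 billion figure are assumptions for illustration.

```python
import hashlib
import math
from typing import Optional

# Constructed sample "files" (name -> bytes); not real binaries or documents.
FILES = {
    "calc.exe":   b"MZ\x90\x00 constructed calculator image",
    "office.exe": b"MZ\x90\x00 constructed macro-host image",
    "budget.xls": b"constructed spreadsheet carrying an auto-run macro",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The allowlist covers executables only, which is the model the comment criticises.
ALLOWLIST = {sha256_hex(FILES["calc.exe"]), sha256_hex(FILES["office.exe"])}

def is_allowed(data: bytes, allowlist=ALLOWLIST) -> bool:
    """Hash-only allowlist decision: permitted iff the digest is on the list."""
    return sha256_hex(data) in allowlist

def launch_decision(exe: str, document: Optional[str] = None) -> dict:
    """What a hash-only allowlist actually evaluates at launch time.

    Only the executable's digest is consulted.  The document the interpreter
    will execute (macros, scripts) is data to the control, so it is never
    checked and therefore never denied, even though it is not on the list."""
    return {
        "exe_allowed": is_allowed(FILES[exe]),
        "document_checked": False,  # hash-only control treats documents as data
        "document_on_list": is_allowed(FILES[document]) if document else None,
    }

def birthday_collision_probability(n_items: int, digest_bits: int) -> float:
    """Approximate P(at least one collision) among n_items random digests:
    1 - exp(-n^2 / 2^(b+1)), the standard birthday bound."""
    return 1.0 - math.exp(-(n_items ** 2) / (2.0 ** (digest_bits + 1)))

if __name__ == "__main__":
    # The macro host is allowed, so the unlisted macro document runs unchecked.
    print(launch_decision("office.exe", "budget.xls"))
    # Collision risk for a 5-billion-entry list at three digest lengths.
    for bits in (32, 128, 256):
        p = birthday_collision_probability(5_000_000_000, bits)
        print(f"{bits:>3}-bit digest, 5e9 entries: P(collision) ~ {p:.3e}")
```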
Re: What is a program?
@Frumious Bandersnatch > All in all, as it's reported here, the scheme is pure hyperbole, possibly verging on snake oil.
Whitelisting deserves a few brushstrokes in the layered security picture, but touting "pure whitelisting as a 100% replacement for traditional anti-virus/anti-malware protection" is definitely snake oil.
If it looks like a shill and smells like a shill ................................
Think Norton is slow? Just wait
I can only imagine what checking a "5 billion-long list" of apps will do to your PC in terms of app launch latency. Or disk space.
Either that, or every time you want to launch something it has to call home to check if it is OK?
Their idea is being used already
All serious anti-virus apps (read: not bundled) have whitelist functionality in one form or another.
Network based pure heuristic cloud stuff? Exists and it is insanely fast. Check
Just like that signed malicious driver code that occasionally pops up for Windows?
Seriously, this can only work if the whitelisting is done by the entity which owns the computers. Because there always _will_ be that special piece of software you will need, but which isn't in the whitelist.
It also won't help for code-execution bugs in whitelisted software. If anything, it will delay updates, as they first have to be in the whitelist.
So at best it's pointless, at worst it's insecure. And I'm not even talking about the possibility of it leaking program usage statistics to the server.
Echoes of Active Directory Group Policy control here
Where MS let you define which executables were "allowed" on target machines.
Tested that for a while, turned it off and went back to regular rebuilds of client machines.
"'Antivirus doesn't work and it's only the addition of anti-spam, firewall, data loss prevention and other technologies that have kept customers buying it,' Morley told El Reg."
So that's why every AV is getting increasingly crammed with useless shite: people like him think that we actually want all the bloat. In my own experience VERY few people know about, care about, or want all that. They want an antivirus simply to stop viruses, keep out of their way the rest of the time, and not make their machine unreasonably slow.