* Posts by James Smith

1 publicly visible post • joined 27 Jun 2007

The decline of antivirus and the rise of whitelisting

James Smith

There are better alternatives to White listing

I have read the comments posted so far with great interest.

There are some great arguments for white listing as an alternative to AV technologies. I personally believe that AV has had its day and we as IT professionals must have a solution that is more secure, scalable, and maybe most importantly of all, easily manageable.

My feelings on whitelists are simple. They are way too difficult to manage effectively by far. The arguments against whitelisting are very valid. How do you manage a white list for 10'000 machines? It just isn't practical. Who wants a global list of "safe applications" held by some corporation somewhere? I certainly don't. There are other ways, and only one person here has mentioned it so far.

Trusted Ownership. Yes, I do use a product where trusted ownership is key, and I would say that, as a simple yet very effective way of stopping all unauthorised executions, not just of exe files but anything that asks to be executed, in my opinion there is no better solution.

I have an installation account (install_user) and install all my apps as that user. That user account is one of the "Trusted Owners" in my list. Once deployed, any application that tries to run that is not owned by install_user will be denied. That means if I (admin) or any of my users download spyware, it won't run. If a user downloads some software they shouldn't, it won't run. I have complete control, and my trusted owners list is tiny. There is other functionality but I'll leave that for another time.

Secure, scalable & manageable. Works for me.

AV worked, Whitelisting is better, however trusted ownership solves the issues that Whitelisting can't by its very nature.
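
The trusted-ownership rule described in the post above, sketched for a POSIX host as an added example (not part of the original post and not code from the product the poster uses). The function names, the numeric-uid policy and the extra write-permission check are assumptions made for illustration; the sample file is constructed.

```python
import os
import stat
import tempfile


def ownership_decision(path, trusted_uids):
    """Return (allowed, reason) for one file under a trusted-ownership rule."""
    try:
        st = os.stat(path)  # follows symlinks: judge the file that would run
    except OSError as exc:
        return False, f"cannot stat: {exc.strerror}"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid not in trusted_uids:
        return False, f"owner uid {st.st_uid} is not a trusted owner"
    # Added hardening (assumption, not from the post): overwriting a file does
    # not change its owner, so a trusted-owned file that others can write to
    # would still pass the ownership test after being modified.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    return True, "owned by a trusted owner"


def audit(root, trusted_uids):
    """Walk root and return {path: reason} for every file that would be denied."""
    denied = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            allowed, reason = ownership_decision(path, trusted_uids)
            if not allowed:
                denied[path] = reason
    return denied


if __name__ == "__main__":
    # Constructed sample: the current user stands in for install_user.
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "tool.sh")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)
        print(ownership_decision(tool, {me}))      # owner is trusted
        print(ownership_decision(tool, {me + 1}))  # owner is not in the list
        os.chmod(tool, 0o777)
        print(audit(root, {me}))                   # flagged: writable by others
```

Running `audit` over application directories before switching such a rule to enforcement lists the files that would stop running and why.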