Whitelisting, alone, can't stop malware
While using whitelisting together with AV might make some sense, whitelisting alone will never be able to stop malware.
I recently attended a speech by some marketroid from Bit9 about what they are doing. Well, they are trying to establish a global whitelist of all known good software - and, apparently, are failing miserably (although he didn't say so, of course). According to him, just Microsoft, SourceForge and Mozilla produce about a quarter of a million new executables every day. Each. Currently, just the index of Bit9's database of hashes of known good software is more than a hundred gigabytes - and they are nowhere near finished.
How are you going to deliver that to the end user's computer? It's much worse than the daily (hourly?) updates that AV currently does. And a centrally accessed database simply doesn't work. What are you going to tell the customer - you can't use your computer today, because we have a networking failure and can't check the programs you want to run against our whitelist just now?
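To make that delivery dilemma concrete, here is an added toy model of a whitelist-only execution check (example code written for this post, not Bit9's or any vendor's logic). The "binaries", the local cache and the "central database" are all constructed stand-ins; the point is the decision a hash-based whitelist is forced into when the lookup service is unreachable.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


class LookupUnavailable(Exception):
    """Raised when the central whitelist service cannot be reached."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs standing in for real executables.
KNOWN_GOOD = b"MZ\x90\x00 constructed known-good binary"
VETTED_REMOTE = b"MZ\x90\x00 constructed binary vetted only upstream"
UNKNOWN = b"MZ\x90\x00 constructed binary nobody has vetted"

# Hypothetical local slice of the whitelist (real lists are far larger) and
# the hypothetical central database it is synced from.
LOCAL_CACHE = {sha256(KNOWN_GOOD)}
CENTRAL_DB = LOCAL_CACHE | {sha256(VETTED_REMOTE)}


def central_lookup(digest: str, online: bool) -> bool:
    # Stand-in for the vendor's central database query.
    if not online:
        raise LookupUnavailable("whitelist service unreachable")
    return digest in CENTRAL_DB


def decide(data: bytes, online: bool, fail_open: bool) -> Verdict:
    """Whitelist-only execution decision: allow only hashes the list vouches for."""
    digest = sha256(data)
    if digest in LOCAL_CACHE:
        return Verdict.ALLOW
    try:
        known = central_lookup(digest, online)
    except LookupUnavailable:
        # The dilemma from the text: fail closed (the user cannot work today)
        # or fail open (the whitelist no longer decides anything).
        return Verdict.ALLOW if fail_open else Verdict.DENY
    return Verdict.ALLOW if known else Verdict.DENY
```

Note that the only way to avoid both outcomes is to ship the whole list locally, which is exactly the hundred-gigabyte delivery problem described above.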
And how are you going to prevent malware from ending up on the whitelist? The AV people have their hands full trying to analyze 5000+ new malware programs every month. And these guys are experts. Do you really believe that a whitelisting company is going to analyze a million programs per day, in order to determine whether they are malware or not - and not make mistakes?
And you can't offload the decision whether something should be allowed to run or not to the user, either - because the user is even more incompetent and will make mistakes even more often. After all, if the users could really decide whether a program should be allowed to run or not on their computers, they wouldn't get infected in the first place!
Preventing access to types of files by policy doesn't work, either. Are you going to prevent access to Word documents by default? That would make the machine unusable. And, if you don't, the user can get hit by a Word document containing an exploit. Yes, you can prevent unknown macros from running, and if the exploit downloads, drops and runs an executable - you can prevent *that* from running. But an exploit doesn't have to do that. The shellcode in it can do plenty of damage and it runs in memory directly from the document; unless you prevent access to the document to begin with, you can't stop that.
And what about viruses like CodeRed that don't exist as executable files in the first place?
The rumors of AV's demise are greatly exaggerated, I'm afraid.
P.S. Yes, I work for an AV company. That might make me biased, but at least I know what I'm talking about.