On Tue, May 11, 2010 at 10:44 AM, Ken Schaefer <[email protected]> wrote:
[re: vulnerabilities in AV software, especially
> How is whitelisting or blacklisting going to help? Answer: it's not.

  Whitelisting is not directly going to address the problem of
vulnerabilities in anti-virus software.  But I agree with the stance
that looking for signatures of known bad software is fast becoming
infeasible.

  Whitelisting and similar strategies bypass the entire problem.
Rather than try to identify software you don't want (which is
potentially infinite), you identify software you do want.  I like
ASB's analogy by firewall policy: "Deny by default, allow known good"
has long been the accepted best practice.  It makes sense to do the
same for software.

  LUA ("Limited User Access", Microsoft's term for least privilege,
i.e., running without admin rights) is already a big step in this
direction.  We don't let users modify C:\WINDOWS or "C:\Program
Files", because that's where the software lives.  From there, the
obvious next step is to deny execution from "C:\Documents and
Settings".

  There's the usual heavy sprinkling of compatibility headaches --
it's amazing how much software expects to execute things from %TEMP%
or "All Users\Application Data" -- but much like LUA, while initial
implementation can be a hassle, I think it will pay off big in the
long run.

  Done right, this could vastly reduce or even eliminate the
traditional anti-virus role.

  (For well-managed environments.  Clueless home users are still
screwed.  :-(  )

  I do agree with the premise that AV software should not have
security vulnerabilities.  I just think that the problems are bigger
than that, and the apparent way forward may make the smaller issue of
AV software vulnerabilities moot, by making traditional
signature-based AV software obsolete.

> But, if your AV was any good, it would detect the problem "on access"

  At this point I don't expect signature scanning to stop anything.
Malware evolves too quickly to keep up.  We have traditional AV
software, we use it, we even depend on it more than I would like, but
I don't expect it to keep up with the morphed-threat-of-the-minute
whack-a-mole problem.

-- Ben
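The "deny by default, allow known good" execution policy Ben describes, modelled as an added Python example (not code from the thread or from any vendor product): installed-software trees are allowed, the user-writable profile and temp areas are denied, and a short compatibility exception list covers the %TEMP%-style cases he mentions. The policy paths, the environment mapping and the `Vendor\updater.exe` exception are constructed for illustration; the evaluator canonicalises paths first so `..` segments and case differences cannot slip a file under an allowed prefix.

```python
import ntpath
import re

# Constructed deny-by-default policy: allow only the trees where software is
# installed, deny the user-writable areas, deny wins inside an allowed tree.
ALLOW = [r"C:\WINDOWS", r"C:\Program Files"]
DENY = [r"C:\Documents and Settings", r"C:\WINDOWS\Temp"]
# Hypothetical compatibility exception for a program that insists on running
# from "All Users\Application Data"; keep this list short and reviewed.
EXCEPTIONS = [r"C:\Documents and Settings\All Users\Application Data\Vendor\updater.exe"]

# Constructed environment for an XP-era profile (not read from the host).
ENV = {"TEMP": r"C:\Documents and Settings\ben\Local Settings\Temp",
       "SYSTEMROOT": r"C:\WINDOWS"}


def expand_env(path, env):
    """Replace %VAR% references from the supplied mapping; unknown vars stay as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def normalize(path, env=ENV):
    """Canonical, case-folded NT path: collapses '.', '..' and mixed separators."""
    return ntpath.normpath(expand_env(path, env)).lower()


def is_under(path, prefix):
    """True if the normalised path is the prefix itself or lies below it."""
    prefix = normalize(prefix).rstrip("\\")
    return path == prefix or path.startswith(prefix + "\\")


def evaluate(path, env=ENV):
    """Return (allowed, reason) for an execution attempt at `path`."""
    p = normalize(path, env)
    if any(p == normalize(e) for e in EXCEPTIONS):
        return True, "explicit exception"
    if any(is_under(p, d) for d in DENY):
        return False, "denied tree"
    if any(is_under(p, a) for a in ALLOW):
        return True, "allowed tree"
    return False, "default deny"


if __name__ == "__main__":
    for candidate in (r"C:\WINDOWS\system32\notepad.exe", r"%TEMP%\setup.exe",
                      r"C:\Program Files\..\Documents and Settings\ben\run.exe"):
        print(candidate, "->", evaluate(candidate))
```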
