if i have a whitelist, do i still need AV?

Discussion in 'other anti-malware software' started by ronjor, Jul 14, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
    Kurt Wismer
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    yes i think you do, cause white list only includes good programs and what about any new unknown viruses? so i think you still need to scan viruses for any black list malware. i think :D
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    You (a generic term, does not mean ME or YOU) don't need one even if you do not use a whitelist, so ...
    Mrk
     
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Maybe you mean a Blacklist?

    If you have a whitelist, YES, you still need an AV.
    But if you use virtualization/imaging software, AVs are almost completely useless.
    You can use an on-demand AV scanner if you wish, such as ClamWin or BitDefender Free.
     
  5. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    ClamWin is a terrible choice. I personally prefer AntiVir free with Guard turned off. There's also Norton Security Scan from Google Pack, but that doesn't remove spyware. Then there's Cureit and AVP Tool, but to update you have to download the whole thing again.
     
  6. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    unless knowing that the malware you had leaked your passwords, credit card numbers, banking details, etc. is important to you...

    if you only care about what got in and not about what got out then yes, sandboxing/imaging makes av more or less obsolete... most people should also be concerned about what got out, however...
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    My sandbox covers all the things you just mentioned, Kurt. Password leaking, credit card data and online banking details hijack, all of them. And it's not a joke.
     
  8. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    a) i don't consider your software (as you've described it to me in the past) to be a sandbox...
    b) anyone can devise a security solution so clever that they can't figure out a way to bypass it, but that doesn't mean it can't be bypassed...
    c) in the previous post i was referring to diagnosis, not prevention or detection of preventative failure... unless your software can tell the user what a piece of malware is capable of (not just what you detected it doing) or give them enough information to find out elsewhere, it does not provide a diagnosis...
     
  9. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi There folks,

    I believe whitelisting is the way forward in the PC security field. I noticed this topic on whitelisting and thought i would put my two pennies in!

    I have started a topic on DriveSentry as i work for the company. DriveSentry is a security application which combines one of the largest blacklists of known viruses with an ever growing whitelist of trusted programs and statistics from the DriveSentry Advisor community.

    DriveSentry uses the following method - whitelisted programs are auto-allowed, blacklisted (known malware) programs and files are auto denied and anything that is unknown is queried by DriveSentry.

    With a growing white and blacklist and increased user statistics arising from increasing DriveSentry user base, the grey area of unknown programs is becoming smaller and smaller.

    if you have any questions please don't hesitate to contact me.

    Interesting topic to say the least, look forward to people's thoughts on DriveSentry.

    Kind regards,

    Kate.;)
     
  10. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    If by "having a whitelist" you mean that your system's setup allows only the programs "known to be good" in that whitelist to run, there's no reason at all for running an Anti-virus.
    Actually, using an AV if you really have full control on the list of programs which are allowed to run, can do more harm than good.
     
  11. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    more harm than good? you've seriously misinterpreted nruns' findings (not to mention put too much credence in what a security vendor says about other vendors' products)...
     
  12. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    You're ignoring the condition I prepended to my statement: "if you really have full control on the list of programs which are allowed to run".
    It's just a logical conclusion (not based on any "credence") drawn from the facts:
    1. Supposing that the whitelist-enforcing technology is bullet proof, which is far easier to achieve (especially when "good" SW is digitally signed) than flawless scanning of all the unknown files, only whitelisted processes will run
    2. Given (1), the only chance for malware to run is being embedded "in-process" with a whitelisted executable, i.e. exploiting a vulnerability in a "good" executable and not launching a separate one, which would not be allowed by whitelist enforcement
    3. Given (2), the shorter the whitelist the safer the system
    4. Given (1), (2) and (3), why would you pollute your whitelist adding a blacklist-based Anti-virus, which is not only redundant (why scan files which won't run anyway?) but also belongs to the class of software (together with web browsers, email clients and firewalls) which is most exposed "by design" to malicious data from the internet and therefore more vulnerable to remote exploitation of parsing flaws?
    Oh, I almost forgot another meaning for "harmful" :)
     
  13. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i ignore that because i know that no whitelist in the world is capable of giving you that control... there's more to controlling programs than just controlling exe's and com files... determining what is and isn't a program is an undecidable problem, and the list of all existing program types is unbounded...



    1. this is the first problem with your logic - bulletproof whitelisting is impossible because identifying all programs is undecidable...

      this is the second problem - vulnerabilities are not the only way to execute within the context of another executable... consider how poorly the software industry has followed the principle of separating data and code...

      does not follow - i just have to whitelist ms office and i'm wide open to attack by even the lowest class of malware purveyors in existence...

      because you can't know it won't run...

      again, putting credence in one vendor's marketing FUD...

      the fact that you had to lump it in with browsers and email clients should have been a clue that you cannot criticize this level of exposure without criticizing the very act of sharing data itself... there's always something that gets exposed to everything you share, and since anything you share could be dangerous, in order to try to protect yourself from such threats your protection will necessarily be exposed to those threats...
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Malware is digitally signed nowadays too.
     
  15. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    So your argument is just that "whitelisting is impossible".
    My logic is unattackable, if you accept the premise of this whole thread: if you're using a whitelist.
    If you say you can't use a whitelist, all the rest of this discussion is moot.
    If we accept whitelisting works (or could be made to work, in a world promoting clear separation of executables and data), all the rest follows and anti-virus are useless.

    On a side note, "identifying all programs is undecidable" is one strong reason why anti-virus as we know them are a weak technology, independently from the whitelisting discussion, and "bullet-proof blacklisting is impossible" is a much easier to prove statement, valid for ever.
     
  16. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    I did not say that the whitelist should automatically include every signed executable, but that the job of the whitelist (identifying the process about to run) is much simpler for signed code, because it cannot be tampered with.
     
  17. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    no, it's not... you change the entire meaning when you remove the "bulletproof" qualifier... please go back and re-read what i said...

    a world that forces (promoting isn't enough as people could still violate what is promoted) the separation of data and code is one that is outside the scope of general purpose computers... in such a world whitelisting isn't necessary - special purpose computers cannot have arbitrary new programs added to them so there is no need to add them to a whitelist...

    so long as we enjoy the burden of the generality of interpretation, determining what is a program and therefore by extension what is a trusted program is going to be an imperfect process at best...

    i have never claimed bulletproof blacklisting is anything other than impossible... one of the oldest things known about computer viruses is that identifying all possible viral programs is undecidable... the difference between the two statements is trivial so one is not really that much easier to prove than the other, and both are valid forever...

    and since neither are by themselves bulletproof, both can benefit from the presence of the other...
     
  18. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    to answer the topic.
    I have a whitelist with my HIPS and PFW. And yes, even so I feel the need for an AV.

    The reason is simply that I neither trust global whitelists completely nor do I trust global blacklists completely.
    Both global lists share the same problem, they will always be incomplete and outdated on release.

    The best whitelist in my opinion would be a custom-built one, only for the unique PC, like EQSecure offers.
    But then there is a lot of work to do, to allow every single program to run, to start another program, to install a driver etc.
    But even this whitelist should be generated on a clean PC, but how should I know that it's clean... :doubt:

    There is no conviction of salvation in whitelisting or blacklisting security programs.
    Therefore I add a sandboxing and a virtualization program to my setup.
    The more the better. :ninja:

    Cheers
     
  19. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    In theory, running an AV with a whitelist is a good idea. However, with new AV and browser releases, compatibility is becoming a major problem. Especially for a program that hooks itself into a system like Faronics AE. I would be interested in anyone who successfully runs an AV with any version of Faronics AE and Firefox 3.
    This is why an all in one product, AV - whitelist approach makes a lot of sense.
     
    Last edited: Jul 16, 2008
  20. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    Hi all.

    Just thought I'd contribute to this discussion.

    Whitelisting is an excellent approach to dealing with the unknown, by only allowing the known good to run. Blacklisting (AV) is still the best way of dealing with the known bad.

    The best all round approach is still to combine a whitelist solution with an antivirus product. I disagree with the idea that a single multi-purpose client is the way forward, because you are limiting your defences to a single point of vulnerability.

    Whitelisting however can be very expensive in terms of management, and depending on how content is identified, can be weaker than antivirus.

    For example, you may spend a month creating a whitelist for your desktops, and just as you roll it out, Patch Tuesday turns up, or an update for a piece of software. Suddenly your whitelist is out of date and you have to start all over again. In this case, you are fighting the same battle that AV vendors are, and that is trying to stay up to date with the latest definitions.

    And, as has been mentioned already in this thread, if the whitelist is only filtering file names, file types or locations, the chances are it is going to miss something.

    So if you decide that whitelisting is for you, look for a product that gives you out-of-the-box functionality, and minimal overheads, or you will spend most of your time updating it. And as I mentioned earlier, a combined approach with AV is best.

    Cheers.

    Kris.
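
Added example, not part of the original thread and not the code of any product named in it: a minimal allow/deny/query decision keyed on SHA-256 content hashes, set beside a name-only check, to show the two effects discussed above (a name-only list accepts any file carrying a listed name, and a hash list stops recognising a program once it is patched). The file contents, names and lists are constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # on the whitelist
    DENY = "deny"     # on the blacklist (known bad)
    QUERY = "query"   # unknown: ask the user or an administrator


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents (not real binaries).
APP_V1 = b"constructed: word processor, build 1"
APP_V2 = b"constructed: word processor, build 1 plus vendor patch"
KNOWN_BAD = b"constructed: sample already on the blacklist"
UNKNOWN = b"constructed: program nobody has classified yet"

ALLOW_HASHES = {sha256(APP_V1)}   # hypothetical whitelist, built before the patch
DENY_HASHES = {sha256(KNOWN_BAD)}  # hypothetical blacklist
ALLOW_NAMES = {"winword.exe"}      # hypothetical name-only whitelist


def verdict_by_hash(data: bytes) -> Verdict:
    """Identify the file by its content; the blacklist wins over the whitelist."""
    digest = sha256(data)
    if digest in DENY_HASHES:
        return Verdict.DENY
    if digest in ALLOW_HASHES:
        return Verdict.ALLOW
    return Verdict.QUERY


def verdict_by_name(filename: str) -> Verdict:
    """Identify the file by name only; the content is never inspected."""
    return Verdict.ALLOW if filename.lower() in ALLOW_NAMES else Verdict.QUERY


def compare(filename: str, data: bytes) -> tuple[Verdict, Verdict]:
    """Return (name-only verdict, hash verdict) for the same file."""
    return verdict_by_name(filename), verdict_by_hash(data)


if __name__ == "__main__":
    for label, data in [("listed build", APP_V1), ("patched build", APP_V2),
                        ("known bad", KNOWN_BAD), ("unknown", UNKNOWN)]:
        by_name, by_hash = compare("winword.exe", data)
        print(f"{label:14} name-only={by_name.value:6} hash={by_hash.value}")
```

The patched build dropping to `query` is the maintenance cost described above: every update needs a whitelist refresh before the program is recognised again.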
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There are as many approaches to WhiteListing as there are people writing about it. For the home user, a White List might be employed as subset describes

    In fact I created a test and compiled a list of solutions (including EQS) that alert to the attempt to run any executable program not already installed on the computer:

    http://www.urs2.net/rsj/computing/tests/srp1

    This takes care of any attempt to sneak in a malware executable by remote code execution. No AV necessary.

    But what about situations where you choose to install new software/plugins/codecs, etc? How do you know they are "clean?" jmonge makes this observation:

    Some people quote the phrase, "Trust, but verify." But I often scan malware that I find, and am quite startled at the many times that results show 3/32 or maybe 6/32 scanners have flagged the binary in the early days of the exploit. Rather unimpressive "verification."

    Another solution is to trust your source for the software.

    A user may choose one or both; neither is completely foolproof. Ultimately, she/he wants a feeling of security.

    --
     
  22. wat0114

    wat0114 Guest

    This approach has always worked for me. Never failed me once. Now here is an example of a source, posted no less here at Wilders, that I would not trust. It has "dubious" written all over it. Maybe it's perfectly okay, but the picture just don't look right to me :p
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... it's the second time I read something like that. Can you explain it please? How is malware digitally signed? Who and why is somebody signing it?
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Oh, it's quite a simple procedure. You just need to send to a root-support organization (VeriSign, Thawte, Comodo,...) some data (passport or driver license scan in case of need of a first-lastname digital signature and copies of incorporation data in case of a corporate digital signature) and get the signature. A signature is made in order to verify a module's developer, not whether it is malicious or not.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's a pity indeed. Thanks for explaining. I will never trust signatures now.
     