Whitelisting stopped Flame, but don't bury antivirus just yet
- By William Jackson
- Jun 22, 2012
The whitelisting company Bit9 recently scored a coup by blocking repeated attempts to install the stealthy Flame spyware on a customer’s system several months before the persistent threat had been identified. The company rightly claimed that this was something impossible for traditional antivirus programs, because they can only stop what they already know.
Also recently, a research project headed by Cambridge University for the U.K. Ministry of Defence concluded that “we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.).”
All of which seems to be giving old-fashioned, signature-based antivirus software a bad name. But antivirus should not be killed off yet.
Flame reportedly set up Stuxnet attack, was under human control
Study: Spend less on antivirus, more on catching cyber crooks
For all of its limitations, it remains an effective way of dealing with an awful lot of the threats in cyberspace. Antivirus is not a cure-all, of course; whitelisting, intrusion detection and other monitoring tools all fill necessary roles.
The great advantage of whitelisting is that it does not need to know its adversary to block it. But that also is its blind spot. Bit9 discovered that its customer was under attack months after the fact, when logs were examined and the regular attempts to install W32.Flamer (aka Flame and sKyWIper), were found.
Bit9 Chief Technology Officer Harry Sverdlove did not identify his Middle East customer but said it is located in a geographical area in which other attacks had been identified. Flame, now revealed to be a part of a U.S. cyber espionage operation that includes Stuxnet, is believed to have targeted Iran.
Whitelisting enforces policies that allow only specified activities — a white list — on a computer. If the user, action or file is not authorized, it is not given access, executed or loaded, so you do not have to know what you are looking for to stop the bad guys.
Spokesmen for the company point out that the fact that Bit9 did not identify the Flame attack earlier is not a failure of the tool, because its job is to stop unauthorized actions, not to identify malicious ones. They say it is unfair to criticize a whitelisting tool for not being an antivirus tool, and they are right.
But had Bit9 been able to notice and flag the periodic attempts to load unauthorized software, the attempts could have been analyzed and Flame might have been discovered months sooner. Would this discovery have made a difference in the grand scheme of things? That is impossible to say. But it is safe to say that it is better to discover malware earlier rather than later.
This is not a criticism of Bit9. Its product did what it was supposed to do, and no one expected it to provide alerts and analysis.
Security vendors, being in the business of selling products, often present things in black and white, aiming to gain competitive advantage by comparing themselves favorably with other technology. Whitelist vendors say they are better than antivirus because antivirus works only against known attacks.
But security is not black and white. It is a gray-tone landscape. Whitelisting is not always practical, and despite frequent criticisms, an updated antivirus tool is an effective way to block large numbers of active attacks. There is a gray area between the two techniques that should be occupied with intrusion detection, behavior analysis and other monitoring and blocking technologies.
Don’t expect any one tool to do the whole job.
William Jackson is freelance writer and the author of the CyberEye blog.