CYBEREYE

Whitelisting stopped Flame, but don't bury antivirus just yet

The whitelisting company Bit9 recently scored a coup by blocking repeated attempts to install the stealthy Flame spyware on a customer’s system several months before the persistent threat had been identified. The company rightly claimed that this was something impossible for traditional antivirus programs, because they can only stop what they already know.

Also recently, a research project headed by Cambridge University for the U.K. Ministry of Defence concluded that “we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.).” 

All of which seems to be giving old-fashioned, signature-based antivirus software a bad name. But antivirus should not be killed off yet.


For all of its limitations, it remains an effective way of dealing with an awful lot of the threats in cyberspace. Antivirus is not a cure-all, of course; whitelisting, intrusion detection and other monitoring tools all fill necessary roles.

The great advantage of whitelisting is that it does not need to know its adversary to block it. But that also is its blind spot. Bit9 discovered that its customer was under attack months after the fact, when logs were examined and the regular attempts to install W32.Flamer (aka Flame and sKyWIper) were found.

Bit9 Chief Technology Officer Harry Sverdlove did not identify his Middle East customer but said it is located in a geographical area in which other attacks had been identified. Flame, now revealed to be a part of a U.S. cyber espionage operation that includes Stuxnet, is believed to have targeted Iran.

Whitelisting enforces policies that allow only specified activities — a white list — on a computer. If the user, action or file is not authorized, it is not given access, executed or loaded, so you do not have to know what you are looking for to stop the bad guys.

Spokesmen for the company point out that the fact that Bit9 did not identify the Flame attack earlier is not a failure of the tool, because its job is to stop unauthorized actions, not to identify malicious ones. They say it is unfair to criticize a whitelisting tool for not being an antivirus tool, and they are right.

But had Bit9 been able to notice and flag the periodic attempts to load unauthorized software, the attempts could have been analyzed and Flame might have been discovered months sooner. Would this discovery have made a difference in the grand scheme of things? That is impossible to say. But it is safe to say that it is better to discover malware earlier rather than later.

This is not a criticism of Bit9. Its product did what it was supposed to do, and no one expected it to provide alerts and analysis.

Security vendors, being in the business of selling products, often present things in black and white, aiming to gain competitive advantage by comparing themselves favorably with other technology. Whitelist vendors say they are better than antivirus because antivirus works only against known attacks.

But security is not black and white. It is a gray-tone landscape. Whitelisting is not always practical, and despite frequent criticisms, an updated antivirus tool is an effective way to block large numbers of active attacks. There is a gray area between the two techniques that should be occupied with intrusion detection, behavior analysis and other monitoring and blocking technologies.

Don’t expect any one tool to do the whole job.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Jul 3, 2012 JC

What is the cost of whitelisting ($, RAM space, etc.), and why can't it be sold with antivirus software? Antivirus is sold to millions of people with most thinking that they do not have to worry about threats. This is a gross misconception that the antivirus companies have propagated and should be corrected by them. If whitelisting can keep your computer safer it should be included in antivirus protection packages.

Thu, Jun 28, 2012 EricE

"despite frequent criticisms, an updated antivirus tool is an effective way to block large numbers of active attacks." Yeah, all known ones! For new ones the vendor has never seen before it's a case of too little, too late. "There is a gray area between the two techniques that should be occupied with intrusion detection, behavior analysis and other monitoring and blocking technologies." Really? What exactly are those grey areas. It seems to me that whitelisting is 100% effective. If it's not known or authorized, it doesn't run! Why do you think Apple is building it in at a foundational level in Mac OSX?

"Don’t expect any one tool to do the whole job."

Always sage advice. But even better advice is don't believe marketing hype and pick better tools and strategies than relying on outdated methodologies such as AV scanning "because it's what we have always done".

Thu, Jun 28, 2012

"The great advantage of whitelisting is that it does not need to know its adversary to block it. But that also is its blind spot. Bit9 discovered that its customer was under attack months after the fact" and "But had Bit9 been able to notice and flag the periodic attempts to load unauthorized software" Uh, why was it Bit9's (the company) job to notice? Their software did notice and did flag. Actually, more importantly, it stopped the software from executing. Even better! I think the more pressing question is, where the heck were the admins for the organization that had deployed Bit9's software? What good is deploying a security tool if there is no one there monitoring it? And how exactly would Antivirus have helped in this situation? Detected it months later once AV vendors finally got around to having signatures for it? I think I would rather block it and be ignorant as to exactly what it is. I mean, who cares what it is I didn't want it in the first place! Antivirus is the biggest "protection" racket in all of IT. That we have been collectively brainwashed that AV is "essential" is a bigger marketing success than conning people into paying serious money for bottled water :p
