
BLOG: To detect 100 percent of malware, try whitelisting 'lite'

Roger A. Grimes | Jan. 2, 2014
Few want to live with whitelisting's overhead and restrictions -- so run it in audit mode to detect all malware coming your way.

Every antimalware scanner claims to catch 99 to 100 percent of malware. But how can that be true? If it were, our computers wouldn't get infected nearly as much as they do, and the antimalware industry would have roundly defeated its malicious foes by now.

Tests against real-world malware show that, over time, even the best scanners miss a significant portion of the total. That's understandable. There are nearly 180 million malware programs, and more than 200,000 new malicious programs are produced every day, according to AV-Test. Plus, malware writers usually test their creations using aggregated virus testing services, such as VirusTotal, which throws malware at dozens of antivirus engines at once. Many malware writers even sell their programs with money-back guarantees against detection.

Let's be generous and accept that an antimalware product's claim that it can stop 99.9 percent of malware is accurate. That's still 200 malware programs per day that aren't being detected.

How do you stop malware when so much of it is seemingly undetectable? Two words: Use whitelisting.

The 100 percent solution
I've long been a fan of whitelisting (aka application control) programs. My somewhat ancient review of whitelisting products remains a popular article, despite the fact that most organizations don't or can't activate whitelisting for political reasons.

Nonetheless, I believe whitelisting can be used by any organization to detect previously undetectable malware threats. Simply install a good whitelisting program and run it in audit-only mode.

First, have the whitelisting program take a snapshot of the software currently installed on the monitored computer. This generates the application control rules needed to allow every currently installed program to run. Next, find out which alerting events the application control program generates when it detects something new running or being installed. Forward those events to a centralized repository database, then run reports that detail and summarize the new activity.

In the Windows world, this process can be accomplished for almost nothing. Windows has had built-in application control functionality since Windows XP and Windows Server 2003, so you can forward selected application control events using built-in functionality (this is significantly easier in Windows Vista/Server 2008 and later). Any one of the more functional third-party commercial offerings (some of which I covered in the 2009 review) can accomplish the same things even more easily, and they always have great enterprise reporting. For enterprise reporting with the free, built-in Windows options, you must either own a Microsoft reporting product (such as SCOM) or collect all the events into a SQL database instance, against which you write custom queries.

I'm a big fan of starting with computers and servers that shouldn't change a lot over time, such as infrastructure servers: DNS servers, domain controllers, and so on. Today's application control programs are great at accounting for previously accepted installation routines (such as self-updating browsers and patches) without firing off warnings.
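As an added example (not code from the article), here is the reporting step for the free, built-in Windows route: AppLocker-style audit-only events (event ID 8003, "allowed, but would have been blocked if enforced") are loaded into a SQL table beside the snapshot's list of known file hashes, and two custom queries summarize the new activity. Hosts, users, paths and hashes are constructed sample data, not real indicators.

```python
"""Summarize audit-mode application-control events collected centrally."""
import sqlite3
from typing import List, Tuple

# Constructed sample data. BASELINE holds the hashes captured by the snapshot;
# EVENTS are (host, timestamp, user, path, hash) from forwarded 8003 events.
BASELINE = {"hash-aaa111", "hash-bbb222", "hash-ccc333"}
EVENTS = [
    ("dc01", "2014-01-02T08:00:00", "SYSTEM", r"C:\Windows\System32\svchost.exe", "hash-aaa111"),
    ("dc01", "2014-01-02T08:05:00", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe", "hash-ddd444"),
    ("dns01", "2014-01-02T09:10:00", r"CORP\bob", r"C:\Users\bob\Downloads\invoice.exe", "hash-eee555"),
    ("dns02", "2014-01-02T09:12:00", r"CORP\carol", r"C:\Users\carol\Downloads\invoice.exe", "hash-eee555"),
    ("dc01", "2014-01-03T10:00:00", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe", "hash-ddd444"),
]


def load(events, baseline) -> sqlite3.Connection:
    """Stand in for the central SQL repository: an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events(host TEXT, ts TEXT, usr TEXT, path TEXT, hash TEXT)")
    con.execute("CREATE TABLE baseline(hash TEXT PRIMARY KEY)")
    con.executemany("INSERT INTO events VALUES (?,?,?,?,?)", events)
    con.executemany("INSERT INTO baseline VALUES (?)", [(h,) for h in baseline])
    return con


def new_binaries(con) -> List[Tuple[str, int, int, str]]:
    """Hashes absent from the snapshot: host prevalence, run count, first seen.
    Wide prevalence suggests a rollout or patch; a single host is the odd one out."""
    return con.execute("""
        SELECT e.hash, COUNT(DISTINCT e.host) AS hosts, COUNT(*) AS runs, MIN(e.ts)
        FROM events e LEFT JOIN baseline b ON b.hash = e.hash
        WHERE b.hash IS NULL
        GROUP BY e.hash ORDER BY hosts DESC, runs DESC, e.hash""").fetchall()


def per_host(con) -> List[Tuple[str, str, str, int]]:
    """Per host: each non-baseline path and hash, with how often it ran."""
    return con.execute("""
        SELECT e.host, e.path, e.hash, COUNT(*) FROM events e
        LEFT JOIN baseline b ON b.hash = e.hash
        WHERE b.hash IS NULL
        GROUP BY e.host, e.path, e.hash ORDER BY e.host, e.path""").fetchall()


if __name__ == "__main__":
    db = load(EVENTS, BASELINE)
    for row in new_binaries(db):
        print("new hash %s on %d host(s), %d run(s), first seen %s" % row)
    for row in per_host(db):
        print("%s: %s (%s) ran %d time(s)" % row)
```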

