
Defense in Depth

Read all 'Symantec' posts in Defense in Depth
November 20, 2008 1:42 PM PST

Is white listing going mainstream?

by Robert Vamosi
  • 14 comments

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

Patrick Morley

Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years.

(Credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking. The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.

Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, ranging from Fortune 100 companies to retail companies like Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 product.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made policy decisions for the end user and further allows the more advanced end user to customize the settings based on overall comfort level, not individual files.

During our talk, Morley took issue with antivirus vendors who are saying they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring the applications after checking them once.

And many of the antivirus products are using community feedback to determine reputation. So if 1,500 users are showing this file on their PC, then Symantec, for example, is going to be more inclined to say that file probably should be on a person's desktop. Symantec says community feedback is just one of the criteria; there are researchers who will be confirming the reputation of a file as well.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then pass that knowledge to all its customers so everyone is protected.

November 19, 2008 8:14 AM PST

How Live OneCare changed the antivirus landscape

by Robert Vamosi
  • 21 comments

Since its introduction in 2006, Microsoft's Windows Live OneCare has altered the antivirus landscape. With Tuesday's announcement that Microsoft will no longer be selling the product in retail outlets but offering a new free version, code-named Morro, starting in the second half of 2009, it's sure to change the field once again.

Since Microsoft bought Romania-based antivirus firm GeCad five years ago, there has been fear among the commercial antivirus vendors that the software giant would simply bundle its malware protection within the next version of Windows. While that didn't happen--and it's unlikely to happen--Microsoft's addition to the market has forced its competitors to make some changes even though Microsoft hasn't become the huge player once feared.

Even before the first beta in 2005, McAfee and Symantec were talking about plans to go head to head with the software giant. McAfee announced plans around Project Falcon, and Symantec launched Project Genesis.

Microsoft OneCare entered the market in May 2006 as a "desktop IT department" and inspired a new breed of "omni security suites" that went beyond the traditional Internet security suite. I wasn't impressed. Although OneCare offers the revamped GeCad antivirus engine, Microsoft Windows Defender antispyware protection, and the Windows Firewall, along with system diagnostic tools, backup capabilities, and a way to monitor home networking, I think that the interface is clunky and that the tools aren't necessarily top of the line. And, I'm on record as calling OneCare SopranoCare since it seems wrong to me to have to pay the company that broke your operating system to fix it.

But at its introduction, Microsoft did shake up the antivirus landscape. OneCare was priced at an absurdly low $49.95, and it protected up to three PCs. At the time, Symantec's Norton Internet Security and McAfee's Internet Security were both priced at over $100 for their three-user packages. Today, three-user packages well under $100 are common.

Symantec responded in 2007 with its Project Genesis-produced Norton 360, a unified product that took Norton Internet Security and added online backup. But Symantec didn't just add to its existing product, it reinvented the product, producing a new one with a fully integrated interface marketed for the average home user. And at around $70, it could be used on up to three PCs.

McAfee also responded with its Project Falcon-produced McAfee Total Protection, also priced around $70 for up to three PCs. It too offers home network monitoring and premium or enhanced versions of the McAfee Internet Suite.

But McAfee and Symantec both had something Microsoft did not: effectiveness.

Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated."

Microsoft began hiring longtime antivirus experts from competitors, and it appears to have paid off. A few years ago, Vincent Gullotto came over from McAfee to head Microsoft's Security Research and Response team. Microsoft has since added experts from F-Secure, Sophos, and elsewhere to the team. And it shows. In the latest On Demand scanning test from AV-Comparatives.org, Microsoft OneCare 2.5 scored as well as McAfee VirusScan Plus 2008.

All is not perfect, however. In May, Microsoft mistook Skype for a piece of malware. And the Windows Firewall, while Microsoft insists otherwise, is not a truly two-way firewall; there are a great many outbound exceptions within the Microsoft version. A Microsoft representative said "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network." Given that other firewalls have outbound filtering, I still don't see why Microsoft can't.

The free version of Morro won't have all the current bells and whistles of OneCare; Microsoft says the diagnostic tools won't be included. Although the final feature set won't be known for a while, just having a free antivirus/antispyware/personal firewall product from Microsoft is bound to shake things up.

With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.

July 21, 2008 11:38 AM PDT

Column: Will you be ditching your antivirus app anytime soon?

by Robert Vamosi
  • 47 comments

For the last few months, I've been hearing some well-regarded security people tell me they are considering ditching their antivirus protection altogether. They haven't done it, but these individuals feel the days of having a special application scan to remove malware on your desktop are numbered. Malware has changed, but the applications to ferret them out have not.

Antivirus programs, as we know them today, are based on 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is getting tedious, if not archaic. In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking.

That's why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases--something called whitelisting. If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.

That's more or less what Symantec CEO John Thompson called for at this year's RSA: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting--where we identify and allow only the good stuff to come in--will become critical." He actually didn't say much more about whitelisting, yet everyone talks about this speech as though Thompson had provided clear guidance that this was the year of whitelisting.

So how viable is whitelisting? Turns out we've been using it to defend against spam for years.

To see how whitelisting works on an enterprise level, I spoke with Tom Murphy, chief strategy officer for Bit9, a Massachusetts-based company that has been quietly leading the way in whitelist technology.

For several years Bit9 has been building what it calls a Global Software Registry or GSR (formerly called Bit9 Knowledgebase), cataloging "known good" and "known bad" applications and files. Murphy said Bit9 uses three methods--MD5, SHA1 and OMAC--to create a unique hash of the file and ensure that the file is what it says it is. For the moment, the catalog is used for Bit9's enterprise products. But they've entered into an agreement with Kaspersky, who will be using the registry for its 2009 desktop security products.

Bit9 is not alone. SecureWave's Sanctuary, Savant Protection, and DriveSentry have also been creating whitelisting technology for the enterprise. What's interesting is that the big guys, Google (Green Border Technologies), Microsoft (Winternals Software's Protection Manager), and now Symantec, have started paying attention to whitelisting.

Which gets us back to antivirus software.

If hosting a million antivirus signature files is daunting, how many "clean" files might there be? Think about all the versions of software that exist, not to mention the files those products create.

The downside of whitelisting, indeed the main argument against it, is that all those clean files outnumber the bad guys by a considerable margin. Right now, maintaining a whitelist file is impractical for the desktop.

Trend Micro (if it wants to get into the whitelist space) thinks it has the answer. For the last few years, Trend Micro has been building servers around the world to provide continuous service to its Software-as-a-service enterprise systems. Last month, Trend Micro CEO Eva Chen told me it's time to bring that SaaS service down to the desktop. Instead of having all the signature files on the desktop, the desktop app would instead ping "the cloud" and get results from the much larger database of known malware stored there.

Make no mistake, Trend Micro is still using antivirus signature databases. Chen said even after 20 years, there are still advantages to pattern-matching antivirus signature files. For one thing, she says it's faster than firing up a heuristic sandbox and testing each individual piece of malware. True, although we're talking about shaving nanoseconds between the two processes. Still, with several thousand files, those saved nanoseconds do add up. So instead of running the operation on the PC, the PC sends all its unknowns to a server in the cloud and gets the results back lickety-split. An added benefit, says Chen, is that new samples are submitted in real time and evaluated quickly. In her estimate, Trend Micro can have a new signature file for an unknown threat ready within 15 minutes.

Fifteen minutes is also the new mantra over at Symantec. For its 2009 Norton products, Tom Powledge, vice president of consumer product management at Symantec, told me the new products are lighter and faster in part because they've jettisoned the multiple copies of the signature database found in previous versions. They're also not scanning each and every file. Instead, the 2009 products will be building a trust index--that is, the app will declare certain files (say photos or MP3s) clean and then not scan them again unless the files change. He showed me a graphic where roughly 70 percent of a given machine is trusted, and only that last 30 percent is actively scanned.
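As an added illustration (not Bit9's or Symantec's code), this Python sketch combines the two mechanisms this column describes: a default-deny allowlist keyed on file hashes, as in the GSR, and a trust index that skips rehashing a file until its size or modification time changes. The file names, registry contents and sample bytes are constructed for the example, and only MD5 and SHA-1 of the three hashes mentioned are computed, since OMAC needs a key.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 64 * 1024


@dataclass
class TrustEntry:
    """What the trust index remembers about a file it has already classified."""
    size: int
    mtime_ns: int
    sha1: str
    verdict: str


def file_digests(path):
    """MD5 and SHA-1 of a file, computed in one pass over its contents."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


class Allowlist:
    """Default-deny policy: only files whose SHA-1 is in the registry may run."""

    def __init__(self, known_good):
        self.known_good = dict(known_good)   # sha1 -> human-readable name (constructed)
        self.trust_index = {}                # path -> TrustEntry

    def decide(self, path):
        """Return (verdict, how). 'cached' means no rehash was needed because size
        and mtime are unchanged since the last look: the trust-index idea of not
        rescanning a file until it changes."""
        st = os.stat(path)
        cached = self.trust_index.get(path)
        if cached and (cached.size, cached.mtime_ns) == (st.st_size, st.st_mtime_ns):
            return cached.verdict, "cached"
        sha1 = file_digests(path)["sha1"]
        verdict = "allow" if sha1 in self.known_good else "deny"
        self.trust_index[path] = TrustEntry(st.st_size, st.st_mtime_ns, sha1, verdict)
        return verdict, "hashed"


def demo():
    """Constructed sample: one registered binary, one unknown binary, then the
    registered one is modified in place, as a tampered or updated file would be."""
    good_bytes = b"MZ constructed sample of a registered program\n"
    registry = {hashlib.sha1(good_bytes).hexdigest(): "GoodApp 1.0"}  # hypothetical entry
    wl = Allowlist(registry)
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.exe")
        unknown = os.path.join(tmp, "unknown.exe")
        with open(good, "wb") as fh:
            fh.write(good_bytes)
        with open(unknown, "wb") as fh:
            fh.write(b"MZ constructed sample nobody has vetted\n")
        os.utime(good, ns=(1_000_000_000, 1_000_000_000))
        for p in (good, unknown, good):          # second look at good.exe hits the index
            v, how = wl.decide(p)
            results.append((os.path.basename(p), v, how))
        with open(good, "ab") as fh:             # change the file: size and mtime move
            fh.write(b"<patched>")
        os.utime(good, ns=(2_000_000_000, 2_000_000_000))
        v, how = wl.decide(good)
        results.append(("good.exe (modified)", v, how))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The modified copy of good.exe is rehashed and denied, which is the property that distinguishes a hash-keyed allowlist from a check that is done once and never repeated.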

Like Trend, Norton is experimenting with faster new malware turnaround. Powledge says Norton should be updating not every 15 minutes, but every couple of minutes. This is a vast improvement from hourly or even daily updates by some antivirus vendors.

Given the improvements to the traditional antivirus programs proposed by Trend Micro and Symantec, are the days of antivirus applications numbered?

Yes.

I asked Murphy if white lists worked well enough to replace traditional antivirus protection at some companies. He answered, very diplomatically, "if (a customer) feel(s) that they have a control over the environment, some customers have removed antivirus off their machines."

I'm still not convinced that white listing is the way to go, but I do know that security solutions in the enterprise space have a way of trickling down to the desktop.

July 1, 2008 11:08 AM PDT

McAfee reports on spam in the real world

by Robert Vamosi
  • 3 comments

Taking a cue from Morgan Spurlock, who lived on fast food for 30 days in the Super Size Me documentary, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, signing up for various newsletters and filling in various forms. As they did so, the participants were asked to blog about their experiences.

On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.

Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per recipient. Put another way, 87 percent of all the e-mail captured on the test laptops was considered to be spam. That isn't too surprising.

What is surprising, according to Dave Marcus, director of security research and communications for McAfee Avert Labs, is the amount of foreign language spam, with Germany and France having the highest percentage of local language spam.

Other findings include:

  • Men received more spam than women (76.6 per day vs. 60.6 per day).
  • The United States received more total spam, followed by Brazil and Italy.
  • Nigerian scam e-mails are more popular in the United Kingdom than in the United States.

What's also interesting, at least to me, is that the McAfee results were similar to results released by Symantec. McAfee used about 50 real-world participants while Symantec used its DeepThreat Network of thousands of computers worldwide.

You can hear more of Dave Marcus' observations on the McAfee results in this week's Security Bite's podcast.

May 27, 2008 10:46 AM PDT

Adobe Flash exploit raises concern

by Robert Vamosi
  • 2 comments

Update 11:10 a.m. May 30: Despite earlier reports, version 9.0.124.0 of Adobe Flash Player has no new bugs. For the latest news, click here.

Legitimate Web sites hosting Adobe Flash Player content may be compromised to embed JavaScript that redirects users to a Chinese malware server, says Symantec. Affected versions of Adobe Flash Player include 9.0.124.0 (latest version) and 9.0.115.0.

Symantec says that under certain conditions embedded JavaScript within the player will redirect users to dota11.cn. In an alert on Tuesday, Symantec said specific details about the vulnerability exploited were unknown, and initial testing of the in-the-wild exploit showed it to be unreliable. Nonetheless, Symantec said it had identified at least one commercial site, www.bridgettwalther.com, which is a horoscope Web site, but that the embedded malicious code has since been removed.

More details available here.

Symantec recommends that users use script-disabling plug-ins such as NoScript for Firefox to prevent embedded Flash scripts from being loaded.

April 29, 2008 11:13 AM PDT

Symantec's Norton user forum in beta

by Robert Vamosi
  • Post a comment

After years of prodding from pesky security software reviewers like myself, Symantec has finally created a user forum for its Norton products. Although still officially in beta, the forum has been operating in-house for a few months and thus has been generating some useful how-to information.

Moderator Dave Cole sums up the project in a welcome note:

We've been working on re-launching our product forums for several months now and are happy to finally officially open the door on the beta. We kicked off this project with the intent of creating a place where Norton customers, employees and other people interested in dialogue could meet online to discuss our products and related topics, from system tune-up to scrubbing malware from PCs. Whether it's an idea for a new feature, a feature you love, or something that simply doesn't work for you, go ahead and register as a user and let us know what's on your mind.

So far only Norton Internet Security has its own support thread. Under "Other Products," however, you will find separate discussions of Norton 360, Ghost, and Norton Antivirus. No word yet when the project will be out of beta.

April 8, 2008 9:53 AM PDT

Symantec CEO talks ID management, the future

by Robert Vamosi
  • 1 comment

Predicting the future for technology and business is never easy, yet Symantec CEO John Thompson ventured into that Tuesday morning in his keynote speech at RSA 2008.

On the future, Thompson predicted three things: that malicious software will outnumber legitimate software, increasing the need for so-called white listing; that identity management will grow beyond the enterprise and start to include every customer in the world; and that digital rights management will become a reality for all content, not just music and video.

Thompson

Symantec CEO John Thompson takes the stage at RSA 2008.

(Credit: Corinne Schulze/CNET Networks)

He said businesses need to start thinking about these things now. "I believe this starts with a fundamental shift toward an information-centric view of security," he said. He described this information-centric view of security as taking a risk-based approach to protecting confidential information. Instead of securing all the data, secure only the most important data, he said, adding, "Once you gain insight into how your information is being used, you can begin to set policies that help you mitigate your risks."

Thompson mentioned the growth of mobile devices and stressed the need to become content aware, that just guarding the corporate perimeter isn't enough anymore.

"Ultimately," Thompson concluded, "the work of protecting business information is everybody's job--not just IT's. It's a challenge all of us must tackle in order for our businesses to thrive--to become more agile and high-performing--and to realize the full promise of the connected world."

March 18, 2008 12:40 PM PDT

Intego questions Symantec's use of name

by Robert Vamosi
  • Post a comment

In a statement issued Tuesday, Macintosh security company Intego accused Symantec of infringing on its copyright. At issue is the new box copy for Norton Antivirus for Macintosh. In the upper right corner, Symantec has prominently placed the words "Dual Protection," a reference to the product's use on both the Mac OS X and Windows operating systems when using Apple Boot Camp.

The Austin, Texas-based Intego said in a press release, "Intego is the owner of a trademark registration for the mark DP DUAL PROTECTION in France (registered on January 17, 2007) and an international trademark registration for that mark (registered on July 2, 2007) in the United States, the European Community (27 countries), Switzerland, Monaco, Australia, and Japan. In the United States, Intego has applied to the Patent and Trademark Office to register the DP DUAL PROTECTION mark; Intego claims rights to this mark in the United States. Intego also owns the domain name dualprotection.com, which it registered on January 15, 2007."

A Symantec spokesperson said the company is aware of the issue and is looking into the matter, adding, "We have no further information to share at this time."

February 14, 2008 10:12 AM PST

There could be malware lurking inside that Clinton 'video' link

by Robert Vamosi
  • 1 comment

Update 11:45 a.m. PST: This blog incorrectly described part of what the link downloads. It downloads a Trojan horse. The link does not take viewers to a video.

Moving beyond Valentine's Day as a social-engineering theme, online criminals have started sending out e-mail with a supposed link to a recent interview with Sen. Hillary Clinton. Instead of a video, the link downloads a Trojan horse onto the viewer's computer. Security experts predict 2008 presidential election e-mails and phishing sites will continue throughout the year.

On Thursday in a Symantec blog, researcher Kelly Conley writes that the e-mail arrives with the subject line: Hillary Clinton Full Video !!! The body text reads, in part: "Hillary Clinton visited her Virginia campaign headquarters and did satellite interviews, looking beyond Tuesday's trio of contests..."

Often the malicious software is not within a video, but within the download link, as is the case here. Symantec says the link embedded within the e-mail downloads a suspect file, "mpg.exe," which is a Trojan downloader. This downloader then downloads inst241.exe, a file that Symantec detects as Trojan.Srizbi.

February 5, 2008 1:17 PM PST

Spam continues to increase, Symantec says

by Robert Vamosi
  • Post a comment

Spam now accounts for 78.5 percent of all e-mail traffic, according to a new report from Symantec. That's up from previous months. And Europe, not the United States, can now claim to be the source of most spam.

Other notable points culled from the "State of Spam" report for February 2008 (PDF) include:

  • There was an appreciable decline of image spam during January 2008.
  • The overall file size of spam messages has also decreased.
  • Product spam, the largest category, makes up 28 percent of all spam.
  • Internet Web hosting and Web design spam makes up 23 percent.
  • Financial spam is in third place at 12 percent.
  • However, health-related spam (those Viagra e-mails) only make up a mere 6 percent.


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
