Defense in Depth

November 20, 2008 1:42 PM PST

Is white listing going mainstream?

by Robert Vamosi
  • 13 comments

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years.

(Credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking. The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.

Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, ranging from Fortune 100 companies to retail companies like Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 products.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made the policy decisions for the end user and lets the more advanced user customize the settings based on an overall comfort level rather than on individual files.

During our talk, Morley took issue with antivirus vendors who say they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring an application after checking it once.

And many of the antivirus products are using community feedback to determine reputation. So if 1,500 users are showing this file on their PC, then Symantec, for example, is going to be more inclined to say that file probably should be on a person's desktop. Symantec says community feedback is just one of the criteria; there are researchers who will be confirming the reputation of a file as well.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then pass that knowledge to all its customers so everyone is protected.
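The allow-list model described above, including the difference Morley draws between checking an application once and continuing to watch the executable itself, as an added Python illustration. This is not Bit9's or Kaspersky's code: the catalog contents, the file bytes and the two host classes are constructed for the example, and the vendor dimension of a real allow-list (trust in a verified code-signing identity) is left out so the example can run offline.

```python
"""Toy hash-based application allow-list (default deny), contrasting a
one-time check with re-verification on every launch.

Added illustration, not code from Bit9 or any vendor on the page. The
catalog, file contents and host names are constructed for the example."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """An executable's identity is its content hash, not its file name."""
    return hashlib.sha256(data).hexdigest()


class Catalog:
    """Stand-in for a 'known good' / 'known bad' registry shared by all hosts."""

    def __init__(self):
        self.known_good = set()
        self.known_bad = set()

    def approve(self, content: bytes) -> str:
        h = sha256_hex(content)
        self.known_good.add(h)
        self.known_bad.discard(h)
        return h

    def revoke(self, h: str) -> None:
        """Move a hash to known-bad; every host consulting the catalog blocks it."""
        self.known_good.discard(h)
        self.known_bad.add(h)

    def decide(self, content: bytes) -> str:
        h = sha256_hex(content)
        if h in self.known_bad:
            return "deny:known-bad"
        if h in self.known_good:
            return "allow"
        return "deny:unknown"  # default deny: not on the list means it does not run


class MonitoringHost:
    """Hashes the file at every launch, so a changed binary is re-evaluated."""

    def __init__(self, catalog: Catalog):
        self.catalog = catalog
        self.files = {}  # constructed stand-in for files on disk

    def install(self, name: str, content: bytes) -> None:
        self.files[name] = content

    def launch(self, name: str) -> str:
        return self.catalog.decide(self.files[name])


class CheckOnceHost(MonitoringHost):
    """Checks a file name the first time only and caches that verdict."""

    def __init__(self, catalog: Catalog):
        super().__init__(catalog)
        self.cache = {}

    def launch(self, name: str) -> str:
        if name not in self.cache:
            self.cache[name] = self.catalog.decide(self.files[name])
        return self.cache[name]


def scenario() -> dict:
    """Constructed scenario: approved app, unknown app, tampered app, revocation."""
    catalog = Catalog()
    good = b"MZ\x90\x00 constructed approved editor binary"
    unknown = b"MZ\x90\x00 constructed unapproved download"
    good_hash = catalog.approve(good)

    monitoring = MonitoringHost(catalog)
    check_once = CheckOnceHost(catalog)
    results = {}
    for tag, host in (("monitoring", monitoring), ("check_once", check_once)):
        host.install("editor.exe", good)
        host.install("download.exe", unknown)
        results[f"{tag}:editor:first"] = host.launch("editor.exe")
        results[f"{tag}:download"] = host.launch("download.exe")
        # Same file name, different bytes: what a replaced binary looks like on disk.
        host.install("editor.exe", good + b"\x00 extra bytes")
        results[f"{tag}:editor:tampered"] = host.launch("editor.exe")

    # The catalog later learns the original was bad; re-hashing hosts pick it up.
    catalog.revoke(good_hash)
    monitoring.install("editor.exe", good)
    results["monitoring:editor:after-revoke"] = monitoring.launch("editor.exe")
    return results


if __name__ == "__main__":
    for key, verdict in scenario().items():
        print(f"{key:32} {verdict}")
```

The check-once host keeps allowing `editor.exe` after its bytes change, because it trusts the name it already approved; the monitoring host re-hashes at launch and falls back to default deny, and it also honours a revocation pushed into the shared catalog, which is the "pass that knowledge to all its customers" step in the text.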

November 19, 2008 8:14 AM PST

How Live OneCare changed the antivirus landscape

by Robert Vamosi
  • 21 comments

Since its introduction in 2006, Microsoft's Windows Live OneCare has altered the antivirus landscape. With Tuesday's announcement that Microsoft will no longer be selling the product in retail outlets but offering a new free version, code-named Morro, starting in the second half of 2009, it's sure to change the field once again.

Since Microsoft bought Romania-based antivirus firm GeCad five years ago, there has been fear among the commercial antivirus vendors that the software giant would simply bundle its malware protection within the next version of Windows. While that didn't happen--and it's unlikely to happen--Microsoft's addition to the market has forced its competitors to make some changes even though Microsoft hasn't become the huge player once feared.

Even before the first beta in 2005, McAfee and Symantec were talking about plans to go head to head with the software giant. McAfee announced plans around Project Falcon, and Symantec launched Project Genesis.

Microsoft OneCare entered the market in May 2006 as a "desktop IT department" and inspired a new breed of "omni security suites" that went beyond the traditional Internet security suite. I wasn't impressed. Although OneCare offers the revamped GeCad antivirus engine, Microsoft Windows Defender antispyware protection, and the Windows Firewall, along with system diagnostic tools, backup capabilities, and a way to monitor home networking, I think that the interface is clunky and that the tools aren't necessarily top of the line. And, I'm on record as calling OneCare SopranoCare since it seems wrong to me to have to pay the company that broke your operating system to fix it.

But at its introduction, Microsoft did shake up the antivirus landscape. OneCare was priced at an absurdly low $49.95, and it protected up to three PCs. At the time, Symantec's Norton Internet Security and McAfee's Internet Security were both priced at over $100 for their three-user packages. Today, three-user packages well under $100 are common.

Symantec responded in 2007 with its Project Genesis-produced Norton 360, a unified product that took Norton Internet Security and added online backup. But Symantec didn't just add to its existing product, it reinvented the product, producing a new one with a fully integrated interface marketed for the average home user. And at around $70, it could be used on up to three PCs.

McAfee also responded with its Project Falcon-produced McAfee Total Protection, also priced around $70 for up to three PCs. It too offers home network monitoring and premium or enhanced versions of the McAfee Internet Suite.

But McAfee and Symantec both had something Microsoft did not: effectiveness.

Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated."

Microsoft began hiring longtime antivirus experts from competitors, and it appears to have paid off. A few years ago, Vincent Gullotto came over from McAfee to head Microsoft's Security Research and Response team. Microsoft has since added experts from F-Secure, Sophos, and elsewhere to the team. And it shows. In the latest On Demand scanning test from AV-Comparatives.org, Microsoft OneCare 2.5 scored as well as McAfee VirusScan Plus 2008.

All is not perfect, however. In May, Microsoft mistook Skype for a piece of malware. And the Windows Firewall, while Microsoft insists otherwise, is not a truly two-way firewall; there are a great many outbound exceptions within the Microsoft version. A Microsoft representative said "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network." Given that other firewalls have outbound filtering, I still don't see why Microsoft can't.

The free version of Morro won't have all the current bells and whistles of OneCare; Microsoft says the diagnostic tools won't be included. Although the final feature set won't be known for a while, just having a free antivirus/antispyware/personal firewall product from Microsoft is bound to shake things up.

With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.

June 20, 2008 9:51 AM PDT

Mac OS X Trojan reported in the wild

by Robert Vamosi
  • 77 comments

On Thursday, security vendor SecureMac reported seeing new variants of the AppleScript.THT Trojan horse in the wild, affecting users of Mac OS X 10.4 and 10.5.

The new variants exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screenshots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac.

The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.

SecureMac makes MacScan, antispyware software for Mac OS X.

June 18, 2008 10:51 AM PDT

Trend Micro gambles on 'in the cloud' technology

by Robert Vamosi
  • Post a comment

On Wednesday, Trend Micro CEO and co-founder Eva Chen unveiled a new vision for her company that includes "in-the-cloud" malware analysis.

Unlike the computer viruses of 20 years ago, which were slow to evolve and infected thousands of systems worldwide, malware today evolves rapidly and infects relatively few systems, creating thousands of new variants each day. Chen admits that traditional signature-based antivirus strategies may seem a bit outdated, but argues that pattern matching is still faster than running a full heuristic check of each new malware specimen. Her answer is to throw all the unknown samples up into the cloud for deeper and faster pattern recognition.

For the last few years, Trend Micro has been building robust servers around the world, enabling it to offer more and more software as a service (SaaS) solutions to its medium-size business customers. Now, Trend Micro is planning to include its "in-the-cloud" network service in two new suites for enterprises, and may in the future incorporate some of the technology in its home and small business offerings.

With faster Internet connections available worldwide, Chen argues it's faster to do a suspected malware lookup in the cloud than to initiate and execute a sandbox heuristic environment on the desktop. We're talking milliseconds vs. the 1 to 2 seconds for each sandbox inspection, and over several thousand samples, the time savings add up. Also, all unknown samples could be gathered from around the world, and new signatures could be sent out worldwide.

Chen envisions a 15-minute turnaround from discovery to mitigation of each new malware detected.

On Wednesday, Trend Micro announced two enterprise suites: a Threat Discovery Suite (due in Q3 2008) to find internal security threats on a network, and a Threat Mitigation Suite (due in Q4 2008) to provide analysis and policy review to protect against future threats.

April 25, 2008 11:56 AM PDT

Race to Zero aims to stump antivirus scanners

by Robert Vamosi
  • 9 comments

A new contest to be held at this year's DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading antivirus researcher says is "not a good idea."

The goal of the Race to Zero is simple: obfuscate malicious code so that it evades well-known antivirus engines.

Contestants will be given a sample set of viruses and malicious code that they must modify and then upload through the contest portal. Once accepted, the sample will be sent through a number of leading antivirus engines (perhaps using VirusTotal.com to provide real-time test results). The first team or individual who manages to evade all the antivirus engines wins that round. The organizers promise that each round will increase in complexity.

On the contest site, organizers list six reasons for hosting this event:

  1. Reverse engineering and code analysis is fun.
  2. Not all antivirus is equal and poorly performing antivirus vendors should be called out.
  3. Signature-based antivirus products can be easily circumvented.
  4. It's easier to modify malicious software than it is to write signature protection for it.
  5. Signature-based antivirus is dead.
  6. Antivirus is just part of the larger picture, you need patching, firewalling and sound security policies to remain virus free.

But Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created? Security research should center around bettering detection not evasion."

DefCon 16 will be held August 8-10 at the Riviera Hotel in Las Vegas.

April 23, 2008 11:26 AM PDT

Microsoft mistakes Skype for a Trojan

by Robert Vamosi
  • 5 comments

Users of Microsoft Windows Live OneCare may have found their antivirus protection a little too proactive. Over the weekend, OneCare informed some Skype users that the popular voice-over-IP application was infected with the Trojan Win32/Vundo.gen!D.

Not true, says Skype, which noted that Microsoft has since repaired its overzealous signature file.

On Friday, OneCare subscribers started seeing their access to Skype blocked. Microsoft says it was trying to block a multiple-component family of programs that deliver "out of context" pop-up advertisements, and mistakenly included Skype.

On Tuesday, four days later, it sent out a revised signature file for Win32/Vundo.gen!D that did not include Skype.

March 25, 2008 6:44 AM PDT

Independent antivirus test labs join forces

by Robert Vamosi
  • Post a comment

Corrected at 6:50 a.m. PDT March 26: The last paragraph has been revised to correctly describe a second antivirus partnership.

The Anti-Malware Test Lab and AV-Comparatives.org announced on Tuesday an alliance designed to create one of the most respected sources of objective, independent information about antivirus products.

Together, the pair said, they intend by year's end to create a unique system of integrated tests for determining the effectiveness of commercial antivirus software.

Andreas Clementi, founder of AV-Comparatives, said in a statement that "the partnership with Anti-Malware Test Lab will allow us to evaluate more aspects of antivirus software and to offer users a more comprehensive independent view of various security products."

Clementi further hinted that if this alliance works out, there may be additional alliances of independent antivirus software-testing labs.

"I'm sure that our partnership will act as a driving force for the development of the industry as a whole," said Sergey Ilyin, founder of Anti-Malware Test Lab. Anti-Malware Test Lab is an independent Russian test laboratory, a subsidiary of Anti-Malware.ru. The laboratory is best known for testing active infection treatments, antivirus heuristics, and anti-rootkit protection.

This is the second partnership of antivirus-testing organizations in recent months.

In January, various antivirus vendors, independent testing labs, and media outlets gathered in Spain to work toward creating the Anti-Malware Testing Standards Organization (AMTSO). That group includes vendors F-Secure, Kaspersky Lab, McAfee, Panda Software, and Symantec, and independent testing labs AV-Test.org and AV-Comparatives. The alliance announced on Tuesday is different, said Clementi, because it allows Anti-Malware.ru to share AV-Comparatives' test results.

January 8, 2008 11:02 AM PST

First iPhone Trojan horse reported

by Robert Vamosi
  • 6 comments

Seen more as a prank than an actual threat, a Trojan horse for the Apple iPhone, first reported on Saturday, has already come and gone. Still, users should be on the lookout for a package called "iPhone firmware 1.1.3 prep," described as something you need to install before updating to the new 1.1.3 firmware. Billed as an "important system update," the code does little more than cause annoyance. According to various sources, once the Trojan is installed it simply displays the word "shoes."

However, the Trojan also overwrites several legitimate applications, including Erica's Utilities, Launcher, Doom, and OpenSSH, meaning that if you uninstall the Trojan, you will need to reinstall these applications later. This appears to be a consequence of poor programming.

The risk to iPhone users is now considered negligible since the host sites have all been taken down.

As antivirus vendor F-Secure concluded in its blog, "This time it was an 11-year-old kid playing with XML files who created the Trojan. Next time it might be someone else with more skills and with specific target."

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
