PC Advisor investigates the dangers of blocking all unknown applications.

As a vast flood of malware threatens to overwhelm antivirus software, security companies have begun changing the way their programs protect PCs. To avoid being regularly exposed by malware writers, the likes of Kaspersky and Symantec plan to turn the tables on them by allowing only known good programs to run.

The technique, known as whitelisting, could help protect your computer. But though some security applications already use this approach, it can also make using your PC a huge annoyance.

"Whitelisting is probably at the top of the list for what the industry needs to move towards," says Jeff Aliber, senior director of product marketing with antivirus maker Kaspersky Labs.

Keeping tabs

For Kaspersky and other antivirus companies, the ocean of malicious software in circulation today may mean that just tracking known good software will be easier than trying to keep tabs on all the bad stuff.

For example, Symantec, which has been pushing for an industry shift to whitelists since last year, anonymously tracks new applications that appear on PCs participating in its Norton Community Watch programme.

During one week last November, more than half of the 54,000 new executables reported by Community Watch were malicious, says Carey Nachenberg, a vice president and developer with Symantec Research Labs.

In the face of that sobering reality, Kaspersky is about to release its first consumer antivirus products that bring in whitelists. It will use lists from Bit9, a whitelisting company that maintains a 6.3 billion-strong list of known good applications. The new Kaspersky applications won't automatically block programs not on the Bit9 list, but instead will focus scanning resources on those programs that Bit9 doesn't recognise.

Theoretically, that could allow for more careful scrutiny of unknown files with less risk of false alerts.

But nobody has a full list of all good software, so you can't block everything not on a list without eventually blocking some great but relatively unknown programs. And displaying a pop-up that asks you to decide whether an unknown app is okay to run ensures that you'll eventually make the wrong call and break your software or even your system.

Most antivirus companies rightly make every effort to minimise the number of alerts that ask us to make a decision; an overreliance on whitelists could roll back those improvements.

  1. Are whitelists friend or foe? Keeping tabs on malware
  2. Are whitelists friend or foe? Community-based security
  3. Are whitelists friend or foe? Free downloads
  4. Are whitelists friend or foe? Dedicated whitelisting services

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews

Community-based security

Symantec says it's looking at one possible solution, which is to bring in its community, where it checks to see if other Norton users have a given program installed. The company reasons that if, say, a hundred thousand people are running a particular app, with no reports to Symantec that it's a threat, then it's likely safe.

Nachenberg says the company is experimenting with this kind of reputation-based system to add to its products over the next few years.
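The two ideas described above, Kaspersky concentrating scans on files the Bit9 list doesn't recognise and Symantec's reasoning from community prevalence, combined into a single decision policy as an added example. This is not code from either vendor; the verdict names, the 100,000-install threshold and the sample "executables" are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"                      # on the known-good list: run, no scan needed
    ALLOW_BY_REPUTATION = "reputation"   # unlisted, but widely installed and never reported
    SCAN = "scan"                        # unknown: concentrate scanning effort here
    PROMPT = "prompt"                    # unknown and reported: ask the user / block

@dataclass(frozen=True)
class Reputation:
    installs: int            # community PCs running this exact file
    malicious_reports: int   # how many of them reported it as a threat

def file_hash(data: bytes) -> str:
    # A whitelist identifies a program by the hash of its bytes, not its name.
    return hashlib.sha256(data).hexdigest()

def decide(data: bytes, whitelist: set, community: dict, min_installs: int = 100_000) -> Verdict:
    """Exact whitelist hit wins; otherwise fall back to prevalence; still-unknown files are scanned, not blocked."""
    digest = file_hash(data)
    if digest in whitelist:
        return Verdict.ALLOW
    rep = community.get(digest)
    if rep is None:
        return Verdict.SCAN          # never seen anywhere: scrutinise, don't block outright
    if rep.malicious_reports > 0:
        return Verdict.PROMPT        # any threat report overrides popularity
    if rep.installs >= min_installs:
        return Verdict.ALLOW_BY_REPUTATION
    return Verdict.SCAN              # legitimate-looking but rare: scan, don't block

# Constructed stand-ins for executables (byte strings, not real files).
FIREFOX = b"MZ firefox.exe (constructed)"
POPULAR_TOOL = b"MZ popular-unlisted-tool.exe (constructed)"
INDIE_TOOL = b"MZ tiny-indie-utility.exe (constructed)"
REPORTED = b"MZ reported-sample.exe (constructed)"
BRAND_NEW = b"MZ just-compiled.exe (constructed)"
WHITELIST = {file_hash(FIREFOX)}
COMMUNITY = {
    file_hash(POPULAR_TOOL): Reputation(installs=250_000, malicious_reports=0),
    file_hash(INDIE_TOOL): Reputation(installs=40, malicious_reports=0),
    file_hash(REPORTED): Reputation(installs=300_000, malicious_reports=12),
}

def verdicts() -> dict:
    samples = {"firefox": FIREFOX, "popular": POPULAR_TOOL, "indie": INDIE_TOOL,
               "reported": REPORTED, "new": BRAND_NEW}
    return {name: decide(data, WHITELIST, COMMUNITY) for name, data in samples.items()}
```

The "indie" sample is the article's great-but-obscure program: it is never blocked by this policy, but it does keep landing in the scan queue until enough users run it.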

And then there's the big question: who maintains the list? If every antivirus company maintains its own, as Symantec says it wants to, small developers would have to submit their cool new downloads to at least five different organisations – and gain approval from all of them. But an alternative to that prospect is a central list available to everyone, maintained by the government or a neutral, open organisation.

"I think a centralised whitelist would be beneficial to everyone," says Kevin Beaver, an independent security consultant with Principle Logic who has written a number of books on computer safety.

"The problem is," he adds, "politics will likely get in the way of anything productive, especially when the big antimalware players want to maintain control. I think we'll see something like [a centralised whitelist] within the next few years, but this can't be pulled together overnight."


Free downloads

In the meantime, a number of free security tools already use a whitelist approach to protect PCs. However, in using them you'll typically get many pop-ups that may require a good deal of technical knowledge to interpret – a hassle that makes clear the challenge to the major antivirus companies. But if you're willing to deal with the interruptions, which can include reversing a mistaken decision, these downloads can bring strong protection against malware.

Comodo Firewall Pro Free offers full whitelist-style blocking in addition to its firewall; it works on Windows XP and Vista.

Once installed, the program displays an alert when an unknown program runs, and you'll have to choose to allow or deny the new app.

Comodo already knows about popular applications such as Firefox and won't display alerts for them, and also provides some good information in the pop-ups to help you decide whether to let a program take a particular action.

It also has a learning mode that automatically creates rules allowing everything on your system to run while it's enabled. This mode can help cut down on the pop-ups when you first install the program, but you should enable it only if you're sure your system is clean.

During installation, the free version prompts you to install a browser search toolbar and change your home page. You can opt out of the toolbar installation and browser changes, and can also choose to install only the capable firewall without the whitelisting protection.

Like Comodo Firewall Pro, Online Armor Free provides both a firewall and a whitelist approach to program security for Windows NT, 2000 and XP.

It doesn't show pop-ups for many known good programs, and it scans all your installed programs when it first runs so you can quickly tell it what to do with the applications that it doesn't know about.

When it does alert you to a new, unknown program, Online Armor's pop-ups are informative but generally harder to decipher than those from Comodo. However, Online Armor goes beyond Comodo with a 'Safer' mode that allows apps to run, but with stripped-down privileges.

Safer mode can work well for at-risk applications such as web browsers or email clients, as it pulls administrator rights from such applications and prevents them from making deep system changes.

Online Armor Free has a learning mode, but you'll have to manually check for program updates with the free version.


Dedicated whitelisting services

If you're happy with your firewall and just want a dedicated whitelisting security program, System Safety Monitor Free Edition makes for both a quick download and a quick installation under Windows XP, 2000, 98 and Me.

You can set detailed rules for what any given program can or can't do on your system. On the downside, you'll get an alert for almost every program, including common web browsers, and novices may find the information in the pop-ups hard to decipher. It's easy to quickly change a mistaken decision, however.

Finally, if you want to access a whitelist with minimal impact, the Fileadvisor Explorer extension from Bit9 adds a right-click option to check any given file or program against the company's own online whitelist. You'll need to register with the site to get search results (which display in your browser), but since it doesn't block anything, you don't run any risk by using it.

For other free whitelist download recommendations, head to posts on the Wilders Security Forums and CastleCops, two excellent if technical security resources.

But be aware that whitelists are unlikely to offer you peace of mind or protection in all cases. Whitelists will never be a panacea for internet security, but as time goes by they will become an increasingly important part of your layered arsenal of protection tools.