Whitelists Killed AV?

c|Net writer Robert Vamosi posted some pretty fascinating insights into the future of the AV industry on his “Defense in Depth” column. He begins with some alarming-sounding criticism of the products: “I’ve been hearing some well-regarded security people tell me they are considering ditching their antivirus protection all together.”
But this grumbling from the security community always has been present. In part, it seems to be jealousy at the financial success of the top players in this security industry, and partly it seems to be insightful and constructive criticism towards the level of effectiveness and the level of insecurity that dependence on these applications brings. “Right click on signature updates” does not mean one’s computer is secure.

The blog that you are reading is full of screenshots and messages regarding AV scanner misses (false negatives). Often, these misses are just plain shameful. There are AV scanners that even have failed the most minimal testing when they miss samples from the WildList (the WildList is not Dead!). And often, at a practical level, some of the misses are understandable, and somewhat expected.

However, this information does not mean that AV scanners will disappear altogether. But it’s interesting to read about how much spin some of the players are putting on whitelisting, which already is something that is performed on a selective basis in a number of products. Users just never read much about it because it was seen as a weakness in scanning products. In a meeting once, an employee of one of the large vendors exclaimed “our scanner is like a laser! It’s precise, like a laser!” Which in fact, wasn’t really true at the time, but that’s beside the point. The point is that scanners were expected to exploit their strength, which was to identify file content precisely with an extremely low incidence of false positives.
So to deal with that stigma but still make progress with improving their products, it seems that the largest vendors are embracing just the thing that they have fought against in the past — the impression that they need to rely on whitelisting:
“That’s why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases–something called whitelisting.”
(Btw, this statement doesn’t seem to make sense. Whitelisting is in fact a signature file database. It is simply a database of non-malicious files, however the vendor wants to store or distribute it.)

Nonetheless, to me, and Vamosi’s article, all this whitelist talk doesn’t mean the end of AV. It means that the vendors are publicly embracing what was once seen as a weakness. It seems to me that no matter how talked up whitelisting is at this point, AV scanners will not be uninstalled. Rather, they will be a less costly layer in any security solution, alongside more exposed whitelisting components.
So, will you be ditching your antivirus application anytime soon? Perhaps you’ll ditch a standalone product, but you most likely will be installing the same technology in a different package over the next couple of years.

This entry was posted in Online Fraud. Bookmark the permalink.

2 Responses to Whitelists Killed AV?

  1. spywarebox says:

    Does ThreatFire use White listing at all?

  2. ThreatFire Blogger says:


    Thanks for the post.

    To answer your question, yes. Where necessary, to reduce the chances of false positives for our users, some amount of whitelisting is included in TF.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>