The Powerful Idea that Stops Malware Dead

Whitepaper: Whitelisting Without The Complexity

By Stu Sjouwerman, for KnowBe4.com Security Awareness Training

In the 10-year time frame from 2002 to 2012, the volume of ‘known-good’ executable code has roughly doubled from 17 Million to 40 Million. During that same period, the amount of ‘known-bad’ malware has skyrocketed 40 times from 2 million to over 80 million. In 2002, keeping out the bad guys with antivirus was a correct and rational decision. Now, in 2012 that is no longer the case. The more rational decision is to continue using traditional (blacklist) antivirus but combined with gray- and whitelisting and only allow ‘known-good’ to run. It’s a simple, powerful idea that stops malware dead in its tracks. It allows you to run your network with an iron fist in a velvet glove.

Essentially, it’s time to put your endpoint security on its head. This whitepaper tells you why.

Introduction

Malware has skyrocketed in volume in the last decade, and at the same time has ‘gone pro’. Malware has become highly sophisticated; the Zeus trojan is a good example. Traditional antivirus has trouble keeping up, as cybercrime generates 100,000 new malware executables per day. Antivirus companies have struggled to improve their products and have added lots of new features, without being able to change their blacklisting model to what by now is really required: whitelisting. The result is antivirus bloatware, with a significant performance impact on workstations and ineffective protection against malware.

C-level executives frown as they see the yearly Total Cost of Ownership per workstation rising while security effectiveness goes down. IT is being asked to do more with less budget and a lower headcount. It’s time to put endpoint security on its head.

We are not advocating throwing your existing antivirus out the window. Antivirus has its place and should be kept, but it only provides half the functionality it needs to. Whitelisting, also known as Application Control, can stop malware dead in its tracks and actively lowers the cost of maintaining systems across your network. The smart approach is to add whitelisting as an additional layer to your defense-in-depth strategy.

Next, use intelligent graylisting to decide about the code that falls in between the white- and blacklists. The most successful strategy for the next decade is a combination of white-, gray- and blacklists that requires an absolute minimum of admin time. This combination will dramatically reduce malware infection rates and improve network security without end-user productivity problems.

Block Zero-Day Attacks
Zero-day exploits are small in number but very high in risk. No known security tool except whitelisting offers a guaranteed defense against zero-day attacks. Being able to block any unknown process from running protects your network against all malware, including zero-day and targeted attacks.
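The decision logic the introduction and the zero-day section describe, as an added example that is not code from the whitepaper or from KnowBe4: a hash-keyed whitelist and blacklist, with the graylist as the default verdict for anything on neither list. The hash-based catalogue, the function names and the sample "executables" (placeholder bytes, not real PE files) are assumptions of this example; the same unknown binary is allowed under blacklist-only mode and held for review under default-deny, which is the zero-day point above.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # on the whitelist: known-good, may execute
    BLOCK = "block"    # on the blacklist: known-bad, never executes
    REVIEW = "review"  # on neither list (graylist): held for an admin decision


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed placeholder images; they stand in for real executables.
PAYROLL = b"MZ...constructed approved payroll app v3"
ZEUS_SAMPLE = b"MZ...constructed blacklisted dropper"
UNKNOWN_NEW = b"MZ...constructed never-seen binary"  # models a zero-day

KNOWN_GOOD = {sha256(PAYROLL): "payroll.exe"}      # whitelist
KNOWN_BAD = {sha256(ZEUS_SAMPLE): "zeus dropper"}  # blacklist


def decide(exe_bytes: bytes, default_deny: bool) -> Verdict:
    """Decide whether one executable image may run.

    default_deny=False models blacklist-only antivirus: anything not
    known-bad runs.  default_deny=True models whitelisting: only
    known-good runs, and anything unknown is parked on the graylist.
    A known-good file that has been modified no longer matches its
    hash, so it lands on the graylist as well.
    """
    h = sha256(exe_bytes)
    if h in KNOWN_BAD:
        return Verdict.BLOCK
    if h in KNOWN_GOOD:
        return Verdict.ALLOW
    return Verdict.REVIEW if default_deny else Verdict.ALLOW


def should_execute(verdict: Verdict) -> bool:
    return verdict is Verdict.ALLOW


def approve(exe_bytes: bytes, name: str) -> None:
    """Admin review outcome: promote a graylisted image to the whitelist."""
    KNOWN_GOOD[sha256(exe_bytes)] = name


if __name__ == "__main__":
    for name, data in [("payroll.exe", PAYROLL), ("unknown.exe", UNKNOWN_NEW)]:
        print(name, "blacklist-only:", decide(data, False).value,
              "whitelist:", decide(data, True).value)
```

Real application-control products typically also match on publisher certificate or path rather than file hash alone; the hash-only catalogue here keeps the allow/review/block split easy to follow.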

This whitepaper is excerpted with permission from knowbe4.com.

24 thoughts on “The Powerful Idea that Stops Malware Dead”

  1. Solution – download: Avast, MalwareBytes, SpywareBlaster, CCleaner (use reg defrag only) and AdvancedSystemCare. Microsoft Essentials – run and update it once a week; however, make sure that it is off so as not to clash with the above installed programs.

  2. My experience with whitelisting is that it requires a lot of effort in compliance enforcement, and that co-workers are constantly complaining about not being able to do their job right… 🙁

  3. Anti-virus / malware programs will NEVER be able to stop everything!

    A large part of the problem lies with the computer user. I repair a lot of computers, and for the most part, the users have no idea what they have installed, said yes to, etc.

    So you end up with browsers with 20 toolbars and a tiny window to view the internet, and tons of BrowserHelperObjects, Malware, etc.

    Users have to start paying attention to pop up messages instead of just clicking OK & YES every time something pops up instead of reading what the pop up is asking.

    Golden rule – if you didn’t specifically go to a site to download something, then the answer is NO for popups that want to suddenly install something that you need to (insert one here) view the video, view the webpage, see the animation, try out this software, clean a virus that your browser has JUST detected, etc.

    Until users understand that you can’t install every piece of software offered on every trip to cyberspace, malware and virus problems will continue.

  4. Did Windows 2000 come with whitelisting? If so, why would Microsoft’s developers remove it? This article drives a point to purchase a user’s book to learn how to add a whitelist/gray/black list into our computer programs (which I am thinking was once FREE). Oh well, SOS whatever program/book is being referred to.

  5. I don’t know if packets of data are checked like they used to be back in the old days (the 80’s) but it used to be that packets had a checksum calculated and affixed to be subsequently checked before being accepted. What we didn’t have back then were security programs such as PGP which could encrypt a key to unlock the checksum. If at installation of an OS a key were created it could be used to lock checksums created by a random algorithm to sign executable files and libraries such that the files could only be executed if it passed backwards through the tunnel of the process which created the related checksum. On installation of the OS and subsequent installed files a database of encrypted checksums would be created and sorted to be checked against the checksums tagged to the loaded files. Only the checksums would need to be checked, not recalculated, so the time spent would be negligible during normal computer use. Saving a new or updated file from a program might take a bit longer but the files could be flagged for later processing by the security manager, a task running in a low priority which could be calculating and sorting keyed checksums for new files, comparing keyed checksums with new files and sending an alarm if an executable about to be run hasn’t been checked. This should be the task of the Operating System. It can be done easily, and wouldn’t require noticeable processing time compared to internet speeds, hddisk speeds, even memory speeds compared to processing speeds from cache memory would be like getting up and going across the room to the pop machine for a drink compared to just grabbing the damned can a foot away.. We all know how fast indexed searching is, Google can have answers for you before you are finished typing. Your loading executables can be checked against a database of allowed files and that database can be checked and updated and re-sorted very quickly with a background task. (Even Microsoft Windows 7 can find stuff faasst!)
    So, what is the virus problem? The answer is the OS is the problem and if that isn’t something fixed by the developers of the OS then it is a market for so called Virus Checkers, and if that isn’t enough then stop using computers connected to the real world and take responsibility for clicking on that video button called “Install” or “display” or “open with” till you get a key from the creator that they will accept legal responsibility for damages. Hmmm, oh yes, the 80’s stuff used to be able to run 16 users in 32KB of memory on 8MB hddisks nothing fancy but compared to current day video card speeds, it was phenomenal. As soon as I can get my workbench cleaned up I’m going to pull out my old 1MHz 6502 Rockwell AIM65, connect it to a 1.2GHz Athlon as a TTY terminal for it and get back to having some fun. No virus problem there. For fun I’ll run Google’s Sketchup, create items and print them on my 3D printer and build stuff. Sure wish I had secure checksums tagged to my files so that if they were monkeyed with Windows would say “Hey Rick (aslhjgn438hv49949jgfnqw49.DLL has been changed by a program downloaded from xxxwatchthis.com, do you want to (1) restore the original aslhjgn438hv49949jgfnqw49.DLL (2) cancel what you are doing and get rid of the change or (3) do you want to keep the change and integrate it into your system?)

    AArgh!

  6. Bottom line: How do we individuals implement this mode of protection, given that it is both critical to do so and so effective?

    • @Clarke Waldron:
      This is going to sound amazing to most of you, but I assure you that it is the absolute truth. I have run my home computer with NO anti-virus software of any kind for around seven years. Until roughly 2008, it/them (upgraded hardware, etc.) used WinME (with the fatal flaws: PC Health, etc. removed) and Firefox browser exclusively. The only add-on I have used is NoScript. I am careful about what I ‘allow’ via the NoScript, and I have gone almost everywhere on the net over this period. I upgraded to WinXP after ME, using the same, upgraded browser with the same add-on, and still experienced NO problems with malware, viruses, etc. during this entire time. I did not download any of Windows critical updates on either operating system, save for SP2 on XP.
      I have my important info backed up elsewhere, of course, and I do expect that I will have an issue at some point. Until this happens, I will continue to do things as usual. My experience has made me believe that virus/malware problems, etc. are entirely the fault of clueless users and webpage attachments that can’t be stopped (to my knowledge) using Internet Explorer. With the NoScript add-on, I ‘see’ everything that is trying to load with each page; and you would not believe how many things some pages try to load. Sometimes, DOZENS of different ‘younameit.com’s are attached to ONE webpage.
      Dead serious truth, above. It has worked for me.

  7. Why don’t the anti-virus companies do a proper combined malware & anti-virus that actually works? What would happen if they had to give us money back every time they failed and let something in?
    I repair 4 to 5 laptops per day and about 95% have been infected with some sort of malware and about 20% will have a virus, and 9 out of 10 of these laptops will have some kind of anti-virus installed; all the anti-virus companies seem to miss something, mainly malware.
    Over the past 6 years I have used them all and not found a perfect one yet. I now use ESET Smart Security or Endpoint Security alongside Malwarebytes Pro and set my router DNS to OpenDNS servers and have had no problems for the last 2 years. But I have been surprised how many website pages I get stopped from visiting (nearly every day). I have then gone to some of the stopped website pages on another PC and it is usually scareware of some kind, fake antivirus, and fake police alerts, basically all asking for money. The real problem is that some will lock you out of your PC.
    But if people go to dodgy websites you will be more prone to some kind of malware/virus attack.

    • @Scott S. Powell: Follow the money to the antivirus/antimalware companies because they have the most to gain by selling their product. Who says they don’t have a few staff whose job it is to write malware?

  8. Frustrating. As has been already alluded to, there seems to be no solution offered, just a sales pitch that never closes the prospect.

    I was sold half way through the article and hoped I could afford it, and that there was a way for a single user to have a copy, but the link provided has no mention of whitelisting, and only a way to maybe get a quote for some other things, and seems to be geared to IT departments only.

  9. How nice. Blacklisting every executable and then whitelisting the applications we want to run will reduce infections. Great idea, in theory, although how one manages all the Windows executables as well as the 3rd party applications we want sounds like a nightmare.

    More importantly, this article praises the concept without actually giving one lick of usable information. It says nothing at all about how one goes about the process, and that makes it a waste of time.

    Paul VdB is incorrect, though. AV companies do not release viruses. They don’t need to. There are hundreds of thousands of dishonest people in the world who are eager to do that job for them. Tap your finger at a map of the world. If the place it touches has people in it, then you can bet there are criminals there who think of the Internet as an easy way to steal money, and if it lands on eastern Europe or the former Soviet Union, chances are there are crime cartels involved.

  10. I have been an avid follower of PC Pitstop for years. What I do find disturbing is that, unless one wishes to join Facebook (which I don’t), then my/our comments on your featured articles are apparently unwanted.
    Maybe PC Pitstop doesn’t want my business either (?) Thank you.

  11. I’ve always intuitively known that Norton and McAfee, etc….PAY the virus jerks to write more and better, meaner viruses. THAT is only logical. The only reward it gets is the NORTON/McAfee/etc PAYCHECK to write the virus. THAT is the only reward….except the hacker who steals credit card information within computers (spreadsheet) to steal your money.

  12. So, what are you saying? Keep our antivirus programs and just deal with it? I don’t see you giving us a solution. I think Paul Vdb is correct. You can’t sell a product to anyone unless they have a reason to buy it. No virus, no antivirus protection needed.

  13. Still, I can’t get the idea out of my head that all? many? some? viruses are sent into the world by companies who make antivirus programs…
    Who benefits from viruses?
    Those who want to hijack your computer, and those who make/sell “anti” programs…
    Suppose one day there aren’t any viruses anymore, then companies like Norton and the like won’t sell any of their progs anymore… So if they want to keep selling, there’s got to be viruses…
    I know, it might sound silly, but like I said: I can’t get this out of my mind …
