funsec mailing list archives

Re: Texas Bank Dumps Antivirus for Whitelisting


From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Wed, 16 Jul 2008 10:13:50 -0400

Didn't you release a whitelisting product for DOS/Win 3.1 back in the
day?

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Drsolly
Sent: Wednesday, July 16, 2008 4:42 AM
To: Nick FitzGerald
Cc: 'funsec'
Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting

On Wed, 16 Jul 2008, Nick FitzGerald wrote:

Richard M. Smith to DrSolly (tho I didn't see Alan's response on the
list):

Another one who hasn't heard of Word macro viruses and similar.

You're showing your age. ;-)  Word macro viruses haven't been much 
of a problem for 6 or 7 years ever since Microsoft went to signed 
VBA code in Office.

That's Alan's standard, ill-considered, response to any suggestion of 
using whitelisting (or various other integrity management-oriented
products) over blacklisting (aka "conventional known virus detection 
enhanced, or not, with heuristics, behaviour analysis, etc, etc") 
since a few days after his (former) conventional AV product included 
proper handling of Word format files.

It totally ignores that "proper" whitelisting implementations, _just 
like_ proper blacklisting implementations, have to know how to locate 
and identify all kinds of code in all the kinds of files likely to be
encountered by the system one is trying to protect.
 
_IF_ it is a carte blanche argument against whitelisting, as Alan's 
common use of it tends to suggest, then it is an equally damning 
argument against blacklisting.

Assuming that we think either (or both) types of "listing" may 
reasonably survive despite Alan's reputedly telling blow, then 
whitelisting certainly faces by far the less complex _technical_ 
problem.  Breaking down the hoary old mindset that has allowed the 
patently stupid blacklisting approach to initially thrive, then 
survive for so long, will be whitelisting's biggest challenge to 
broader acceptability (and likely prevent it ever becoming widely used
in the least IT-literate parts of the market such as the SOHO and
individual user segment).

Nick's theory is that the reason why whitelisting isn't adopted
universally is that everyone is so stupid that they can't see what a
good idea it is.

My theory is that, although blacklisting isn't perfect (or, in some
cases, really quite poor), it gets closer to solving the *real* problem
than whitelisting.

The *real* problem is to minimise the cost of using computers in a world
that includes viruses. The problem with whitelisting is only partly that
"executables" are a lot more diverse than just exe files and word docs. 
The main problem with whitelisting is the high cost of maintenance.

Of course, a better solution is grannix :-)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
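The two objections traded above (that "executables" are more than .exe files, and that a whitelist costs effort to maintain) can be seen concretely in a small allowlist checker. The code below is an added illustration, not code from the thread or from any product it mentions; the sample "files" are constructed byte strings and in-memory zip containers, the allowlist is constructed, and the only real-world detail relied on is that macro-enabled OOXML documents carry their VBA project as word/vbaProject.bin inside the zip container.

```python
import hashlib
import io
import zipfile

# Constructed sample "executables" (not real software): v2 is the same tool after a vendor patch.
SAMPLE_EXE_V1 = b"MZ\x90\x00 constructed sample executable v1"
SAMPLE_EXE_V2 = b"MZ\x90\x00 constructed sample executable v2 (patched)"


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML-style zip container in memory (constructed sample).

    Macro-enabled Word documents carry their VBA project as word/vbaProject.bin.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA project")
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def contains_embedded_code(data: bytes) -> bool:
    """Content-aware test: does this blob carry something that will execute?"""
    if data.startswith(b"MZ"):          # PE executable
        return True
    if data.startswith(b"PK"):          # zip container (OOXML and friends)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def naive_decision(name: str, data: bytes, allowlist: set) -> str:
    """Extension-only allowlisting: only files named *.exe are checked at all."""
    if name.lower().endswith(".exe"):
        return "allow" if sha256(data) in allowlist else "deny"
    return "allow"  # anything not called .exe passes unexamined


def content_aware_decision(name: str, data: bytes, allowlist: set) -> str:
    """Allowlisting that first asks whether the file contains code, whatever its name."""
    if not contains_embedded_code(data):
        return "allow"  # plain data; nothing to execute
    return "allow" if sha256(data) in allowlist else "deny"


def run_demo() -> dict:
    """Run both checkers over the constructed files and return their decisions."""
    allowlist = {sha256(SAMPLE_EXE_V1)}  # constructed: only v1 has been approved so far
    files = {
        "tool_v1.exe": SAMPLE_EXE_V1,
        "tool_v2.exe": SAMPLE_EXE_V2,   # vendor patch; its hash is not yet on the list
        "clean.docx": make_docx(with_macro=False),
        "report.docm": make_docx(with_macro=True),
    }
    results = {
        "naive": {n: naive_decision(n, d, allowlist) for n, d in files.items()},
        "content_aware": {n: content_aware_decision(n, d, allowlist) for n, d in files.items()},
    }
    # The maintenance cost: every legitimate update changes the hash, so the patched
    # binary stays blocked until somebody re-approves it.
    allowlist.add(sha256(SAMPLE_EXE_V2))
    results["after_update"] = {n: content_aware_decision(n, d, allowlist) for n, d in files.items()}
    return results


if __name__ == "__main__":
    for mode, decisions in run_demo().items():
        print(mode, decisions)
```

The naive checker lets report.docm through because it never looks inside anything that is not named .exe; the content-aware one denies it because the document carries a VBA project whose hash nobody approved. Both checkers also deny tool_v2.exe, the legitimately patched binary, until the allowlist is refreshed, which is the recurring effort Alan is pointing at.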
