[funsec] Texas Bank Dumps Antivirus for Whitelisting
Nick FitzGerald
nick at virus-l.demon.co.uk
Wed Jul 16 00:25:37 CDT 2008
Richard M. Smith to DrSolly (tho I didn't see Alan's response on the
list):
> > Another one who hasn't heard of Word macro viruses and similar.
>
> You're showing your age. ;-) Word macro viruses haven't been much of a
> problem for 6 or 7 years ever since Microsoft went to signed VBA code in
> Office.
That's Alan's standard, ill-considered, response to any suggestion of
using whitelisting (or various other integrity management-oriented
products) over blacklisting (aka "conventional known virus detection
enhanced, or not, with heuristics, behaviour analysis, etc, etc") since a
few days after his (former) conventional AV product included proper
handling of Word format files.
It totally ignores that "proper" whitelisting implementations, _just
like_ proper blacklisting implementations, have to know how to locate and
identify all kinds of code in all the kinds of files likely to be
encountered by the system one is trying to protect.
_IF_ it is a carte blanche argument against whitelisting, as Alan's
common use of it tends to suggest, then it is an equally damning argument
against blacklisting.
Assuming that we think either (or both) types of "listing" may reasonably
survive despite Alan's reputedly telling blow, then whitelisting
certainly faces by far the less complex _technical_ problem. Breaking
down the hoary old mindset that has allowed the patently stupid
blacklisting approach to initially thrive, then survive for so long, will
be whitelisting's biggest challenge to broader acceptability (and likely
prevent it ever becoming widely used in the least IT-literate parts of
the market such as the SOHO and individual user segment).
> However similar problems do exist with scripting code run by the Windows
> Scripting Host. Perhaps WSH doesn't get whitelisted?
The biggest problem here, both for whitelisting and blacklisting, is the
gross stupidity of the designers of the WWW and their adoption of
embedded scripting combined with an object model that encourages (in
fact, almost requires) the widespread use (and thus client device support
for) the greatest of programming evils -- self-modifying code. Security
considerations were clearly not just far from, but utterly foreign to,
the minds of these folk.
In some senses we'd have been much better off if Harvard architecture,
rather than von Neumann architecture, had won out in the early days of
computing...
Regards,
Nick FitzGerald
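The point above that a whitelisting product, exactly like a blacklisting one, first has to locate and identify code inside whatever files it meets is easy to see in a small script. The following is an added illustration written for this archive page, not code from the funsec thread, from any poster, or from any product the thread mentions. It classifies files by their bytes (PE and ELF headers, the OLE2 compound-document magic that Word documents carry, and a crude, assumed text heuristic for WSH scripts) rather than by their names, and only then applies a SHA-256 allowlist to whatever it recognised as code; the sample files and the allowlist are constructed inline.

```python
"""Toy allowlist enforcer: identify code by content, then check an allowlist by hash.

Added illustration for the funsec thread; not code from any poster or product.
"""
from __future__ import annotations

import hashlib

# Magic bytes of an OLE2 compound document (the container old Word/Excel files use).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed, deliberately crude markers for text run by the Windows Scripting Host.
WSH_MARKERS = (b"WScript.", b"CreateObject(", b"GetObject(")

CODE_KINDS = {"pe", "elf", "ole2", "wsh-script"}


def classify(data: bytes) -> str:
    """Label a file by what its bytes are, ignoring whatever name it was given."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:8] == OLE2_MAGIC:
        # A compound document may or may not carry a VBA project. A real product has to
        # parse the OLE streams to find out; this toy treats every OLE2 container as a
        # potential code carrier, which is the conservative side of the "locate the code"
        # problem the thread describes.
        return "ole2"
    if any(marker in data for marker in WSH_MARKERS):
        return "wsh-script"
    return "data"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(data: bytes, allowlist: set[str]) -> tuple[str, str]:
    """Return (kind, verdict). Non-code is allowed; code must be on the allowlist."""
    kind = classify(data)
    if kind not in CODE_KINDS:
        return kind, "allow"
    return kind, ("allow" if sha256_hex(data) in allowlist else "block")


def evaluate(files: dict[str, bytes], allowlist: set[str]) -> dict[str, tuple[str, str]]:
    return {name: decide(data, allowlist) for name, data in files.items()}


# Constructed sample "files" (not real programs): name -> bytes.
SAMPLES = {
    # A PE image renamed to .txt: the extension says prose, the header says code.
    "report.txt": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 100,
    # An OLE2 compound document, i.e. the container a Word file with macros would use.
    "notes.doc": OLE2_MAGIC + b"\x00" * 200,
    # A WSH script that an administrator has approved.
    "cleanup.vbs": b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n',
    # Plain data, which the allowlist never needs to see.
    "readme.md": b"# Readme\nJust prose.\n",
}

# Constructed allowlist: only the approved script's hash is present.
DEMO_ALLOWLIST = {sha256_hex(SAMPLES["cleanup.vbs"])}


if __name__ == "__main__":
    for name, (kind, verdict) in evaluate(SAMPLES, DEMO_ALLOWLIST).items():
        print(f"{name:12} {kind:11} {verdict}")
```

Run as a script it prints one line per sample: the renamed PE and the OLE2 document are blocked because no hash approves them, the approved script is allowed, and the markdown file passes as data. Everything interesting lives in `classify`: swap it for a name-based check and the renamed executable walks straight through, which is the shared weakness of both listing approaches that the post is pointing at.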