[funsec] Texas Bank Dumps Antivirus for Whitelisting
nick at virus-l.demon.co.uk
Wed Jul 16 00:25:37 CDT 2008
Richard M. Smith to DrSolly (tho I didn't see Alan's response on the
> > Another one who hasn't heard of Word acro viruses and similar.
> You're showing your age. ;-) Word macro viruses haven't been much of a
> problem for 6 or 7 years ever since Microsoft went to signed VBA code in
That's Alan's standard, ill-considered, response to any suggestion of
using whitelisting (or various other integrity management-oriented
products) over blacklisting (aka "conventional known virus detection
enhanced, or not, with heuristics, behaviour analysis, etc, etc") since a
few days after his (former) conventional AV product included proper
handling of Word format files.
It totally ignores that "proper" whitelisting implementations, _just
like_ proper blacklisting implementations, have to know how to locate and
indentify all kinds of code in all the kinds of files likely to be
encountered by the system one is trying to protect.
_IF_ it is a carte blanche argument against whitelisting, as Alan's
common use of it tends to suggest, then it is an equally damning argument
Assuming that we think either (or both) types of "listing" may reasonably
survive despite Alan's reputedly telling blow, then whitelisting
certainly faces by far the less complex _technical_ problem. Breaking
down the hoary old mindset that has allowed the patently stupid
blacklisting approach to initially thrive, then survive for so long, will
be whitelisting's biggest challenge to broader acceptability (and likely
prevent it ever becoming widely used in the least IT-literate parts of
the market such as the SOHO and individual user segment).
> However similar problems do existing with scripting code run by the Windows
> Scripting Host. Perhaps WSH doesn't get whitelisted?
The biggest problem here, both for whitelisting and blacklisting, is the
gross stupidity of the designers of the WWW and their adoption of
embedded scripting combined with an object model that encourages (in
fact, almost requires) the widespread use (and thus client device support
for) the greatest of programming evils -- self-modifying code. Security
considerations were clearly not just far from, but utterly foreign to,
the minds of these folk.
In some senses we'd have been much better off if Harvard architecture,
rather than von Neumann architecture, had won out in the early days of
More information about the funsec