[funsec] Texas Bank Dumps Antivirus for Whitelisting
AlexE at sunbelt-software.com
Wed Jul 16 09:13:50 CDT 2008
Didn't you release a whitelisting product for DOS/Win 3.1 back in the
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
On Behalf Of Drsolly
Sent: Wednesday, July 16, 2008 4:42 AM
To: Nick FitzGerald
Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting
On Wed, 16 Jul 2008, Nick FitzGerald wrote:
> Richard M. Smith to DrSolly (tho I didn't see Alan's response on the
> > > Another one who hasn't heard of Word acro viruses and similar.
> > You're showing your age. ;-) Word macro viruses haven't been much
> > of a problem for 6 or 7 years ever since Microsoft went to signed
> > VBA code in Office.
> That's Alan's standard, ill-considered, response to any suggestion of
> using whitelisting (or various other integrity management-oriented
> products) over blacklisting (aka "conventional known virus detection
> enhanced, or not, with heuristics, behaviour analysis, etc, etc")
> since a few days after his (former) conventional AV product included
> proper handling of Word format files.
> It totally ignores that "proper" whitelisting implementations, _just
> like_ proper blacklisting implementations, have to know how to locate
> and indentify all kinds of code in all the kinds of files likely to be
> encountered by the system one is trying to protect.
> _IF_ it is a carte blanche argument against whitelisting, as Alan's
> common use of it tends to suggest, then it is an equally damning
> argument against blacklisting.
> Assuming that we think either (or both) types of "listing" may
> reasonably survive despite Alan's reputedly telling blow, then
> whitelisting certainly faces by far the less complex _technical_
> problem. Breaking down the hoary old mindset that has allowed the
> patently stupid blacklisting approach to initially thrive, then
> survive for so long, will be whitelisting's biggest challenge to
> broader acceptability (and likely prevent it ever becoming widely used
> in the least IT-literate parts of the market such as the SOHO and
individual user segment).
Nick's theory is that the reason why whitelisting isn't adopted
universally, is that everyone is so stupid that they can't see what a
good idea it is.
My theory is that, although blacklisting isn't perfect (or, in some
cases, really quite poor), it gets closer to solving the *real* problem
The *real* problem is to minimise the cost of using computers in a world
that includes viruses. The problem with whitelisting is only partly that
"executables" are a lot more diverse than just exe files and word docs.
The main problem with whitelisting, is the high cost of maintenance.
Of course, a better solution is grannix :-)
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.
More information about the funsec