To detect 100 percent of malware, try whitelisting 'lite'

Few want to live with whitelisting's overhead and restrictions -- so run it in audit mode to detect all malware coming your way

Every antimalware scanner claims to catch 99 to 100 percent of malware. But how can that be true? If it were, our computers wouldn't get infected nearly as much as they do, and the antimalware industry would have roundly defeated its malicious foes by now.

Tests against real-world malware show that, over time, even the best scanners miss a significant portion of the total. That's understandable. There are nearly 180 million malware programs, and more than 200,000 new malicious programs are produced every day, according to AV-Test. Plus, malware writers usually test their creations using aggregated virus testing services, such as VirusTotal, which throws malware at dozens of antivirus engines at once. Many malware writers even sell their programs with money-back guarantees against detection.


Let's be generous and accept that an antimalware product's claim that it can stop 99.9 percent of malware is accurate. That's still 200 malware programs per day that aren't being detected.

How do you stop malware when so much of it is seemingly undetectable? Two words: Use whitelisting.

The 100 percent solution

I've long been a fan of whitelisting (aka application control) programs. My somewhat ancient review of whitelisting products remains a popular article, despite the fact that most organizations don't or can't activate whitelisting for political reasons.

Nonetheless, I believe whitelisting can be used by any organization to detect previously undetectable malware threats. Simply install a good whitelisting program and run it in audit-only mode.

First, have the whitelisting program take a snapshot of what the currently monitored computer looks like. This creates all the application control rules needed to allow all the currently installed programs to run. Next, find out what alerting events are created when the application control program detects something new running or being installed. Forward those events to a centralized repository database, then run reports detailing and summarizing the new activity.

In the Windows world, this process can be accomplished for almost nothing. Windows has had built-in application control functionality since Windows XP and Windows Server 2003, so you can forward select application control events using built-in functionality (this is significantly easier in Windows Vista/Server 2008 and later). Any one of the more functional third-party commercial offerings (some of which I covered in the 2009 review) can accomplish the same things even more easily, and they always have great enterprise reporting. For enterprise reporting with the free, built-in Windows options, you must either own a Microsoft reporting product (such as SCOM) or collect all the events into a SQL database instance, against which you write custom queries.

I'm a big fan of starting with computers and servers that shouldn't change a lot over time, such as infrastructure servers: DNS servers, domain controllers, and so on. Today's application control programs are great at accounting for previously accepted installation routines (such as self-updating browsers and patches) without firing off warnings.

Snapshot valid images that represent the environment best. Then collect exceptions. If you can, forward any exceptions to their owners or shareholders to see if they can explain why a new executable suddenly started running. If they can't -- often the case -- forward them to someone who can investigate more. Fine-tune detections as needed.

Can this be done in the real world?

Yes, it's already being done in thousands of companies large and small. In particular, I've recently had experience with a large company that has more than 400,000 computers, and none of the users even realizes it's been enabled. In this company, the security operations center reviews the reports each morning, looking for new executables that have:

  • Been installed in sensitive protected areas (such as System32)
  • Cropped up in a rash of new, unexpected installs
  • Surfaced in unexpected installs on critical systems
  • Run at strange times (such as after everyone has gone home)
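
The "collect the events into a SQL database and write custom queries" approach described above, carried through to the four morning-report checks, as an added example that is not code from the article or from any product it mentions. The alert table layout, the host names, the critical-server list and the thresholds are my assumptions, and the events are constructed; SQLite stands in for the central database.

```python
import sqlite3

# Constructed sample alerts (not from the article): one row per new executable
# that an audit-mode application control agent saw run or get installed.
SAMPLE_EVENTS = [
    # (host, path, sha256, first_seen as 'YYYY-MM-DD HH:MM:SS')
    ("dc01",  r"C:\Windows\System32\drivers\newfilt.sys",     "aaa1", "2014-03-03 09:12:00"),
    ("dc01",  r"C:\Windows\System32\wupdsvc.exe",             "bbb2", "2014-03-03 02:41:00"),
    ("ws101", r"C:\Users\bob\AppData\Local\Temp\setup.exe",   "ccc3", "2014-03-03 10:05:00"),
    ("ws102", r"C:\Users\ann\AppData\Local\Temp\setup.exe",   "ccc3", "2014-03-03 10:07:00"),
    ("ws103", r"C:\Users\joe\AppData\Local\Temp\setup.exe",   "ccc3", "2014-03-03 10:09:00"),
    ("ws104", r"C:\Program Files\Mozilla Firefox\firefox.exe", "ddd4", "2014-03-03 11:00:00"),
]
CRITICAL_HOSTS = ("dc01", "dns01")   # assumed infrastructure servers
BUSINESS_HOURS = (7, 19)             # alerts outside 07:00-19:00 count as "after hours"


def load_events(events=SAMPLE_EVENTS):
    """Load forwarded alerts into an in-memory table (stand-in for the central SQL repository)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (host TEXT, path TEXT, sha256 TEXT, first_seen TEXT)")
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", events)
    return conn


def morning_report(conn, min_hosts=3, window_minutes=60):
    """Return the four triage views as lists of sha256 values, one custom query each."""
    q = lambda sql, *p: [r[0] for r in conn.execute(sql, p)]
    return {
        # 1. new code landing in a protected system area
        "protected_area": q(r"SELECT DISTINCT sha256 FROM alerts WHERE lower(path) LIKE '%\system32\%'"),
        # 2. the same hash cropping up on many hosts within a short window
        "rash": q("SELECT sha256 FROM alerts GROUP BY sha256 HAVING COUNT(DISTINCT host) >= ? "
                  "AND (julianday(MAX(first_seen)) - julianday(MIN(first_seen))) * 1440 <= ?",
                  min_hosts, window_minutes),
        # 3. anything new at all on a critical system
        "critical_host": q("SELECT DISTINCT sha256 FROM alerts WHERE host IN (%s)"
                           % ",".join("?" * len(CRITICAL_HOSTS)), *CRITICAL_HOSTS),
        # 4. execution at strange times (outside business hours)
        "after_hours": q("SELECT DISTINCT sha256 FROM alerts "
                         "WHERE CAST(strftime('%H', first_seen) AS INTEGER) NOT BETWEEN ? AND ?",
                         BUSINESS_HOURS[0], BUSINESS_HOURS[1] - 1),
    }


if __name__ == "__main__":
    for view, hashes in morning_report(load_events()).items():
        print(f"{view:15s} {hashes}")
```

Each hash that lands in one of the views is what gets forwarded to its owner or to an investigator; tuning means adjusting the thresholds and the protected-path and critical-host lists as the baseline becomes clearer.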

The reports take some getting used to, as no one knows what to expect before the report is generated for the first time. No one really understands what their system's legitimate baseline is, and perhaps that's one of the best side benefits. Often, before setting up this type of auditing program, no one really has a good idea of what's running or being newly installed. Whitelist auditing provides that in spades.

This story, "To detect 100 percent of malware, try whitelisting 'lite'," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
