Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code. We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).
There is an Austin based company called CoreTrace that features the whitelisting approach. When we asked, they were kind enough to provide us access to one of their subject matter experts.
We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.
Pertinent portions of that conversation follow:
ATLB: CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?
Greg: CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco
ATLB: You used the term “whitelisting”. What does that mean?
Greg: At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.
ATLB: So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?
Greg: That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).
ATLB: Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?
Greg: The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.
ATLB: How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?
Greg: Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.
ATLB: How often is your software updated?
Greg: Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.
ATLB: Is there a version for single workstations or computers?
Answer: Not yet. Right now, our program is only deployed on an enterprise basis.
and control of electric power plants;
eports that Stuxnet or variants are “in the wild” and could be delivered by a manner other than USB sticks via networks and remote web servers.