Kaspersky Embraces Whitelisting

For me, the most significant part of my recent visit to Moscow to meet with Kaspersky Labs was the news that Kaspersky (like both Symantec and CA) is embracing whitelisting as an anti-malware technique. This is good news for my AVID campaign as it now seems inevitable that the whole AV industry will move to whitelisting and, with any luck, in about a year or so, I’ll be able to stop ranting about whitelisting and find something else that is rant-worthy.

[Graphic: the whitelist/blacklist decision flow described in the next section]

The Marriage of Whitelisting and Blacklisting

In Moscow, Eugene Kaspersky presented his view of how whitelisting and blacklisting (traditional AV) could work together. It looked quite like the above graphic (which I drew a few months ago for a paper I was writing). This shows an executable being examined before it can execute. If the executable is recognized as an approved executable (on the whitelist), it is run. If it is recognized as malware (on the blacklist), it goes through malware processing, i.e. whatever local security policy dictates when malware is discovered, which may be nothing more than recording the event and reporting it.

If it is simply an unknown executable, it goes into a HIPS routine (where HIPS stands for Host Intrusion Prevention System). This may involve a dialog with the user; if the user has the authority and really wants to run unknown software, the unrecognized program is run in a sandbox (i.e. a virtualized resource space) and monitored for suspicious behavior. Ultimately the software is either authenticated or identified as malware, so it gets into the software directory one way or another. The next time it appears it will be classified automatically.

This, in outline, is the way that the next version of Kaspersky’s AV products is likely to work (they are scheduled for release some time in summer of next year, so details are not yet finalized). It is also (in overview) the way that CA’s HIPS software and Symantec’s Endpoint security software work. (Both CA and Symantec are de-emphasizing the term Anti-Virus, because they believe it has negative connotations from a marketing perspective.)

False Positives

The news broke on December 21st that Kaspersky’s AV software had quarantined Windows Explorer, falsely identifying it as malicious code. The glitch lasted for two hours before being fixed. All AV vendors experience such “false positive” events, and Kaspersky has a better record than most of its competitors in this regard. Nevertheless, it would be remiss of me not to point out that this false alarm would not have occurred if Kaspersky already had whitelisting technology embedded within its products.
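To make the decision flow concrete, here is an added example in Python that is not code from this post or from any of the vendors mentioned. It models the whitelist-first, blacklist-second, HIPS-last ordering of the graphic, and it also shows why that ordering protects against the Windows Explorer incident: a known-good binary that a faulty signature update places on the blacklist still runs, because the whitelist is consulted first. The executables, the sandbox behaviour reports and the "suspicious behaviour" list are all constructed for the example; a real HIPS would observe behaviour in the sandbox rather than receive it as a parameter, and what happens when the user lacks authority is my assumption (the executable is blocked and the event recorded).

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    RUN = "run"            # approved, executes normally
    MALWARE = "malware"    # handed to malware processing (policy-defined)
    HIPS = "hips"          # unknown: goes through the HIPS routine
    BLOCKED = "blocked"    # unknown and user not allowed to run it (assumption)


def fingerprint(image: bytes) -> str:
    """Identify an executable by the SHA-256 of its image (constructed scheme)."""
    return hashlib.sha256(image).hexdigest()


# Behaviours the sandbox monitor treats as suspicious (constructed list).
SUSPICIOUS_BEHAVIOURS = {"reg:run-key", "write:autorun", "net:raw-socket"}


@dataclass
class SoftwareDirectory:
    """The directory that both the whitelist and the blacklist live in."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    events: list = field(default_factory=list)   # the "record and report" log

    def classify(self, image: bytes) -> Verdict:
        h = fingerprint(image)
        # Whitelist wins: a bad blacklist signature cannot quarantine approved code.
        if h in self.whitelist:
            return Verdict.RUN
        if h in self.blacklist:
            self.events.append(("malware-detected", h))
            return Verdict.MALWARE
        return Verdict.HIPS


def sandbox_monitor(observed_behaviours) -> bool:
    """Stand-in for running the program in a sandbox and watching it."""
    return any(b in SUSPICIOUS_BEHAVIOURS for b in observed_behaviours)


def hips(directory: SoftwareDirectory, image: bytes,
         user_may_run: bool, observed_behaviours) -> Verdict:
    """HIPS routine for an unknown executable: ask, sandbox, monitor, record."""
    h = fingerprint(image)
    if not user_may_run:
        directory.events.append(("unknown-blocked", h))
        return Verdict.BLOCKED
    if sandbox_monitor(observed_behaviours):
        directory.blacklist.add(h)          # identified as malware
        directory.events.append(("malware-detected", h))
        return Verdict.MALWARE
    directory.whitelist.add(h)              # authenticated as good
    return Verdict.RUN


def examine(directory: SoftwareDirectory, image: bytes,
            user_may_run: bool = False, observed_behaviours=()) -> Verdict:
    """Examine an executable before it is allowed to execute."""
    verdict = directory.classify(image)
    if verdict is Verdict.HIPS:
        verdict = hips(directory, image, user_may_run, observed_behaviours)
    return verdict


if __name__ == "__main__":
    d = SoftwareDirectory()
    os_binary = b"constructed image: known-good OS shell"
    d.whitelist.add(fingerprint(os_binary))
    d.blacklist.add(fingerprint(os_binary))    # faulty signature update
    print("OS binary:", examine(d, os_binary).value)            # run

    dropper = b"constructed image: unknown program"
    print("first sight:", examine(d, dropper, user_may_run=True,
                                  observed_behaviours=["reg:run-key"]).value)
    print("second sight:", examine(d, dropper).value)          # malware, no HIPS
    print("events:", d.events)
```

On the second sighting the unknown program never reaches the HIPS routine: the sandbox verdict has been recorded in the directory, so classification is automatic, exactly as the post describes.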
