NovaShield: Recognizing Bad Behavior (Malware)
The AntiVirus industry is gradually evolving into a white-listing industry, because AV technology simply doesn’t cut the mustard (for more information, visit or revisit the AVID (AntiVirus Is Dead) postings). This has its consequences.
Aside from my incessant campaign to point out that AV technology is flawed, the AV vendors eventually ran into volume problems which further strained their credibility. The number of viruses grew so large that the idea of tracking them by signature became more absurd by the month. Kaspersky, for example, reported discovering over 2 million new viruses last year. The whitelist idea of just tracking the 6,000 or so valid executables that run on a typical PC is far more practical as well as being far more secure.
However, there is always the issue of vetting the programs that you don’t know and this is an issue whether you use a white list or a black list.
NovaShield, a fairly recent start-up, briefed me last week on its approach to this problem. The technical obstacles to behavior tracking vary according to the OS, and the only OS that really matters at the moment is Windows, because that’s where nearly all the malware lives. So that’s where NovaShield has focused its attention.
The problem of tracking behavior is neatly illustrated by the above graphic, the right hand side of which shows all the low-level events that occur in Windows for the single high-level event of displaying a web page. It’s three-day-old spaghetti.
Most behavior recognition software tries to trap “bad behavior” at the low level, which is difficult. What NovaShield has that makes a difference is a mapping of low-level events to specific high-level events. Using this mapping, it can set rules on which high-level behaviors to report (keyboard logging, network connections, opening up ports, etc.) and then monitor the low-level events in order to recognize the high-level events.
By doing this, NovaShield claims to be ahead of competitive behavioral recognition products in its ability to detect backdoors, keyloggers, rootkits, spam engines, trojans and worms (more than twice as effective in some cases). Note though that behavioral tracking still doesn’t catch everything. Ultimately, it never can, because some benign software is identical in behavior to some malevolent software. Consider, for example, remote control software; it’s only benign if its context of use is benign.
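To make the two preceding paragraphs concrete, here is a small added example (my own illustration, not NovaShield’s code or rule set) of the low-level-to-high-level mapping idea: a per-process stream of constructed low-level events is matched against ordered patterns that name high-level behaviors (keyboard logging, opening a listening port, making an outbound connection), and a policy layer then decides what to report. The API names, the event stream, the process names and the approved-tool list are all made up for the demonstration; the `remotehelp.exe` entry stands in for the remote-control caveat above, where the same behavior is benign only because of its context.

```python
"""Toy low-level -> high-level event correlation (constructed example).

Everything here is hypothetical: the event names mimic Windows API calls a
monitor might log, but the rules, processes and verdicts are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    api: str                      # low-level event name as the monitor would log it
    args: dict = field(default_factory=dict)


# One step of a high-level pattern: (low-level event name, predicate on its args).
Step = tuple[str, Callable[[dict], bool]]

# High-level behaviors expressed as ordered sequences of low-level steps that
# must all occur within one process (hypothetical rule set).
BEHAVIOURS: dict[str, list[Step]] = {
    "keyboard_logging": [
        ("SetWindowsHookEx", lambda a: a.get("hook") == "WH_KEYBOARD_LL"),
        ("WriteFile", lambda a: True),
    ],
    "listening_port": [
        ("socket", lambda a: True),
        ("bind", lambda a: True),
        ("listen", lambda a: True),
    ],
    "outbound_connection": [
        ("socket", lambda a: True),
        ("connect", lambda a: a.get("port") is not None),
    ],
}

# Policy layer: which behaviors are reportable, and a constructed example of
# context (an admin-approved remote-control tool) that makes them acceptable.
REPORTABLE = {"keyboard_logging", "listening_port", "outbound_connection"}
APPROVED_REMOTE_CONTROL = {"remotehelp.exe"}


def matches(steps: list[Step], events: list[Event]) -> bool:
    """True if the steps appear, in order, as a subsequence of the events."""
    i = 0
    for ev in events:
        api, pred = steps[i]
        if ev.api == api and pred(ev.args):
            i += 1
            if i == len(steps):
                return True
    return False


def recognize(events: list[Event]) -> dict[int, tuple[str, set[str]]]:
    """Group the low-level stream by pid and map it to high-level behaviors."""
    by_pid: dict[int, list[Event]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    found = {}
    for pid, evs in by_pid.items():
        names = {n for n, steps in BEHAVIOURS.items() if matches(steps, evs)}
        if names:
            found[pid] = (evs[0].process, names)
    return found


def apply_policy(recognized) -> list[tuple[int, str, str, str]]:
    """Turn recognized behaviors into (pid, process, behavior, verdict) findings."""
    findings = []
    for pid, (process, names) in sorted(recognized.items()):
        for name in sorted(names & REPORTABLE):
            verdict = ("allowed-by-context" if process in APPROVED_REMOTE_CONTROL
                       else "report")
            findings.append((pid, process, name, verdict))
    return findings


# Constructed event stream: a suspicious process, an approved remote-control
# tool that looks the same at the low level, and an ordinary editor.
SAMPLE_EVENTS = [
    Event(100, "notes.exe", "SetWindowsHookEx", {"hook": "WH_KEYBOARD_LL"}),
    Event(100, "notes.exe", "WriteFile", {"path": r"C:\Temp\k.log"}),
    Event(100, "notes.exe", "socket"),
    Event(100, "notes.exe", "connect", {"host": "203.0.113.5", "port": 443}),
    Event(200, "remotehelp.exe", "SetWindowsHookEx", {"hook": "WH_KEYBOARD_LL"}),
    Event(200, "remotehelp.exe", "WriteFile", {"path": r"C:\Temp\session.log"}),
    Event(200, "remotehelp.exe", "socket"),
    Event(200, "remotehelp.exe", "bind", {"port": 5900}),
    Event(200, "remotehelp.exe", "listen"),
    Event(300, "editor.exe", "CreateFile", {"path": r"C:\Docs\a.txt"}),
    Event(300, "editor.exe", "WriteFile", {"path": r"C:\Docs\a.txt"}),
]


def demo() -> list[tuple[int, str, str, str]]:
    """Run recognition plus policy over the constructed stream."""
    return apply_policy(recognize(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of the split into `recognize` and `apply_policy` is the one the post makes: recognizing a high-level behavior is a pattern-matching problem over low-level events, while deciding whether that behavior is bad needs context the events alone don't carry. Note that the ordered-subsequence matcher is deliberately simple; a production monitor would also have to scope patterns in time and handle interleaving across threads.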
Products like NovaShield are usually deployed as embedded components of other AV or whitelisting products. Because of its efficacy, it’s likely that NovaShield will attract OEM deals with other vendors.
I’m hoping that behavioral tracking will continue to improve. Whitelisting is highly effective in business environments but is likely to prove too complex for the average home PC user to employ effectively. Highly effective behavioral recognition may be what makes the difference.