The Beginning of the End For AntiVirus
It took a long time to make an impact, but eventually we managed it. Myself and others who have long taken the view that AntiVirus technology is a poor and inadequate defense against malware have finally had an impact on the buyers and users of IT Security software. Finally, AntiVirus is in retreat.
The Gradual Growth of Whitelisting
The truth is that we were never fighting against the advocates of AntiVirus Software – the AntiVirus vendors themselves and their supporters. Such people never even dared to engage in debate. After I first posted Come In AntiVirus Your Time Is Up, no AV company ever engaged me in debate – with the pleasant exception of CA, who did have a dialogue with me, but at the time they were already moving to a whitelisting capability, which is now part of CA’s HIPS offering. Other AV vendors gradually followed their lead – notably Symantec and Kaspersky, which forged an alliance with Bit9.
What we were clearly fighting was the inertia of IT security buyers who are, for understandable reasons, very conservative. Even the pioneers amongst them who dared to purchase whitelisting technology usually kept antivirus running alongside it for a year, until they had gained enough confidence in whitelisting to retire the AV software it replaced. This became a drag on the growth of whitelisting technology, as few companies were willing to pay twice for protection.
Eventually, however, the whitelisting success stories began to emerge while, in the meantime, AV products continued to fail. There were two particular areas of concern for security-conscious organizations:
- Zero-day threats
- Rootkits
AV technology has a terrible record against zero-day threats for the laughably obvious reason that the bad guys buy the AV software and test their malware against it before they let it loose on the unprepared: a signature engine can only recognise what it has already seen, and repacking a sample gives it a fresh hash and breaks the byte patterns the vendor wrote for the last version. AV technology was always about slamming the stable door after the horse had bolted, and zero-day threats proved it time and again. When we began to witness the emergence of rootkits, IT security folk who understood the nature of the threat started to become very nervous.
A rootkit, if you didn’t know, is malware that buries itself in a system and hides its presence by subverting the operating system itself (hooking system calls, concealing its own files and processes), which makes it very difficult to spot: a scanner that runs on the compromised system and trusts its answers is essentially asking a liar whether it is infected, so once a rootkit is resident AV technology is powerless against it. It is not a virus payload; it is the kind of software a hacker installs once a virus has got in. So the possibility was that hackers were unleashing malware and using the window it created to install rootkits. Some whitelisting technology has been shown to prevent rootkits, because the installer that plants them is itself unapproved code and never gets to run, and the fact that it could gave whitelisting another market to go after.
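To make the day-zero argument above concrete, here is an added toy model in Python. It is not code from the original post nor from any vendor named in it; the "binaries" are constructed byte strings, the one-byte XOR "packer" stands in for the real packers and crypters attackers use, and nothing here executes any sample. A blacklist engine (known hashes plus a byte-pattern signature) and an allowlist engine (approved hashes only) are run against the same samples, and the attacker's loop of buy-test-tweak-repeat is simulated by repacking until the blacklist stops detecting.

```python
"""Toy model: signature blacklisting versus application allowlisting.

Illustrative only. Samples are constructed byte strings, the packer is a
one-byte XOR standing in for real packers/crypters, and nothing executes.
"""
import hashlib
from typing import Callable, Dict, Tuple

# --- constructed samples (not real files) ----------------------------------
GOOD_APP_V1 = b"MZ\x90\x00 notepad 1.0 -- opens text files"
GOOD_APP_V2 = b"MZ\x90\x00 notepad 1.1 -- opens text files, fixes a crash"
MALWARE_ORIG = b"MZ\x90\x00 dropper -- connect botnet c2, then fetch rootkit"
PACKER_STUB = b"MZ\x90\x00 stub:"  # stands in for a runtime-unpacking stub

Verdict = Tuple[bool, str]  # (allowed?, reason)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack(body: bytes, key: int) -> bytes:
    """Mutate a sample without changing what it 'does': new hash, no plaintext strings."""
    return PACKER_STUB + bytes([key]) + bytes(b ^ key for b in body)


# --- blacklist engine: knows what it has already seen ------------------------
KNOWN_BAD_HASHES = {sha256(MALWARE_ORIG)}
KNOWN_BAD_PATTERNS = [b"connect botnet"]


def blacklist_verdict(sample: bytes) -> Verdict:
    """Unknown code is trusted by default."""
    if sha256(sample) in KNOWN_BAD_HASHES:
        return False, "hash matches a known sample"
    for pattern in KNOWN_BAD_PATTERNS:
        if pattern in sample:
            return False, "signature %r matched" % pattern
    return True, "no signature matched (unknown = allowed)"


# --- allowlist engine: knows what is approved; nothing else runs -------------
APPROVED_HASHES = {sha256(GOOD_APP_V1)}


def allowlist_verdict(sample: bytes) -> Verdict:
    """Unknown code is blocked by default."""
    if sha256(sample) in APPROVED_HASHES:
        return True, "hash is on the approved list"
    return False, "hash not approved (unknown = blocked)"


def approve(sample: bytes) -> None:
    """The operational cost of allowlisting: every legitimate update needs this step."""
    APPROVED_HASHES.add(sha256(sample))


# --- the attacker's day-zero loop: buy the AV, test, tweak, repeat -----------
def evade(sample: bytes, engine: Callable[[bytes], Verdict]) -> bytes:
    """Repack with successive keys until the engine no longer detects the sample."""
    for key in range(1, 256):
        candidate = pack(sample, key)
        allowed, _ = engine(candidate)
        if allowed:
            return candidate
    raise RuntimeError("no trivial mutation evaded the engine")


def run_scenario() -> Dict[str, bool]:
    """Run both engines over the samples; True means the sample would execute."""
    variant = evade(MALWARE_ORIG, blacklist_verdict)  # the zero-day variant
    results = {
        "original_vs_blacklist": blacklist_verdict(MALWARE_ORIG)[0],
        "variant_vs_blacklist": blacklist_verdict(variant)[0],
        "variant_vs_allowlist": allowlist_verdict(variant)[0],
        "good_v1_vs_allowlist": allowlist_verdict(GOOD_APP_V1)[0],
        "good_v2_before_approval": allowlist_verdict(GOOD_APP_V2)[0],
    }
    approve(GOOD_APP_V2)  # the admin step a real deployment cannot skip
    results["good_v2_after_approval"] = allowlist_verdict(GOOD_APP_V2)[0]
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print("%-26s %s" % (name, "RUNS" if allowed else "BLOCKED"))
```

Two things worth noticing in the output. The blacklist catches the sample it has seen and nothing else: the first repacked variant sails through, while the allowlist blocks it without ever having heard of it, because the decision is keyed on what is approved rather than on what is known to be bad. The price is the last two rows: the legitimate 1.1 update is blocked until someone approves it, which is the operational drag behind the year of running both products described above. The model covers launch control of files by hash only; it says nothing about code that runs inside an already-approved process, such as a script fed to an approved interpreter.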
The Zoomerang Survey
Recently, a survey conducted by Zoomerang showed a dramatic shift in attitudes to AV technology. It was sponsored (anonymously) by CoreTrace (a whitelisting vendor), carried out in August 2009 and completed by 226 IT professionals.
Here are the “headline” results:
- 80% of respondents were of the opinion that the threat from malware is increasing
- 74% expressed a lack of confidence in blacklisting anti-malware products (Hurrah! At last!), while only 4% had complete confidence in such products
- 66% believed that blacklisting products are ineffective on “day zero” of new attacks
- 50% were concerned about the performance impact of blacklisting scans
- 39% were not aware of alternatives to blacklisting approaches
OK. So there is still work to be done in educating the IT world about whitelisting and how it stops viruses stone dead, and we still need to bang the gong a little to reinforce that, as far as blacklisting is concerned:
It’s all pain and no gain.
or to put it another way
It’s hurting, but it ain’t working.
So I’m considering going into business selling T-Shirts that say:
Friends don’t let friends use blacklisting technology
One final point. The rash of cybercrime, which continues to grow, owes its existence to viruses: it is viruses that enable the assembling of thousands of zombie PCs into botnets. If we stop that, we will reduce cybercrime considerably. The key to doing that is to get the world to adopt whitelisting.