At the Trend Micro analyst meeting Eva Chen was very honest and straightforward about the fact that traditional A/V protection works because someone "dies" (gets infected) so the rest of the tribe can "live" (be protected). For attacks that hit large populations the statistics work out reasonably well for this approach, but as the attacks get more targeted things look worse. If malware is specifically designed to get you personally ("spear phishing") then a model in which someone has to die first doesn't work at all.

White listing of files (having repositories of software that is known to be safe) and refusing to execute anything but white listed files is one solution approach. There are major pump-priming problems with the approach (it isn't workable until the white lists are comprehensive), but we already know of two white list service vendors (SignaCert and Bit9) and various tools to catalog and categorize executables within an enterprise. When questioned, Eva thought the approach had merit over time but wouldn't work now. In a recent briefing Kaspersky Labs gave more or less the same answer.

Let me give you another way to think about the problem. Given the smarmy network we all use, it seems unlikely that we can find protection that works transparently and perfectly. A scheme like white listing only works if both software providers and users are motivated to make it work. Think of it like joining a subset of the network that values trust enough to put some effort in. Will there be problems? Will you sometimes be frustrated because software you trust and want to use won't be on the white list? Absolutely! But is that frustration justified by being able to live in a cleaner and safer network (albeit not a perfect one)? I for one would certainly like to experiment with the concept (trusted email is an analogous idea for which we've never been able to collectively reach critical mass).
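To make the two models concrete, here is an added example (not from the post or from any of the vendors named) that runs the same set of constructed sample "files" through a signature blacklist and through an incomplete hash white list. It shows both halves of the argument: the one-off targeted dropper sails past the blacklist because nobody has "died" from it yet, while the white list blocks it but also blocks the legitimate, never-catalogued in-house tool (the pump-priming frustration). File contents and hashes are constructed, not real samples.

```python
import hashlib

# Constructed sample "files" (name -> bytes). These stand in for
# executables; they are not real binaries or real malware.
FILES = {
    "notepad.exe": b"known good editor build 1.0",
    "payroll_tool.exe": b"legitimate in-house tool, never catalogued",
    "mass_worm.exe": b"widespread worm already seen by many victims",
    "spear_dropper.exe": b"one-off dropper built for a single target",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature A/V model: the blacklist only contains things that have
# already infected someone, so the vendor could write a signature.
BLACKLIST = {sha256(FILES["mass_worm.exe"])}

# White list model: hashes a trust repository vouches for. Deliberately
# incomplete, as any real white list is at first (the pump-priming problem).
WHITELIST = {sha256(FILES["notepad.exe"])}


def blacklist_decision(data: bytes) -> str:
    """Allow unless a known-bad signature matches (default allow)."""
    return "block" if sha256(data) in BLACKLIST else "allow"


def whitelist_decision(data: bytes) -> str:
    """Block unless the file is catalogued as known-good (default deny)."""
    return "allow" if sha256(data) in WHITELIST else "block"


def compare(files: dict) -> dict:
    """Return {name: (blacklist verdict, whitelist verdict)} for each file."""
    return {name: (blacklist_decision(d), whitelist_decision(d))
            for name, d in files.items()}


def catalog_backlog(files: dict) -> list:
    """Files the white list would block today: candidates an enterprise
    must review and catalogue before default-deny becomes livable."""
    return sorted(n for n, d in files.items() if whitelist_decision(d) == "block")


if __name__ == "__main__":
    for name, (bl, wl) in compare(FILES).items():
        print(f"{name:20} blacklist={bl:5} whitelist={wl}")
    print("needs cataloguing:", catalog_backlog(FILES))
```

The targeted dropper is the case the post is about: it is allowed by the blacklist and blocked by the white list, while the uncatalogued payroll tool is blocked too until someone adds it to the repository.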
