8, 8 days until Disney! Ah ha ha!

Anti Virus - white lists

So why *dont* any antivirus packages use whitelists?  you could pretty much nail the virui to the wall if you just stopped any process that was not specifically allowed to run from running.

even given the users penchant for clicking 'yes' to any given question you would *still* monumentally slow down the spread.

any thoughts?
Permalink Send private email FullNameRequired 
January 30th, 2006 5:33pm
Don't viruses already latch into other processes to do their dirty work?

Might help a bit with spyware and trojens...
Permalink Send private email Almost H. Anonymous 
January 30th, 2006 5:34pm
right...anythign that spread only by code injection would not be stopped, but anythign that depended on running its own process at any point would be stopped in its tracks....at least until the user gave explicit permission for it to continue :)
Permalink Send private email FullNameRequired 
January 30th, 2006 5:36pm
I might be pulling this out of my ass, but I think most virsus go through several stages.
Code injection for penetration, to download and install a executable or service which then proceeds to scan for other vulnerable hosts.
Permalink Eric Debois 
January 30th, 2006 5:42pm
right, thats my impression as well.  which means that a whitelist would have a pretty decent impact.

<g> or at least change the common strategies.
Permalink Send private email FullNameRequired 
January 30th, 2006 5:44pm
> which means that a whitelist would have a pretty decent impact

Not really. The injected code could just add the name of the to-be-created virus process to the whitelist. I suppose you could encrypt your list meaning only the av software could write to it (theoretically) and add a "slow down" feature to the "Add to Whitelist?" dialog, similar to that which happens in some password auth screens, which means rogue code couldn't ask the av to add something without you seeing it (theoretically).

I think the idea has some merit, but it certainly isn't anywhere near foolproof (and it is the fools who cause everyone else problems - I run without av software, yet every time I do use an av scanner and run it no virus is detected. Why? Because I'm not a complete eedgit, that's why.)
Permalink  
January 31st, 2006 6:21am

This topic is archived. No further replies will be accepted.

Other topics: January, 2006 Other topics: January, 2006 Recent topics Recent topics