NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

December 8, 2011

Features You’d Normally Never Hear About – Part Three.

And so I continue with the series on some of the lesser-known, fruitiest features to be found in our products. This time I’ll be concentrating on whitelisting – a completely different approach to malware protection, which at the moment is included in KIS, PURE, and the new generation of our corporate products.

So why did I choose this seemingly techie term that could frighten off a respectable non-overly-techie reader from the very beginning?

The answer is quite simple: in a way whitelisting is pretty much revolutionary for the industry – based on a totally new paradigm, which goes far beyond traditional pattern-based technology. As a result this is a great opportunity for the anti-malware industry to be one step ahead in the battle with cyber-criminals, and for you – to be better protected against unknown threats. And in fact whitelisting is not that techie – see for yourself below!

So, what is whitelisting?

A list written in correction fluid? Such a thing may exist, erm, I guess. But no, KL’s whitelisting is something a little different.

The idea itself is actually not all that new, so I don’t know why Wikipedia refers to it as “emerging”. However, it is true that most anti-malware vendors have for some reason still not managed to implement it in their products. Oh well – live and let live; it’s up to them how good the protection they provide is, I guess. But I personally firmly believe that the industry should be more innovative to cope with the constantly increasing malicious activity. And whitelisting is something that really spearheads the battle against malware.

Anyway, the idea goes something like this.

Unlike with the traditional pattern method, which tries to find the bad things on your computer, whitelisting isn’t bothered about baddies at all; all it wants to do is to get to know and become friends with the goodies, i.e., safe files.

How can we be sure files are safe? Well, we test them all in our whitelist program and give them our seal of approval. And we’ve been pretty busy – the database presently contains more than 300 million tested files.

Depending on the settings, files that are not present in the whitelist database can be automatically blocked (a very useful feature for the corporate environment), or flagged as suspicious and sent for additional checks by the anti-virus components. Even if those checks find nothing, such files can be launched in the Safe Run isolated environment for extra protection against unknown malware. Alternatively you can right-click a file to get info on its reputation in our cloud-based KSN service (video, details); and this service is used quite a lot – it receives 400,000 file-checking requests per second!

Kaspersky Lab Whitelist

So what’s all this for, you might ask, and why is it better than the traditional approach?

Well, protecting a computer with the pattern method means that we need to know about all the baddies. But these days we detect around 70,000 malware samples every day, and what it’s going to be like in years to come is anyone’s guess; one thing’s for sure – it’s not going to get better. Besides, every instance of malware needs to be analyzed and entered into a database.

Of course, we’ve made great strides in terms of reaction times: thanks to KSN and the automation of the “conveyor” the average time between learning about new malware and releasing an update is just 40 seconds. But this is still 40 seconds too long; ok, maybe 39 seconds too long if I’m more realistic. Indeed, it represents a small but unpleasant nuance we are trying to improve.

Anyway – back to whitelisting: as mentioned, it couldn’t care less what the baddies look like. It just knows what is guaranteed to be clean. The baddies for once – at least with this particular feature – are given an easy time.

So whitelisting doesn’t really participate in the ongoing ‘arms race’ with malware. Instead, it kind of runs alongside doing its own thing. With cyber criminals releasing new malware all the time, users have at hand a file reputation service, which reliably informs what can be run with no worries, and what it might be better not to run.

And there’s another bonus from having this tag-along: whitelisting increases the performance of the anti-virus, since it doesn’t need to check files that are on the whitelist – they’ve already been checked. Among IT security professionals this approach is called “Default Deny” – first prohibit everything, then allow only the safe stuff. Very simple, and it works perfectly!

Kaspersky Lab Cloud Security

We recently did some research and found that, alas, home users know little about whitelisting. But it’s still early days. In large organizations, however, whitelisting will very soon become one of the main supporting buttresses of corporate security policy.

For companies it’s simpler and safer to standardize the selection of software used, and for the rest to be either prohibited or to be flexibly controllable. An example would be to allow public instant messengers to be used only by senior managers, with the rest having to make do with just strictly business applications – not that I’d allow such bourgeois tendencies to creep in myself! After all, I find Skype a great way of communicating with colleagues – faster and more convenient than a phone call, so everyone in the company will benefit from instant messaging in their work too.

In the recently released Endpoint Protection 8 and Security Center 9, all the advantages of whitelisting – centralized management, categorization, rules, group policies, and, of course, control over application usage – are featured. You may then wonder why we need malware patterns at all – why not move over completely to whitelisting and be better off for it? This is a very good question. But to cut a long story short…

First, the whitelist doesn’t cover the full diversity of software. And sometimes we all need the flexibility to be able to run something unknown (incidentally, users can maintain their custom whitelists by adding specific software to the list of trusted applications). However, in these cases it’s a good idea to scan files with other technologies, and, just to be on the safe side, to have a look at how they behave with System Watcher. Second, to delete malware we still rely on good old patterns. Third, concerning protection, one should never rely on just one technology – that would be like a one-handed boxer.
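To make the decision logic concrete – block or flag-for-scanning depending on settings, the corporate “Default Deny” mode, and the user-maintained custom list of trusted applications – here is a small added example. It is illustrative code written for this page, not Kaspersky’s implementation; the policy names, sample “files” and hash values are constructed for the example. It keys on the SHA-256 of the file content rather than the file name, which is why a patched copy of a trusted program is treated as unknown.

```python
"""Content-hash allowlist ("whitelist") check with a configurable default verdict.

Added illustrative code, not the vendor's implementation. Policies, sample
files and hashes below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"  # known-good: run, and skip re-scanning (the performance win)
    BLOCK = "block"  # not on any list and the policy is Default Deny
    SCAN = "scan"    # unknown: hand to signature/behaviour engines or an isolated run


@dataclass(frozen=True)
class Policy:
    """Hashes are hex SHA-256 of the full file content."""
    vendor_allowlist: frozenset               # vendor-maintained list of tested files
    local_trusted: frozenset = frozenset()    # administrator/user additions
    default_deny: bool = False                # True = corporate "Default Deny" mode


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(content: bytes, policy: Policy) -> Verdict:
    """Decide by file content, never by path or name: a renamed or patched
    binary has a different digest and so falls out of the allowlist."""
    digest = sha256_hex(content)
    if digest in policy.vendor_allowlist or digest in policy.local_trusted:
        return Verdict.ALLOW
    return Verdict.BLOCK if policy.default_deny else Verdict.SCAN


# --- constructed sample "files" (stand-ins for executables) -------------------
KNOWN_GOOD = b"MZ\x90\x00 sample trusted application v1.0"
TAMPERED = KNOWN_GOOD.replace(b"v1.0", b"v1.1")   # same name, changed content
IN_HOUSE_TOOL = b"MZ\x90\x00 internal line-of-business tool"
UNKNOWN = b"MZ\x90\x00 something nobody has seen before"

VENDOR_LIST = frozenset({sha256_hex(KNOWN_GOOD)})

# Home setting: unknown files are flagged and sent on for further checks.
HOME_POLICY = Policy(vendor_allowlist=VENDOR_LIST, default_deny=False)
# Corporate setting: Default Deny, plus a custom trusted entry for an internal tool.
CORP_POLICY = Policy(
    vendor_allowlist=VENDOR_LIST,
    local_trusted=frozenset({sha256_hex(IN_HOUSE_TOOL)}),
    default_deny=True,
)


def decision_table() -> dict:
    """Verdict for each sample under both policies, keyed by sample name."""
    samples = {
        "known_good": KNOWN_GOOD,
        "tampered": TAMPERED,
        "in_house": IN_HOUSE_TOOL,
        "unknown": UNKNOWN,
    }
    return {
        name: {
            "home": classify(data, HOME_POLICY).value,
            "corp": classify(data, CORP_POLICY).value,
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:11s} home={row['home']:5s} corp={row['corp']}")
```

Running it shows the two modes side by side: the tested file is allowed everywhere, the tampered copy is sent for scanning at home but blocked under Default Deny, the in-house tool is allowed only where the administrator added it to the trusted list, and a never-seen file is scanned or blocked depending on the setting.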

As I’ve said many times before:

Protection needs to be multi-layered, and every layer needs to supplement and secure the others, providing maximum protection, productivity and convenience, regardless of the environment.

Put another way, you shouldn’t put all your eggs into one basket.

And finally, here’s a video with a popular explanation of the advantages of whitelisting:

You can find more details about whitelisting here.


Mário Madrigrano Jaber

Commenting on the technological advances of Kaspersky becomes a matter of satisfaction and certainty of “real protection” for all its users.
The true cause of the success of this prestigious company, more than the talent of all its employees, is the spirit of its creator, the mathematical scientist Eugene Kaspersky.
Eugene Kaspersky, more than a brilliant computer scientist, is an example of an entrepreneur, citizen and person of great character and human sensitivity.
He would not have reached the peak he achieved had he not had all these great personal qualities.
In addition to the excellent relationship with his company and its employees, Eugene Kaspersky is an excellent analyst of global political and economic issues, adopting postures more just and wise than those of legislators before the executioners of the laws of the market.
Eugene Kaspersky’s company is indispensable to the whole world and is the example that hard work and having the right people doing exactly what is right is the surefire formula for success in scientific enterprise.
Excuse me, Sir Eugene Kaspersky, I cannot comment on your brilliant data and hardware protection system here without expressing my admiration and gratitude for you, your work and your company, Kaspersky Laboratories, which could even turn into an “Institute of Technological Studies”; I think it would be the first and only scientific school of the segment.
I close my remarks by saying that the innovations in the application shown here are still very few compared to what is yet to come.
Kaspersky Labs excels every day and surprises everyone with more technological innovations in the worldwide protection of data and hardware.
Again, thank you for the opportunity.
Greetings.
