Wednesday, December 9, 2009

Whitelisting... again

I recently read an article about two conflicting points of view regarding the validity of current antivirus software... the old "antivirus is dead" tune. The side arguing against antivirus talked about the great idea of "whitelisting"... again.

The proponents of whitelisting say that it would be easier to control what we want to run on our PCs (the good programs) than to detect what we don't want (viruses and other bad stuff). I see the logic and it all sounds good until you go down to the details: you cannot realistically say "allow all Microsoft programs" based on the vendor tag each program carries in its metadata, because viruses can also tag themselves as being from Microsoft (yes, they are that smart). A self-declared vendor string is not a verified signature; it costs nothing to forge.

Whitelisting technologies instead base their identification on the characteristics of each protected program, typically a fingerprint of the file contents. It's antivirus in reverse: they identify goodware, not malware. The problem they face at the moment is the staggering number of legitimate programs being released every day. Just keeping up with every program in the Windows operating system is shockingly complicated.

If you consider how many applications are contained in a normal Windows installation, plus the number of different languages Microsoft supports, that's already quite a lot of work. Now add keeping up to date with all the service packs and patches released monthly, and there's not a chance a company can be 100% successful at it. Imagine adding your "calc.exe" in Korean to the whitelist after it changed in the last security patch, since a patched binary no longer matches the fingerprint of the old one. Not that the Windows calculator changes much or gets many patches, but you get the idea.
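To make the two approaches concrete, here is an added example (it is not code from the original post, and it uses constructed byte strings as stand-ins for executables, not real Windows files). A "vendor tag" rule trusts whatever CompanyName string the file declares about itself, while a hash allowlist pins one exact build. The constructed malware sample carries a spoofed Microsoft tag, and the "patched calc" sample differs by one build number; the function names and labels are my own.

```python
from __future__ import annotations

import hashlib
import re

# Constructed stand-ins for executables (not real binaries). Each carries a
# CompanyName string the way a PE version resource would; "MZ" is just the
# DOS header magic. Build numbers are made up for the example.
CALC_KO_RTM   = b"MZ\x90\x00CompanyName=Microsoft Corporation;calc.exe;ko-KR;build 7600"
CALC_KO_PATCH = b"MZ\x90\x00CompanyName=Microsoft Corporation;calc.exe;ko-KR;build 7601"
MALWARE       = b"MZ\x90\x00CompanyName=Microsoft Corporation;dropper;stage2"

_TAG = re.compile(rb"CompanyName=([^;]+)")


def vendor_tag(image: bytes) -> str:
    """Return the vendor string exactly as the file claims it; nothing verifies it."""
    m = _TAG.search(image)
    return m.group(1).decode() if m else ""


def allowed_by_tag(image: bytes, trusted_vendors: set[str]) -> bool:
    """The 'allow all Microsoft programs' rule: trusts the file's own claim."""
    return vendor_tag(image) in trusted_vendors


def fingerprint(image: bytes) -> str:
    """Content hash: identifies one exact build, not a vendor."""
    return hashlib.sha256(image).hexdigest()


class HashAllowlist:
    """Minimal goodware list keyed by SHA-256 of the file contents."""

    def __init__(self) -> None:
        self._known: dict[str, str] = {}  # sha256 -> human-readable label

    def add(self, image: bytes, label: str) -> str:
        h = fingerprint(image)
        self._known[h] = label
        return h

    def allowed(self, image: bytes) -> bool:
        return fingerprint(image) in self._known

    def __len__(self) -> int:
        return len(self._known)


def demo() -> dict[str, bool]:
    trusted = {"Microsoft Corporation"}
    wl = HashAllowlist()
    wl.add(CALC_KO_RTM, "calc.exe ko-KR RTM")

    return {
        # the tag rule waves the dropper through: it simply claims to be Microsoft
        "tag_rule_blocks_malware": not allowed_by_tag(MALWARE, trusted),
        "tag_rule_allows_calc": allowed_by_tag(CALC_KO_RTM, trusted),
        # a string cannot fool the hash rule...
        "hash_rule_blocks_malware": not wl.allowed(MALWARE),
        "hash_rule_allows_calc": wl.allowed(CALC_KO_RTM),
        # ...but the next patch changes the hash, so the patched calc is blocked
        # until someone adds the new build (per language, per patch level)
        "hash_rule_allows_patched_calc": wl.allowed(CALC_KO_PATCH),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32} {result}")
```

Running it shows the two failure modes side by side: the tag rule lets the spoofed sample run, and the hash rule blocks the patched calculator until its new fingerprint is added. Every language build and every patch level is a separate entry, which is the maintenance burden the paragraphs above describe.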

If you add to the mix all the rest of the vendors, ranging from Adobe (and their Flash, Reader and Photoshop in all languages, versions and respective patches) to every device driver vendor, I don't think it's doable at all. So I side with Schneier on this one: you do need antivirus, although it's not a security panacea and it won't solve all your problems. I still think regular antivirus is better than nothing, and even better than any current whitelisting solution. There, I said it.
