Executable White-listing

One of the fundamental rules of security is that, if you want a really secure system, you start by switching everything off and then enable only what you need. This applies to firewalls: it is why many of those that come pre-configured in routers are not very good (they have to let so much through so that every potential customer's setup works), and why ZoneAlarm (the basic version only) is so good, because it asks you before enabling anything.

Based on this, the principle behind all antivirus software is flawed from the start. It is trying to detect what is bad by various means and then block it. You can never win at this game; you are always trying to catch up with the perpetrators, which is why we now have to accept daily updates, and I have seen some offering them hourly. It is also why they can justify a subscription pricing model rather than a one-off cost.

But you can go some way towards this goal very easily: just don’t run your day-to-day activities from an administrator account. Administrator accounts should be for administration, that is installing software, taking backups and doing system updates. What you need to do is create another account and, using the facility provided in Windows XP, mark it as a “Limited User Account” (LUA). 95% of software works perfectly well in this mode. If you use some very old programs that you have to run then you may have some problems, but they can usually be circumvented. However, I will (and you should) complain like mad if a new program does not work when run in this way; it is just negligent of the author. The big advantage of the limited user account is that when you are browsing and reading mail and something nasty does get in, it no longer has access to the heart of the machine and the damage it can do is limited. Most bad-ware will try to install itself in system folders and the machine registry, and that is just not possible in this mode. Think of it as running a power tool with the guards in place. You do need to lift the guards sometimes, but not with the power on and only to change the blade.

This article by Marcus Ranum (beware, some strong language) takes this concept a stage further. Here he describes how he has fought to get the complete control he wanted, so that only the programs he specified would run. First he tried to use Windows Execution Control. I don’t know the facility, nor if this is a fair evaluation of the mechanism, but it failed miserably for him. Subsequently he tried using a product called PrevX. The main problem here was that they annoyed him with their marketing techniques, but it did look doubtful that it was really doing what it said it did. [I could ask here how someone apparently so experienced in security matters could possibly get infected so often, but I suppose that, during research, he may be deliberately working on the margins of safety.]

Finally (so far) he found a freeware product called Exe Lockdown from Horizon DataSys. I tried for quite a while to locate the download, as it doesn’t seem to be linked anywhere, but eventually found it here. If it does what it says on the box then it should work in a very similar way to ZoneAlarm, i.e., maintain a table of permitted programs to execute and, if you try to run one not in the list, come up with an “Allow or Deny” prompt. It adds one extra detail which may be of use for those controlling systems used, for example, by children: it asks for the Administrator password before permitting the change. Otherwise it all looks very straightforward.

It works because viruses and other bad-ware need to execute to do anything to your system. If they are not on the list then they will have to ask, and there is a reasonable chance that you will notice at this point and deny them. It is not foolproof though; it will not catch macro viruses such as those embedded in documents, or scripts such as JavaScript in web pages, but it will stop many, so it is very valuable, and the others will be partially controlled by your LUA.
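As an added illustration of the mechanism just described (this is not Exe Lockdown's, ZoneAlarm's or the author's code), the following Python sketch keeps a table of permitted programs keyed by the SHA-256 of their contents, refuses anything not in the table, and emulates the Allow/Deny prompt that requires the administrator password before a new entry is added. The file names, file contents and the "known good" set are constructed for the example; in a real tool the bytes would be read from the binary about to be launched.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample "executables": the bytes stand in for real files on disk.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Program Files\Editor\editor.exe": b"MZ\x90\x00editor-build-1.0",
    r"C:\Program Files\Mail\mail.exe": b"MZ\x90\x00mail-client-2.3",
    # Same file name as the real editor but different contents (a tampered copy).
    r"C:\Users\alice\Downloads\editor.exe": b"MZ\x90\x00not-the-real-editor",
}

# Binaries the administrator has vetted (constructed); everything else is unknown.
KNOWN_GOOD = (
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Program Files\Mail\mail.exe",
)


def sha256_of(data: bytes) -> str:
    """A program's identity is its content hash, not its file name or path."""
    return hashlib.sha256(data).hexdigest()


def enrol(allow_list: Dict[str, str], path: str, contents: bytes) -> None:
    """Administrator action: record a vetted binary by content hash."""
    allow_list[sha256_of(contents)] = path


def fresh_allow_list() -> Dict[str, str]:
    """Build the table of permitted programs from the vetted set."""
    allow_list: Dict[str, str] = {}
    for path in KNOWN_GOOD:
        enrol(allow_list, path, SAMPLE_FILES[path])
    return allow_list


def decide(contents: bytes, allow_list: Dict[str, str]) -> Tuple[str, str]:
    """Default deny: a program runs only if its hash is enrolled.
    Returns (verdict, detail); detail is the enrolled path or the unknown hash."""
    digest = sha256_of(contents)
    if digest in allow_list:
        return "ALLOW", allow_list[digest]
    return "DENY", digest


def launch(
    path: str,
    contents: bytes,
    allow_list: Dict[str, str],
    ask_user: Callable[[str], bool],
    check_admin_password: Callable[[], bool],
) -> str:
    """Emulate the Allow/Deny prompt. An unknown program is refused unless the
    user chooses Allow *and* supplies the administrator password, in which case
    it is enrolled so the prompt is not repeated for the same binary.
    Only the program binary is inspected: a document or script it goes on to
    open never reaches this check, which is the gap the text describes."""
    verdict, _ = decide(contents, allow_list)
    if verdict == "ALLOW":
        return "ALLOW"
    if ask_user(path) and check_admin_password():
        enrol(allow_list, path, contents)
        return "ALLOW"
    return "DENY"


if __name__ == "__main__":
    table = fresh_allow_list()
    for path, contents in SAMPLE_FILES.items():
        verdict, _ = decide(contents, table)
        print(f"{verdict:5} {path}")
```

Keying the table by hash rather than by file name is what makes the copy in the Downloads folder a different program from the vetted editor even though the names match; it also means a legitimate update changes the hash and prompts again, which is the price of this approach. The check only ever sees the program about to run, so a document or web page handed to an enrolled program is not examined, exactly the macro and script gap noted above.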

[Update: Well, it was a good idea. First, the version I found was only a limited-function demo. The link to buy the real thing went nowhere and I couldn’t get it to work anyway. If anyone knows of a program with a similar function then I would be very glad to hear of it.]
