White List Filtering

Printable View

March 28th, 2003, 05:44 PM
tonybradley

White List Filtering

It seems that there are always new file extensions being added to the blacklist on our antivirus software and email filtering programs. There is a running list of the standard "dangerous" file types- EXE, SCR, EML, BAT, PIF, etc., etc.

A few months back a virus was going around (Korvar or Winevar) which automatically added CEO as an executable file extension in the registry. Nothing much happened with that virus, but it led to the question of how many people may now be able to execute a CEO file and not even know it?

Sometime down the road a new virus could be written to take advantage of the fact that there are computers out there that will execute a CEO file and that most antivirus and email filters won't block a CEO file.

So, here is the question: instead of adding each new file type that becomes a threat to the blacklist, wouldn't it be easier to block email attachments by default and set up a white list of the 2 or 3 file types you feel are safe?

In my opinion it makes sense. From what I can see though the current email and antivirus software just isn't set up for that kind of system. They are set up to work on the blacklist system.
March 28th, 2003, 06:07 PM
Louie

The only problem with that is say that your trust Microsoft Word Documents. That still doesn't mean they are safe because you can have Macro Viruses. Or you will always have an idiot who unzips a zipfile and runs that ub3r k3wl screen saver someone wrote.

I think a white list is a good idea, but it still doesn't make up for basic user education when dealing with attachments, updated client side virus scanners, and other precautions.
March 29th, 2003, 12:08 AM
KissCool

I heard about the ViGuard AntiVirus using a white list instead of a black list in order to deal with viruses. They claim to have the best AntiVirus concept, but their soft is said to be plenty of bugs and the security depends of how lazy the user/administrator is (to set up the white list). It reminds me local IDSs, they have exactly the same major failure inherent to the concept of white lists: a too permissive config makes the system vulnerable, and a too strong makes it unusable for daily users.

KC
March 29th, 2003, 12:33 AM
Und3ertak3r

tonybradley,

Quote:

From what I can see though the current email and antivirus software just isn't set up for that kind of system. They are set up to work on the blacklist system.

I don't know where you get this idea from? I know M$ OLEXP with the current patched/patches has some pretty harsh security settings that basicly work the way you mention.. pitty it don't allow you to sett up a "Whitelist or a Blacklist" or allow files to be released..

you can reject all attachments, and only view your emails in text only mode..ie no html.. that is the safest way to prevent virii.. As Louie said.. Someone could send you an infected file in a "safe" format..
While file type is one way to guard against worm, trojans, and virii. It is only a Frontline approach for an observant user, Heuristics/patterns would be the more effective method currently in use.. I think used by about 100% of the AV companies (Some one correct me please)

So if you are super paranoid.. reject all attachments and use a text based email client.
otherwise use a Good Antivirus programm that scanns your incomming emails and attachments. The effectiveness of these varies from Company to company and version (ie home or corporate), how upto date the definitions are, the end user settings.. like exclusions or the killer "turned the av prog off to install something and forgotten to turn it back on.."

Cheers