Monday, March 2, 2009

The Good, The Bad, and the Unknown

A lot of people ask me questions about the whitelist that is used in Online Armor. Why do we have one? What is it for? So, the main purpose of this post is really to talk about whitelists - and how we're using them in Online Armor.

A quick recap on classifying files

Online Armor in its out of the box setup will prompt you when programs it doesn't recognize try to run. The reason for this is straightforward - if a program doesn't run, it can't do your computer any harm. So, a key defensive strategy in Online Armor is to prevent dangerous programs from even starting.

Unfortunately, it's extremely difficult to maintain a list of all of the dangerous programs in the world. The authors try hard to make them get past Antivirus vendors, and they certainly don't announce the release of them so that they can be included in a blacklist.

Instead, they sneak them into circulation and try to get the spread to happen before the Antivirus vendors notice. To combat this, the AV Vendors added heuristic detection - which is basically checking "If it looks like a duck, quacks like a duck, call it a duck".

It's an interesting problem - Antivirus basically classifies files into a few groups:

Group 1: A solid detection - The Donald Ducks of the Antivirus world. A known virus.
Group 2: Heuristic Detection - it's quacking, and it has a beak... it's certainly ducklike.
Group 3: No ducklike behaviour reported.

The first two groups are detected and either flagged, blocked, or quarantined as bad or dangerous files (or, in some cases, there's a "possibly unwanted" category). The third group is just allowed to run.

The Third Group is allowed to run. This is important. If the antivirus doesn't know (or suspect) that the file is bad, it allows it to run. If it *is* bad, well, oops, you just got infected.

Online Armor treats programs differently.

Group 1: A solid detection - This file is bad.
Group 2: A solid detection - This file is Safe.
Group 3: Not on the list - we haven't a clue.

So, group 1 files are either on Online Armor's blacklist or detected by Online Armor AV+'s embedded AV (soon to be the dual engine from Emsisoft/Ikarus). Group 2 files are files we know are safe, and therefore don't get a prompt.

Group 3 files - we don't know. In this case, we ask the user for a decision, which results in a popup to ask them what to do.

In fact - inside Online Armor we technically have four states for a file:

  • Blocked - just about what you'd expect
  • Unknown - no decision has yet been made
  • Allowed - the program is allowed to run, but you will be prompted for other actions
  • Trusted - the program is allowed to do whatever it wants.
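To make the two policies above concrete, here is an added Python sketch (not Online Armor's code) that models the four states and contrasts the antivirus rule, where only a detection stops a file, with the Online Armor rule, where an unknown file gets a prompt. Keying the lists by a SHA-256 of the file bytes is an assumption; the post does not say how the lists are keyed.

```python
import hashlib
from enum import Enum

class State(Enum):
    BLOCKED = "blocked"
    UNKNOWN = "unknown"
    ALLOWED = "allowed"
    TRUSTED = "trusted"

def fingerprint(data: bytes) -> str:
    # Hypothetical: identify a program by the SHA-256 of its bytes.
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables; real lists would hold hashes of real binaries.
KNOWN_GOOD = b"MZ\x90\x00 constructed sample of a well-known program"
KNOWN_BAD = b"MZ\x90\x00 constructed sample of a known-bad program"

BLACKLIST = {fingerprint(KNOWN_BAD)}
WHITELIST = {fingerprint(KNOWN_GOOD): State.TRUSTED}
LOCAL_DECISIONS = {}  # answers the user gave to earlier prompts, keyed by fingerprint

def classify(data: bytes) -> State:
    # Blacklist wins, then the vendor whitelist, then the user's own earlier answers, else Unknown.
    h = fingerprint(data)
    if h in BLACKLIST:
        return State.BLOCKED
    if h in WHITELIST:
        return WHITELIST[h]
    return LOCAL_DECISIONS.get(h, State.UNKNOWN)

def remember_user_answer(data: bytes, answer: State) -> None:
    # What the popup's result turns into: a local decision for that exact file.
    LOCAL_DECISIONS[fingerprint(data)] = answer

def av_decision(state: State) -> str:
    # Antivirus model: only a detection stops execution; an unknown file simply runs.
    return "block" if state == State.BLOCKED else "allow"

def oa_decision(state: State, action: str = "run") -> str:
    # Online Armor model. Starting a program: Blocked never runs, Unknown gets a prompt,
    # Allowed and Trusted run. Any other action: Trusted proceeds, Allowed is prompted again.
    if state == State.BLOCKED:
        return "block"
    if state == State.UNKNOWN:
        return "prompt"
    if state == State.ALLOWED and action != "run":
        return "prompt"
    return "allow"
```

Because the lists are keyed by content hash, a whitelisted program that has been modified by even one byte falls back to Unknown and is prompted for again rather than inheriting the original's Trusted state.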

Back on topic...

So - if you read the above, then it's pretty clear that the way Online Armor treats files is more secure - unknown programs are not blindly allowed to run - but this is at the expense of more work for the user. In the event we didn't have a whitelist at all, Online Armor would be constantly popping up for every program on your computer.

So, the whitelist is important to reduce popups. People who don't like the whitelist idea say that there is a key problem: it's impossible to whitelist all programs, there are just too many of them.

Of course, they're right - it *is* impossible to whitelist everything - but we don't have to. Each program that we whitelist is potentially one less popup not just for one user, but for millions of users - so cumulatively, our users get a benefit.

My second argument - suppose that we can reduce popups by 10%. Is it worth doing? What if we can reduce them by 12% or 15% or even 50% ? At what point does a whitelist start to make sense?

From my point of view, if we manage to whitelist the top 10% of programs then our users will get 10% fewer popups, and I think that's worth having. The bigger this number, the better.

There will always be programs that don't make the whitelist. Common programs, unusual programs. It doesn't matter. The goal is simply to get as many as we can.

When I install Online Armor on my computer, I get just a few entries to check in autoruns (some specialised software we wrote for a customer) and 10 or so entries in programs to check (same sort of thing). This is much better than what I had several months ago, where I had at least 40 or 50 items to check in programs... and even though I still have 10, it makes Online Armor much easier to use.

For our upcoming v3.5 release, we've spent a lot of time in the background reworking our OASIS infrastructure to process inbound data and classify files faster, so we can improve our whitelist. We should see the results of this over the coming months.

We've also added a real-time lookup of newly created files - to try and get this data out to the user's computer as quickly as possible. It's going to be very interesting to see, once released, how low we can go with popups.
