
Why Is Detection Doomed?

1/23/2008 - Author: Felicia

This article is part 2 of the January 2008 article on antivirus and antimalware software. Last month we covered which antivirus/antimalware tool is right for you and why.



What is detection?

Detection is essentially blacklisting. It’s where software has a picture of what a duck looks like and when it sees something that walks, quacks and looks like a duck, it assumes it’s a duck. This is what virus definition lists are. They are all dictionary lists of what malware looks like, smells like, and walks like.

Detection is doomed because thousands of new malware samples are created each day, and anti-malware vendors like McAfee, Symantec, and Trend have hordes of people finding these things and writing anti-malware definitions for their software daily. This is why it really bugs me when people complain about $40/year for their antivirus/antispyware software subscription renewals. I would gladly pay $100 for this service, because it gives me much safer computing by leveraging the efforts of hundreds of people working to protect my systems.

Antimalware software that uses detection technology compares incoming items against the detection database (virus definitions). The critical flaw in this technique is that it’s a constant catch-up game. Several days pass between when a virus is found on the Internet and when your software has a definition to detect and remove it. Therefore, if your computer gets this virus in that window of a few days between the release of the virus and when your computer can recognize that it is something evil, then your computer is compromised.


This brings us to whitelisting technologies. Whitelisting is a list of all the programs and files that are authorized by you. And only those items are allowed. However, this means that you have to make educated decisions about what is allowed and what is not. Each time your computer sees something new, it may prompt you to authorize it. Clearly, you need to know what you are doing in order to answer the questions properly.

This may not be as bothersome as you suspect. Envision a scenario where an antimalware software vendor has a sufficiently large software database that it knows about the majority of programs and files that should be authorized on your computer. So it doesn’t really prompt you much because it’s pretty smart to begin with. However, this does not mean you get to abstain from your duty to answer the occasional question properly.

You will notice that a whitelisting tool prompts you most often when software updates or new software is being installed. This is because new files are being placed on the computer, and the software must determine if they are supposed to be there or not.

Whitelisting technology is actually the most effective because it doesn’t fall prey to the critical flaw in detection-based (blacklisting) technologies. This sort of technology where only what we trust is allowed is the future of security. Due to the mass volume of evilware created daily, it’s impossible to keep up with it.
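To make the contrast between the two approaches concrete, here is a small added simulation that is not part of the original article. It models a definition as an exact file hash (real definitions use patterns and heuristics, so this is a simplification), replays the window between a new piece of malware appearing and the vendor shipping a definition for it, and shows how a whitelist responds to the same files. The file contents, names, and the three-day definition delay are all constructed for illustration.

```python
"""Added example (not from the original article): a toy model of
signature-based detection (blacklisting) next to whitelisting, showing
the catch-up window the article describes. File bytes, names and the
definition delay are constructed; definitions are modelled as exact
SHA-256 hashes, a simplification of real pattern-based definitions."""
from __future__ import annotations

import hashlib


def fingerprint(content: bytes) -> str:
    """The 'picture of the duck': a definition here is just a known hash."""
    return hashlib.sha256(content).hexdigest()


class DetectionScanner:
    """Blacklist: flags a file only when its hash matches a shipped definition."""

    def __init__(self) -> None:
        self.definitions: set[str] = set()

    def ship_definition(self, sample: bytes) -> None:
        # The vendor's analysts have seen the sample and push a definition.
        self.definitions.add(fingerprint(sample))

    def verdict(self, content: bytes) -> str:
        return "block" if fingerprint(content) in self.definitions else "allow"


class WhitelistScanner:
    """Whitelist: allows only hashes already authorized; anything else prompts."""

    def __init__(self, known_good: list[bytes]) -> None:
        self.allowed: set[str] = {fingerprint(c) for c in known_good}

    def verdict(self, content: bytes) -> str:
        return "allow" if fingerprint(content) in self.allowed else "prompt"

    def authorize(self, content: bytes) -> None:
        # The user (or the vendor's large software database) answers "yes".
        self.allowed.add(fingerprint(content))


# Constructed sample files; the bytes stand in for real executables.
TEXT_EDITOR = b"constructed: known good editor v1"
EDITOR_UPDATE = b"constructed: known good editor v2"
NEW_WORM = b"constructed: brand-new worm, no definition yet"
DEFINITION_DELAY_DAYS = 3  # assumed vendor turnaround, not a measured figure


def simulate() -> dict[str, str]:
    """Replay the window between a worm's release and the definition that catches it."""
    detection = DetectionScanner()
    whitelist = WhitelistScanner(known_good=[TEXT_EDITOR])
    results: dict[str, str] = {}

    # Day 0: the worm appears. Detection has no definition; the whitelist
    # has never authorized it, so it prompts instead of silently allowing.
    results["day0_detection_worm"] = detection.verdict(NEW_WORM)
    results["day0_whitelist_worm"] = whitelist.verdict(NEW_WORM)

    # Day 0: a legitimate update arrives. Detection waves it through;
    # the whitelist asks, which is the prompt you see during installs.
    results["day0_detection_update"] = detection.verdict(EDITOR_UPDATE)
    results["day0_whitelist_update"] = whitelist.verdict(EDITOR_UPDATE)

    # The user answers the prompt correctly and the update is authorized.
    whitelist.authorize(EDITOR_UPDATE)
    results["after_authorize_whitelist_update"] = whitelist.verdict(EDITOR_UPDATE)

    # DEFINITION_DELAY_DAYS later the vendor ships a definition; only now
    # does detection block the worm, and anything that ran in between ran.
    detection.ship_definition(NEW_WORM)
    results[f"day{DEFINITION_DELAY_DAYS}_detection_worm"] = detection.verdict(NEW_WORM)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it prints one line per checkpoint: the worm is allowed by detection on day 0 and blocked only after the definition ships, while the whitelist prompts on both the worm and the legitimate update until the update is explicitly authorized. That prompt on the update is the cost of whitelisting the article mentions: the user has to answer it correctly.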

Currently Comodo is the only antimalware vendor using whitelisting technology.

I still recommend Trend over Comodo in most circumstances because the average human has not caused me to have much confidence in their ability to answer the authorization questions properly. Someday that will change. For now, it’s best to use tools that don’t give you the opportunity to answer the question incorrectly. This way your computer is the safest.

So how do we have security?

Security is pretty easy if you have proper training and sufficient discipline. A secure computer really comes down to two major factors:

· Significant training: this covers defense-in-depth strategies as well as backups and imaging for disaster recovery.

· Knowledge of how to avoid social engineering traps

I cannot overstate the importance of the two factors above. You can have the best alarm system, video surveillance, and attack dog system in the world. But if you open the door to the man with the hatchet, you might just end up dead. Seriously, it’s that simple. Defense in depth, multiple layers of security is intended to weed out the bad guys before they get to you. But if one makes it to your door, bangs on it and convinces you to open the door, it’s all over.

This is why we will continue to have security problems in computers until all humans that use computers are sufficiently trained. And this is actually the most cost-effective thing you can do for yourself. Get training. Now you are wondering where in the world you can find the training you need.

There are a lot of great resources for narrow-focus, application-specific training out there. For instance, you can find a wealth of free training on However, if you are looking for the more general, conceptual training you need in order to keep your computer happy and keep it free of malware, there really are no good sources currently. I put together a class a few years ago that was very well received, but it turned out to not be very cost-effective for me to do the class. That class really taught folks everything they needed to know in order to be successful with their computer. You can see the syllabus in the courses section.