Author Topic: White listing or black listing?  (Read 14308 times)
solcroft
Comodo Loves me
****
Offline Offline

Posts: 146


« Reply #15 on: April 09, 2008, 02:54:50 AM »

What I meant was - the vendor remotely creates the "master" whitelist DB. When the application that's going to utilise this DB is installed, part of the installation process is to determine what apps are already on the PC. This "apps list" is then processed against the remote vendor's master whitelist DB. The resulting matches then form the local whitelist DB which is what is downloaded to the local PC. As new apps are installed or executed, they are again compared to the remote master whitelist and subsequent matches are pushed back to the local PC to be incorporated into the local whitelist DB.
The problem is how vendors are going to build that master whitelist in the first place, when they're, according to the rhetorical claims, already struggling to keep themselves up to date on the much, much smaller blacklist. Your proposal doesn't solve that problem as far as I can see.

Case in point: I uploaded the Sandboxie executables for verification some time ago. CAVS' execution control module was still flagging them as unknown four months later. Comodo has displayed overwhelming incompetence in keeping up with just a blacklist, and I don't expect them to be able to build a comprehensive whitelist anytime soon.

Debates and discussions are encouraged on these forums, but disparaging, derogatory or personal remarks are not.
I made a general statement without naming anyone in particular. I do take heart in the fact, however, that the idiots who do need to feel offended by my remark are still intelligent enough to know as much. There's hope for them yet.
Logged
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7576


... and I say to myself, "What a wonderful world"


« Reply #16 on: April 09, 2008, 04:18:26 AM »

That will be the telling thing, won't it. If they have increased resources and can maintain the master whitelist adequately, and there is sufficient infrastructure behind it all, it shows a great deal of promise. If, OTOH, they haven't, we may be forced to agree.  Wink

We can both take heart from both of our generalised statements. Probably for the same reasons.  Wink
Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
LeoniAquila
Still non-retired moderator but on vacation for a while
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6609



« Reply #17 on: April 09, 2008, 05:31:25 AM »

We already have threads for discussing pros & cons for black/white listing technology, but since we're here, let me throw in my 2 cents.

I'm not in a position of really judging which one is the best. But, for me, white listing has shown to be superior. Ever since CFP 3 was released last year I even gave up antivirus, and my machine has worked flawlessly since then.

Black listing seems to be a never ending chase. Yesterday they even said at the daily news (which is not often) how the number of internet threats has increased. Symantec (one-sided, I know, but still...) said that three years ago, about 50,000 new malware was created in half a year. The last half year of 2007 - 500,000 new malware!

Maybe AV vendors can catch up with that, I don't know, but I feel more safe with white listing / HIPS (which of course doesn't have to exclude traditional black listing).

Now where are those screen shots for CAVS 3? Wink

LA
« Last Edit: April 10, 2008, 05:21:31 PM by LeoniAquila » Logged

Moderator LeoniAquila:
Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the Forum Policy.
Melih
Comodo's Hero
Administrator
Comodo's Hero
*****
Online Online

Posts: 8299



WWW
« Reply #18 on: April 09, 2008, 08:37:21 AM »

in a world where blacklisting : baddies hide themselves, test their product against all the known AVs, make sure none of them catch it and then release it...(bang.. we have a day zero attack and then everyone is running around like a headless chicken trying to create a sig and then update all the millions of people out there... we do the same and expanding of course..)

compared to whitelisting: where these publishers do not hide themselves and want to be known....

I would say: doing whitelisting is much easier and safer than blacklisting! the publishers of whitelisted products are not hiding themselves and the time it takes to add someone to whitelist is NOT a security risk like NOT adding some malware for a period of time!

Also: As Ewen pointed out: local whitelisting: well Clean PC mode is a version of that.. that is why you see no material impact on system performance.


Your name is not in the list, you are not coming in!!! it's as simple as that...
alternative..

Sure everyone come on in.... then send the search party to figure out who inside is a baddy and you only have a limited vision!!!

It's plain common sense if you ask me..

Melih
Logged

Dennis2
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2211



« Reply #19 on: April 09, 2008, 08:57:51 AM »


Debates and discussions are encouraged on these forums, but disparaging, derogatory or personal remarks are not.

All users are supposed to treat all other users with the same respect and courtesy they expect to be shown to themselves. Please, everyone, every now and again, re-read the forum policies.

Ewen :-)


To Ewen
It would be nice if you posted the above in some of the threads which are active at the moment.
The only problem is you would have to post it in big red letters so that they would notice it  Grin
Dennis
Logged

Moderator: Aims to keep the forum a friendly place. Any concerns? Please PM me and/or review the NEW forum policy.
System: Windows 7 (UAC)x32, CIS 3.13,Sandboxie 3.40
Vista Home P. (UAC)x32 SP2, CIS 3.13, W.D.
axl
Comodo's Hero
*****
Offline Offline

Posts: 427


Keep your friends close, and your enemies closer..


« Reply #20 on: April 09, 2008, 09:40:06 AM »

What if the local whitelist database, rather than containing every whitelisted app known to man (and would indeed be a thousand times larger), only contained the known whitelisted apps that pre-existed on that particular PC? Then, as new apps got added to that PC, there was a lookup which could add that app to the local whitelist DB. This would constrain the local DB down to the minimum size required to service the apps on that PC.

What think?
Ewen :-)
The database concept is what I originally stated was flawed, as in the local database.
If I only have 30 applications on my computer, why do I need a program checking them every second against a database of 2 million bad applications, or why would I need a database on my pc with the details of 30,000 good applications?

Microsoft has the concept of signed drivers: there is no database on my machine of either bad drivers, or good drivers; the information about the legitimacy of the driver is contained within the driver itself.
This was my original point, about databases in general, which some tried to obfuscate with a debate about the exact definition of the term whitelist.

In hindsight I fear I may not have responded to your suggestion adequately, and so I will try to do so now:
Yes, panic, your idea is better than any current blacklist or whitelist database implementation, but IMO, some sort of signed application mechanism would be preferable.

I am sure there are some just chomping at the bit, ready to shoot down the idea as delusional; I won't deprive them of satisfying their desires.

Regards,
alex
Logged
axl
Comodo's Hero
*****
Offline Offline

Posts: 427


Keep your friends close, and your enemies closer..


« Reply #21 on: April 09, 2008, 09:59:59 AM »

panic, how about something like a "safety installer".
When I want to install a program, instead of launching the program's installer directly, I launch it indirectly thru the safety installer.
The safety installer then goes online and submits the program's signature and some entity responds letting me know if the program is trusted or not.
This way I don't have any database on my pc, I don't have some program running in the background all the time, and I don't need to check for any updates if I haven't changed anything on my machine.

So panic, what do YOU think?
 Wink
Logged
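The scheme discussed in replies #20 and #21 (a local whitelist holding only vendor-confirmed programs already on the PC, with an online lookup for anything new), as an added example that is not part of any poster's message and not Comodo's code. The in-memory `MasterWhitelist` stands in for the vendor's remote service, SHA-256 digests are an assumed way of identifying programs, and every class name and sample byte string is constructed for illustration.

```python
import hashlib

def digest(content: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes, not by name or path."""
    return hashlib.sha256(content).hexdigest()

class MasterWhitelist:
    """Stand-in for the vendor's remote master DB (an in-memory set here)."""
    def __init__(self, known_good):
        self._digests = {digest(c) for c in known_good}
        self.queries = 0  # counts simulated network round trips

    def is_trusted(self, file_digest: str) -> bool:
        self.queries += 1
        return file_digest in self._digests

class LocalWhitelist:
    """Holds only digests of programs seen on this PC that the vendor vouches for."""
    def __init__(self, master, installed):
        self.master = master
        self.trusted = set()
        # Install-time inventory: hash what is already on the PC, keep the matches.
        for content in installed.values():
            d = digest(content)
            if master.is_trusted(d):
                self.trusted.add(d)

    def may_execute(self, content: bytes) -> bool:
        d = digest(content)
        if d in self.trusted:
            return True            # local hit, no lookup needed
        if self.master.is_trusted(d):
            self.trusted.add(d)    # new match is added to the local DB
            return True
        return False               # not on the list: default deny

# Constructed sample "binaries" (plain byte strings, not real programs).
EDITOR = b"editor v1.0 binary"
BROWSER = b"browser v2.3 binary"
ARCHIVER = b"archiver v4.1 binary"
UNKNOWN = b"never submitted to the vendor"

def demo():
    master = MasterWhitelist([EDITOR, BROWSER, ARCHIVER])
    local = LocalWhitelist(master, {"editor.exe": EDITOR, "tool.exe": UNKNOWN})
    after_install = master.queries
    results = {
        "editor": local.may_execute(EDITOR),             # seeded at install
        "archiver_first": local.may_execute(ARCHIVER),   # remote lookup, then cached
        "archiver_again": local.may_execute(ARCHIVER),   # served locally
        "unknown": local.may_execute(UNKNOWN),           # vendor has no record
        "patched_editor": local.may_execute(EDITOR + b"\x90"),  # altered bytes
    }
    return results, len(local.trusted), master.queries - after_install

if __name__ == "__main__":
    print(demo())
```

The local DB ends up with two entries regardless of how large the master list is, and a trusted program whose bytes change stops matching until the vendor lists the new digest.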
MJ1988
Comodo Loves me
****
Offline Offline

Posts: 148


« Reply #22 on: April 09, 2008, 12:00:06 PM »

G'day solcroft,

Glad to see you stick your head round the door again.

Gotta agree - the detection rate of CAVS2 Beta has never been the best. I can't see it getting any better than it currently is as the primary development focus is now on CAVS3.

Just in case you were just about to say "LOL. Couldn't finish V3 and have started on V3" or similar, Comodo realised, after the release of CFP V3, that they needed to re-architect the CAVS product line to be able to co-operate with the new architecture used in CFP V3. As a consequence, the CAVS V3 development team has been greatly expanded and development work on CAVS V2 pretty much ground to a halt.

CAVS V3 is slated for a public beta towards the end of this month or early next month and should be worth at least a closer look.

[tongue in cheek mode on]
I'll get someone who's allowed to register at Wilders to let you know when it's out. Wink (Only kidding, every attempt I've ever made to register at Wilders has failed for one reason or another. Now, I just don't bother, but I do read there a lot.)
[/tongue in cheek mode off]

cheers,
Ewen :-)





I really hope that it's finally scheduled late this, or early next month. I'm eager to finally test it out. I also like to have all Comodo security products on my computer.

Cool beans.
Logged

Call me Matt. =P
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7576


... and I say to myself, "What a wonderful world"


« Reply #23 on: April 09, 2008, 06:08:11 PM »

panic, how about something like a "safety installer".
When I want to install a program, instead of launching the program's installer directly, I launch it indirectly thru the safety installer.
The safety installer then goes online and submits the program's signature and some entity responds letting me know if the program is trusted or not.
This way I don't have any database on my pc, I don't have some program running in the background all the time, and I don't need to check for any updates if I haven't changed anything on my machine.

So panic, what do YOU think?
 Wink

Hey axl,

Imagine we use this "safety installer" to install a product and the other entity says it's OK so it runs and installs the app. When we then run the installed app our firewall will pop-up, as it is, to the firewall, an unknown app attempting outbound access. We create a rule.

This rule is stored where?  Wink

Possibly in a local DB for future reference?  Wink

Possibly the AV and the firewall will have the smarts to co-operate and share resources?  Wink

Stay tuned.

I don't know if this will appear in CAVS3. Just conjecture on my behalf. I could be wrong. I hope I'm not.

Cheers,
Ewen :-)

Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
solcroft
Comodo Loves me
****
Offline Offline

Posts: 146


« Reply #24 on: April 10, 2008, 03:19:59 AM »

in a world where blacklisting : baddies hide themselves, test their product against all the known AVs, make sure none of them catch it and then release it...(bang.. we have a day zero attack and then everyone is running around like a headless chicken trying to create a sig and then update all the millions of people out there... we do the same and expanding of course..)
Melih, it never fails to amaze me that, as a CEO of a company, you would openly resort to weak rhetoric. There are inherent flaws in blacklisting technology, granted. So how does that mean that whitelisting, with its own massive set of problems as well, is the answer?

For all its flaws, antivirus companies have learned to adapt over time with different approaches and technologies to blacklisting. I ask you to tell me when was it that the world saw a widespread malware outbreak. At the same time, please tell me which company so far has managed to make whitelisting a major success. (Some intelligent answers, please; I'm not one of those sycophantic Comodo worshippers that you're used to addressing.) As far as I can see, your company is trying to present itself as having designed a new-generation, cutting-edge solution to an age-old problem. I can assure you that that is most definitely not happening.

Your name is not in the list, you are not coming in!!! it's as simple as that...
alternative..

Sure everyone come on in.... then send the search party to figure out who inside is a baddy and you only have a limited vision!!!
Melih, if people were smart enough to tell by themselves which files are safe and which aren't, then they don't need your product which would be nothing but a redundant piece of junk. I don't see the point of a product that needs me to tell it which files are safe and which ones are malware.

It's plain common sense if you ask me..
Logged
LeoniAquila
Still non-retired moderator but on vacation for a while
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6609



« Reply #25 on: April 10, 2008, 04:31:49 AM »

I ask you to tell me when was it that the world saw a widespread malware outbreak.

I don't think we need a "widespread malware outbreak" to come to the conclusion that many people get infected. Partly because they are incautious, partly because their black listing software misses the malware.

At the same time, please tell me which company so far has managed to make whitelisting a major success.

This hasn't happened yet (which is the answer you want, right?) if you ask me. But more importantly, does that automatically mean that white listing is no good? Just because Symantec and McAfee grew large thanks to black listing, that's the way to go? Your question indicates that you want to come to that conclusion...

No matter how unique Comodo's white listing technology is, I believe it's the way forward (not necessarily Comodo's technology, but white listing technology).

Melih, if people were smart enough to tell by themselves which files are safe and which aren't, then they don't need your product which would be nothing but a redundant piece of junk.

Yes, IF they were that smart. But they aren't.

I don't see the point of a product that needs me to tell it which files are safe and which ones are malware.

So you need no black listing, no white listing? That's good for you, but 99% of all computer users do need that.

LA
Logged

Moderator LeoniAquila:
Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the Forum Policy.
solcroft
Comodo Loves me
****
Offline Offline

Posts: 146


« Reply #26 on: April 10, 2008, 05:01:58 AM »

I don't think we need a "widespread malware outbreak" to come to the conclusion that many people get infected. Partly because they are incautious, partly because their black listing software misses the malware.
Of course they do. But many others stay clean as well, and I daresay a very very large majority of them aren't users of Comodo's revolutionary whitelisting-technology products either.

This hasn't happened yet (which is the answer you want, right?) if you ask me. But more importantly, does that automatically mean that white listing is no good? Just because Symantec and McAfee grew large thanks to black listing, that's the way to go? Your question indicates that you want to come to that conclusion...
The market and evolution of technology always has a strange tendency to favor the solutions that work best. All I did was to point out some simple facts that some may have missed. I don't think that qualifies as bias; do you?

Yes, IF they were that smart. But they aren't.
And if they aren't, then that technology is useless to them. Sounds like a pretty catch 22 to me. Here we have a product that asks the user which files are clean and which ones should be blocked, when the user ostensibly installed the software so that it could tell him/her that.

So you need no black listing, no white listing? That's good for you, but 99% of all computer users do need that.
No, you're misinterpreting my words completely. What I don't need is a security product that pretends it's providing any security by asking my opinion on anything and everything. When I install a security product, I don't expect the product to hand all responsibility of security back to me.
Logged
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7576


... and I say to myself, "What a wonderful world"


« Reply #27 on: April 10, 2008, 07:02:55 AM »

Quote
The market and evolution of technology always has a strange tendency to favor the solutions that work best.

And how does that explain Windows?  Laugh

In reality, the evolution and marketing of technology are inextricably entwined, rather than a quest for the best possible solution.

IBM's MicroChannel architecture was/is a technical masterpiece.
OS/2 Warp was amazing.
Ditto the Amiga hardware / Operating System combination.
The Pick database system.
The C/TOS operating system and hardware.

Where are they now? Snuggled up comfortably as a footnote in the annals of computing history.

Market acceptance does not always equate to technical superiority. The reverse is equally true (just ask the *nix guys).

Ewen :-)
Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
solcroft
Comodo Loves me
****
Offline Offline

Posts: 146


« Reply #28 on: April 10, 2008, 07:38:21 AM »

Market acceptance does not always equate to technical superiority. The reverse is equally true (just ask the *nix guys).
You need to remember that the best solution is not determined by technical superiority alone. A technically superior product may be hindered by a variety of other factors that make it not the best suited for its purpose. Take antivirus software for example, since we're on the topic. WebWasher is the ultimate scanner in terms of detection rate, yet I don't think many people have even heard of it, much less used it before. Can you guess why?

The same goes for whitelisting. It's all good and well to espouse the virtues of whitelisting (while conveniently forgetting to mention its drawbacks), until you consider the problem of who's going to create that whitelist and keep it updated. The user? The vendor?

And for the record, Windows (XP, at least) is a fine product. I just wished it looked as good as a Mac OS.
« Last Edit: April 10, 2008, 07:40:08 AM by solcroft » Logged
Dennis2
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2211



« Reply #29 on: April 10, 2008, 11:12:03 AM »

And for the record, Windows (XP, at least) is a fine product. I just wished it looked as good as a Mac OS.
Did I read this right? ? ?  Shocked
I might use XP but I certainly do not love it.
Dennis
Logged

Moderator: Aims to keep the forum a friendly place. Any concerns? Please PM me and/or review the NEW forum policy.
System: Windows 7 (UAC)x32, CIS 3.13,Sandboxie 3.40
Vista Home P. (UAC)x32 SP2, CIS 3.13, W.D.