In response to my argument about why anti-malware vendors should form a consortium that builds a centralized database of legitimate applications and why the database that Uniblue has come up with as a part of its WinTasksPro product would be a good starting point, not only did Zone Labs CEO Gregor Freund have something to say, but so too did the folks at an outfit called answersthatwork.com. Maurice McElroy, from the company, wrote to me saying:
We found your 'missing glue' article fascinating. However, we felt there was an element missing... us. We have been running a free Tasks List on our website for years and we're adding to it all the time. We also make a point of using plain language so that any end user can make an informed choice about switching tasks off.
So, I checked out answersthatwork.com and, staying true to its name, the database delivers answers that attempt to explain what certain software does in plain English. Although it makes a better attempt at explaining things in layman's terms than other software does, I still found it lacking in certain areas. For example, when I entered "LSASS.EXE" into answersthatwork.com's search box, it just took me to the page of "L's," and I still had to scroll through the whole page to find LSASS. Then, when I got there, there were two entries for LSASS.EXE instead of one, and one of the two was a virus. The site didn't do a good enough job of flagging that LSASS.EXE could be a virus: you have to read the fine print on the second entry, and only after noticing that there is more than one entry (which you might not notice).
Also, for these sorts of databases to really work in the context of malware, they need to do a better job of describing the behavior in terms that users of anti-malware understand. For example, when my personal firewall tries to stop LSASS from contacting some other machine on the network (and all I have is that other machine's IP address), it would be great if the description in answersthatwork.com's database said "This Windows component normally attempts to make contact with your local area network's Windows Domain Controller or Active Directory Server. If your firewall is trying to block it, verify with your IT support staff that the IP address of the machine that LSASS is trying to reach matches the IP address of the Domain Controller or Active Directory server. If it doesn't, it could be malware." Bear in mind, I'm just making this up as an example. I'm not exactly sure what server LSASS should be connecting to. That's the problem! Also, it should explain the consequences if users block the communication. For example, will the system not be able to get onto the network and use shared resources? Will it only inhibit someone from using the printer that's connected to my computer? Could the system crash? Or maybe it just renders NetBIOS applications inoperable. Who knows?
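To make the two complaints above concrete (a name lookup that hides a malicious duplicate, and a description that does not say what destination a process should be contacting or what blocking it costs), here is an added example of what such a task database could look like. It is illustrative code written for this post, not code from answersthatwork.com or Uniblue; every entry, description, IP range and consequence text in it is constructed, and the "expected destination" for LSASS is a placeholder network, not a statement about what LSASS really does.

```python
"""Added example (not part of the original post): a small task-database lookup that
(1) returns every entry recorded for an executable name and flags when the entries
disagree about whether the name is legitimate, and (2) assesses a firewall alert
("process X tried to reach IP Y") against the destinations the database expects
for that process, including what the user gives up by blocking it.
All entries, descriptions and address ranges below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class TaskEntry:
    name: str                      # executable name, matched case-insensitively
    legitimate: bool               # False for a known-malicious use of the same name
    description: str               # plain-language explanation for end users
    expected_destinations: List[str] = field(default_factory=list)  # CIDR ranges (constructed)
    block_consequence: str = ""    # what the user should expect if the firewall blocks it


# Constructed sample database. The 10.0.0.0/24 range stands in for "your domain
# controller's subnet"; a real database would record the site's actual servers.
TASK_DB: List[TaskEntry] = [
    TaskEntry(
        "lsass.exe", True,
        "A Windows security component that normally talks to your domain controller.",
        ["10.0.0.0/24"],
        "Network logons and access to shared resources may fail.",
    ),
    TaskEntry(
        "lsass.exe", False,
        "A malware family that borrows the name of the Windows component.",
        [],
        "Blocking it is safe.",
    ),
    TaskEntry(
        "notepad.exe", True,
        "The Windows text editor; it does not normally use the network.",
        [],
        "No effect.",
    ),
]


def lookup(name: str) -> Dict[str, object]:
    """Exact-name lookup. Returns all matching entries, not just the first one,
    and an 'ambiguous' flag when legitimate and malicious entries share the name,
    so a front end can show the warning up front instead of in the fine print."""
    matches = [e for e in TASK_DB if e.name.lower() == name.lower()]
    return {
        "entries": matches,
        "ambiguous": len({e.legitimate for e in matches}) > 1,
    }


def assess_alert(name: str, dest_ip: str) -> Tuple[str, str]:
    """Evaluate 'name tried to reach dest_ip' for a firewall prompt.
    Returns (verdict, advice) where verdict is 'unknown', 'expected' or 'review'."""
    result = lookup(name)
    entries: List[TaskEntry] = result["entries"]  # type: ignore[assignment]
    if not entries:
        return ("unknown",
                f"{name} is not in the task database; check with your IT support before allowing it.")

    addr = ip_address(dest_ip)
    legit = [e for e in entries if e.legitimate]
    # If the destination falls inside a range the legitimate program is expected
    # to use, tell the user plainly that this looks normal.
    for e in legit:
        if any(addr in ip_network(cidr) for cidr in e.expected_destinations):
            return ("expected",
                    f"{name} normally contacts {', '.join(e.expected_destinations)}. "
                    f"{e.description}")

    # Otherwise ask the user to verify, and spell out the name collision and the
    # cost of blocking, which is exactly what the post says current databases omit.
    advice = f"{name} tried to reach {dest_ip}, which is not among its expected destinations."
    if result["ambiguous"]:
        advice += " Note: a known piece of malware also uses this name, so treat this as suspicious."
    if legit:
        advice += f" If you block it: {legit[0].block_consequence}"
    return ("review", advice)


if __name__ == "__main__":
    for proc, ip in [("LSASS.EXE", "10.0.0.5"), ("LSASS.EXE", "203.0.113.7"), ("foo.exe", "10.0.0.5")]:
        verdict, advice = assess_alert(proc, ip)
        print(f"{proc} -> {ip}: {verdict}: {advice}")
```

The two design points carried by the code are that a name lookup must return every entry and surface the legitimate/malicious disagreement itself, rather than leaving the user to notice a second row, and that a firewall-facing description needs structured "expected destination" and "consequence of blocking" fields, not just free text, so the prompt can compare the observed IP against them.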
You get the drift. Does anybody have the vision to build this? I'll bet if you do, you could license it to all the anti-malware vendors and make a killing.