McAfee CEO: Adware is killing AV blacklisting


Traditional security products — which employ signature-based blacklisting technology — are no longer effective because of a massive increase in malware, according to the CEO of McAfee, Dave De Walt.

Blacklisting — where vendors compile lists of known malware — has become technically unfeasible, said De Walt.

"When you're doubling the amount of malware you're getting on a daily basis, eventually a blacklisting model ultimately could run out of architectural scalability," he said at a press briefing today.

In 2007, McAfee received 370 new malware samples per day, and according to De Walt, that figure is likely to reach 750 per day by the end of this year. "The current trend six months into [2008] is we're seeing a doubling of the malware we receive into our labs," he said.

The gloomy predictions are consistent with other security vendors. Symantec this year said that 65 per cent of the 54,609 Windows-based applications that have been released to the public in the past six months were malicious.

Chia Wing Fei, a security response team manager at F-Secure, told ZDNet.com.au that in 2007, the company detected more than 500,000 pieces of malware. He expects that figure to double this year — for the second year running.

Late last year, AV testing company AV-Test produced statistics showing the staggering growth of malware in the past year.

"This is a good representation of the staggering load of malware that anti-malware folks are under," said Alex Eckelberry, a security researcher for security vendor Sunbelt Software, in response to the statistics. "Like most companies, we're processing gigabytes of malware daily."

McAfee's De Walt said he was shocked by the pace of growth.

"This was a shocker to me to see at McAfee just what we face in the world. In 2007, 40 per cent of all malware was written that year," he said.

However, De Walt blames online marketing companies for much of the escalation.

"A lot of it's coming from the growing adware market, which is a legitimate market... Literally billions of dollars are being put into figuring out ways to market more intelligently to you ... in a more personalised way. That's driven malware development.

"Marketing companies often contract companies to figure out ingenious ways to put a brand on your device, and that same ingenious way to put a brand on your device is what potentially the bad guys and gals can do to exploit your computer — either through data theft, data loss, identity theft or some sort of phishing attack," he said.

As blacklisting becomes increasingly difficult, De Walt said whitelisting technologies hold promise.

"Whitelisting looks like it has an architectural promise that could be very strong," he said.

Whitelisting was a dominant topic at this year's AusCERT conference. Cisco's chief security officer expressed frustration at blacklisting, and said he would like to see more whitelisting. "Antivirus should be an integral part of how you clean content, and keep it safe, however as a first line of defence, I just don't see it anymore," Stewart told ZDNet.com.au.

AusCERT general manager Graham Ingram backed Stewart up. "I think [whitelists] are a natural progression... I think the realisation [is] that blacklisting only had a limited life and we're getting towards the end of that," said Ingram.

However, De Walt has reservations about its adoption due to cultural factors.

"The cultural adoption of it has been the challenge. Because what is whitelisting? You can only use seven products on your machine, you're not allowed to use another product on your machine. I lock down your environment, according to a whitelist and I prevent software moving onto that computer, unless I grant that access to that application," he said.

"The cultural aspects are, I'd really like to use iTunes, or the latest peer to peer music sharing product. That prevents that. It also keeps it safe, but at the same time, it's culturally inhibiting in the way people like to work with their machines."


Liam Tung


Talkback

5 comments
  • this will be a fun ride.

    I can imagine the fun with limewire (or insert your favorite adware bundled download program) not getting onto the whitelist and the uproar from your average joe downloader going "omg why is my antivirus/malware program telling me limewire isn't on the whitelist". Though, it will make it easier with a whitelist to tell someone, well you got a virus/malware because you ignored the whitelist warning, rather than try to explain how a drive by download works.
    anonymous
  • Limewire?

    Does this application still offer any content other than just malware?
    anonymous
  • Whitelisting influenced by user

    They are not just referring to whitelisting by the AV vendors. The AV vendors will create a template white list based on their recommendations but, like the ZoneAlarm concept, which asks if you would like this application to have access, it will do a similar thing, asking the user if an application can be whitelisted. So the legal liabilities are mitigated because it's the user who decided to let crap like Limewire access the internet and the whole wrath of adware/malware that follows it.
    anonymous
  • whitelisting

    I've been using this method to screen my incoming email for spam for several years now.
    All incoming mail is checked against my whitelist of approved senders.
    Depending upon which account is involved, any not on that list are either auto-deleted or left on the server & not downloaded.
    No more Spam.
    anonymous
  • Trend Micro May Be Right

    Evan Chen, Trend Micro CEO is stating that the model has to evolve in stopping more of the malware in the "cloud". Why wait until the endpoint???
    anonymous