Norton 2009 tackles whitelisting

Symantec has adopted whitelising techniques in an effort to dramatically improve the performance of its upcoming Norton 2009 security suite, according to the company's vice president of consumer engineering, Rowan Trollope.

Whitelists tackle Norton performace

Symantec has adopted whitelising techniques in an effort to dramatically improve the performance of its upcoming Norton 2009 security suite, according to the company's vice president of consumer engineering, Rowan Trollope.

Trollope admitted that poor performance was the main reason Norton Internet Security customers abandoned previous versions of the product. In the next version, he explained, a "whitelisting approach" significantly reduced the amount of time scanning files that are known to be safe.

"It does use whitelisting as an approach, but it really focuses on the performance gains we can get by not having to scan things on the whitelist," he said.

The concept of using whitelisting in security is nothing new. Whitelists, for example, are used by airlines to determine whether a passenger can board. If you have a boarding pass, you're allowed to take a seat but if you don't, you're not. A blacklist, commonly used in signature-based antivirus, works the opposite way by creating a list of unwanted files, such as known malware, to prevent entry.

Cisco's chief security officer John Stewart earlier this year complained that antivirus "doesn't work", and called for whitelists to become more common. McAfee's CEO Dave De Walt a few weeks later claimed that malware volumes had pushed blacklisting to its architectural limits and suggested that whitelists held "very strong" promise in meeting this challenge.

While enterprises sometimes use whitelisting technologies, such as hosted intrusion prevention systems (HIPS), to combat zero-day threats, whitelists are yet to find a place in consumer security. However, Trollope pointed out that Symantec is using the whitelist to improve performance, not to prevent malware being installed on a PC.

"We are looking at all of our 55 million customers' systems ... and base the whitelist on which applications are very common," he said.

"We know that an application installed on less than 10 systems is most likely malicious. Unless you're a software engineer ... it's unlikely that anyone has a piece of software that runs only on 10 systems," Trollope told ZDNet.com.au.

"Legitimate application writers are looking to get large distribution of their software; malware writers are looking to limit it so they can stay under the radar of signature-based malware vendors," he added.