The White Knight of Anti-Virus

Living in this information age has greatly expanded the reach of communication and ease of collaboration between a broad and eclectic global population of computer users. The power to learn and solve the problems that we face every day has been dramatically increased by this global information explosion. As never before, we have within our power now the ability to bring together the resources and talents of myriad individuals and groups to increase the quality of life for all people on God’s green Earth.

Ironically, in this moment of empowerment, we face the deeply disturbing and frustrating obstacle created by a small minority of people who, with twisted minds and too much time on their hands, are flooding worldwide information systems with malicious code designed to impede the flow of data and deny services to those seeking to find answers to their problems.

Fortunately, to combat these miscreants a growing number of privately held companies have developed software applications that are commonly called Anti-Virus solutions. Anti-Virus (AV) software is designed to run in the background on workstations and servers in order to provide protection against the malicious code that seeks to impede and even disable normal computer operations.

Free enterprise being what it is, we now have a plethora of companies that are offering these AV solutions. The major players are Symantec (maker of Norton Antivirus software), McAfee and Trend Micro. Finding a good balance of protection versus utilization of system resources is the key to good AV protection. Some AV programs will give you excellent protection, but they will bog your system down so much that they begin to take on the effect of being malicious themselves.

If you are working in a small office or home-based business, then putting client software on the computers you are using is the best way to go. In larger organizations, server-based solutions are more common. In this environment, AV programs and updates are centrally administered, deployed and updated from a powerful computer called a server, which is accessible on the local network.

Typically, AV software works by blacklisting known malicious code and/or looking for suspicious behavior that is known to be associated with viruses. This can be a time- and resource-consuming process when the AV program scans the computer, which has to be done regularly for it to be effective. Keeping updated “blacklist” tables, otherwise known as “anti-virus definition tables,” is also crucial to good operation.

Lately AV has been morphing into something more powerful and less resource hungry. This new dynamic in AV is based on white-listing as opposed to the traditional blacklisting. With the white-list approach a computer is configured, scanned and approved as a clean and healthy system. Then the white-list AV program makes a record of all the information on the computer and authorizes the operation of existing programs and data. Anything new that tries to run on the system is categorically denied execution. Thus malicious code is rendered powerless.

When a change or addition is needed, the administrator of the computer can open a window of access to the system to make authorized changes and then clamp it back down again, thus securing the system from any additional unauthorized changes.
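The white-list cycle just described (baseline a clean system, deny anything new or changed, open a change window for the administrator, then clamp it back down), as an added Python sketch that is not part of this article and is not the code of any product named here. The `Allowlist` class, the verdict strings and the constructed scenario in `demo()` are assumptions for illustration; a real product hooks execution at the operating-system level rather than hashing files on request.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class Allowlist:
    """Execution allowlist: baseline a clean tree, then deny anything new or changed."""
    def __init__(self):
        self.approved = {}        # absolute path -> SHA-256 of the approved content
        self.window_open = False  # True only while an administrator permits changes

    def baseline(self, root):
        """The initial 'clean and healthy' scan: every existing file becomes approved."""
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.abspath(os.path.join(dirpath, name))
                self.approved[path] = file_digest(path)
        return len(self.approved)

    def check(self, path):
        """Decide an execution request: 'allow', 'deny-unknown' or 'deny-modified'."""
        path = os.path.abspath(path)
        digest = file_digest(path)
        if self.approved.get(path) == digest:
            return "allow"
        if self.window_open:  # admin change window: accept the change and record it
            self.approved[path] = digest
            return "allow"
        return "deny-modified" if path in self.approved else "deny-unknown"

def demo():
    """Constructed scenario: baseline, a dropped file, a tampered file, a change window."""
    with tempfile.TemporaryDirectory() as root:
        app, new = os.path.join(root, "app.exe"), os.path.join(root, "dropper.exe")
        open(app, "wb").write(b"approved program")
        al = Allowlist()
        al.baseline(root)
        results = [al.check(app)]          # allow: matches the baseline
        open(new, "wb").write(b"unknown binary")
        results.append(al.check(new))      # deny-unknown: never approved
        open(app, "wb").write(b"patched program")
        results.append(al.check(app))      # deny-modified: content changed
        al.window_open = True              # administrator opens the change window
        results.append(al.check(app))      # allow: the new hash is recorded
        al.window_open = False             # clamp it back down
        results.append(al.check(new))      # deny-unknown: still never approved
        return results
```

Note that the unknown dropper stays denied even after the window closes, because only what the administrator ran during the window was recorded; everything else remains categorically blocked.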

I’ve seen this method in use on single laptop systems right on up to large commercial networks with thousands of hosts. It is extremely effective and stable, while also keeping the system resource utilization to a bare minimum. As of now there are just two major contenders in this arena – Solidcore (recently acquired by McAfee) and Tripwire. I expect to see this cutting edge technology become much more widely used in the future. However, currently this new face of AV protection is quite pricey.