Wednesday, January 19, 2011

Everything Is Not All White

Whitelisting Is Not The Holy Grail:

I have to disagree with some in the security community who hold up whitelisting as the Holy Grail of cyber security. The hard critics of antivirus have many valid concerns. Repackaging and obfuscation are only the start of the problems. The window of opportunity between definition updates, during which malware can run undetected, may always exist.
Malware taking advantage of that window and interfering with the antivirus definition updates so that it is not detected is also a continuing problem. Later versions of Windows User Account Control have helped somewhat.

One Achilles heel of whitelisting is very similar. Whitelisting in general will only allow certain programs to run, which is great in a production lab environment. The whitelisting program keeps track of what is authorized through some type of database. A program already authorized to run by the whitelisting service may still be vulnerable to a 0-day or another unpatched vulnerability. Exploiting that 0-day in the authorized program, for example with a
Metasploit module, can execute malicious code on the system running the whitelisting service. This single risk can create a cascade of issues. Once the code in this example runs freely on the host, it can download a payload and add that payload to the whitelist database. The result is a new program or service running freely on the host that the whitelisting service is actively supposed to be protecting.
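The cascade described in this paragraph is easy to see in a small model. The following is an added example, not code from the original post or from any whitelisting product: a hash-based allowlist kept in a plain dictionary (standing in for the whitelisting service's database), an enforcement check, the single write that a compromised authorized program would make to that database, and an audit layer that compares the live database against a baseline recorded by the administrator and held off the host. All program contents, names and hashes are constructed stand-ins.

```python
import hashlib
import json

# Constructed stand-ins for executable contents; a real allowlist hashes files on disk.
AUTHORIZED = {
    "editor.exe": b"constructed editor binary v1",
    "browser.exe": b"constructed browser binary v1",
}
PAYLOAD = b"constructed payload dropped by a compromised, allowlisted process"


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a program's contents."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(programs: dict) -> dict:
    """Admin step: map content hash -> program name for the enforcement point."""
    return {digest(blob): name for name, blob in programs.items()}


def snapshot(allowlist: dict) -> dict:
    """Admin step: record a baseline copy plus its digest. In practice this
    copy lives off the host (management server), where the host cannot edit it."""
    body = json.dumps(allowlist, sort_keys=True).encode()
    return {"digest": digest(body), "entries": dict(allowlist)}


def may_run(allowlist: dict, blob: bytes) -> bool:
    """Enforcement point: a program runs only if its content hash is listed."""
    return digest(blob) in allowlist


def simulate_compromise(allowlist: dict, payload: bytes) -> None:
    """Model only the step the post describes: code already running inside an
    authorized (but exploited) program writes the dropped payload's hash into
    the same database the enforcement point trusts. No exploitation is modelled."""
    allowlist[digest(payload)] = "payload.exe"


def audit(allowlist: dict, baseline: dict) -> dict:
    """Detection layer: compare the live database with the off-host baseline and
    report entries that appeared or vanished without going through the admin step."""
    body = json.dumps(allowlist, sort_keys=True).encode()
    added = {h: n for h, n in allowlist.items() if h not in baseline["entries"]}
    removed = {h: n for h, n in baseline["entries"].items() if h not in allowlist}
    return {"tampered": digest(body) != baseline["digest"], "added": added, "removed": removed}


if __name__ == "__main__":
    db = build_allowlist(AUTHORIZED)
    base = snapshot(db)
    print("payload allowed before compromise:", may_run(db, PAYLOAD))
    simulate_compromise(db, PAYLOAD)
    print("payload allowed after compromise:", may_run(db, PAYLOAD))
    print("audit result:", audit(db, base))
```

The enforcement check is correct both before and after the compromise; it faithfully allows whatever the database says. That is the point of the paragraph: once the database itself is writable from the host, the allowlist alone cannot tell a legitimate entry from a planted one, and only a second layer (here, a baseline held out of the host's reach and a periodic comparison) surfaces the change.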

So although antivirus may not be the toughest tool in the arsenal, whitelisting is not the Holy Grail that will do away with the other tools. It must work in concert with them and form one of the layers of security needed.