Norton 2009 and Whitelists

Over the last couple of months our friends at Symantec have readied and released Norton 2009. We hope that the engineering team is taking a long rest after the significant effort to bring this new offering to the market!

Norton 2009 is touting the use of “whitelists” as a part of the offering. See:

From the article:

Symantec has adopted whitelising techniques in an effort to dramatically improve the performance of its upcoming Norton 2009 security suite, according to the company’s vice president of consumer engineering, Rowan Trollope.

Trollope admitted that poor performance was the main reason Norton Internet Security customers abandoned previous versions of the product. In the next version, he explained, a “whitelisting approach” significantly reduced the amount of time scanning files that are known to be safe.

It is very interesting to see another use case and value definition for whitelisting. Not that we agree, mind you. It is just interesting.

All of the AV vendors are seeking ways to deal with “Blacklist bloat and overhead”. The use of “smart whitelisting” in an AV product is an interesting way to address this need. Essentially what the Symantec team realized is that there is no need to constantly scan and rescan good code. Bravo.

But what they missed is that this is not the real and valuable use case for code whitelisting in the longer term.

As discussed before in this blog, whitelisting is not a direct replacement for blacklisting. Blacklisting, in its pure form, is about discovery and hopefully the blocking/immunization of “malicious code” – code intentionally built and distributed to damage compute platforms and increasingly used to steal private information.

Whitelisting, in its pure form (admittedly by our definition) is about making sure that the “good and desired code set” remains in a good and desired integrity and configuration state over the entire usage life cycle of the software stack (physical or virtual).

In order to make this work in practice, one needs to redefine the architecture of computer security and systems management from end-to-end. Simply tacking whitelist onto an existing blacklist solution does not yield the real benefits that can be achieved with true whitelisting.

The test of true whitelisting is really driven by more fundamental benefits like improved computer stability, security and compliance – leading to higher availability (increased MTTF and reduced MTTR). Importantly these benefits should be delivered with LOWER operational costs than we have now. This means that we need to lower the people costs associated with delivering computer availability and capacity. This means we need to increase our visibility to ALL of the risks to computer stability, including malicious code. This also means that we need to instrument and automate IT best practices.

Positive IT Controls are the answer. We are making steady progress in “flipping the model” from blacklist to whitelist – but don’t be fooled. Norton 2009 is not really a “whitelist solution”. Real whitelist solutions will be very common as a true and vendor agnostic, high-provenance whitelist eco-system evolves. And as the endpoint wars begin to settle down in 2009.

Keep your eyes on these pages for more on this.


8 Responses to Norton 2009 and Whitelists

  1. Thanks Wyatt.

    We didn’t miss the longer term value of whitelisting. We chose to implement the performance enhancements you mentioned as the priority.

    Our system is actually both a white a black list in one, and we call this “file reputation”. We are using it in 2009 to provide the aforementioned performance benefits and we also use it to attenuate false positives from our heuristics, which has allowed us to crank up the agressiveness of these engines. This has shown terrific results in both AVTEST.ORG’s tests as well as Andreas Clementi’s recent test results, both of which put us into the #1 detection position.

    We are working very hard on the next step with our very promising file-based reputation system, and are quite excited about the potential.

    Rowan Trollope

    Senior Vice President
    Symantec Corp

  2. Wyatt says:

    Thanks the comment.

    Great to see (and hear) about the “file reputation” aspect of you product and plans. We agree with the notion of understanding file and data element reputation, a key element of which is “provenance”. Reputation is a key metric to set and affirm IT device “trust”.

    True whitelist methods (including schema, content, and configuration/image management) must (IMHO) anticipate the notion of file reputation as a key factor in measuring and asserting IT real device trust. And shouldn’t IT device trust be a key notion in effective business process management and information exchange? One can only keep information safe and secure if the devices handling that information can demonstrate their trust.

    And it sounds like your roadmap is also heading toward the notion of extending whitelist for the purposes of Positive IT Control purposes. Or, as your CEO John Thomson has stated publicly “Making sure the known and good code stays in a known and good state” (to paraphrase him a bit perhaps).

    We are at a key paradigm shift point in IT systems management and security – and whitelisting for the purposes of establishing and maintaining a “known and trusted state” over the IT device usage cycle – is critical. Done well this enables high-resolution change detection for pinpoint remediation.

    If we can drive UP MTTF and drive DOWN MTTR, we add “nines” to our customer availability. If we can do that with more transparent methods, and automate those methods (”controls”), we can reduce our customers cost for delivering those “nines”.

    We look forward to the further developments from Symantec, and from the industry at large, as we all continue to our efforts to make like easier for all of users of information technology systems.

    Best regards,

    Wyatt Starnes.

  3. Mike says:

    Just passing by.Btw, your website have great content!

    Making Money $150 An Hour

  4. Wyatt says:

    Thanks Mike!


  5. Everyone loves folks that blog, it is really challenging to acquire all method of comprehension almost any means. Incredible work.

  6. НЕО-Майнкрафт…

    […]Norton 2009 and Whitelists « IT in Transition[…]…

  7. НЭО says:


    […]Norton 2009 and Whitelists « IT in Transition[…]…

  8. Hey! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly? My blog looks weird when viewing from my iphone4. I’m trying to find a template or plugin that might be able to fix
    this issue. If you have any recommendations, please share.

    Many thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: