Commentary: Microsoft can help kill fake antivirus threat

By kaneda
 
Oct 21, 2009 2:30 PM
Tags: microsoft | fraud | symantec | security | trend | mcafee | av | antivirus | threat | fake | cyber | criminal

Redmond should whitelist legitimate security firms.

Earlier this week, Symantec revealed that 42 million fake antivirus applications were downloaded last year.

It seems consumers are being duped into paying between $30 and $100 for software that basically hands full control of their computer over to cybercriminals.

The problem, according to Symantec, is that it's almost impossible for a consumer to tell the difference between a legitimate security application and a fake one. Blacklisting the fakes doesn't work either, because new ones spring up faster than they can be catalogued.

"You really can't tell the difference anymore," said Rob Pregnall, a senior manager of Symantec's endpoint security. "They change all the time. If we could say, 'look for the one with the squiggly face in the top left corner,' it would be different by 11am - they would have changed it."

Below is a screenshot of one fake security warning that appeared on my laptop earlier this year. In this particular case it had virtually no chance of fooling me because it was displaying Windows dialogue boxes and fonts on my MacBook. But as you can see, it is pretty convincing.

Pregnall suggested that users rely on the same 'sixth sense' that helps them differentiate between legitimate emails and spam. Unfortunately, even savvy users are vulnerable to social engineering attacks - and these criminals spread their nets fairly wide so even if they only hook a few fish each time, they make a healthy profit.

Symantec's research claims 42 million fake AV apps were downloaded in 2008 and that victims paid between US$30 and US$100 for each one. Taking the lowest price point, and assuming every download was paid for (Symantec's figure counts downloads, not purchases), that comes to US$1.26bn.

According to Gartner figures, in terms of revenue alone, fake antivirus products in 2008 generated more money than Trend Micro (US$938m) and almost as much as McAfee (US$1.47bn). Symantec still towers over the rest with 2008 revenues of almost US$3bn.

I can't help but be impressed by the fake AV makers for being so successful in a market so competitive it has already beaten off the likes of Microsoft, which recently launched a free antivirus application, Microsoft Security Essentials, to replace its unsuccessful Windows Live OneCare product.

A solution

Ironically, I believe Microsoft could save the world from fake security applications by introducing a whitelist for apps from legitimate security firms.

This would mean that Symantec, Trend, AVG, Kaspersky and the rest would have to work with Microsoft to ensure their products were recognised as 'genuine' security applications.
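As an added example (not code from this article, nor from Microsoft, Symantec or any other vendor): one practical way to key such a whitelist is on the Authenticode signing certificate of the installer rather than on its name or its look, because Windows already verifies those signatures. A fake can copy a real vendor's logo and dialogs, but it cannot produce a valid signature under that vendor's key. The Test-SecurityAppAllowed function and the certificate thumbprints below are hypothetical placeholders, not real vendor certificates.

```powershell
# Added example: allowlist of "genuine" security publishers, keyed on the
# thumbprint of the Authenticode signing certificate. The thumbprints are
# PLACEHOLDERS (assumed, not real); replace them with values you have verified.
$AllowedSecurityPublishers = @{
    '0000000000000000000000000000000000000001' = 'Example AV Vendor A (placeholder)'
    '0000000000000000000000000000000000000002' = 'Example AV Vendor B (placeholder)'
}

function Test-SecurityAppAllowed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $Allowlist = $AllowedSecurityPublishers
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Publisher = $null; Reason = 'file not found' }
    }

    # Get-AuthenticodeSignature checks the signature and that the certificate
    # chains to a trusted root. Anything other than 'Valid' (NotSigned,
    # HashMismatch, UnknownError, ...) is rejected outright: an unsigned or
    # tampered installer never gets as far as the allowlist comparison.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Publisher = $null; Reason = "signature status: $($sig.Status)" }
    }

    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject

    if ($Allowlist.ContainsKey($thumb)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true; Publisher = $Allowlist[$thumb]; Reason = 'signer on allowlist' }
    }

    # Validly signed, but by someone who is not a recognised security vendor.
    # This is the case a fake AV with its own (cheap) code-signing certificate
    # would fall into: the name in $subject is bound to a key, but it is not
    # one of the publishers the list vouches for.
    return [pscustomobject]@{ Path = $Path; Allowed = $false; Publisher = $null; Reason = "valid signature, but signer '$subject' is not on the allowlist" }
}

# Usage: vet every installer in the Downloads folder before anything is run.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter '*.exe' |
    ForEach-Object { Test-SecurityAppAllowed -Path $_.FullName } |
    Format-Table Path, Allowed, Publisher, Reason -AutoSize
```

Two caveats a practitioner would raise straight away. The check only gates files that are actually submitted to it; nothing in it forces an installer to declare itself a security product, which is the hole the comments on this article point out. And its value rests entirely on who controls the list and how the entries get there: a stolen or fraudulently issued vendor certificate passes just as cleanly as a legitimate one, so the list needs a revocation path as much as an admission path.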

Pregnall agrees whitelists are the future but is under no illusion that the problem will be easy to fix - especially if it means Symantec would have to start playing nice with Microsoft.

"I think the whitelisting argument is going to get considerable consideration in the future. There are obviously huge challenges in resourcing it and with different applications, files, patch updates etc - to keep away annoying alerts.

"However, reputation and whitelisting is definitely part of the way forward," he said.

I asked Microsoft about where it stands on the whitelisting front and about the potential obstacles to developing such a solution but as yet, Redmond has remained silent.

This might be understandable, as the company is preparing to launch Windows 7 tomorrow. I will keep asking them and try to report back to you next week.

In the meantime, I'd love to know what you think. Would whitelisting solve the issue? Is there a better way? How can you tell a fake security app from a real one? Do you care?


 
Comments: 5
doctorcain
Oct 21, 2009 4:44 PM
Fantastic idea. Unfortunately it sounds far too practical to be readily adopted by any big business ;)

My only concern would be that a smaller outfit could have difficulty becoming certified or not wish to do so at all similar to WHQL driver certifications.

The benefits in my mind outweigh the negatives but to be successful the system would have to be accessible and transparent.
tallguy
Oct 21, 2009 6:38 PM
How would the whitelist work? To start with, you could not practically apply this policy to all types of applications without completely changing the ground rules of Windows (i.e. you can run anything). Therefore I guess it would have to be confined to just security apps. Either that or there would be a lot of legal action against MS...

So, an app tries to install as a security app, isn't on the whitelist, and fails. Of course, the installer program could always just tell the user that it is a security app, but maybe forget to tell the OS and then avoid the whitelist altogether.
Mordd
Oct 21, 2009 8:13 PM
Hmm, I think tallguy is right, unless you applied this to all apps, how would the OS identify what type of app it was and whether to compare it against the whitelist or not, and there's bound to be false alerts and missed red flags of different legitimate and fake apps as a result.

It's a fantastic idea in theory, but even if the OS could differentiate, then there is the problem that Microsoft would want a certification process as stringent as WHQL which would inevitably lock out smaller vendors from being able to compete in that product market, although whether that would be overall a bad thing or not is another question in and of itself.....
Raven999
Oct 22, 2009 2:03 PM
How about a smaller version of system restore that simply restores all core dlls and IE core files to their original versions - along with a similar type of restore for the registry. That way when a user is dumb enough to fall for a fake software they can go to Start -> All programs -> I got tricked option - which lets them do a quick restore of the original files. While this may kill some installations of legit apps - it serves a greater purpose - and would be easier to implement; though still being a cure rather than prevention.
kaneda
Oct 26, 2009 4:26 PM
A MS-managed whitelist could also backfire and produce negative results for consumers - what if Microsoft go down this path, then charge an arm & a leg for the right to be "whitelisted" ?

Or MS decides they don't like you and prevents you from obtaining certification ?

It could quite easily end up as another court action waiting to happen ...