Enterprise Application Whitelisting


McAfee Antivirus False Positive Debacle

Posted by Kate Munro on Fri, Apr 23, 2010

1. The McAfee debacle this week reveals, yet again, the problems with blacklisting. It is another story of a signature update that falsely identifies a legitimate file as malicious. It is not surprising, in fact it is perfectly predictable, that the damage caused by such mistakes keeps getting worse: blacklist-based antivirus is ubiquitous, and there is growing pressure to push out signatures faster and faster to keep pace with malware. That pressure exists on the AV vendor's side, to get the signatures out the door, and on the customer's side, where updates are often made live without being tested first.

What happened: According to news reports, McAfee pushed its daily signature update to its corporate customers. These updates are meant to detect and remove threats, and this one included detection for the "W32/wecorl.a" virus. Instead, the update wrongly flagged the critical Windows system file "svchost.exe" on Windows XP Service Pack 3 (SP3) as malware and quarantined it, removing it from its normal location; in some cases the file was deleted outright. Because svchost.exe hosts core Windows services, an affected machine is not usable until the file is restored, so IT staff around the world had to do a lot of manual repair to get their machines working again.

2. On Bit9 technology: The Bit9 Global Software Registry (GSR) gathers and classifies trust information on millions of known files and packages. The file in question here, svchost.exe, which McAfee's update flagged as malware, was clearly whitelisted in the GSR with our highest trust rating.

3. Bit9 works with antivirus vendors, providing them access to the GSR to eliminate false positives such as the one that crippled hundreds of thousands of systems the other day. Having the world's largest corpus of trusted files is a critical asset, not only to support application whitelisting and proactive security, but also to remediate the flaws of blacklisting and reactive security.

4. On Parity customers: Bit9 Parity customers have access to the Bit9 Global Software Registry through our Parity Knowledge service. Essentially this is a cloud-based "background check" on files: it returns metadata about each file, including a Trust Rating. A number of our customers who run McAfee AntiVirus alongside application whitelisting were hit by the flawed McAfee update, and were able to use our trust ratings to quickly rule out an actual attack and pinpoint the signature update as the cause of their problems. Parity's Live Inventory and live event tracking give our customers real-time visibility into the trust rating of every file in their enterprise and into all executable file activity. We heard from a number of customers, including a large hospital, that used the live inventory to quickly identify the problem. Being able to monitor all software on endpoints, live, gives IT and security managers the ability to quickly identify problems, even when those problems are caused by other security products running on the endpoints.
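As an added illustration of the triage this paragraph describes (example code written for this page, not Bit9's Parity Knowledge or McAfee code), the script below reconciles antivirus quarantine events against a hash-keyed trust registry. The registry, the 0-10 trust scale, the threshold of 8, the event fields and the file contents are all assumptions; the hashes are of constructed byte strings, not of any real Windows binary or malware sample. What it adds beyond the paragraph is the decision logic: a file the AV product quarantined but the whitelist rates as trusted is a probable false positive, an unknown file still needs investigation, and a file that was deleted outright with no hash logged cannot be checked at all, which is why having the hash or a live inventory from before the quarantine matters.

```python
"""Triage antivirus quarantine events against a whitelist of known-good hashes.

Added example, not Bit9 or McAfee code. The trust registry, the file contents
and the quarantine events below are all constructed for illustration.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

TRUSTED_THRESHOLD = 8  # assumed cutoff on a 0-10 rating at or above which a file is "known good"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for real binaries. Their hashes are NOT
# the hashes of any actual Windows system file or malware sample.
_SVCHOST_STANDIN = b"MZ\x90\x00constructed stand-in for svchost.exe (XP SP3)"
_WECORL_STANDIN = b"MZ\x90\x00constructed stand-in for a W32/wecorl.a sample"
_UNKNOWN_STANDIN = b"MZ\x90\x00constructed in-house tool nobody has catalogued"

# Constructed stand-in for a file-reputation registry keyed by SHA-256.
# A real deployment would query a registry service by hash instead of a local dict.
TRUST_REGISTRY: Dict[str, dict] = {
    sha256_hex(_SVCHOST_STANDIN): {"name": "svchost.exe", "publisher": "Microsoft", "trust": 10},
    sha256_hex(_WECORL_STANDIN): {"name": "W32/wecorl.a", "publisher": None, "trust": 0},
}


@dataclass
class QuarantineEvent:
    host: str
    path: str
    detection: str            # detection name reported by the AV product
    sha256: Optional[str]     # hash the AV product logged, if any
    content: Optional[bytes]  # quarantined copy of the file; None if it was deleted outright


def triage(event: QuarantineEvent) -> str:
    """Classify one AV quarantine event using the whitelist rather than the AV verdict."""
    # Prefer hashing the surviving quarantined copy; fall back to the logged hash.
    digest = sha256_hex(event.content) if event.content is not None else event.sha256
    if digest is None:
        return "INVESTIGATE_NO_HASH"      # file is gone and nothing was recorded: nothing to look up
    entry = TRUST_REGISTRY.get(digest)
    if entry is None:
        return "INVESTIGATE_UNKNOWN"      # neither whitelisted nor known bad
    if entry["trust"] >= TRUSTED_THRESHOLD:
        return "PROBABLE_FALSE_POSITIVE"  # a trusted file was quarantined: the signature is suspect
    return "CONFIRMED_MALICIOUS"


def suspect_signatures(events: List[QuarantineEvent], min_hosts: int = 2) -> Dict[str, int]:
    """Detection names that quarantined a trusted file on at least min_hosts distinct hosts.

    One detection name hitting the same whitelisted file across many machines
    points at the signature update as the cause, not at an outbreak.
    """
    hosts_by_detection: Dict[str, set] = defaultdict(set)
    for ev in events:
        if triage(ev) == "PROBABLE_FALSE_POSITIVE":
            hosts_by_detection[ev.detection].add(ev.host)
    return {det: len(hosts) for det, hosts in hosts_by_detection.items() if len(hosts) >= min_hosts}


# Constructed events modelled on the incident described above ("Example.det" is a made-up name).
SAMPLE_EVENTS = [
    QuarantineEvent("ws-101", r"C:\WINDOWS\system32\svchost.exe", "W32/wecorl.a", None, _SVCHOST_STANDIN),
    QuarantineEvent("ws-102", r"C:\WINDOWS\system32\svchost.exe", "W32/wecorl.a", sha256_hex(_SVCHOST_STANDIN), None),
    QuarantineEvent("ws-103", r"C:\WINDOWS\system32\svchost.exe", "W32/wecorl.a", None, None),
    QuarantineEvent("ws-104", r"C:\Temp\update.exe", "W32/wecorl.a", None, _WECORL_STANDIN),
    QuarantineEvent("ws-105", r"C:\Tools\inhouse.exe", "Example.det", None, _UNKNOWN_STANDIN),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host:7} {ev.detection:14} {ev.path:36} -> {triage(ev)}")
    print("signatures to hold back or roll back:", suspect_signatures(SAMPLE_EVENTS))
```

Run it directly to print one verdict per event. Note that ws-103, where the file was deleted and no hash was logged, cannot be cleared by the whitelist at all; a single detection name that quarantines the same whitelisted file on several hosts is reported as a signature to hold back or roll back rather than as an outbreak.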
