Kaspersky Lab allowlists technology approved by AV-Test

The technology of dynamic allowlists by Kaspersky Lab has been recognized by the independent institute AV-Test.org.

The technology of dynamic allowlists by Kaspersky Lab has been recognized and certified as approved by the independent institute AV-Test.org. During the rigorous testing by AV-TEST, Kaspersky Lab’s technology yielded more than impressive results in all categories.

AV-Test experts considered five parameters in testing the performance of our allowlists technology: the legitimate software database coverage, the overall quality, the performance speed, the number of false positives and the quality of Default Deny mode. The point of reference was AV-TEST’s own database of 20 million unique files. The Kaspersky Lab’s solution scored high in all tests. The audit showed successful detection of 97.5% of all software used in the corporate sector, and of 96% of domestic software, including all the important files for Windows 8, which means that the Default Deny mode is now supported on Windows 8 machines. No false positives were reported.

What are allowlists? Strictly speaking, there are two basic information security approaches. The first one is traditional; it suggests that in the information systems any applications are allowed to start by default, unless they are already blocked as malware. The second approach involves launching registered applications only that have been entitled on the allowlist. Everything other application is blocked by default. Use of denylists is a more traditional approach. Unfortunately, this Default Allow method is in fact a snowballing arms race with the authors of malware.

According to our estimates, more than 200,000 new malicious programs appear on the Internet daily. Antivirus software companies have to promptly analyze huge amounts of input information – terabytes of data, tens of millions of files a day. The software being assessed comprises three main categories: known malware, known secure software and unspecified software. Programs of the latter category sometimes appear to contain scarcely detectible malicious code, for virus writers keep honing their skills. Eventually, that unspecified software tends to be dangerous as well as known malware.

The traditional security approach involves blocking known threats, including well-known patterns of malicious behavior. However, the Default Allow method is only effective when a particular piece of malware has been detected, analyzed, rendered malicious and the relevant information about it has been added to antivirus databases. However, in case of a targeted attack malefactors are interested, among other things, in using a unique tool (i.e. the malicious code). Then it’s not in a denylist yet, the fact reducing the possibility of malware being detected by security products.

The cases of Stuxnet, Duqu and Flame demonstrate that traditional ways of protection are virtually ineffective against some of the new threats and targeted attacks. Consequently, the requirements to secure corporate networks increase on and on. In this situation antivirus software developers face the task of finding additional technologies that can significantly increase the level of protecting corporate networks. Allowlist security approach uses relies on a database of legitimate software. The method of forbidding everything but for what’s been allowed (Default Deny) is to block any application that is not on the list of “good” software.

Allowlists less popular than denylists for several reasons. Firstly, the Default Allow method is habitually traditional. Secondly, allowlists are notorious restrictions that are unpopular not only among end users, but sometimes in IT-departments, too. Thirdly, the Default Deny method is believed to be extremely difficult to implement. The Kaspersky Lab’s solution has been developed just to simplify the introduction of allowlists and make IT pros’ lives easier.

Among the problems that the allowlists solve are “non-productive” programs and services (communicators, P2P clients, games, where the internal corporate policy allows installing them), uncertified software and, finally, remote control utilities that give access to computers without the users knowing or confirming it. A corporate network may eventually collect a whole stock of software without a clear notion of who and when installed this or that program, which may never poise an explicit threat (from the point of view of antivirus at least), but is abstractly capable to serve as a medium for hostile elements to penetrate the corporate network. Our solutions allow to basically restore order with the help of banning any inappropriate application under centralized control.

The efficiency of the Default Deny approach is determined by a number of factors. In the first place, the “prohibitive” algorithm must recognize trustworthy files and produce minimum of false positives. There’s essentially the only way to provide it creating a massive and detailed database of legitimate software in worldwide use. Accordingly, the quality of solutions using allowlists directly depends on the size of authorized software database and its relevance. The effective solution of this kind must recognize as many unique files in popular (even not so) use as possible, and needs to be regularly updated.

Lots of new legitimate applications and upgrades of existing software are produced daily. Therefore, there have to be rapid and automatic updates of the software database from various sources in different regions of the world. This updates should run automatically, because these are huge amounts of information (as in the case of new malicious programs appearing every day). For these purposes dynamic allowlist database providers deploy mechanisms that monitor the development of software and load new applications and partners with key software developers around the world.

The database of our dynamic allowlist solution contains more than 700 million unique files; in addition, it is constantly updated by Kaspersky Lab and our three hundred partner vendors.

AV-Test was not the first to confirm the high quality of Kaspersky Lab’s dynamic allowlist database: in 2011 it was proven by independent testing in West Coast Labs. According to the test results our database recognized 94% of the net software available in the world at that time. The tests by AV-TEST appear to yield even better results now.