The End of Signature-Based Antivirus Software?
nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability-related attacks. The test results were announced by the author to the focus-virus discussion list.
What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."
Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.
It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?
Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.
When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.
If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.
Is this feasible? Where's the downside?
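A minimal hash-based allow-list gatekeeper of the kind the comment describes, as an added example (not code from the post or from any antivirus product): unknown executables are blocked by default, and files already verified once are skipped on re-check. The approved hashes and the sample "programs" are constructed inline.

```python
"""Hash-based application allow-list: block anything not explicitly approved."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowListGate:
    """Allow-list decision: the default answer for an unknown file is 'block'."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)
        # Cache of files already approved once, keyed by path -> (mtime, size).
        # This is only the speed-up the comment mentions; it is safe only where the
        # file cannot be swapped with the same size and timestamp (e.g. read-only
        # system partitions). A production gate should hook execution instead.
        self.verified = {}

    def check(self, path: Path) -> str:
        st = path.stat()
        key = (st.st_mtime_ns, st.st_size)
        if self.verified.get(path) == key:
            return "allow (cached)"          # pre-existing, known-approved file
        digest = sha256_file(path)
        if digest in self.approved:
            self.verified[path] = key
            return "allow"
        return "block"                       # shiny-new-app not yet on the list


def demo() -> dict:
    """Constructed scenario: one approved program, one new program, then approval."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "approved.exe"
        good.write_bytes(b"MZ approved sample program")      # constructed sample
        new = Path(d) / "shiny-new.exe"
        new.write_bytes(b"MZ not yet vetted sample program")  # constructed sample
        gate = AllowListGate([sha256_file(good)])
        results = {"approved_first": gate.check(good),
                   "approved_again": gate.check(good),
                   "new_before_listing": gate.check(new)}
        gate.approved.add(sha256_file(new))   # publisher's hash added after review
        results["new_after_listing"] = gate.check(new)
        return results
```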