If you were to go out shopping for a new burglar alarm today, would you purchase one that triggers only when it detects a known burglar or felon in your house? I mean, that would be ridiculous, wouldn't it? It is only logical that a burglar alarm would trigger when it detects anyone other than known persons moving about - and not the other way round. Yet this is exactly how security software, or to be precise antivirus software, works. Traditional antivirus software takes up position at key locations in your computer, where it continuously scans for known malware. It does this by comparing the characteristics of all software against a database of known viruses, also known as a definition database. These databases are maintained by antivirus vendors, and customers pay for subscriptions, which fund the vendors' efforts to analyze and identify new viruses. All this information is used to update the definition database - which is in turn pushed back to the customers.
Why am I talking about this today? For one, to bring your attention to whitelisting. Implementation details vary, but in a nutshell, whitelisting works the reverse way from antivirus software: it creates a list of known "good" files on a computer, and executable files not found in that database are flagged as potential threats or even stopped from executing.
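To make the contrast concrete, here is an added example (not from this post or from any vendor mentioned here) that fingerprints files by SHA-256 and runs the same set of constructed sample "executables" through both models: a definition database that blocks only known-bad digests, and an allowlist that runs only approved digests. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Fingerprint a file; a single changed byte yields a different digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def definition_db_verdict(digest, known_bad):
    """Antivirus model: block only what the definition database already knows."""
    return "block" if digest in known_bad else "allow"


def allowlist_verdict(digest, known_good):
    """Whitelisting model: run only what was explicitly approved."""
    return "allow" if digest in known_good else "block"


def classify(path, known_good, known_bad):
    """Return (definition-db verdict, allowlist verdict) for one file."""
    digest = sha256_of(path)
    return definition_db_verdict(digest, known_bad), allowlist_verdict(digest, known_good)


def demo():
    """Constructed sample: three fake executables in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        approved = Path(d) / "approved.exe"
        approved.write_bytes(b"MZ constructed approved program")
        old_malware = Path(d) / "old_malware.exe"
        old_malware.write_bytes(b"MZ constructed sample already in definitions")
        new_malware = Path(d) / "new_malware.exe"
        new_malware.write_bytes(b"MZ constructed sample nobody has analysed yet")
        # Built when the image was approved; note that patching approved.exe
        # changes its digest, so an allowlist must be maintained as software is updated.
        known_good = {sha256_of(approved)}
        # What the vendor's definitions cover: only samples already analysed.
        known_bad = {sha256_of(old_malware)}
        return {p.name: classify(p, known_good, known_bad)
                for p in (approved, old_malware, new_malware)}


if __name__ == "__main__":
    for name, (av, wl) in demo().items():
        print(f"{name:18} definition-db: {av:5}  allowlist: {wl}")
```

The unknown sample slips past the definition database but is stopped by the allowlist, which is the whole point of the post.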
Compared with large organizations, the more manageable size of SMBs puts them in a unique position to implement whitelisting swiftly and pervasively. If you would like to check them out, a couple of vendors you might want to start with are CoreTrace and Savant Protection. As usual, this does not in any way constitute a recommendation of any sort.
Some will argue that whitelisting is a cumbersome solution, as users cannot download and install applications with impunity. On this front, consider that it is up to CIOs and managers to decide whether users should be allowed to engage in such unsafe practices on corporate assets in the first place. You might also want to take into consideration actions like the recent ban by the U.S. military of USB flash drives as well as storage devices as the organization grapples with the proliferation of malware.
At the end of the day, whitelisting is simply another tool that, if implemented properly, has a much better chance of stopping unknown threats than definition-based antivirus software.