A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "How effective is whitelisting
applications compared to other antimalware defenses, and what are the most efficient ways to implement it?"
Whitelisting applications -- or only permitting explicitly allowed applications to execute and denying all others, typically based on the MD5 or SHA1 hash of the executable -- works very well provided you have the resources to maintain the list of allowed software. Prohibited applications will be automatically blocked, including those that are inadvertently placed on the user's computer when he or she visits a malicious website with an insecure browser. The ability to limit what software can execute is powerful and can dramatically improve the security of a workstation. Whitelisting is not a panacea, though, so I'll focus on the limitations of this technique.
The amount of time required to create and maintain the list of approved software, obviously, depends upon the variety of software running and how frequently it changes. In my experience, this technique works well in highly controlled environments where the software is standardized, applications are fairly limited in quantity, and users do not make changes. Examples of this sort of environment include operational equipment in a factory, special purpose systems (such as a picture processing station at your local store), or dedicated function systems in a warehouse (like data entry) or library (Internet).
Anecdotally, I remember an incident a few years ago where I tracked a worm infection down to a lab system that was an oscilloscope, which was running Windows. This system was never patched because the users didn't think of it as a computer and it never fell within IT's control; this system was a perfect candidate for application whitelisting which would have prevented the infection.
Many environments are highly dynamic with dozens, if not hundreds, of applications. Creating an inventory of all of that software is a daunting task, particularly when that list is specific to each version of the executables within each application. Increasingly, software will update itself, many times without user prompting. This is great from a security and features perspective, but increases the difficulty of explicitly allowing each version of each approved application.
There are many products available to facilitate whitelisting, and these offer varied levels of assistance in creating that list. With Windows Software Restriction Policies (SRP), you need to create and maintain that list yourself. Other vendors, such as Bit9 Inc. or CoreTrace Corp., have comprehensive libraries of software hashes to facilitate your whitelist.
Blacklisting -- which calls out specific executables that cannot run -- is a great alternative for an environment that cannot use whitelisting. There are too many instances of malware to ever include them all, but you can block applications you wouldn't want to run (perhaps file-sharing software or hacking tools). By monitoring the logs of any other antivirus product you have in place, you can use blacklists to limit the impact of any malware that begins to establish itself in your environment. If you see a few infections of a specific malware, you can add that malware's signature to your blacklist.
Approved software, including the frequently targeted Internet Explorer, can still be hijacked, so whitelisting applications is not a comprehensive solution even when the list is completely accurate. An often overlooked shortcoming of whitelisting is that it does not remove malware. Rather obvious, I know, but the ramification might not be. If one of your users has malware -- say on a USB drive -- that user will be immune to the malware since it won't execute on his or her computer. This user, however, can still infect other systems that are outside of the scope of the application whitelists (such has a customer or client) by inadvertently transmitting that file.
Of course, application whitelisting has limitations as does every other type of malware protection. For example, host IDS products that limit which applications can access the network can be bypassed by anything that uses a known executable, such as Internet Explorer. Signature-based antivirus products can't keep up with the various versions of malware and frequently don't properly stop malware they do detect. Ultimately, it comes down to the level of and type of security that you need and whether you have the resources to maintain the whitelists.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send Tom your security questions.
Join us on LinkedIn.