A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "How effective is whitelisting applications compared to other antimalware defenses, and what are the most efficient ways to implement it?"
Anecdotally, I remember an incident a few years ago where I tracked a worm infection down to a lab system that was an oscilloscope, which was running Windows. This system was never patched because the users didn't think of it as a computer, and it never fell within IT's control; this system was a perfect candidate for application whitelisting, which would have prevented the infection.
Many environments are highly dynamic, with dozens, if not hundreds, of applications. Creating an inventory of all of that software is a daunting task, particularly because a hash-based whitelist entry identifies one exact build of one executable, so the list must cover every version of every executable within each application. Increasingly, software updates itself, often without prompting the user. This is great from a security and features perspective, but every update produces new executables with new hashes, each of which must be explicitly allowed before the updated application will run.
There are many products available to facilitate whitelisting, and they offer varied levels of assistance in creating that list. With Windows Software Restriction Policies (SRP), the mechanism built into Windows and managed through Group Policy, you create and maintain the list yourself. Other vendors, such as Bit9 Inc. or CoreTrace Corp., maintain comprehensive libraries of software hashes to seed your whitelist.
Blacklisting -- which calls out specific executables that cannot run -- is a weaker but workable alternative for an environment that cannot use whitelisting. There are too many instances of malware to ever include them all, but you can block applications you wouldn't want to run anyway (perhaps file-sharing software or hacking tools). By monitoring the logs of any antivirus product you have in place, you can use blacklists to limit the spread of malware that begins to establish itself in your environment: if you see a few infections of a specific piece of malware, add its hash to your blacklist. Bear in mind that a recompiled or repacked variant has a different hash and will not match that entry.
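To make the trade-off between the two approaches concrete, here is an added example (not from the original column, and not any vendor's product or SRP itself) that models hash-based application control in a few dozen lines. The executables are constructed byte strings standing in for real program images, the `Policy` class and the scenario names are this example's own, and the decisions it makes are exactly the ones discussed above: a whitelist blocks an auto-updated build it has never seen and blocks unknown malware outright, while a blacklist lets the update through, lets the malware through until someone adds its hash, and lets a recompiled variant through again.

```python
"""Allowlist versus denylist by executable hash (added illustration, not product code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(image: bytes) -> str:
    """Hash of an executable image; hash rules in SRP-style policies key on this."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Policy:
    """Minimal application-control policy: one mode, two hash tables (hypothetical)."""
    mode: str                                              # "allowlist" or "denylist"
    allowed: dict[str, str] = field(default_factory=dict)  # sha256 -> label
    denied: dict[str, str] = field(default_factory=dict)   # sha256 -> label

    def decide(self, image: bytes) -> tuple[bool, str]:
        """Return (may_run, reason) for an executable image."""
        h = sha256(image)
        if self.mode == "allowlist":
            if h in self.allowed:
                return True, "allowed: " + self.allowed[h]
            return False, "blocked: hash not on allowlist"
        if self.mode == "denylist":
            if h in self.denied:
                return False, "blocked: " + self.denied[h]
            return True, "allowed: hash not on denylist"
        raise ValueError("unknown mode " + self.mode)


# Constructed stand-ins for executables (opaque bytes, not real PE files).
SCOPE_V1 = b"MZ scope-control 1.0"
SCOPE_V2 = b"MZ scope-control 1.1"        # self-updated build: same app, new bytes
WORM = b"MZ autorun dropper"              # malware nobody has inventoried yet


def allowlist_from_inventory(inventory: dict[str, bytes]) -> dict[str, str]:
    """Build hash -> label from an inventory of approved executables."""
    return {sha256(img): label for label, img in inventory.items()}


def run_scenarios() -> dict[str, bool]:
    """Exercise both modes; returns may_run per (mode, image) so callers can check it."""
    results: dict[str, bool] = {}

    # Allowlist built from the inventory taken on day one: only 1.0 is known.
    allow = Policy("allowlist",
                   allowed=allowlist_from_inventory({"scope-control 1.0": SCOPE_V1}))
    results["allow:v1"] = allow.decide(SCOPE_V1)[0]       # True
    results["allow:v2"] = allow.decide(SCOPE_V2)[0]       # False: the update broke the rule
    results["allow:worm"] = allow.decide(WORM)[0]         # False: unknown code never runs

    # Denylist starts empty; nothing is blocked until someone sees an infection.
    deny = Policy("denylist")
    results["deny:worm-before"] = deny.decide(WORM)[0]    # True: not yet listed
    results["deny:v2"] = deny.decide(SCOPE_V2)[0]         # True: updates are no problem

    # A responder sees the worm in antivirus logs and adds its hash.
    deny.denied[sha256(WORM)] = "autorun dropper seen on lab hosts"
    results["deny:worm-after"] = deny.decide(WORM)[0]     # False

    # A recompiled variant of the same worm has a new hash and runs again.
    results["deny:worm-variant"] = deny.decide(WORM + b" v2")[0]   # True

    return results


if __name__ == "__main__":
    for key, ok in run_scenarios().items():
        print(f"{key:20s} {'run' if ok else 'BLOCK'}")
```

The `allow:v2` and `deny:worm-variant` lines are the two maintenance costs in miniature: a whitelist needs a new entry every time an approved program changes, while a blacklist needs a new entry every time the attacker changes.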
Of course, application whitelisting has limitations, as does every other type of malware protection. For example, host IDS products that limit which applications can access the network can be bypassed by malware that rides on a known, permitted executable such as Internet Explorer, and a whitelist that allows that executable has the same blind spot. Signature-based antivirus products can't keep up with the various versions of malware and frequently don't properly stop malware they do detect. Ultimately, it comes down to the level and type of security that you need and whether you have the resources to maintain the whitelists.

Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
This was first published in June 2010