Whitelisting: Is It Good Enough To Replace Anti-Virus?
An approved list of apps, or whitelist, is flavour of the month in security. But vendors and alanlysts question whether it can be a panacea
Anti-virus vendors have been talking up the usefulness of application whitelisting in the last year or so, but can the technology actually replace anti-virus?
Whitelisting allows a list of approved files to be used on a particular machine, so rogue or suspicious applications will be automatically blocked. The concept is not new, but has attracted more attention recently from vendors such as Symantec and McAfee as the amount of rogue applications being created continues to surge.
Pure-play whitelisting vendors such as Bit9 and CoreTrace have taken the attention as market validation. But while many say a hybrid blacklist/whitelist approach is needed, some are going further. Now, according to Wes Miller, director of product management at CoreTrace, whitelisting is more than just a compliment to anti-virus – it is the solution to thwarting malware attacks.
To back up his claim, he points to the upcoming version of CoreTrace’s Bouncer product, which works to protect memory in two ways. First it prevents a non-whitelisted dll placed in memory from infecting a whitelisted process. In addition, it offers kernel memory write protection designed to prevent a buffer overflow from tampering with the Windows kernel and starting an illegitimate process. The two features work together to improve protection versus traditional payload-only whitelisting, Miller said.
“Whitelisting isn’t just an important component, it’s the key,” he said. “Using application whitelisting as the primary enforcement mechanism, all threats are proactively stopped, and blacklisting can be used in a manner that is more fitting of a reactive solution. In short, yes, we believe whitelisting can stand alone, as many of our customers actually do just that.”
Still, whitelists have to deal with all the unknown apps out there, of which there is no shortage. Many of these are legitimate applications that are specific to certain markets or geographies, or custom applications developed for use within a company, 451 Group analyst Paul Roberts said. While whitelisting may be effective for ATMs, point-of-sale (POS) terminals and other single-purpose devices that shouldn’t run anything other than the software that allows them to perform their function, it may not translate as well for other machines, he said.
“It’s not a model that works easily with the typical enterprise laptop/desktop, where users want the freedom to add new tools or software they need to do their job,” Roberts said. “Whitelisting is still a tough sell for many enterprises that are worried about the support hit they’ll take, about hampering productivity or, even worse, pissing off C-level folks. The frustration with existing, signature based detection is making it more attractive, but I’d say its appeal is still primarily with POS and other kinds of focused deployments.”