Whitelisting: Is It Good Enough To Replace Anti-Virus?

Anti-virus vendors have been talking up the usefulness of application whitelisting in the last year or so, but can the technology actually replace anti-virus?

Whitelisting allows a list of approved files to be used on a particular machine, so rogue or suspicious applications will be automatically blocked. The concept is not new, but has attracted more attention recently from vendors such as Symantec and McAfee as the amount of rogue applications being created continues to surge.

Pure-play whitelisting vendors such as Bit9 and CoreTrace have taken the attention as market validation. But while many say a hybrid blacklist/whitelist approach is needed, some are going further. Now, according to Wes Miller, director of product management at CoreTrace, whitelisting is more than just a compliment to anti-virus – it is the solution to thwarting malware attacks.

To back up his claim, he points to the upcoming version of CoreTrace’s Bouncer product, which works to protect memory in two ways. First it prevents a non-whitelisted dll placed in memory from infecting a whitelisted process. In addition, it offers kernel memory write protection designed to prevent a buffer overflow from tampering with the Windows kernel and starting an illegitimate process. The two features work together to improve protection versus traditional payload-only whitelisting, Miller said.

“Whitelisting isn’t just an important component, it’s the key,” he said. “Using application whitelisting as the primary enforcement mechanism, all threats are proactively stopped, and blacklisting can be used in a manner that is more fitting of a reactive solution. In short, yes, we believe whitelisting can stand alone, as many of our customers actually do just that.”

Still, whitelists have to deal with all the unknown apps out there, of which there is no shortage. Many of these are legitimate applications that are specific to certain markets or geographies, or custom applications developed for use within a company, 451 Group analyst Paul Roberts said. While whitelisting may be effective for ATMs, point-of-sale (POS) terminals and other single-purpose devices that shouldn’t run anything other than the software that allows them to perform their function, it may not translate as well for other machines, he said.

“It’s not a model that works easily with the typical enterprise laptop/desktop, where users want the freedom to add new tools or software they need to do their job,” Roberts said. “Whitelisting is still a tough sell for many enterprises that are worried about the support hit they’ll take, about hampering productivity or, even worse, pissing off C-level folks. The frustration with existing, signature based detection is making it more attractive, but I’d say its appeal is still primarily with POS and other kinds of focused deployments.”

Page: 1 2

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

View Comments

  • A full blown solution such as from CoreTrace is very powerful. And this vendor has done much to make it easier for an enterprise than its competitors.

    My firm offers a solution for the enterprise that cannot afford to enumerate all of the allowed binaries. Its a mini-white list feature from either our AppGuard or EdgeGuard security software products. They prevent unauthorized writes into Program Files and Windows directories. And, they snuff out executable launches from user-space, unless they are "guarded". User-space is where the vast majority of the baddies are because executables can be written there whether the end-user is logged in with or without local admin rights.

    BTW, user-space is desktop, My Documents, extra hard drives, etc. 'Guarded' refers to an executable that is allowed to run but prevented from writing into the common target areas of malware attacks.

    So, snuffing-out all unguarded executable launches amounts to having a mini-white list: 'what may run in user-space'. A legit example common in the enterprise is gotomeeting.exe. An il-legit one is limewire.exe.

    A full-blown white list solution, using SHA1 hash checksums, represents extremely robust protection and control. It also requires some effort to deploy and maintain. AppGuard and EdgeGuard can be fully deployed in minutes, providing protection from the vast majority of what threatens an enterprise. Thus, if you prioritize, and focus on probabilities more so than possibilities, AppGuard or EdgeGuard represent practical, effective protection. There are solutions out there that stop a higher percentage of attack vector types. However, the reality of using those alternatives is that they their complexity results in under-utilization, particularly with host intrusion prevention system (HIPS) products.

    That said, if I were going full white list, I'd go with CoreTrace. McAfee purchasing SolidCore fills me with grave doubts about McAfee's judgement.

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago