What is Application Whitelisting?
Application whitelisting is the ability to ensure that only known, approved applications are allowed to execute. It is a practical and realistic approach to controlling which files may run on a computer: it focuses on the files that are already present and have been verified, rather than on recognising malicious files.
Application Whitelisting aims to ensure that only specifically selected programs and software libraries (DLLs) are allowed to execute, while all others are prevented from executing. This comprises the following steps:
- Identifying executables and software libraries which should be permitted to execute on a given system;
- Preventing any other executables and software libraries from running on that system;
- Preventing users from being able to change which files can be executed.
How is Application Whitelisting advantageous compared to Anti-Virus solutions?
Antivirus programs rely on signatures of known malware, so they cannot stop a threat that is not yet known to them. This leaves a time gap between the first appearance of a new piece of malware and the inclusion of its signature in the latest update from the anti-virus vendor. During this gap your system is exposed to the new malicious code: any new malware without a known signature will be allowed to run. This is what makes some targeted attacks so successful.
Application Whitelisting tools work the other way round. First, a snapshot of the computer is taken containing signatures (hashes) of all the approved programs, operating system files, drivers, and so on. Second, an agent is installed which checks every file just before it runs to confirm that it was in the original snapshot. Although this technique still uses signatures, they describe known-good files rather than known-bad ones, which gives it the major advantage of being able to block unknown code and prevent zero-day threats.
How is the white-list created and updated? How does it identify the application?
A white-list can be created by scanning folders or drives. When this "scanning" function is used, all the executable files in the folder or drive are added to the white-list. Once set up, automated delivery mechanisms or designated users can add or update applications without requiring further IT approval. Once the white-list is complete, the system enters a protected state. Each executable is typically identified uniquely by a combination of file name, file size, file path, and cryptographic hash.
How does the white-list prevent non-listed applications from executing?
When there is an attempt to execute a file, the file is checked against the white-list (its hash and, where used, its digital signature), and it is either allowed to execute or blocked accordingly. Some solutions perform the white-list check as a kernel-level service through an agent. This allows an immediate check of whether the application is on the white-list; if it is not, the agent prevents the binary from executing. Because the executable is validated before it loads, rather than during loading or immediately afterwards, the malicious code never gets the chance to do damage.
How does the white-list adjust itself for different requirements of each user?
You can maintain a single white-list to control your whole company, a different one for every department, or a separate white-list for each computer. With an agent-based solution, an administrator could install software from a CD and the white-list would automatically be updated with all of its executables.
What happens if an approved application is targeted by malware?
The approved application's hash is stored along with its trust certificate. Any change to the file, however small, produces a completely different hash. This breaks the file's digital signature and its match against the stored hash, so the modified file is prevented from executing.
- Make sure the computer is clean before installing any solution. If malware is already present, the solution will readily white-list it and allow it to run.
- Routine maintenance of the white-list must be treated as a priority.
- Make sure the solution covers both executables and software libraries. Omitting either one undermines the security of white-listing.
- White-listed executables must be identified by means other than merely file name or directory location, so that malware cannot trivially masquerade as legitimate software.
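The following Python script is an added illustration of the mechanism described above; it is not Bit9 Parity's code or any vendor's implementation. It builds a white-list by scanning a constructed temporary folder, recording each executable's name, size, path and SHA-256 hash, then makes the pre-execution allow/block decision for four attempts: an approved file, a newly dropped unknown binary, an approved library modified in place, and an unknown file renamed to an approved name. The folder layout, the file contents, the extension list and the choice of SHA-256 are all assumptions made for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of suffixes treated as executable code. It deliberately covers
# both programs and shared libraries, since omitting either weakens white-listing.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".so", ".bin"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root):
    """The 'scanning' step: record every executable under root.

    The dictionary is keyed by hash, so identification never rests on the
    file name or directory location alone; name, size and path are kept as
    supporting metadata for reporting.
    """
    whitelist = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            whitelist[sha256_of(p)] = {
                "name": name,
                "size": p.stat().st_size,
                "path": str(p),
            }
    return whitelist


def check_execution(path, whitelist):
    """The decision an agent makes just before a file loads.

    Returns (allowed, reason). Only the content hash decides; a matching
    name with a different hash is reported as a modified file or an impostor.
    """
    p = Path(path)
    if not p.is_file():
        return False, "file not found"
    entry = whitelist.get(sha256_of(p))
    if entry is not None:
        return True, "matches approved " + entry["name"]
    if any(e["name"] == p.name for e in whitelist.values()):
        return False, "hash mismatch for known file name (modified or impostor)"
    return False, "not on whitelist"


def demo():
    """Constructed scenario: one clean scan, then four execution attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ approved program v1")
        (root / "helper.dll").write_bytes(b"MZ approved library v1")
        (root / "readme.txt").write_bytes(b"not code, ignored by the scan")
        wl = build_whitelist(root)

        # 1. An approved program is allowed.
        approved = check_execution(root / "app.exe", wl)
        # 2. A binary dropped after the snapshot is blocked without needing
        #    any malware signature: it simply is not on the list.
        (root / "dropper.exe").write_bytes(b"MZ never seen before")
        unknown = check_execution(root / "dropper.exe", wl)
        # 3. An approved library modified in place: its hash changes, so the
        #    stored hash no longer matches and it is blocked.
        (root / "helper.dll").write_bytes(b"MZ approved library v1 + injected code")
        tampered = check_execution(root / "helper.dll", wl)
        # 4. Unknown code renamed to an approved file name in another folder:
        #    name and location do not help, the hash still does not match.
        (root / "sub").mkdir()
        (root / "sub" / "app.exe").write_bytes(b"MZ never seen before")
        impostor = check_execution(root / "sub" / "app.exe", wl)

        return {
            "whitelist_size": len(wl),
            "approved": approved,
            "unknown": unknown,
            "tampered": tampered,
            "impostor": impostor,
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Note that the scan in step 1 white-lists whatever it finds, which is why the page insists the machine must be clean before the snapshot is taken: had `dropper.exe` been present during `build_whitelist`, it would have been approved like everything else.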
Bit9 Parity is a leading Application Whitelisting solution that ensures the integrity of endpoints and of the technical infrastructure supporting the business.
Bit9 Parity features:
- Discovers all applications running on endpoints.
- Evaluates a trust factor and performance against the security policy.
- Makes real-time allow/block decisions on running application programs based on the organisation's software policies.
- Uses the software registry, a locally installed management server and a client to enforce software policies throughout the enterprise.
How can we help you?
Our team of experts guides you in choosing the most appropriate solution, one that provides proper security for your organisation while generating maximum ROI. We have partnered with Bit9 Parity, a leader in Application Whitelisting. Our solutions team is well versed in the use and deployment of Bit9 Parity and has successfully deployed it for many of our clients with a high rate of satisfaction.