Skip Links

Application whitelisting is a viable option when you can leverage software signing

By Jamie Bodley-Scott, account director, systems integrators, Cryptzone, special to Network World
October 12, 2012 03:48 PM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Thirty years ago IBM launched the XT5160 -- the first hard drive DOS-based PC. But the computer virus, nowadays so seemingly tied to the PC, actually appeared almost a decade earlier. It took until 1986 for these two threads to come together and the first PC virus, Brain, was born. By 2000, networks we spreading and so were worms like ILOVEYOU, which was considered one of the most damaging.

Today we still fight viruses and worms, but the scale of the problem has changed (some efforts are backed by nation-states) and many attacks are now targeted at specific companies, machines, types of infrastructure or geography. Luckily application whitelisting tools that leverage software signing can help contend with the evolved threat.

MORE: Whitelisting pushing out antivirus at some security-minded retailers

ROUNDTABLE DISCUSSION: See it, protect it, control it

While virtually all companies today use antivirus programs, these tools rely on a snapshot of the signatures of the bad stuff, so they don't know what they don't know. When there is a new threat with no known signature, it will be allowed to run. This is why some targeted attacks are so successful.

Application whitelisting tools, on the other hand, have two parts. Firstly a snapshot of the computer is made which will contain signatures for all the programs, operating system elements, drivers, etc. Second, an agent is installed which checks everything just before it runs to make sure it was in the original snapshot. Even though this technique still uses signatures, it has the major advantage of being able to block unknown code and prevent what is now know as "zero-day threats."

Application whitelisting

So why so we still have to put up with antivirus tools when we have application whitelisting? Both techniques use signatures (in part) and signatures need to be generated and managed, a fact that has gotten increasingly onerous.

The amount of bad stuff grows daily, and some antivirus signature files today contain in the region of 20 million signatures. And when it comes to taking a snapshot of a PC for whitelisting, a signature file for a standard operating system such as Windows XP Professional will contain something like 50,000 signatures.

By solving the problem of signature management, so that systems can be controlled by an organization's own signature files and those of trusted third parties, much of the administrative overhead is removed and we solve the problem of why application whitelisting is not as widely adopted as logic would suggest it should be.

Most companies hope they never see any bad stuff and have no expertise in the dark science of understanding them. So it is sensible that both the generation and updating of antivirus signatures be "outsourced" to the experts, and that is how the industry has developed.

Application whitelisting appears to require the opposite approach. Because PCs are unique to every organization, then the organization itself would be required to both generate and update the signatures of the good stuff. This might take quite a lot of time and effort -- and appears counter to the current trend of increasing amounts of IT outsourcing. There is also the issue of diversity to handle as well. With antivirus the same signature file can be applied to every machine, but with application whitelisting the worst-case scenario might be that the signature file of every PC is different.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News