Network World
Implicit whitelisting blocks malware instead of productivity

IT Best Practices Alert By Linda Musthaler, Network World
March 05, 2010 10:55 AM ET
Amit Yoran, security consultant and former director of the U.S. Department of Homeland Security's National Cyber Security Division, says that tools like antivirus software are effective against only 25% to 40% of cyber threats. "It's necessary but inadequate," according to Yoran. A more effective approach to cyber security is to layer multiple complementary tools and solutions.

One of the layers you might be interested in implementing is application whitelisting: specifying the set of applications that are permitted to run on a computer or network, and denying execution to everything else. Whitelisting is very effective at blocking undesirable programs such as viruses, malware and peer-to-peer file sharing. Unfortunately, it is just as effective at blocking legitimate productivity applications that have not been explicitly added to the "approved" list. Many users find whitelisting too disruptive when they have to contact someone to approve an application and add it to the list before they can work.


Savant Protection offers a different slant on application whitelisting. Savant's solution automatically creates a unique whitelist for each individual device, and that list becomes the sole authority on what is permitted to run on that specific device. This eliminates the need for complex policies and a centralized whitelist database.

You start by installing a Savant client on each computer you want to protect. The client scans the system drives to identify the existing executables and other files containing code that will run on the CPU. For each file it identifies, Savant generates a unique key that it permanently assigns to that file on that specific device. The keys are encrypted and stored locally. From that point on, any new executable that has no key assigned to it cannot run. So, for example, if malware does make its way onto the device, it simply dies on the vine because it has no key that lets it run.

Of course, there are times when you want to install new software or updates to existing software. In this case, Savant allows a trusted agent that you specify to automatically install and whitelist trusted applications. Examples of trusted agents include Windows Updates, antivirus agents and desktop configuration agents. This allows you to keep the computers current with all patches and updates without having to intervene to add the new executables to the whitelist.

The next obvious question is, what if you automatically whitelist something bad when you first install the client software? For example, what if a PC already has botnet malware installed on it and you don't know about it? The Savant client will whitelist that malware and give it a key to run on that specific machine. The malware keeps running on that one device, but it cannot move to other protected devices on your network and run there, because the key assigned to it is valid only on the device where it was issued. The effect is a piece of malware contained to the machine it was already on.
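The three mechanics described above (enroll what is already on the disk, let only a trusted agent add new entries, and issue keys that are worthless on any other device) can be modeled in a few dozen lines. The following is an added illustration, not Savant's code: the article does not say how the per-file keys are derived, so this model assumes each key is an HMAC of the file's SHA-256 digest under a secret that exists only on that device. Device names, paths and the byte strings standing in for executables are constructed for the example.

```python
"""Toy per-device application whitelist (added example, not Savant Protection's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class DeviceWhitelist:
    """A file may run on this device only if this device holds a matching key for it.

    Assumption (not from the article): key = HMAC-SHA256(device_secret, SHA256(file)).
    A key copied from another device never validates here, and a modified file no
    longer matches its own key.
    """

    def __init__(self, device_id: str, device_secret: Optional[bytes] = None) -> None:
        self.device_id = device_id
        self._secret = device_secret or secrets.token_bytes(32)  # never leaves the device
        self._keys: Dict[str, str] = {}          # path -> key (would be encrypted on disk)
        self._trusted_agents: Set[str] = set()   # e.g. a patching or AV agent

    def _key_for(self, content: bytes) -> str:
        digest = hashlib.sha256(content).digest()
        return hmac.new(self._secret, digest, hashlib.sha256).hexdigest()

    def enroll_existing(self, files: Dict[str, bytes]) -> int:
        """Initial scan: everything already present gets a key, good or bad."""
        for path, content in files.items():
            self._keys[path] = self._key_for(content)
        return len(self._keys)

    def trust_agent(self, agent: str) -> None:
        self._trusted_agents.add(agent)

    def install(self, agent: str, path: str, content: bytes) -> None:
        """Only a trusted agent may add a new executable to this device's list."""
        if agent not in self._trusted_agents:
            raise PermissionError(f"{agent!r} is not a trusted agent on {self.device_id}")
        self._keys[path] = self._key_for(content)

    def may_execute(self, path: str, content: bytes) -> bool:
        key = self._keys.get(path)
        if key is None:
            return False  # unknown executable: no key, so it does not run
        return hmac.compare_digest(key, self._key_for(content))

    def export_key(self, path: str) -> str:
        return self._keys[path]

    def import_key(self, path: str, key: str) -> None:
        """What spreading malware would have to do: bring its key along."""
        self._keys[path] = key


def demo() -> Dict[str, bool]:
    """Walk through the scenarios in the article; every value should be True."""
    # Constructed stand-ins for binaries; the bytes are arbitrary.
    word = b"MZ\x90\x00word-processor"
    botnet = b"MZ\x90\x00botnet-agent"      # already present on PC-A before enrollment
    dropper = b"MZ\x90\x00fresh-dropper"    # arrives after enrollment
    patch = b"MZ\x90\x00vendor-patch"

    pc_a = DeviceWhitelist("PC-A")
    pc_b = DeviceWhitelist("PC-B")
    pc_a.enroll_existing({"C:/apps/word.exe": word, "C:/temp/svchost.exe": botnet})
    pc_b.enroll_existing({"C:/apps/word.exe": word})
    for pc in (pc_a, pc_b):
        pc.trust_agent("windows-update")

    r: Dict[str, bool] = {}
    r["existing_app_runs"] = pc_a.may_execute("C:/apps/word.exe", word)
    r["new_dropper_blocked"] = not pc_a.may_execute("C:/temp/dropper.exe", dropper)
    r["tampered_app_blocked"] = not pc_a.may_execute("C:/apps/word.exe", word + b"\x90")

    pc_a.install("windows-update", "C:/apps/patch.exe", patch)
    r["patch_via_trusted_agent_runs"] = pc_a.may_execute("C:/apps/patch.exe", patch)
    try:
        pc_a.install("random-installer", "C:/temp/tool.exe", dropper)
        r["untrusted_agent_rejected"] = False
    except PermissionError:
        r["untrusted_agent_rejected"] = True

    # Malware enrolled at install time keeps running on PC-A ...
    r["enrolled_malware_runs_on_a"] = pc_a.may_execute("C:/temp/svchost.exe", botnet)
    # ... but copying the file and its key to PC-B does not help: PC-B's secret differs.
    pc_b.import_key("C:/temp/svchost.exe", pc_a.export_key("C:/temp/svchost.exe"))
    r["enrolled_malware_contained"] = not pc_b.may_execute("C:/temp/svchost.exe", botnet)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'ok' if ok else 'FAIL'}")
```

The `enrolled_malware_runs_on_a` line is the honest part of the model: whitelisting at enrollment time only freezes the current state of the disk, which is why the vendor's advice to scan and clean first matters.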

To prevent the malware from ever being whitelisted in the first place, Savant Protection recommends that you run your antivirus software, conduct system scans and clean up your devices as thoroughly as possible before installing the Savant client. While it is possible that malware and other undesired applications get whitelisted, at least they are contained on that one device and cannot replicate to other protected devices. As Mr. Spock once famously said, "The needs of the many outweigh the needs of the one."

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
