Application whitelisting: The only solution?

Amid a massive tide of malware, application whitelisting vendors like Bit9 say, 'Allow only good executables rather than just trying to block the bad'

Of all the anxieties that gnaw at you, the thought that malware may have slipped under your antiviral radar and taken root in your system has to be one of the most galling. You simply don't know for sure. All you know is that the risk of infection increases every day, as malware morphs and multiplies at astounding rates.

More and more, I find myself believing that application whitelisting is the best way to really protect Windows computers.


Maybe Symantec, Trend Micro, McAfee, and the rest have done too good a job of scaring the hell out of me, but if the number of malware exploits knows no bounds, how can you possibly defend against all of them? For business computing, at least, it makes more sense to bite the bullet and declare: The only executables that can run on a given system are known, good executables.

Application whitelisting starts with a clean, malware-free image of a desktop or server. Whitelisting software then walks that image and identifies every executable by a cryptographic hash of its contents, so a file is recognized by what it is rather than by its name or location. From that point on, agents installed on managed systems compare each executable against the hash list and flag any that aren't on it -- or block them from running. Because most companies already deploy standard system images, the list stays manageable, but it does have to be maintained: every legitimate patch changes a binary's hash, and an updated file looks exactly like a tampered one until the list is refreshed. With that discipline in place, whitelisting can be a highly effective way to lock down security.
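The baseline-then-enforce cycle described above, as an added example (this is illustrative code, not Bit9's product or anything from the article): a clean image is hashed into a whitelist, and a later scan reports every executable whose hash is not on it. The sample files are constructed stand-ins with arbitrary bytes, the directory names mimic a Windows layout only for readability, and the list of "executable" suffixes is an assumption; a real agent would hook execution rather than scan the disk.

```python
"""Hash-based application whitelisting: baseline a clean image, then flag drift."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: which file types count as executable code for this demo.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr"}
CHUNK = 1 << 16


def is_executable(path) -> bool:
    """Cheap pre-filter by suffix; the hash, not the name, is the real identity."""
    return Path(path).suffix.lower() in EXECUTABLE_SUFFIXES


def sha256_file(path) -> str:
    """Stream the file so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Hash every executable under a known-clean image: sha256 -> first path seen."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_executable(p):
            baseline.setdefault(sha256_file(p), p.relative_to(root).as_posix())
    return baseline


def allowed(path, baseline) -> bool:
    """Enforcement decision for a single execution attempt."""
    return sha256_file(path) in baseline


def scan(root, baseline) -> list:
    """Audit mode: list (relative path, sha256) of executables not on the whitelist."""
    root = Path(root)
    unknown = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_executable(p):
            digest = sha256_file(p)
            if digest not in baseline:
                unknown.append((p.relative_to(root).as_posix(), digest))
    return unknown


def demo() -> dict:
    """Constructed scenario: baseline a fake image, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a clean image; bytes are arbitrary, not real PE files.
        clean = {
            "Windows/notepad.exe": b"MZ notepad sample",
            "Windows/System32/kernel32.dll": b"MZ kernel32 sample",
            "Windows/System32/drivers/disk.sys": b"MZ disk sample",
            "Users/alice/notes.txt": b"not an executable, ignored",
        }
        for rel, data in clean.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_baseline(root)

        # 1) Known-good binary copied under a new name: same hash, still allowed.
        renamed = root / "Users/alice/np_copy.exe"
        renamed.write_bytes(clean["Windows/notepad.exe"])
        # 2) New executable dropped into a user-writable directory: flagged.
        (root / "Users/alice/AppData").mkdir(parents=True)
        (root / "Users/alice/AppData/update.exe").write_bytes(b"MZ dropped sample")
        # 3) Whitelisted file modified in place: hash no longer matches, flagged.
        #    A legitimate patch produces exactly the same signal, which is why the
        #    baseline must be refreshed whenever approved software is updated.
        (root / "Windows/System32/kernel32.dll").write_bytes(b"MZ kernel32 sample, patched")

        return {
            "baseline_size": len(baseline),
            "renamed_copy_allowed": allowed(renamed, baseline),
            "flagged": [path for path, _ in scan(root, baseline)],
        }


if __name__ == "__main__":
    print(demo())
```

Two points the walk-through makes that the prose alone does not: renaming or relocating a blessed binary does not evade or break the list, because identity is the content hash, and a modified whitelisted file is indistinguishable from a new unknown one, so patch management and whitelist maintenance have to move together.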

"There are 15,000 legitimate executables on the average Windows computer," says Tom Murphy, chief strategy officer of Bit9, a whitelisting software vendor whose Bit9 Parity Suite won a 2010 InfoWorld Technology of the Year Award. Isn't it a little easier to bless 15,000 legitimate executables and prevent anything else from running than to try to recognize and block every malware exploit on the planet, including those being invented this second?

I spoke with Murphy in advance of today's announcement of the Bit9 Cyber Forensics Service, which targets forensics professionals and is based on the company's Global Software Registry, a database that contains billions of metadata records for nearly 500 million unique files. According to Murphy, "this new service makes it easy to identify, validate, and understand the reputation of software files, reducing the investigations process from weeks to days."

A database like this (Bit9's isn't the only one) not only helps isolate suspect files, it also vastly increases the pool of legitimate applications that you can run without worry. Bit9 already has a free service called File Advisor that lets anyone check an individual file against its database. The new Cyber Forensics Service provides forensics investigators with full database access and complete file metadata at a yearly subscription rate of $50,000 for five seats.

I understand that many people dislike the idea of an approved list of applications -- and a draconian rule that no others should run. But the fact is, in many companies, users have already lost the administrative privileges to install software, and administrators themselves operate under ever tighter restrictions. Whitelisting actually exonerates executables that otherwise might be considered suspect.

Application whitelisting is not a perfect security solution -- there will always be intrusions that don't involve malware, such as stolen credentials or the abuse of programs already on the approved list, and systems that can't be protected. But focusing on the known good rather than the vast unknown seems like a strategy with a better chance of success.

This article, "Application whitelisting: The only solution?," originally appeared at InfoWorld. Read more of Eric Knorr's Modernizing IT blog and get a digest of the key stories each day in the InfoWorld Daily newsletter and on your mobile device.