Trust and protect
Today, the best whitelisting products (including most in this review) allow administrators to define trusted updaters. For example, an administrator can add SMS, SCOM, WSUS, PatchLink, or Shavlik as a trusted updater, and anything they install will be automatically approved. This is a huge improvement.
Most whitelisting programs can be configured in either audit or enforcement mode. SignaCert is the only exception in this review; it has no built-in enforcement mode, but can monitor any file type. In audit mode, the whitelisting program only monitors and reports file executions. Enforcement mode blocks all monitored file types from executing or running, barring any specific exceptions. Most vendors recommend living with audit mode for a set period of time and running reports to find out what would have been denied had enforcement been enabled.
Once enforcement mode is enabled, any execution not explicitly allowed will be blocked. It goes without saying that desktop lockdowns aren't warmly welcomed by most end users. You're taking away their freedom. If you use any of these products in enforcement mode, make sure you've spent the necessary time to define the right policies to stop malware and unauthorized programs from executing while at the same time allowing end users to do their jobs. Expect an increase in the number of help desk calls. As users begin to understand that certain applications are not allowed, the help desk calls will decrease.
Most whitelisting programs are smart enough to identify file types based upon file header and don't rely on file extensions alone. All the products reviewed allow administrators to find any specific file, by name or hash, anywhere it exists on any of the monitored systems. Some products even allow hashes to be populated before the file even exists in the environment, looking ahead to block a specific hacker tool or malware program. Of course, because blocking often uses file names or hashes, identifying polymorphic malware programs can be a challenge. That's why it's already better, from a pure security standpoint, to block by default all that is not specifically allowed.
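The policy mechanics described above (trusted updaters, audit versus enforcement mode, header-based executable detection rather than extension checks, and blocklist hashes registered before the file exists) are easy to see in a small simulator. The following is an added example written for this page, not code from any of the reviewed products; the file contents, the `wsus` updater name, and the `audit`/`enforce` mode labels are constructed assumptions, and the sample "executables" are just bytes beginning with an `MZ` magic, not real binaries.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Magic bytes used to classify a file by header instead of by extension
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def sha256_of(path):
    """Hash a file in chunks; this is the identity the allow/block lists key on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable_by_header(path):
    """A renamed .dat or .txt is still executable if its header says so."""
    with open(path, "rb") as f:
        head = f.read(4)
    return head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC)


@dataclass
class Policy:
    mode: str                                   # "audit" or "enforce" (assumed labels)
    allowed_hashes: set = field(default_factory=set)
    blocked_hashes: set = field(default_factory=set)   # may be populated before the file exists
    trusted_updaters: set = field(default_factory=set)  # installs by these are auto-approved


def evaluate(policy, path, installed_by=None):
    """Return (decision, reason); decision is 'allow', 'block' or 'audit-only'."""
    if not is_executable_by_header(path):
        return "allow", "not an executable by header"
    digest = sha256_of(path)
    if digest in policy.blocked_hashes:
        verdict, reason = "block", "hash on blocklist"
    elif digest in policy.allowed_hashes:
        verdict, reason = "allow", "hash on allowlist"
    elif installed_by in policy.trusted_updaters:
        policy.allowed_hashes.add(digest)       # trusted updater output becomes approved
        verdict, reason = "allow", f"installed by trusted updater {installed_by}"
    else:
        verdict, reason = "block", "not explicitly allowed (default deny)"
    # Audit mode only reports what enforcement would have denied
    if verdict == "block" and policy.mode == "audit":
        return "audit-only", "would block: " + reason
    return verdict, reason


def build_sample_dir():
    """Write constructed sample files (not real binaries) into a temp directory."""
    d = tempfile.mkdtemp()
    samples = {
        "approved.exe": b"MZ" + b"\x90" * 64,   # on the allowlist
        "notes.txt":    b"plain text, no executable header",
        "tool.dat":     b"MZ" + b"\xcc" * 64,   # executable hiding behind a data extension
        "update.exe":   b"MZ" + b"\x41" * 64,   # arrives via the trusted updater
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


def run_demo(mode):
    """Evaluate every sample file under the given mode; returns {filename: decision}."""
    d = build_sample_dir()
    policy = Policy(
        mode=mode,
        allowed_hashes={sha256_of(os.path.join(d, "approved.exe"))},
        # Blocklist entry computed from bytes alone, before any such file is on disk
        blocked_hashes={hashlib.sha256(b"MZ" + b"\xcc" * 64).hexdigest()},
        trusted_updaters={"wsus"},
    )
    results = {}
    for name in sorted(os.listdir(d)):
        installer = "wsus" if name == "update.exe" else None
        results[name] = evaluate(policy, os.path.join(d, name), installer)[0]
    return results


if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        print(mode, run_demo(mode))
```

Running it shows the same file set under both modes: `tool.dat` is reported as `audit-only` in audit mode and `block` in enforcement mode, the text file passes because its header is not executable, and `update.exe` is approved only because it was installed by the trusted updater. This is the kind of report vendors suggest collecting during the audit period before switching enforcement on.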
It's important to understand that whitelisting programs cannot stop every program or malware from executing. First, it's not uncommon for malware to use legitimate software to do its dirty business. For example, the MS Blaster worm used Windows' built-in Trivial File Transfer Program (tftp.exe) to copy itself from computer to computer. Macro viruses would be allowed to run inside of other approved programs just fine. Second, whitelisting programs often have difficulty blocking programs that run inside of virtual environments such as Java or .Net, although all of the products in this review claim to handle the individual hosted applications correctly.
Most whitelisting programs cannot stop buffer overflow malware programs, concentrating more on denying the payload executable that almost always results. Nevertheless, both CoreTrace and McAfee did an excellent job of blocking buffer overflows in my testing. CoreTrace Bouncer even stopped a buffer overflow program that was started before the whitelisting program was enabled.
See the features table to compare client support, file type coverage, and other features across all of the solutions.