InfoWorld review: Whitelisting security offers salvation
Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st century securityFollow @rogeragrimes
New world order
In today's world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically uniquely identify files using one or more cryptographic hashes (such as MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported.
Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don't have to busy themselves with defining all the files they know are legitimate.
Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell's eDirectory services.
All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with "gold standard" whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.
A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today's regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.
|Bit9 Parity Suite 5.01||Windows 2000 and later||Subscription pricing ranges from $12.50 to $30 per endpoint and $65 to $150 per server|
|CoreTrace Bouncer 5||Windows NT 4 SP6a and later, Solaris 7 through 10||Typical deployment costs $39 per endpoint including volume discounts|
|Lumension Application Control||Windows 2000 and later||Subscription pricing is $13.60 per endpoint for 501 to 1,000 seats, with quantity and multi-year discounts available|
|McAfee Application Control 5.0||Windows NT 4 SP5 and later, Suse Linux 9 and 10, Oracle Enterprise Linux, Red Hat Linux 3 through 5 (and CentOS), and Solaris 8 through 10|
|SignaCert Enterprise Trust Server 3.0||Supports any operating system that runs Java including Windows, Linux, Mac OS X, and Solaris||Starts at $50,000 for installations supporting up to 500 endpoints, with volume discounts available|
|Microsoft AppLocker||Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2||Included in Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2|