InfoWorld review: Whitelisting security offers salvation

New world order

In today's world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically uniquely identify files using one or more cryptographic hashes (such as MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported.

Some products cover only executable files, which differ across products. Others can snapshot and block a wider range of files, including scripts and macro modules, and even write-protect any text or configuration file. The latter is useful for noting unauthorized modifications, such as the changes that many malware programs make to the DNS Hosts file. While most whitelisting products can block scripts, some do so only by blocking the main script interpreter (Perl.exe or VBScript.dll, for example), essentially enacting an all-or-none policy, while others can block specific scripts. If you need to allow or deny specific scripts, make sure to tease out your vendor's coverage. As noted in the individual reviews, many vendors can block specific VBScript or JavaScript scripts, but can stop other types of scripts only by blocking the interpreter.

Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don't have to busy themselves with defining all the files they know are legitimate.

Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell's eDirectory services.

All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with "gold standard" whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.

A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today's regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.