InfoWorld review: Whitelisting security offers salvation

Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st century security

1 2 3 4 Page 2
Page 2 of 4

New world order

In today's world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically uniquely identify files using one or more cryptographic hashes (such as MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported.

Some products cover only executable files, which differ across products. Others can snapshot and block a wider range of files, including scripts and macro modules, and even write-protect any text or configuration file. The latter is useful for noting unauthorized modifications, such as the changes that many malware programs make to the DNS Hosts file. While most whitelisting products can block scripts, some do so only by blocking the main script interpreter (Perl.exe or VBScript.dll, for example), essentially enacting an all-or-none policy, while others can block specific scripts. If you need to allow or deny specific scripts, make sure to tease out your vendor's coverage. As noted in the individual reviews, many vendors can block specific VBScript or JavaScript scripts, but can stop other types of scripts only by blocking the interpreter.

Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don't have to busy themselves with defining all the files they know are legitimate.

Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell's eDirectory services.

All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with "gold standard" whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.

A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today's regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.

Whitelisting solutions at a glance

ProsConsClient supportCost
Bit9 Parity Suite 5.01
  • Trust, risk, and drift ratings enable IT to monitor and report on overall security posture
  • Predefined "gold" file signatures
  • Bulk imports of previously defined blacklists
  • Excellent alerting and reporting
  • Great value
  • Not all script types can be individually blocked
Windows 2000 and laterSubscription pricing ranges from $12.50 to $30 per endpoint and $65 to $150 per server
CoreTrace Bouncer 5
  • Great looking GUI
  • Secure sessions between clients and management server
  • Nice handling of file updates
  • Buffer overflow protection
  • Good reporting
  • Doesn't cover all file types
Windows NT 4 SP6a and later, Solaris 7 through 10Typical deployment costs $39 per endpoint including volume discounts
Lumension Application Control
  • Broad coverage of file types
  • Predefined "gold" file signatures
  • Excellent reporting options
  • Unlimited servers at no extra cost
  • Management Interface is a little busy
  • No digital signature rules
Windows 2000 and laterSubscription pricing is $13.60 per endpoint for 501 to 1,000 seats, with quantity and multi-year discounts available
McAfee Application Control 5.0
  • Supports Linux and Solaris clients
  • Integrated with McAfee ePO
  • Write protection and ownership protection of whitelisted files
  • Good reporting and alerting
  • Client is command-line only
  • Enterprise console takes extra steps
Windows NT 4 SP5 and later, Suse Linux 9 and 10, Oracle Enterprise Linux, Red Hat Linux 3 through 5 (and CentOS), and Solaris 8 through 10 
SignaCert Enterprise Trust Server 3.0
  • Supports Linux, Mac OS X, and Solaris clients
  • Predefined "gold" file signatures
  • Authenticity ratings
  • Extensible via XML
  • Excellent documentation
  • Does not natively block file executions
  • Pricier than competitors
Supports any operating system that runs Java including Windows, Linux, Mac OS X, and SolarisStarts at $50,000 for installations supporting up to 500 endpoints, with volume discounts available
Microsoft AppLocker
  • Included free with Windows 7 editions and Windows Server 2008 R2
  • Easy to configure and manage
  • Manageable through Group Policy Objects
  • Easy importing and exporting of rules
  • Works only with Microsoft's latest and high-end OS editions
  • Reporting is limited to event log messages
  • Cannot easily manage every file type
Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2Included in Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2
1 2 3 4 Page 2
Page 2 of 4
InfoWorld Technology of the Year Awards 2023. Now open for entries!