InfoWorld review: Whitelisting security offers salvation
Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st-century security.
Trust and protect
Today, the best whitelisting products (including most in this review) allow administrators to define trusted updaters. For example, an administrator can add SMS, SCOM, WSUS, PatchLink, or Shavlik as a trusted updater, and anything they install will be automatically approved. This is a huge improvement.
Most whitelisting programs can be configured in either audit or enforcement mode. SignaCert is the only exception in this review; it has no built-in enforcement mode, but can monitor any file type. In audit mode, the whitelisting program only monitors and reports file executions. Enforcement mode blocks all monitored file types from executing or running, barring any specific exceptions. Most vendors recommend living with audit mode for a set period of time and running reports to find out what would have been denied had enforcement been enabled.
Once enforcement mode is enabled, any execution not explicitly allowed will be blocked. It goes without saying that desktop lockdowns aren't warmly welcomed by most end users. You're taking away their freedom. If you use any of these products in enforcement mode, make sure you've spent the necessary time to define the right policies to stop malware and unauthorized programs from executing while at the same time allowing end users to do their jobs. Expect an increase in the number of help desk calls. As users begin to understand that certain applications are not allowed, the help desk calls will decrease.
Most whitelisting programs are smart enough to identify file types based on the file header and don't rely on file extensions alone. All the products reviewed allow administrators to find any specific file, by name or hash, anywhere it exists on any of the monitored systems. Some products even allow hashes to be populated before the file exists in the environment, looking ahead to block a specific hacker tool or malware program. Of course, because blocking often uses file names or hashes, identifying polymorphic malware programs can be a challenge. That's why it's always better, from a pure security standpoint, to block by default all that is not specifically allowed.
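To make the audit/enforcement distinction and the header-plus-hash check concrete, here is an added sketch (not code from any of the reviewed products). The magic-byte table, sample files, and function names are constructed for illustration; it shows why a renamed executable and a one-byte variant of an approved file both fall to default deny.

```python
import hashlib

# Leading bytes of the monitored executable formats (small constructed set).
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"#!": "script"}

def sniff_type(data):
    """Classify a file by its header bytes, ignoring name and extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None  # not a monitored file type

def decide(data, allowlist, mode):
    """Return (action, reason) for one execution attempt.

    allowlist: set of SHA-256 hex digests of approved files.
    mode: "audit" only reports; "enforce" blocks.
    """
    kind = sniff_type(data)
    if kind is None:
        return ("allow", "not a monitored file type")
    digest = hashlib.sha256(data).hexdigest()
    if digest in allowlist:
        return ("allow", kind + " with approved hash")
    # Default deny: nothing has to recognise the file as bad.
    action = "block" if mode == "enforce" else "would-block"
    return (action, kind + " with unapproved hash " + digest[:12])

# Constructed sample files: (name as seen on disk, content).
APPROVED = b"MZ\x90\x00" + b"approved line-of-business build 1.0"
SAMPLES = [
    ("lobapp.exe", APPROVED),
    ("report.txt", b"MZ\x90\x00" + b"unknown tool renamed to look like text"),
    ("lobapp.exe", APPROVED[:-1] + b"1"),  # one byte changed, new hash
    ("readme.txt", b"plain text, no executable header"),
]
ALLOWLIST = {hashlib.sha256(APPROVED).hexdigest()}

def run(mode):
    """Evaluate every sample and return the list of actions taken."""
    return [decide(data, ALLOWLIST, mode)[0] for _name, data in SAMPLES]

if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        for name, data in SAMPLES:
            print(mode, name, *decide(data, ALLOWLIST, mode))
```

The "would-block" results from an audit run are the report a vendor's audit period is meant to produce: everything that enforcement would have denied.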
It's important to understand that whitelisting programs cannot stop every program or malware from executing. First, it's not uncommon for malware to use legitimate software to do its dirty business. For example, the MS Blaster worm used Windows' built-in Trivial File Transfer Program (tftp.exe) to copy itself from computer to computer. Macro viruses would be allowed to run inside of other approved programs just fine. Second, whitelisting programs often have difficulty blocking programs that run inside of virtual environments such as Java or .Net, although all of the products in this review claim to handle the individual hosted applications correctly.
Most whitelisting programs cannot stop buffer overflow malware programs, concentrating more on denying the payload executable that almost always results. Nevertheless, both CoreTrace and McAfee did an excellent job of blocking buffer overflows in my testing. CoreTrace Bouncer even stopped a buffer overflow program that was started before the whitelisting program was enabled.
See the features table to compare client support, file type coverage, and other features across all of the solutions.