Try Application White Listing to Mitigate Malware

Thursday, May 03, 2012

Paul Paget


There will always be a threat from malware - malicious software that is designed to steal or corrupt data on computers. Malware affects everyone from security services to silver surfers, and when it isn’t checked it can wreak havoc.

Ultimately, it doesn’t matter what size your business is, whether you’re a multinational or a sole trader, the threat from malware is real and present, which means that you’ll need a solution. Usually this means anti-virus software, but keeping on top of updates and distributing these to all of the computers in your organization requires regular attention.

So can application whitelisting help? Is it even a valid alternative, or should your business stick to the tried and tested solution of anti-virus software and malware removal tools that detect and quarantine malicious software, keyloggers, rootkits and Trojans?

The Typical SME Approach to Anti-Virus and Malware

If you are responsible for managing online security in your organization or you’re involved as a stakeholder or an engineer, then you will appreciate that most businesses take a reactive approach to virus and malware threats.

If a virus or malware infects one or more computers, steps are taken to update the AV software (typically by downloading the latest virus signatures) and remove the infection. In most cases this is successful – anti-virus software is generally fit for purpose. However, there may be cases when virus signatures are yet to be added, making it difficult for the anti-virus software to find and remove the infection.

When malware is uncovered and the anti-virus solution is unable to deal with it, which is the situation in most cases, the latest version of one of the popular anti-malware tools should be used instead.

You might find that running the removal process in Safe Mode works best. Although it typically takes over an hour per infected computer, you should eventually be able to diagnose the machine as safe to use. In extreme cases, where remediation efforts fail, rebuilding the machine can take a few hours.

It’s all rather slow, though, isn’t it? More to the point, it is reactive rather than proactive.

How Application Whitelisting Can Help

In the horrific circumstance that all of your computers have been infected with malware you might be pulling your hair out trying to raise as many engineers as possible while making alternative arrangements for users affected by the problem.

Or, you could be carrying on with the expected day’s work, safe in the knowledge that there is no outbreak; no malware has been installed and no data has been lost or stolen.

Unless you run a computer network that has no Internet connection and a “no disks” policy, the only way to fully protect your users from malware is to employ a solution that uses application whitelisting: a control that governs which software is permitted to run on your computers. If the software is not on the whitelist, it won’t run.

It’s the doorman of the software world, in many ways. Basically, if your name’s not down, you’re not coming in.
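The “if your name’s not down, you’re not coming in” rule, as an added example that is not part of the original article: a default-deny check that allows an executable only when its exact SHA-256 hash is on the approved list. The allowlist, the stand-in executable images and the paths are constructed for illustration; note that a copy of an approved program whose bytes have been altered no longer matches and is denied, and that every denial is also a detection signal worth reviewing.

```python
import hashlib
from dataclasses import dataclass


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an executable image."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for approved executables (hypothetical; a real
# deployment would hash the binaries of a known-good build image).
APPROVED_BINARIES = {
    b"MZ...approved-editor-v1",
    b"MZ...approved-browser-v7",
}
ALLOWLIST = {sha256_of(b) for b in APPROVED_BINARIES}


@dataclass
class Verdict:
    path: str
    allowed: bool
    reason: str


def evaluate(path: str, image: bytes, allowlist: set) -> Verdict:
    """Default deny: the image runs only if its exact hash is approved."""
    digest = sha256_of(image)
    if digest in allowlist:
        return Verdict(path, True, "hash on allowlist")
    return Verdict(path, False, "hash %s... not on allowlist" % digest[:12])


def evaluate_many(events, allowlist):
    """Apply the policy to a batch of (path, image) execution attempts."""
    return [evaluate(path, image, allowlist) for path, image in events]


def denied_paths(verdicts):
    """Blocked executions double as a detection feed: each entry is something
    that tried to run without approval and deserves investigation."""
    return [v.path for v in verdicts if not v.allowed]


# Constructed execution events: an approved app, an unknown download, and a
# copy of the approved editor with one trailing byte altered (an "infected"
# approved app still fails the hash check).
SAMPLE_EVENTS = [
    ("C:/Program Files/Editor/editor.exe", b"MZ...approved-editor-v1"),
    ("C:/Users/alice/Downloads/invoice.pdf.exe", b"MZ...unknown-dropper"),
    ("C:/Program Files/Editor/editor.exe", b"MZ...approved-editor-v1\x90"),
]

if __name__ == "__main__":
    for v in evaluate_many(SAMPLE_EVENTS, ALLOWLIST):
        print("ALLOW" if v.allowed else "DENY ", v.path, "-", v.reason)
```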

Is Application Whitelisting the Solution or Part of the Equation?

As things stand, no single solution exists: anti-virus software companies are busy keeping their applications up to date, both with virus signatures and with protections against the applications themselves being targeted by viruses. This means it is unlikely at present that any AV or anti-malware developer will branch out into providing a complete application whitelisting solution.

Similarly, application whitelisting cannot claim to be the complete solution as it cannot deal with the task of removing threats.

It is, therefore, the perfect companion to anti-malware applications. When correctly configured, application whitelisting can protect individual computers, servers and entire networks from malware.

Be Proactive, Not Reactive

Whichever way you look at it, the reactive solution of anti-virus and malware removal tools is only a single item on your network security utility belt. It has been proven to work in quarantining the offending code but is largely useless in actually protecting computers from being infected in the first place.

This is why application whitelisting is vital as a proactive solution. Using both in tandem can leave you with an extremely secure network that is protected against malware and viruses however they might be introduced (targeted attacks, USB sticks, or malicious email attachments).

Whitelists are widely used in website blocking and spam email management. Employing an application whitelist to protect your computers from malicious code that tries to run or install is a logical step to take in the fight against malware.

Paul Paget is CEO of Savant Protection based in Hudson, NH. He was previously CEO of Core Security and SVP Americas for Baltimore Technologies. He has held VP Sales positions at GTE CyberTrust and IDG World Expo. You may contact him at ppaget@savantprotection.com

Beau Woods: Anti-virus is definitely failing at preventing malicious software from executing on devices. And whitelisting should be a part of the solution. I've been called into incidents where a whitelisting solution was turned on and immediately identified multiple outbreaks going back months, where antivirus totally failed.

That said, I want to emphasize that it's just _part_ of the solution. System hardening and security awareness programs are also hugely helpful at combating not just malware, but other security threats, as well.
Phil Klassen: I fully agree that whitelisting should be incorporated with any endpoint security and, as Beau adds, it's just one component. After all, 'approved' apps can also be infected - something called Adobe comes to mind - I also wish that the whitelist solutions could actually prevent it from being installed. I haven't really received an adequate answer on why this capability hasn't been incorporated yet.