Application Whitelisting Offers A Tantalizing Alternative To Popular "Whack-A-Mole" Antivirus Strategies

Guest Post From Researcher Chris Sherman

Traditional antivirus techniques have been fighting a losing battle for years. Popular hacker exploit kits pounce on new vulnerabilities quickly, while advanced tools such as polymorphic viruses keep spreading their malicious payloads. As a result, signature databases (known as "blacklists") have ballooned in size, straining a company's infrastructure and endpoint performance. Combined with the fact that antivirus vendors miss a significant number of unknown or zero-day threats, many security professionals are left questioning their antivirus-centric approach to endpoint protection. As the number of malware samples rises, this traditional "Whack-A-Mole" blacklist strategy of signature-based antivirus protection is simply unscalable.

In our new report "Application Control: An Essential Endpoint Security Component," my colleague Chenxi Wang and I discuss the importance of supplementing antivirus with application control in an effort to reduce the number of potential avenues for attack (otherwise known as the endpoint's attack surface). One of the most promising forms of application control is application whitelisting. Whereas traditional antivirus technologies laboriously scan every file on the endpoint looking for known bad code, whitelisting takes a very different approach and blocks everything except those applications known to be trusted. This leads to faster endpoint performance and better overall protection against zero-day threats than traditional antivirus techniques provide.

Now of course, there are operational challenges that make the move to a whitelisting approach difficult in certain environments. Organizations will sometimes struggle with building an initial whitelist, and there can be many difficulties maintaining one once it’s set in place, especially in dynamic environments. Deciding which applications are necessary and which should be eliminated is not a trivial task. However, at the end of the day you are left with an endpoint environment with less reliance on antivirus techniques and a significantly reduced attack surface.

For more information on the challenges and benefits of application control, as well as how the attack surface can be further mitigated through targeted patch management and privilege management, look to our published report. And as always, we welcome your comments below.
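To make the default-deny idea concrete, here is an added example (not code from the report or from any product it covers) of a minimal execution policy evaluated over constructed launch events: files are allowed only by an explicit hash or a trusted publisher, so a second-stage payload dropped by an exploited but whitelisted application is denied while a freshly released, publisher-signed update is still allowed. All paths, publisher names and file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class LaunchEvent:
    path: str
    content: bytes                   # file bytes, hashed at decision time
    publisher: Optional[str] = None  # verified signer, None if unsigned
    parent: str = "explorer.exe"     # process that requested the launch

@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)      # file-level list
    trusted_publishers: Set[str] = field(default_factory=set)  # publisher rules

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(policy: Policy, ev: LaunchEvent) -> Tuple[str, str]:
    """Default deny: allow only on an explicit hash or a trusted publisher."""
    digest = sha256(ev.content)
    if digest in policy.allowed_hashes:
        return "allow", "hash allowlist"
    if ev.publisher is not None and ev.publisher in policy.trusted_publishers:
        return "allow", "trusted publisher: " + ev.publisher
    return "deny", "no matching rule (parent %s)" % ev.parent

# Constructed sample policy and launch events (not real binaries or hashes).
LEGACY_TOOL = b"legacy-inventory-tool-v1"
POLICY = Policy(
    allowed_hashes={sha256(LEGACY_TOOL)},
    trusted_publishers={"Microsoft Corporation", "Mozilla Corporation"},
)
EVENTS = [
    LaunchEvent(r"C:\Program Files\Office\WINWORD.EXE", b"word-binary", "Microsoft Corporation"),
    # a just-released browser build: in no hash list, but signed by a trusted publisher
    LaunchEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", b"firefox-new-build", "Mozilla Corporation"),
    LaunchEvent(r"C:\Tools\inventory.exe", LEGACY_TOOL, None),
    # second stage written by an exploited, whitelisted Word process
    LaunchEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", b"payload", None, parent="WINWORD.EXE"),
    # validly signed, but the signer is not a trusted publisher: a policy block, not a malware block
    LaunchEvent(r"C:\Users\alice\Downloads\TweetDeck.exe", b"tweetdeck", "Twitter, Inc."),
]

def decisions(policy: Policy = POLICY, events=EVENTS):
    return [evaluate(policy, ev)[0] for ev in events]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, why = evaluate(POLICY, ev)
        print(f"{verdict:5} {ev.path}  [{why}]")
```

The last event shows the distinction raised in the comments: the same mechanism that blocks an unsigned payload also blocks a clean, signed application that is simply outside corporate policy.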



old arguments and outdated perspectives

Hi Chris (and Chenxi),
Seems like every few years we see the topic of whitelisting resurface with the same tired arguments against ever-growing signature databases. I'm not against whitelisting per se as a tool in the toolbox, but the perspective in this report about the traditional AV tools, and even about whitelisting, seems inaccurate, out of date, or incomplete.
First of all, "antivirus" is much more than just AV signature-based blocking. None of the major "AV" companies competing in either the enterprise or even the consumer space are just focused on signature-based virus databases, and this has been the case for years. They sell a suite that includes HIPS and other forms of behavior blocking, file reputation, and sandboxing -- all of which are looking at the apps on the PC.
Second, signature databases have been moving to the cloud (granted, not fast enough). So to solve your complaint about endpoint performance hits from large signature files, why not just call for more rapid evolution to cloud-based scanning instead? And anyway, if you map AV performance impact versus virus DB size over time, you will not see a direct correlation, so saying large virus DBs impact performance sounds good but doesn't seem to bear up under evidence.
Third, if most attacks are coming through the web, and specifically through exploits of non-malicious plug-ins like Flash or through JavaScript injected in compromised sites, then it's not clear how application whitelisting actually improves your defenses here, and it sounds like people still need "AV".
Finally, you fail to distinguish between whitelisting of files for endpoint security (ie, a whitelist of all non-malicious files) and whitelisting of files for policy enforcement (where files that don't contain malware may not be on the whitelist because they violate a corporate policy). Yet it's important to make this distinction because they are not at all equivalent in terms of the problem they solve or how they solve it. It's one thing to block an app that contains malicious code; it's quite another to dictate which browser employees must use or whether they can download a screenshot app, TweetDeck, or their favorite useful browser toolbar. Both are different forms and uses of "whitelisting". Yet while no one would argue with the first type of whitelisting, the second flies in the face of the entire "empowered" trend running through all of Forrester's research.

Hi Jonathan, Thank you for

Hi Jonathan,

Thank you for your comments, it's good to get the AV vendor perspective, and especially good to hear from former colleagues! That said, we disagree with you on several fronts. First of all, there is no question that AV vendors are improving their technologies. Anomaly-based detection logics, cloud-delivered signatures - these are just some of the examples. However, what AV vendors are doing is optimization; it does not change the fundamentals of the game. The ultimate limiting factors are still there.

The fact that Google, Facebook, Intuit, some of the most innovative IT companies on the planet implement app control as a fundamental layer of endpoint security illustrates that application control, as a technology, has a lot of value. True, this is not the first time the argument for application control (or more specifically whitelisting) is made, but there are valid reasons to reiterate the argument--the vast majority of the market is still stuck in the old “AV is the be all and end all endpoint security approach” mindset.

It’s also important to note that we do not equate app control with “whitelisting”. Whitelisting is a specific instance of application control with a stronger logic, but the two are not equal. The fact that companies with some of the most liberal corporate culture find application control essential to their endpoint security tells you that application control does not have to be restrictive; it does not have to fly in the face of empowered employees.

We also note that some of the app control products allow for near real-time visibility of the endpoint environment, which we really like – we are fans of technologies that increase situational awareness and help to improve continuous monitoring capabilities. This visibility part is lacking in many AV products.

We are firmly of the opinion that an endpoint security approach that is focusing on managing vulnerabilities in the environment is more effective than ones that are threat-focused. It is not an old argument; it is the “only” argument.

Once again, thank you for your comments; we welcome others to join the discussion as well!

Well, you're paid to disagree

Well, you're paid to disagree with him, so this is not surprising. However you still keep introducing "inaccuracies" - now in the comments - which seriously hurt your credibility as a researcher.

First you mention "app control" in Google, Facebook and Intuit. I happen to work in one of those companies, and I can assure you there is NO app control in terms of whitelisting. Nobody prevents you from downloading the Firefox source code, compiling your own Firefox and using it. But if by "app control" you meant the "no warez/copyrighted software" policy, well this has nothing to do with whitelisting as a security solution.

Second, you mentioned the size of AV databases, but you conveniently forgot to compare it with the size of the whitelisting database. The number of clean applications definitely grows faster than the number of viruses, and therefore the whitelisting database size should increase much, much more.

Another issue you forgot to mention is the typical whitelist vendor delay to add new versions. For the self-updating modules such as Firefox plugins this may be a major issue. With the regular AV such issues simply do not exist.

And of course there is a major issue mentioned by Jonathan Penn which you ignored altogether. Whitelisting is completely defenseless against such old and well-known attacks as infected DOC and PDF documents - MS Office and Adobe Acrobat are typically whitelisted apps, so they'll gladly open that infected Word file and send the contents of your whole address book to an attacker - all without a single warning from the whitelisting software.

Finally, the effectiveness of whitelisting software is something the vendors claim. Unlike anti-virus software, which is subject to multiple independent tests such as Virus Bulletin, there are no such tests for whitelisting software. Which makes me take the claims of any whitelisting vendor with a huge grain of salt.

Response to Phil

Hi Phil, thank you for your comments.

We are not paid to disagree with Jonathan or any other viewpoint for that matter. In fact, Jonathan's company, Avast, is our client. On top of that, we have many AV vendors as our clients. Our opinions are not paid and cannot be bought.

You seem to equate app control with whitelisting. That's a common misconception. We think of whitelisting as a special case of app control. App control technologies can do whitelisting, but the two are not the same. These companies mentioned above, in fact, use app control technologies. All three have app control in their server environments (you can check with your IT department) - some servers implement more strict whitelisting than others. They also have app control on user endpoints, but with different policies than the server environments.

In regard to your comments on whitelist size, a good app control approach does not require you to build a file-level whitelist. What you want is a policy-based app control mechanism, rather than building a massive list of everything under the sun. Sure, you can build an actual file list if you want to do it that way, but that would be the naive way of doing it.

Now you also mentioned the issue of out-of-date whitelists not including recent application updates. Organizations get around this through the use of policies such as trusted application publishers. Any good app control tool worth its salt will include this functionality. However, you brought up a good point. Web scripts are actually difficult for app control technologies - and that remains an issue today.

Regarding your comments on threats faced within whitelisted applications: we did in fact cover this in our report, but just to be clear, the infection process usually includes 2 steps. Yes, vulnerabilities may exist in the approved applications and their associated files, such as PDF and DOC. And the initial exploitation may very well happen. However, the subsequent download, which is the main part of the malware, can be blocked using a good app control policy.

And finally, we would also like to see more industry standard testing for app control technologies. But I would wager you that testing app control products, by definition, will be much simpler and more straightforward than testing AV products.

To add more to what Jonathan

To add more to what Jonathan said, attackers are developing techniques to bypass application whitelisting by exploiting vulnerabilities in the whitelisted applications/processes... AWL is becoming something that makes life slightly more difficult for attackers, yet it can be bypassed...
