Computer security is in a constant state of change. As software becomes more complex, so does securing it, and with the risk of a targeted cyber intrusion, one needs to ensure total protection against any malicious attack.
Deny access by default
A whitelisting application only allows executable files that are known to be trusted to run. The whitelist is created by the administrator, who manages the list through an easy-to-use interface. This means that any malicious code that tries to execute will be blocked by the whitelisting application, as it is not on the list of trusted files. Denying access by default is a much safer method of protecting the network than the traditional blacklisting approach used by anti-virus programs, which allows by default and only blocks a file if it is recognised by the virus definition database, a database that must be regularly updated to include any new malicious code.
Zero day attacks
These are particularly dangerous, as traditional anti-virus programs will not see them as a risk: the code is new and has not yet been added to the virus list. Whitelisting blocks any executable file that is not on the list of known files, eliminating the risk of a zero-day attack.
Whitelisting uses fewer resources than traditional anti-virus programs
Whitelisting works with file hash values: the whitelisting application computes the hash of a file, compares it against the list, and either allows or denies the application. Anti-virus programs that use blacklists, on the other hand, must search through the virus definition database every time an executable file tries to open, and on a large network this takes up considerable resources.
For businesses, a customised solution will work well with the existing network, and with an easy-to-use interface the administrators and users can monitor and change the list as and when necessary.
This is the main benefit of application whitelisting. There are three levels of file enforcement:
- File enforcement – In this mode, untrusted files are prevented from loading, and the event is recorded locally.
- File audit mode – When running a whitelisting application for the first time, a file discovery phase will build a defined Application Whitelist rule set. The audit mode identifies untrusted files and simulates their blocking.
- Temporary exception – There are certain situations when users must be exempt from application whitelisting, and the administrator can create unique passwords that allow users to be exempt, and can also control the time limit for such exemptions.
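As an added example (not code from the original article or from any vendor's product), the following Python sketch combines the hash-comparison check described under the resource-usage heading with the three enforcement levels listed above: enforce, audit (simulated blocking with a log entry) and a time-limited per-user exception. File contents, file names and user names are constructed samples.

```python
import hashlib
import time
from dataclasses import dataclass, field

# Constructed sample "executables"; in practice the bytes would be read from disk.
TRUSTED_FILES = {
    "calc.exe": b"MZ trusted calculator binary (constructed sample)",
    "editor.exe": b"MZ trusted editor binary (constructed sample)",
}
UNKNOWN_FILE = b"MZ unknown binary (constructed sample)"


def file_hash(data: bytes) -> str:
    """Hash the file contents; the whitelist stores hashes, not file names."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    mode: str = "enforce"                           # "enforce" or "audit"
    trusted: set = field(default_factory=set)       # allowed SHA-256 digests
    exceptions: dict = field(default_factory=dict)  # user -> exemption expiry (epoch seconds)
    log: list = field(default_factory=list)         # locally recorded events

    def discover(self, files):
        """Discovery phase: record the hash of every file present as the rule set."""
        for data in files:
            self.trusted.add(file_hash(data))

    def grant_exception(self, user: str, seconds: float, now: float = None):
        """Administrator grants one user a time-limited exemption from whitelisting."""
        now = time.time() if now is None else now
        self.exceptions[user] = now + seconds

    def check(self, data: bytes, user: str, now: float = None) -> str:
        """Decide for one file: 'allow', 'deny', or 'audit' (would have been denied)."""
        now = time.time() if now is None else now
        digest = file_hash(data)
        if digest in self.trusted:              # deny by default: only known hashes pass
            return "allow"
        if self.exceptions.get(user, 0) > now:  # exemption still within its time limit
            self.log.append(("exception", user, digest[:12]))
            return "allow"
        if self.mode == "audit":                # audit mode only simulates the block
            self.log.append(("would-deny", user, digest[:12]))
            return "audit"
        self.log.append(("deny", user, digest[:12]))
        return "deny"
```

Because the decision is made on the content hash, a trusted file that has been modified by even one byte no longer matches and is treated as unknown.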
Making the unknown known
This is the objective of application whitelisting. With so many files, endpoints and network crossings, making a whitelist of trusted files is the best way to protect against targeted intrusions. Application whitelisting has come a long way since it was first introduced; there were many problems initially, but continued development has enabled it to protect against intrusion without using too many resources. Government agencies and other large organisations have been reaping the benefits of application whitelisting for some time now, and even the PC user can protect against intrusion using this deny-by-default technology.