Application whitelisting is our chance to be proactive. That alone has to mean something. Let's look at how three companies leverage that into real-world protection.
Application whitelisting seems simple enough. Only allow approved applications to run. Not exactly, my last article about application whitelisting generated all sorts of "how do they do that" questions. Good questions that deserve answers.
So I got busy, asking experts at several security companies to explain their application-whitelisting product and answer your questions. Three of the four companies I asked; CoreTrace, Faronics, and Savant Protection were kind enough to respond. Here is what they had to say:TechRepublic: Could you introduce your company and its application-whitelisting product? CoreTrace: CoreTrace is focused on creating high-security, easy-change application whitelisting solutions. The company was founded by Dan Teal. The directors and officers of CoreTrace have significant experience building enterprise software and security companies such as Check Point Systems and PGP.
Our whitelisting solution, Bouncer, automatically creates a whitelist from each computer, and updates that whitelist whenever new and trusted applications are added.Faronics: Faronics is interested in computer power management and cost-reducing IT solutions. We have offices in the USA, Canada, and the UK. Our customer base exceeds 30,ooo customers in over 150 countries.
Our product is called Anti-Executable. What makes Anti-Executable unique is the inclusion of both blacklisting (any non-trusted program will be blocked from running) and whitelisting in a single application.Savant Protection: Savant Protection is a private company focused on automated application-whitelisting. The product, with the same name as the company, is a business-driven application-whitelisting solution that protects the operating system and software running on desktops, servers, process control systems, and point-of-sale systems. TechRepublic: There are many definitions of application whitelisting. So we can be clear, what is your interpretation? CoreTrace: Application whitelisting is the ability to guarantee that only safe, approved applications--both originally approved and those added over time--are allowed to execute. Application whitelisting solutions should also prevent memory attacks within legitimate whitelisted applications. Faronics: Whitelisting is a practical and realistic approach to how files are controlled on a computer: Instead of worrying about the universe of existing files and the files that might be created, whitelisting focuses on the files already present and verified. Savant Protection: The primary objective of application whitelisting is to protect the functioning of the computer and its executing programs. This includes all executables of the operating system and the applications. If it is not on the list, it won't run. TechRepublic: How is the whitelist created and if needed, updated? What attributes are used to identify the application? CoreTrace: Once installed; Bouncer identifies all executable binaries, adding select information about each binary to the whitelist. Once the whitelist is completed, the system will be in a protected state. You can loosen up specificity if you wish. For example, you could configure Bouncer to allow Notepad to run from any location.
For the addition of new applications and upgrades, trust models (trusted applications, paths, digital signatures, users, and even ActiveX installations) are established using Bouncer's Trusted Change feature. Once set up, automated delivery mechanisms or specified users can add or update applications without requiring further IT approval.
Each binary is uniquely identified by file name, file size, file path, and SHA1 hash.Faronics: A whitelist can be created by scanning folders or drives. When using this "scanning" function all the executable files in the folder or drive will be added to the whitelist. Anti-Executable also allows selecting a specific file and adding it to the whitelist. A third option is to add a whole folder to the whitelist. This folder is called a whitefolder. All the executable files in the whitefolder will be allowed to run.
There are several ways to maintain the whitelist. The first way is called Maintenance Mode. While in Maintenance Mode, Anti-Executable allows software to be installed or updated. When Maintenance Mode ends, Anti-Executable will add the new or updated files to the whitelist.
Another method is using Publisher entries. When a Publisher is added to the whitelist, new software can be installed and existing applications can be updated provided they are digitally signed by that Publisher.
To identify an application, we use the SHA-1 hash and publisher.Savant Protection: The whitelist is created on each device when the agent is deployed to that device. The agent scans the specified disks and adds all executables to the whitelist. As described earlier, it maintains the list automatically. The hash is unique to both the file and the computer. For example, the hash for wordpad.exe would be different on different computers. This prevents malware from proliferating.
Savant Protection has a library of "filter sets" that allow you to configure which processes can upgrade, install, or patch software. New filter sets can be easily created if they are not in the library. For example, Savant Protection's library has filter sets for software delivery systems, which allow administrators to continue using the same tools they normally would to install and update software.
The SHA-1 hash, file size, and file name identify the executable.TechRepublic: How does your product prevent non-listed applications from executing? CoreTrace: Bouncer is a kernel level service. This allows us to perform a check immediately prior to execution load and determine whether the binary is on the whitelist or not. If the binary is not on the whitelist (and not originating from a pre-authorized trusted source), Bouncer prevents the execution of the binary. This is an important aspect of Bouncer. It checks the validity of the binary before it loads; not as it loads or immediately after. By then, the damage could have already been done. Faronics: When there is an attempt to execute a file, Anti-Executable checks if the file is digitally signed. If it is, Anti-Executable crosschecks the file's publisher against the whitelist. If the publisher is in the whitelist, the file is allowed to run.
If the file is not digitally signed, Anti-Executable calculates the file's hash (SHA-1) and crosschecks the whitelist. If the file's hash is found, the file is allowed to execute. Otherwise the file will be prevented from running.Savant Protection: Savant Protection is implemented with a Kernel-level filter driver. It starts at boot time and it intercepts the start of an application and the loading of dll's from within the kernel. In this way we prevent any executable not on the whitelist from running. TechRepublic: Not every user requires the same software applications. For example, engineers may need a CAD program where other users wouldn't. How does your product handle that? CoreTrace: Bouncer creates and enforces a different whitelist for each computer. If one engineer's workstation has a CAD program on it, there is no reason to have that same application pre-approved for the receptionist's computer.
Bouncer also has role-based management capabilities, allowing administrators to group computers together. For example, you could pre-approve the same CAD program for all engineering workstations, without doing so for the entire enterprise.Faronics: You can have a single whitelist to control your whole company, or have a different whitelist for every department, or have a whitelist for every individual computer. With Anti-Executable, you can have different whitelists apply depending on the time of the day. Savant Protection: The white list would be modified on only those machines without the administrator needing to do separate approvals. And the CAD software would only run on those endpoints. Since we have a full agent on each device, an administrator could install software from a CD and the white list would automatically be updated with all the executables. TechRepublic: There is some concern about what happens when an approved application is targeted by malware. Is that type of attack a problem? CoreTrace: This is a key question in our minds. Application ‘Foo' could be a valid application and needs to be on the whitelist. Unfortunately, Foo happens to have a known vulnerability. Without some form of memory protection in place, we believe you are still susceptible to malicious attacks.
CoreTrace is focused on reducing those attack surfaces. That's why Bouncer protects against several types of memory attacks, including dll injections and attempts to write to kernel memory.Faronics: Imagine a file's hash as the file's DNA. Any change on a file will imply a complete change in the file's hash. If the hash is not in the whitelist, the file will not run. It is the same with Publisher entries; any change to the file will break the file's digital signature, preventing the file from being executed. Any malware attack to an approved application will be detected by Anti-Executable and the application will be prevented from running. Savant Protection: Many exploits will deposit an executable on the system in order to complete the attack. Since that executable won't be on the whitelist there will be no persistent threat. However, an in-memory exploit would not be stopped if it's part of an approved application. Since a successful compromise generally requires stages of exploitation, when an in-memory exploit attempts to deposit an executable, we will stop it.
In addition to preventing non-listed executables from running, Savant Protection has a secure mode that only allows trusted processes to create, modify, or delete executables.One thing is clear
It became evident while researching this article that application whitelisting has one caveat. You have to make sure the computer is clean before installing any of the above programs. If malware is already entrenched, these applications will gladly whitelist it and allow it to run.Final thoughts
Application whitelisting may not be the end-all answer, but it does allow us to be proactive in the fight against malware. That's its advantage over threat-centric anti-malware.
I am concerned about the complexity, application whitelisting definitely requires babysitting. A homeowner with only a few unmanaged computers will not want to go through all the effort to maintain the whitelist. That's where some work needs to be done.
I would like to thank Kelly Batke of Faronics, Paul Paget of Savant Protection, and Kristina Molfino of Kulesa Faul (represents CoreTrace) for helping me research application whitelisting.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.