Application whitelisting: Is it the way to beat malware?

Anti-malware as we know it, is not working. Is application whitelisting the answer? An increasing number of experts think so. Find out why.

---------------------------------------------------------------------------------------

It seems the time has come to rethink how we fight malware. Anti-malware applications based on signature blacklists and heuristics derived from previously-observed behavior aren't good enough. So what is? There is a growing consensus among experts that application whitelisting needs to be part of the solution.

IT managers are starting to think more about application whitelisting as well. That's because independent testing indicates application whitelisting is maturing into a viable endpoint-security solution. The same managers also realize application whitelisting can simplify regulatory compliance and software license assurance.

Regulatory compliance

Compliance with industry and government standards is becoming the norm. That's understandable: compliance publicly demonstrates the organization's concern for data security. The following are two examples of how application whitelisting helps companies comply:

  • Payment Card Industry Data Security Standard (PCI DSS): Whitelisting helps maintain PCI DSS compliance by ensuring that only authorized software runs, and only authorized portable storage devices are used, on in-scope systems.
  • Sarbanes-Oxley (SOX): As with PCI DSS, SOX compliance requires control over, and accountability for, software and data storage. Whitelisting regulates both by its nature, and its logs provide the required audit trail.

Software license assurance

Determining what is installed on workstations at an SMB can be a significant undertaking. Now consider a large enterprise: it's almost impossible without some kind of automated tracking software. Whitelisting is one such solution, and because it blocks anything not on the list rather than merely reporting it, it assures you of the following:

  • Only management-approved software runs on workstations.
  • Licensing-compliance exposure, within the organization and toward the Business Software Alliance, is greatly reduced: unapproved installations cannot run, so the only licenses left to reconcile are those for approved software.

One ancillary benefit of software-license assurance is the reduction of helpdesk overhead. Only whitelisted software needs to be supported.

Endpoint security

The goal of any anti-malware application is to prevent malicious code from running. As hard as they try, developers relying on blacklists are fighting a losing battle. Why? Blacklisting is reactive: a signature exists only after the malware has been seen, so it is ineffective against zero-day malware. Whitelisting inverts the model. By allowing only designated software to run on workstations, it denies unknown executables by default, and malware that cannot execute cannot gain a foothold. The caveat to keep in mind is that whitelisting judges what is allowed to start, not how it behaves: an exploit against a vulnerability in an approved program, or a malicious script or macro handed to an approved interpreter, runs with that program's permission. Patching and other controls still matter.
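To make the default-deny mechanism concrete, here is an added example; it is not code from the article or from any whitelisting product the article mentions. It is a minimal hash-based allowlist in Python: rules are built from a known-good image, and each execution request is judged by content hash, so a renamed approved binary still runs, a trojanised file carrying an approved name does not, and an approved interpreter is refused when handed a script that is not itself on the list. The golden-image layout, the file contents, the interpreter set and the audit-versus-enforce switch are all assumptions constructed for the demonstration.

```python
"""Default-deny application allowlisting reduced to its core decision logic.

Added example; not code from the article or from any product it mentions.
The golden-image directory, its file contents and the interpreter set are
constructed here for illustration and are not taken from the page.
"""
import hashlib
import os
import tempfile

# Approved interpreters execute whatever script they are handed, so the
# script must be on the allowlist as well (assumed set, chosen for the demo).
INTERPRETERS = {"python.exe", "powershell.exe", "wscript.exe", "cmd.exe"}


def sha256_file(path):
    """Content hash: a binary's identity, independent of its file name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(golden_dir):
    """Hash every file in a known-good image. Several versions of one
    application may coexist; each is its own rule, keyed by hash."""
    rules = {}
    for root, _dirs, files in os.walk(golden_dir):
        for name in files:
            path = os.path.join(root, name)
            rules[sha256_file(path)] = os.path.relpath(path, golden_dir)
    return rules


def evaluate(rules, exe_path, argv=(), mode="enforce"):
    """Decide one execution request. Returns (verdict, reason); verdict is
    ALLOW, BLOCK, or AUDIT (audit mode only records what enforce would block)."""
    deny = "BLOCK" if mode == "enforce" else "AUDIT"
    name = os.path.basename(exe_path)
    label = rules.get(sha256_file(exe_path))
    if label is None:
        # Default deny. A matching name is worthless: a renamed or trojanised
        # binary has a different hash and is refused all the same.
        if name in {os.path.basename(v) for v in rules.values()}:
            return deny, f"{name}: name matches an approved file, content does not"
        return deny, f"{name}: hash not on allowlist"
    if name in INTERPRETERS:
        # The interpreter is approved, but the script it is asked to run is code too.
        for arg in argv:
            if os.path.isfile(arg) and sha256_file(arg) not in rules:
                return deny, f"{label}: asked to run unapproved script {os.path.basename(arg)}"
    return "ALLOW", label


def _write(path, data):
    """Create a constructed sample file (demo fixture, not real software)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: build the allowlist from a golden image, then
    judge executables found on a workstation. Returns {case: verdict}."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        g = os.path.join(tmp, "golden")
        _write(os.path.join(g, "notepad-6.1", "notepad.exe"), b"notepad 6.1")
        _write(os.path.join(g, "notepad-6.2", "notepad.exe"), b"notepad 6.2")
        _write(os.path.join(g, "python", "python.exe"), b"cpython 3.8")
        _write(os.path.join(g, "scripts", "maintenance.py"), b"print('ok')")
        rules = build_allowlist(g)

        h = os.path.join(tmp, "host")
        good = _write(os.path.join(h, "notepad.exe"), b"notepad 6.2")
        old = _write(os.path.join(h, "np_old.exe"), b"notepad 6.1")  # renamed, same bytes
        trojan = _write(os.path.join(h, "dl", "notepad.exe"), b"notepad 6.1+backdoor")
        dropper = _write(os.path.join(h, "svchost.exe"), b"dropper")
        py = _write(os.path.join(h, "python.exe"), b"cpython 3.8")
        ok_script = _write(os.path.join(h, "maintenance.py"), b"print('ok')")
        bad_script = _write(os.path.join(h, "stage2.py"), b"import os; ...")

        out["approved_current"] = evaluate(rules, good)[0]
        out["approved_old_renamed"] = evaluate(rules, old)[0]
        out["trojanised_same_name"] = evaluate(rules, trojan)[0]
        out["unknown_binary"] = evaluate(rules, dropper)[0]
        out["interpreter_ok_script"] = evaluate(rules, py, [ok_script])[0]
        out["interpreter_bad_script"] = evaluate(rules, py, [bad_script])[0]
        out["unknown_binary_audit"] = evaluate(rules, dropper, mode="audit")[0]
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:5}  {case}")
```

Run it directly to print one verdict per case. Pure hash rules are the strictest form; every vendor patch produces a new hash that must be added before it will run, which is the maintenance burden that publisher (code-signing) and trusted-installer rules exist to reduce.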

Whitelisting also provides the following security features:

  • Storage devices: Whitelisting has the ability to securely control portable storage devices. For example, application whitelisting can audit or prevent files from being copied to or from portable storage devices.
  • Unknown files: There are times when it's imperative to identify an unknown file. Whitelisting applications have either a client or Web-based add-on to accomplish that.

Final thoughts

Well, that's the high-level view. Over the next few weeks, I'm going to dissect two of the more prominent application-whitelisting offerings and look at the major anti-malware companies, as they are starting to integrate whitelisting.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

130 comments
ishisaka

The real key to winning is variance combined with whitelisting. The issue with most whitelisting solutions is that they are fixed (keys, rules, hashes etc.). This allows the hacker to get one key to all the castles and take down not one but potentially all systems (this is where the $$$ losses occur). The best approach is to make the whitelist variable across all systems and applications. This is what Savant does. Our patented technology not only creates a variant whitelist but inherently provides complete spread mitigation regardless of the threat. The nice thing about it is the technology is passive, VERY fast and works very well with blackware. I personally think one should always use both. Whiteware is good for blocking, blackware is good for cleaning. There is no 100% security solution, but if we can keep 999 out of 1000 systems clean, companies can stop worrying and keep focusing on growth and profit. Ken Steinberg, Founder, Savant Protection

The 'G-Man.'

Everybody uses configured and built VMs. After a session the VM reverts to its original state / no changes are saved. If an app is to be added, the master VM image is updated.

Ocie3

I am. :-) An excellent start. I agree that what we will most likely eventually use is a "blended" system, which has the advantages of both whitelisting and blacklisting, but will your next series be about SNORT?

john barker

For now, but hackers will find a way; they always do. I don't think you will beat hackers till software becomes intelligent enough to know when something is wrong with it, by self-programming it to know when it's being messed with. Maybe then. john barker

Paul.Zimski

Nice overview Michael - looking forward to following your series. I think what we'll end up seeing is endpoint security suites that incorporate both antivirus (threat centric) as well as whitelisting (trust centric) approaches to try to manage and enforce how change is introduced on endpoints. Historically, most security suites have been designed around a "threat centric" approach, where the end goal was to identify and filter anything deemed to be "bad". Over time we've layered heuristics, sandboxing, fragment matching, etc., to amplify our ability to catch malware, unfortunately at the cost of false positives and sluggish performance. Nevertheless, there is value in the AV model - it's just not solving the entire problem of today's environment. Whitelisting in its raw form seeks to ask the opposite question: "Do I have a reason to trust this piece of code?" Most of the debate around whitelisting to date has been about this "pure" whitelist approach and whether or not it's better from a security perspective. Well sure, if you limit all executions of applications/code to a verified known list of good, then you've got a pretty solid methodology for preventing malware. The problem is that unless you are in a very tightly controlled environment, you've also got a terrific methodology for inhibiting your business and end user productivity. It's funny how ineffective employees are when they can't download and install the tools they need. Or, how constrained endpoint operations become when users can't deploy patches or roll out new software without first updating their whitelist. So how does whitelisting become adoptable and flexible for users, and what will its relationship with current anti-virus technologies become? Most likely what we'll see is a trust centric approach to endpoint protection which is a hybrid of these two approaches with a few new tricks.
We are going to start asking many different kinds of questions about the code that wants to run on our systems and we'll have different tolerances for how much uncertainty we're willing to live with. What kinds of questions might we ask in the future? Here are a few: Is this known bad? Is this known good? Is this unwanted? Do I trust the vendor? What program introduced it? What URL/UNC did it come from? Should this user be able to install anything? Am I licensed for this application? Depending on our appetite for risk, we'll be able to set different policies that balance flexibility and security. In very secure and static environments, a pure whitelist policy may be used: "do I have an explicit reason to trust what I see?" In dynamic, mobile environments, we may just need to trust the vendor and ensure that we can't identify that it's a virus. In the corporate network, maybe new code that can't be identified on a whitelist must be introduced by our systems management tools (a trusted program). This can still be flexible with far more protection than our current approaches to endpoint protection. Organizations will be able to determine how strict their policies should be and balance usability with security.

mr_m_sween

I've been thinking of using Microsoft's AppLocker software in a 'whitelist' capacity. Any thoughts on this, or has anyone started implementing?

abiemann

To drastically reduce the amount of malware and phishing, simply take China off the internet. P.S. Using Firefox with NoScript installed is awesome! It blocks malware and advertising; 2 in 1. Plus, as an engineer I still have control over my PC and don't need to wait for IT to install software I need NOW.

Jtempys

Will whitelists allow Flash? What about attacks against allowed software? Just another objective for hackers everywhere: how to slip past or, worse, use the whitelist to propagate attacks (e.g. we just found a new exploit for an already approved application; let's watch it run rampant because they think they are "secure"). Sounds like a good idea and all, but it is definitely not "The Way to Beat Malware"; you cannot stop terrorism totally, and you cannot stop malware totally.

JCitizen

but is not exclusive to it. This HIPS solution works pretty well until you get into DRM issues on Media Center PCs. I'm working with Comodo on this, and they say they will find a solution to the problem. Most of the time Comodo Firewall Pro looks for new programs that aren't on the whitelist and asks the user to send them in for analysis. In the past this has worked very well. I've had updates that fixed issues with my syslog program within a week or two. The other feature of their HIPS is automatic file manipulation blocking and alerting. This rarely pops up unless you are installing things, and now works so well I don't even go to installation mode when downloading new applications. This is all done without actually going in and adding the utility as a trusted application. This is great for my IT-disabled clients. I do hope they get past this latest issue however, as I had to drop them and go to the Windows Firewall on Vista x64 for now. Hey Michael!! When is Online Armor going to get a 64-bit version???

atodd1985

Good intro, a very live issue for me. Look forward to the follow-ups.

CG IT

"Approved" applications and company policies on software installs on company-owned equipment have been around for decades. Is this "whitelisting" a sales gimmick for security software like malware and antivirus programs that will only allow "whitelist" programs? Businesses already have the capability of determining what's installed and whether it's approved with programs like Microsoft's System Center Configuration Manager, as well as, in theory, Windows 7's Network Access Protection [NAP]. Personally, I just think "whitelisting" is a gimmick the security firms are using to sell their products. In the corporate world, there are already tools to track what's installed on what, but for consumers who are clueless, well, they would buy or try something purported to be able to scan their computer and find applications that are not "whitelisted". They do that already for finding viruses and malware. Run Malwarebytes and it will identify Limewire as "bad", or other file sharing programs. So what's new?

Ocie3

these statements: " .... The issues with most whitelisting solutions is they are fixed (keys, rules, hashed etc). This allows the hacker to get one key to all the castles and take down not one but potentially all systems (this is where the $$$ losses occur)." The Savant web site does not disclose much information about its product(s). Aside from the bare minimum as to what sort of system it is, just hyperbole and "contact the sales department". (My Opinion After Reading Its Pages For A While)

kenpsec

of centralized whitelisting solutions. Client-based whitelisting solutions all protect each machine from all others, as each individual machine maintains its own, unique whitelist. No need for unique keys on each machine for this to happen. Just because a HASH or other combination of HASH/Filename/Filesize gets authorized on one system does not mean that it will get authorized on all machines.

Michael Kassner

What about during the session? Lots of damage can be done.

Michael Kassner

But, I am the eternal optimist. I also will try my best to keep the Internet the amazing place that it is. I have met so many wonderful people here, like yourself.

Michael Kassner

Many experts agree with your interpretation. I do as well. Several of my questions will hopefully shed light on what you are concerned about. Other members are concerned about flexibility as well.

Michael Kassner

There is lots of malware that FF and NoScript cannot handle. That's why unlike good scotch, I think the ultimate antimalware app will be a blend.

Michael Kassner

I will ask the developers what they think. I suspect it will be a melding of all antimalware. Whitelisting just makes a lot more sense than blacklisting.

Michael Kassner

Application whitelisting takes on many different roles. But the ones I am working with do not give the user an option to opt in. As for Online Armor and 64-bit, I wish. I hear they are working on it. That's about all I know.

Michael Kassner

If you have any specific questions that you would like answered, please let me know.

Brenton Keegan

When I saw the title of this thread I had the same thoughts. This has been a general good practice in network security for years and years. This is the same reasoning we apply to deciding what traffic we allow to cross networks. "Deny all" "Allow x..." "Allow x..." No piece of software goes on my network without me looking at it and giving it the clear. Then this software is managed for version control.

SgtPappy

Limewire or other file sharing programs are not bad?

Michael Kassner

What is new is that the applications are getting better. The tracking applications you refer to, if I understand you are not the same. They are passive. Application whitelisting will not allow anything other than the prescribed applications to exist on the computer. Also what is new is that the security community is starting to come together and working on what could be considered a method to classify applications for whitelists. More on that later.

Craig_B

I'm interested in hearing more about whitelisting. Yes, the concept has been around for a while; I just think the management tools for it have improved. Whitelisting doesn't just identify and track software; I believe it's the approval database, if you will. If you try to install AppA and it's not whitelisted, it cannot be installed.

JCitizen

very smart spammers, but nonetheless! :-q

JCitizen

I like the fact that some solutions could be linked to AD policy. We were big on that at my last contract.

Jtempys

A hybrid approach that represents a cumulative aggregate of prevention seems the best approach to me. Why say whitelisting is better than blacklisting signatures, when truly the best approach would be to do both things?

wdewey@cityofsalem.net

Do you know what it is and what it does? We are not just talking about packaged applications from known vendors. Whitelisting has to track and manage all executable files and scripts or it does no good. This includes operating system files and web application files from the government agency that you have to report to, etc. Bill

Jaqui

The programs themselves are not malicious; it's the content available via them that can be. Even Windows Live Messenger, Yahoo Messenger and Skype are peer-to-peer file share programs. Society has changed because of the internet; we need to have the ability to transmit or receive files now. :\

Ocie3

system for software could be interesting. :-) Surely it could work as well or better for software as it has worked for wetware.

CG IT

and in a corporate environment users simply can't install programs they choose. Domain users can't install software unless it's advertised or published to the user. The other big question is: is whitelisting simply a marketing ploy to provide users with a false sense of security, in that "whitelisted" applications are "safe" when businesses pay to have their applications on a whitelist?

Ocie3

(1) If AppA is introduced as an .MSI file, it would be installed by Windows msiexec.exe unless the whitelisting system doesn't allow msiexec.exe to run at all. The whitelisting system could instead just require admin privileges for the user's account before it will allow msiexec.exe to run. (2) If AppA is installed by running an installation program which its developer or vendor supplies to the buyer/user, the installation program should be whitelisted, and not allowed to run if it isn't. (3) If AppA does not require any "installation" to use it (although it might alter the Windows registry at some time or another), then at least its respective executable file(s) must be whitelisted. Regardless, with all of the whitelisting systems reviewed in the InfoWorld article, all executable files of any software must be on the whitelist, regardless of how it is installed. The launch of any executable that is not on the whitelist will be blocked.

Michael Kassner

That's why experts have high hopes. Malware changes fast and whitelists don't care.

mronayne

Who exactly do you suspect of being spammers and why?

santeewelding

Both the material about application whitelisting, and the scotch. Staying tuned.

Michael Kassner

Your questions along. Hopefully they will act upon them.

Ron_007

Whitelisting can't stand alone, just as current signature-based anti-malware (blacklisting) can't. I look forward to having WL that will work on my home PC too. Some questions I'd like to see answered include (starting from the assumption that the WL app will be downloading updates to a master WL from the vendor):

  • As the local admin, I have to be able to update the WL. If we have an in-house app, I need to be able to generate signatures without sending the app to the vendor (due to corporate confidentiality restrictions). Will their software allow an admin to generate signatures?
  • I need to be able to allow more than one version of an application to be valid, as well as the opposite, limit to one specific version of an app. For example, I am currently running Office 2003, 2007 and 2010 Beta on my machine.
  • Will the WL companies be working with other vendors to co-ordinate updates? Either allow other vendors to provide updated WL signatures when they roll out patches, or have a process in place that will allow other vendors to submit new app patches/versions for signature generation before they go GA, so that the WL app will not block fixes.
  • Will there be a mechanism to check back to the WL site for signature updates when I install new apps?
  • In an enterprise setup, on the end user computers, will the WL signature DB be limited to just approved apps, or will it be a large file of all signatures that has a flag to indicate if that specific signature is allowed?

Ocie3

if a program has a security vulnerability, then there is no antimalware application -- of which I've been apprised -- that can prevent the vulnerability from being exploited if malware that can exploit it has an opportunity to exploit it. Neither is there an antimalware application that can prevent every attempt, if any at all, to exploit a vulnerability in the computer's operating system, and perhaps also not in the BIOS. That is why I run all programs that access the Internet in a Sandboxie sandbox while they do that. Sandboxie confines the installation and operation of malware, which has exploited a vulnerability in a program while it is accessing the Internet, to the sandbox. Let's hope that Sandboxie itself does not have any security vulnerabilities. ( ;-) ) If it is designed and implemented well, then a whitelisting system can prevent the installation of malware on a computer that it protects. If under some circumstance it cannot do that, then it can prevent the malware from executing on the computer at all -- unless the malware executable has been added to the "whitelist", of course. How would that happen?? Inadvertently, most likely. Many whitelisting systems allow an admin to vouch for the integrity of software -- its executable(s) -- that is already installed on the computer, thus adding it to the whitelist. But we know "To err is human, ...". With regard to the exceptions: AFAIK, the primary types of attack that a whitelisting system can stop are buffer overflows and code-injection. But it could also be created with the features of HIPS systems that prevent some other specific attacks. Some firewalls and some AV utilities offer those protections, too. There is no system that is foolproof which anybody would want to use, and the weakest link in any system is user discretion.

Michael Kassner

Those are two questions I am directing to the product teams. Do you have any other thoughts?

GavGavGav

I agree that whitelisting is potentially a much more powerful foundation on which to build an anti-malware infrastructure than blacklisting. You decide what's allowed, then you take steps to keep that stuff patched, keep other stuff out, sprinkle on some DLP, and there's your nice compliant, relatively secure corporate environment. But I suspect, as with all things, you get what you pay for. There must be vastly different levels of sophistication in whitelisting engines. Name-matching is nearly useless. Are all the .dlls or executables hashed in some manner for authenticity, to check that this latest version of Flash really is from Adobe? If so, how quickly do the whitelist vendors get the latest data to the end-user when an application is updated, and how much of that is automatic? I.e. does it now involve a lag time before Java 6 update twenty-something will be accepted as a whitelisted product and not a potentially maligned one? Then what happens if I use obscure software packages in my environment that the whitelist vendor doesn't know about? I'd assume I'd now have to have some kind of before-and-after-installation snapshot approach on a computer somewhere to 'teach' the whitelist system that *this* set of changes is okay. So I like it, but in a big environment with a lot of different software packages, some mainstream, some obscure and some developed in-house, maintenance of a whitelist system that is sophisticated enough to be useful could become a serious consideration.

Michael Kassner

I guess I was back in the either or mentality at that moment. Existing antimalware applications are needed to protect whitelisted applications, as they could have vulnerabilities.

JCitizen

very appreciative. I've been away from large enterprises so long, I've forgotten to even think that way much anymore. Thanks for your patience! I must admit, our AD and other policies always seemed to work better than enterprise solutions when I did work in that environment. Of course we used a blend of white and black listing for our web server, but that is a different story when you talk web portals, of course. Comodo does offer enterprise solutions now; but the article you linked to shows me they haven't been in that particular game long enough to be counted.

Michael Kassner

Others on this post are in agreement with you. I was thinking more along the lines of an enterprise situation. Yet, this can work for individuals if applied correctly. Thank you for your insight.

Brenton Keegan

I think a tougher challenge to overcome is the actual number of applications to keep track of. Typically this goes up with large user bases, but not always. It's easy to manage hundreds of workstations if they all have the same set of software. I believe it's very possible to set up a system that allows for tight control over what applications go where. Once you do this you are spending less time running around trying to clean up malware or applying patches.

Ocie3

is, if I recall correctly, more usable by individuals and in a SOHO environment than the large enterprise whitelisting systems that were reviewed in InfoWorld. It isn't clear to me whether Windows 7 Ultimate AppLocker can be used with just one computer. I've looked at Faronics before, and planned to pay a visit again this evening. I was thinking about using it mostly to replace the Application Behavior Blocking feature that apparently was omitted when Sunbelt Personal Firewall was merged into VIPRE Premium 4.0.

wdewey@cityofsalem.net

Malware doesn't want admin rights, it wants system rights, which can't be disabled. Once you have system then you can do anything you want, including adding users with full admin rights. Bill

Michael Kassner

I am asking how whitelists are created and maintained. It seems somewhat nebulous. Bit9 has some information, but it's mainly sales-oriented.

Ocie3

allow malware to be installed, but I doubt that it would allow the malware to run, unless somehow the malware executable(s) are on the system's whitelist. Some of the reviewed systems include blacklists, so when some malware executables are launched, they will not only be blocked because they're not on the whitelist, they will also be identified as an intruder because they're on the blacklist. As to allowing malware to be installed, some of the systems intercept JavaScript and VBScript (Bit9 Parity is one), so malware installation by using them could be prevented with such a feature.

Ocie3

that have paid anyone to have their software included on a "whitelist"??

Jaqui

in the Ubuntu config, the user has to put their login password in for elevated privileges. The problem is, they are using a "typical end user" password to gain access to full privileges. sudo [Super User DO], like the alternative doasroot, has the process invoked running under setuid as root, which is 100% unrestricted access. Generally, the use of the tools is fine; it's when the password required for using them is a weak password, commonly used for every single login the user has online, that the flaw becomes apparent. Many websites do nothing to protect passwords during login, so the "admin" password has been transmitted in the clear online. Every single distro uses these tools to run admin tools with the right privileges; it's Canonical that screwed up by not having admin access be a separate password.

ultimitloozer

By default in Win7, the administrator account is disabled. When it is installed, at least 1 account is created as an administrator account, but it does not run with full administrator privileges. When elevated privileges are required, you will be prompted to allow the privilege elevation (UAC prompt) and possibly enter the account password. With a limited account, the user would always be required to enter the password. From what I understand of the Ubuntu situation, it is "merely" an abuse of the sudo tool that rips a huge hole in the security of the entire system, and the end-user doesn't need to do anything for elevated privileges. Let me know if I am wrong with this one since I will not be able to create my Ubuntu VM for about 2 weeks yet.

Jaqui

not disagreeing with the fact that there is a lot of bad content, or that people will do stupid things to get "free" stuff. But blocking the protocols / apps totally isn't going to change anything for the better; it only makes the legitimate use of the protocols / apps harder.

CG IT

Though Rivera and Zheng created programs that could disable UAC or use the self-elevate privileges in Windows 7 Beta UAC through rundll32.exe, UAC is still far better than older operating systems in not allowing rogue applications to make changes to the base operating system to exploit code flaws. Just my personal opinion about security on Windows 7, UAC and how it's better than what was available in Windows Vista and Windows XP. Also a personal opinion that whitelisting is simply a way in which to market a security program that purports to tell the unaware consumer or user what are good vs what are bad applications/programs. Unaware consumers would buy it believing it provides them with a program that will keep them safe from "bad" programs. I can see the lawyers wringing their hands about the potential liability when the sales and marketing people tout that the security whitelist makes them safe. There will always be someone who will try and take advantage of that, either to sue to make money [hey, it was on the whitelist] or to get their malicious program on the whitelist hidden in a legitimate program. It will happen.

CG IT

and I can see a whitelist vendor thinking, torrents are risky business, let's just block 'em by default, then let the user choose. As I mentioned, if the whitelist vendor decides what's good and what's bad, who's looking at them to determine if what they say is good and bad is in fact good or bad? Or do we take it on faith that they are the experts and are not swayed by money to whitelist a program or apps that they might otherwise not whitelist? From what I have seen, there are those users who want something for free and will risk infecting their computer and losing all their data, songs, music, videos just to get a 99 cent song for free. They discount or ignore the risks, for the payoff, something for nothing.

Jaqui

except not all content in the p2p systems is criminal, nor is it all infected. http://fedoraproject.org/en/get-fedora-all has TORRENTS at the top of the list for obtaining this legal software, free. It's actually difficult to find a distro that doesn't use the BitTorrent system to distribute the free download version(s).

CG IT

and UAC stops the elevation of privileges of malware written that would try and elevate privilege. Further, with the admin account disabled by default, malware can't try and invoke it behind the scenes. Again, malware assumes users use a local admin account all the time because of the convenience factor. Windows 7 disables the admin account. It doesn't disable the admin security group. Adding a standard user to the admin security group is the same as the local machine admin account. So what does this have to do with whitelisting? Not a lot. Whitelisting, from what I've seen over the years, is someone simply saying this is a "trusted" application. Over the years software makers have tried many different things for "trusted computing". Certificates, digital signatures, and much of that hasn't worked simply because of the 80/20 law. 80% of the problem is caused by 20% of XXX. Most average consumers are educated enough to know they need antivirus, antispyware, and not to click links. Most buy software from places like Best Buy. A "Trusted Source." The 20% don't do that and go further, use programs like BearShare, Limewire, BitTorrent to get "free" stuff. They're the ones who don't care about the risks, rather want to get something for free. They are also the ones who complain the loudest, want their computers fixed for free or, if not, try to stiff you on paying. Should software be made to "protect" them? I like the concept of NAP. I think NAP should be expanded to where, like whitelisting, it can determine if a computer has software like torrents, Limewire, BearShare, or other risky software and refuse to allow them on the network. But whitelisting applications I think is a gimmick security vendors would use to sell their product, giving users a false sense of security because the security application will determine if the software is good or bad. Who says it's good or bad? And who checks up on them?

Jaqui

"as the admin account is disabled" That is not a good security feature at all. That is what Canonical did with Ubuntu: they made END USER passwords into full-privilege admin access passwords.

CG IT

domain users can't install anything. With Windows 7, malware can't invoke elevated privileges to install undetected, as the admin account is disabled by default. I guess I simply see the whitelist as a gimmick to sell "safety" in a product. With a whitelist, users will get a false sense of security because the product purports that "whitelisted" applications are safe applications, when in fact all a user has to do is "click a link", visit a bad site, or do a multitude of things that will provide malware an avenue to get in. It's possible to lock down workers' desktops to only approved web sites, only approved software, only approved anything. The banking and insurance industries have such a level of security. Their computers are on closed networks. What's a whitelist going to do for them? Then there is the question of cloud computing. Will providers demand users use particular software before they're allowed to use cloud services? Are whitelists like app stores for cell phones?

Michael Kassner

Malware to be installed. I would be concerned about malware that does not require admin rights.