Whitelisting: Is It Good Enough To Replace Anti-Virus?

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

An approved list of apps, or whitelist, is flavour of the month in security. But vendors and alanlysts question whether it can be a panacea

Whitelisting is good for ATMs, not so good for humans

While it’s relatively easy for an administrator to build a whitelist for a locked-down server with popular apps, it is much more difficult for a typical corporate or home PC user, argued Carey Nachenberg, a Symantec Fellow with the company’s security technology and response team.

“Users install millions of legitimate applications every day from literally hundreds of thousands of software vendors,” he noted. “Thus, it’s all but impossible for the average company, or for that matter even most security vendors, to maintain a comprehensive, up-to-date whitelist.”

Fighting malware, he continued, takes a hybrid approach that uses blacklisting and whitelisting, a strategy Symantec is calling “reputation-based security.”

“Just as consumers use ratings on Amazon.com to glean information for their shopping choices, we believe that application and URL reputation – derived from the wisdom of our tens of millions of opt-in customers – will ultimately help us identify and rank these millions of “long-tail” applications, both good and bad, that would otherwise be missed by both whitelisting and blacklisting approaches,” he said.

McAfee meanwhile just acquired SolidCore Systems a few weeks ago, which specialised in whitelisting technology for POS devices. According to statements by the company at the time, the purchase was in part meant to combine SolidCore’s dynamic whitelisting and real-time file integrity monitoring with the security and compliance management capabilities of McAfee ePolicy Orchestrator.

It’s not either-or

In the end, it is not an either or situation for organisations, Gartner analyst John Pescatore opined: “What it really comes down to is needing both – block known bad with the same engine that allows only known good,” he said. “That will still be reactive – there will always be a “graylist” of apps/executable/browser helper objects/applets/ActiveX/Javascript/etc that aren’t on either list. That’s where application control approaches… are needed to deal with the increasing problem of the greylist.”