Get started Bring yourself up to speed with our introductory content.

Whitelisting: Filtering for advanced malware prevention

Though it's been maligned in the past, whitelisting can be an effective tactic for filtering advanced malware attacks against enterprise endpoints.

The recent data breaches at Target, Neiman Marcus and others highlight how important it is to know with certainty what underlying processes are running on the systems processing credit card data or any enterprise endpoint that touches highly sensitive data.

Whitelisting is one way to assure that certainty. Whitelisting techniques involve the creation of a list of pre-approved or trusted applications and processes on a machine, allowing only those "known-good" applications and processes to run, and blocking everything else by default. It is the reverse of blacklisting, in which an organization creates a list of applications or processes that are not allowed to run. However, whitelisting addresses enterprise security better than blacklisting as a "default-deny" vs. "default-allow" approach. The whitelisting filtering approach can be used in every technology area an enterprise uses today. Specific types include application whitelisting, email whitelisting and network whitelisting.

With advanced malware attacks increasing and evolving every day, it's a continuous challenge for enterprises to detect them or, ideally, prevent them. Therefore, whitelisting technology can stand out as a choice for an organization looking to add a solid defense layer against evolving threats, particularly zero-day attacks that endpoint antimalware products frequently fail to detect.

In this tip, we'll examine the advantages of whitelisting, how the technology has evolved, and potential challenges with implementing whitelisting as an endpoint protection technology.

How whitelisting works

Whitelisting technology enables an organization to approve which processes are allowed to run on a given system by uniquely identifying the programs or files in the system with approved attributes, common process names, file names, publisher names, digital signatures and so on. Some vendor products cover only executable files, while other offers include scripts and macros and block a wider range of files. An increasingly popular whitelisting subset called "application control" specifically focuses on managing the behavior of endpoint applications.

It's no secret that whitelisting was once a much-maligned technology. It has historically been difficult to deploy, time-consuming to manage, and painful for project owners to deal with workers who dislike not being able to install the applications of their choice. Fortunately, the products have evolved considerably in recent years, integrating better with existing endpoint security technology to ease implementation and management, and offering quick and often automated approvals for users looking to install an app quickly. In addition, most products now provide the capability to take a system as a baseline model and generate its own internal whitelist database or provide templates that are used to set the acceptable baselines, which can also support compliance with standards like the PCI DSS or SOX.

Additionally, many security vendors are using cloud-based whitelisting solutions to maintain a large whitelist database and collect the unique known and trusted application and file types from around the world to make configuration and automated policy-based decisions more intuitive.

Whitelisting for advanced malware prevention

Let's outline the specific benefits that whitelisting provides in preventing advanced malware from infecting enterprise endpoints.

  • The technology provides protection against zero-day malware and targeted attacks because by default, any unapproved software, tools or process can't run on the endpoint. Should malware attempt to install on an endpoint with whitelisting enabled, the whitelisting technology would determine it is not a trusted program and deny it privileges to run.
  • Even if an organization doesn't want to use whitelisting to deny the installation of programs, it can be used to provide alerts. If a user accidently or unknowingly installs a malicious program or file, whitelisting can detect the policy violation and alert the respective team about the unauthorized process being running in the system so security staff can take action.
  • Whitelisting can increase user productivity and maintain the system's optimal performance. Help desk support staff may get a complaint from a user about a system running slow or unpredicted behaviors and, upon investigation, find out that spyware had made its way to the endpoint undetected and was eating up memory and processor power. This is another scenario that involves using whitelisting to detect and alert staff to unauthorized programs, and not necessarily deny them by default.
  • Whitelisting can provide complete visibility of a system in terms of what applications, tools and processes are running. So if the same unauthorized program attempts to run on numerous endpoints, the data could be used to help trace the path of an attacker.
  • Whitelisting offers protection against sophisticated memory injection attacks; the technology provides features to validate all the approved processes running in the memory and ensure those processes are not modified while running to provide protection against sophisticated memory exploits.
  • Advanced attacks often involve manipulation of legitimate applications. Whitelisting products can recognize and alert when advanced attacks involve memory violations, suspicious process behavior, configuration changes or operating system tampering.

Overcoming whitelisting challenges

Implementing a whitelisting product may seem like a challenging task initially, but well-thought-out processes and project planning based on stakeholder objectives can ease implementation considerably.

Whitelisting products allow for the creation, customization and management of a collection of centralized policies to be pushed down to endpoints. The whitelisting product's policy management console also provides the feature to create exceptions if needed and push changes to certain sets of endpoints. Due to the purpose-built architecture, policies require a process to get the changes approved before being pushed to the endpoints. This can be burdensome, especially for large organizations, but many of today's whitelisting products offer features that attempt to facilitate and streamline policy exception approval and implementation.

Some organizations also fear an inordinate amount of end-user pushback; employees often complain if one day they go from having full access to install and manage their own applications to having to ask for approval. However, enterprises can mitigate this push through employee security awareness training as well as a phased rollout during which employees are given the opportunity to provide feedback. The bottom line, though, is that end users are obligated to follow enterprise security policies, and if an organization updates its policies to include the use of whitelisting, then the user population has no choice but to comply.

In summary, enterprises should consider the use of whitelisting for managed hosts in the network. Legacy technologies like blacklisting or endpoint antivirus are simply not sufficient to detect and stop today's complex malware. By implementing the whitelisting technologies to only allow known applications and processes, enterprises can reduce risk, lower support costs and increase visibility into every network endpoint, another important layer in the ongoing effort to ensure effective defense-in-depth against advanced attacks.

About the author:
Ajay Kumar is an information security manager who has been working for a decade in the information security and risk management domain and has expertise in cyber security, identity and access management, security operations management, data protection, cloud security and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at

This was last published in April 2014

Dig Deeper on Network Access Control technologies

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.