Roger Grimes
Columnist

InfoWorld review: Whitelisting security offers salvation

Reviews | Nov 4, 2009 | 12 min read

Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st century security


Whitelisting security has always taken a backseat to blacklisting approaches. After all, when there is far more good software running on computers and networks than bad software, it’s just easier to block the bad than to approve all the good. But that was then, and this is now.

Last year, the computer security defense world quietly marked a momentous threshold that should have us all looking anew at the value of whitelisting. In 2008 the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. It’s a disturbing fact that suggests whitelisting is now more suitable as a primary security defense than traditional anti-virus scanners, which are really nothing more than blacklisting programs.

Now for some good news: Just as whitelisting may be finding a receptive audience, a number of whitelisting solutions are proving to be mature, capable, and manageable enough to provide significant protection while still giving trustworthy users room to breathe. Nor are today’s whitelisting programs limited to locking down desktops to prevent malware executions — they’re also useful for software configuration and licensing compliance and regulatory auditing.

With these benefits in mind, InfoWorld tested six enterprise-grade whitelisting programs, otherwise known as application control programs. The reviewed products include Bit9 Parity, CoreTrace Bouncer, Lumension Application Control (formerly SecureWave Sanctuary), McAfee Application Control (formerly Solidcore S3 Control), and SignaCert Enterprise Trust Services. We also tested Microsoft AppLocker, the application whitelisting feature built into Windows 7 and Windows Server 2008 R2. In all cases, testing was done using the product’s Windows clients, though three of the products (CoreTrace Bouncer, McAfee Application Control, and SignaCert) also support Linux, Solaris, or Mac OS X.

In a rare occurrence for a product comparison of this scope, all the products came out pretty well. The overall conclusion is that any of the reviewed products would help you reduce real and measurable security risk. A few are borderline excellent (scoring in the high 8s on InfoWorld’s 10-point scale), and one, Bit9’s Parity, is not only the clear frontrunner (with a score of 9.4) but a likely candidate for InfoWorld’s Technology of the Year Award. Oh, to have such choices.

InfoWorld Scorecard (10-point scale; category weights in parentheses)

Product                                 | Coverage (15%) | Administration (25%) | Accuracy/Effectiveness (30%) | Reporting (10%) | Value (20%) | Overall (100%)
----------------------------------------|----------------|----------------------|------------------------------|-----------------|-------------|---------------
Bit9 Parity Suite 5.01                  | 8.0            | 9.0                  | 10.0                         | 9.0             | 10.0        | 9.4
CoreTrace Bouncer 5                     | 9.0            | 9.0                  | 9.0                          | 8.0             | 9.0         | 8.9
Lumension Application Control           | 9.0            | 8.0                  | 8.0                          | 9.0             | 9.0         | 8.5
McAfee Application Control 5.0          | 9.0            | 9.0                  | 9.0                          | 8.0             | 8.0         | 8.7
SignaCert Enterprise Trust Services 3.0 | 9.0            | 8.0                  | 8.0                          | 8.0             | 8.0         | 8.2

New world order

In today’s world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically identify files uniquely by one or more cryptographic hashes (MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported. One caveat: MD5 is the weakest of the common choices, and practical collision attacks against it were already public by 2009, so an attacker who can get one file approved could craft a second, malicious file with the same MD5 digest. Prefer a product that records a stronger hash such as SHA-256 alongside it and never approves a file on an MD5 match alone.

Some products cover only executable files, and even what counts as an executable differs across products. Others can snapshot and block a wider range of files, including scripts and macro modules, and even write-protect any text or configuration file. The latter is useful for flagging unauthorized modifications, such as the changes that many malware programs make to the Hosts file. While most whitelisting products can block scripts, some do so only by blocking the script host or engine (perl.exe or vbscript.dll, for example), which amounts to an all-or-nothing policy, while others can block specific scripts. If you need to allow or deny specific scripts, make sure to tease out your vendor’s coverage. As noted in the individual reviews, many vendors can block specific VBScript or JavaScript scripts, but can stop other types of scripts only by blocking the interpreter.

Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don’t have to busy themselves with defining all the files they know are legitimate.
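To make the identification and decision steps concrete, here is an added example (my own PowerShell, not code from the review or from any of the vendors) that fingerprints a file the way these products do, typing it by header rather than extension, computing several digests, and reading the Authenticode signer, and then evaluates it against hash, publisher, and path rules with deny as the default. The trusted publisher string, the trusted directory, and the notepad.exe test path are assumptions for illustration.

```powershell
# Added example, not from the review or any vendor product.
# Fingerprint a file by content and attributes, then evaluate it against
# hash, publisher, and path rules with deny as the default.
# The trusted publisher string and paths below are illustrative assumptions.

function Get-FileFingerprint {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($item.FullName)

    # Type by header, not extension: PE images begin with "MZ" (0x4D 0x5A),
    # Unix-style scripts with "#!" (0x23 0x21). Everything else is data.
    $kind = 'Data'
    if ($bytes.Length -ge 2) {
        if ($bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) { $kind = 'PE' }
        elseif ($bytes[0] -eq 0x23 -and $bytes[1] -eq 0x21) { $kind = 'Script' }
    }

    # Several digests, because products index on different algorithms.
    $digest = @{}
    foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
        $h = [System.Security.Cryptography.HashAlgorithm]::Create($algo)
        $digest[$algo] = [System.BitConverter]::ToString($h.ComputeHash($bytes)).Replace('-', '')
    }

    # Publisher comes from the Authenticode signer. Caveat: on Windows 7 this
    # cmdlet does not consult security catalogs, so catalog-signed OS files
    # report NotSigned; real products check the catalog as well.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $publisher = $null
    if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path      = $item.FullName
        Size      = $item.Length
        Kind      = $kind
        MD5       = $digest['MD5']
        SHA1      = $digest['SHA1']
        SHA256    = $digest['SHA256']
        Publisher = $publisher
        SigStatus = $sig.Status.ToString()
    }
}

function Test-WhitelistPolicy {
    param(
        [Parameter(Mandatory = $true)]$Fingerprint,
        [string[]]$AllowedSha256     = @(),
        [string[]]$TrustedPublishers = @(),
        [string[]]$TrustedPaths      = @()
    )
    # Most specific rule first: explicit hash, then a valid signature from a
    # trusted publisher, then a trusted directory. No match means deny.
    if ($AllowedSha256 -contains $Fingerprint.SHA256) { return 'Allow (hash)' }
    if ($Fingerprint.SigStatus -eq 'Valid') {
        foreach ($pub in $TrustedPublishers) {
            if ($Fingerprint.Publisher -like "*$pub*") { return 'Allow (publisher)' }
        }
    }
    foreach ($dir in $TrustedPaths) {
        if ($Fingerprint.Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return 'Allow (path)'
        }
    }
    return 'Deny (default)'
}

# Usage: fingerprint notepad.exe and evaluate it against an illustrative policy.
$fp = Get-FileFingerprint -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')
$fp | Format-List Path, Size, Kind, SHA256, Publisher, SigStatus
Test-WhitelistPolicy -Fingerprint $fp `
    -TrustedPublishers @('O=Microsoft Corporation') `
    -TrustedPaths @((Join-Path $env:SystemRoot 'System32\'))
```

The rule order reflects the trade-off the products make: a hash rule is the most precise but breaks on every update, a publisher rule survives signed updates but trusts everything that publisher ever signs, and a path rule is only as strong as the ACL on that directory (if users can write to a trusted path, the rule is worthless). Note also that any file whose header is not recognized still gets a digest and a decision; the type check is there to catch a renamed executable, not to exempt anything.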

Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell’s eDirectory services.

All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with “gold standard” whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.
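As an added example of the baseline-and-drift reporting described above (my own PowerShell, not code from the review or any vendor), one function snapshots SHA-256 digests for a directory tree into a CSV baseline and another compares a later snapshot to it, reporting added, modified, and removed files plus a single drift percentage. The directory chosen for the usage section (the one holding the Hosts file) and the baseline file path are assumptions.

```powershell
# Added example, not from the review or any vendor product.
# Snapshot a directory tree into a baseline, then report drift against it.
# Paths are assumptions; take the baseline on a known-good build.

function Get-TreeHashes {
    param([Parameter(Mandatory = $true)][string]$Root)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $table = @{}
    $root  = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $stream = $_.OpenRead()
            try     { $hex = [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
            finally { $stream.Close() }
            # Key on the path relative to the root so a baseline is portable across machines.
            $table[$_.FullName.Substring($root.Length + 1)] = $hex
        }
    return $table
}

function Save-Baseline {
    param([string]$Root, [string]$BaselinePath)
    $t = Get-TreeHashes -Root $Root
    $t.GetEnumerator() | Sort-Object Key | ForEach-Object {
        New-Object PSObject -Property @{ Path = $_.Key; SHA256 = $_.Value }
    } | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

function Get-Drift {
    param([string]$Root, [string]$BaselinePath)
    $baseline = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.SHA256 }
    $current = Get-TreeHashes -Root $Root
    $changes = @()
    foreach ($p in $current.Keys) {
        if (-not $baseline.ContainsKey($p)) {
            $changes += New-Object PSObject -Property @{ Path = $p; Change = 'Added' }
        } elseif ($baseline[$p] -ne $current[$p]) {
            $changes += New-Object PSObject -Property @{ Path = $p; Change = 'Modified' }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p)) {
            $changes += New-Object PSObject -Property @{ Path = $p; Change = 'Removed' }
        }
    }
    # One number management can track over time: share of baseline files that drifted.
    $pct = 0
    if ($baseline.Count -gt 0) { $pct = [math]::Round(100 * $changes.Count / $baseline.Count, 1) }
    New-Object PSObject -Property @{ DriftPercent = $pct; Changes = $changes }
}

# Usage (assumed paths): baseline the directory that holds the Hosts file on a
# clean build, then check for drift later. An edited Hosts file shows as 'Modified'.
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
New-Item -ItemType Directory -Force -Path 'C:\baselines' | Out-Null
Save-Baseline -Root $etc -BaselinePath 'C:\baselines\etc.csv'
$report = Get-Drift -Root $etc -BaselinePath 'C:\baselines\etc.csv'
$report.Changes | Format-Table Change, Path -AutoSize
"Drift: $($report.DriftPercent)% of baseline files"
```

Two things the commercial products add that this sketch does not: the baseline itself must be protected (a drift check against a baseline the attacker can rewrite proves nothing), and the per-machine drift numbers get rolled up into the environment-wide metric the review describes.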

A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today’s regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.

Whitelisting solutions at a glance

Bit9 Parity Suite 5.01
  Pros:
    • Trust, risk, and drift ratings enable IT to monitor and report on overall security posture
    • Predefined “gold” file signatures
    • Bulk imports of previously defined blacklists
    • Excellent alerting and reporting
    • Great value
  Cons:
    • Not all script types can be individually blocked
  Client support: Windows 2000 and later
  Cost: Subscription pricing ranges from $12.50 to $30 per endpoint and $65 to $150 per server

CoreTrace Bouncer 5
  Pros:
    • Great looking GUI
    • Secure sessions between clients and management server
    • Nice handling of file updates
    • Buffer overflow protection
    • Good reporting
  Cons:
    • Doesn’t cover all file types
  Client support: Windows NT 4 SP6a and later, Solaris 7 through 10
  Cost: Typical deployment costs $39 per endpoint including volume discounts

Lumension Application Control
  Pros:
    • Broad coverage of file types
    • Predefined “gold” file signatures
    • Excellent reporting options
    • Unlimited servers at no extra cost
  Cons:
    • Management interface is a little busy
    • No digital signature rules
  Client support: Windows 2000 and later
  Cost: Subscription pricing is $13.60 per endpoint for 501 to 1,000 seats, with quantity and multi-year discounts available

McAfee Application Control 5.0
  Pros:
    • Supports Linux and Solaris clients
    • Integrated with McAfee ePO
    • Write protection and ownership protection of whitelisted files
    • Good reporting and alerting
  Cons:
    • Client is command-line only
    • Enterprise console takes extra steps
  Client support: Windows NT 4 SP5 and later, Suse Linux 9 and 10, Oracle Enterprise Linux, Red Hat Linux 3 through 5 (and CentOS), and Solaris 8 through 10

SignaCert Enterprise Trust Services 3.0
  Pros:
    • Supports Linux, Mac OS X, and Solaris clients
    • Predefined “gold” file signatures
    • Authenticity ratings
    • Extensible via XML
    • Excellent documentation
  Cons:
    • Does not natively block file executions
    • Pricier than competitors
  Client support: Any operating system that runs Java, including Windows, Linux, Mac OS X, and Solaris
  Cost: Starts at $50,000 for installations supporting up to 500 endpoints, with volume discounts available

Microsoft AppLocker
  Pros:
    • Included free with Windows 7 editions and Windows Server 2008 R2
    • Easy to configure and manage
    • Manageable through Group Policy Objects
    • Easy importing and exporting of rules
  Cons:
    • Works only with Microsoft’s latest and high-end OS editions
    • Reporting is limited to event log messages
    • Cannot easily manage every file type
  Client support: Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2
  Cost: Included in Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2

Trust and protect

Today, the best whitelisting products (including most in this review) allow administrators to define trusted updaters. For example, an administrator can add SMS, SCOM, WSUS, PatchLink, or Shavlik as a trusted updater, and anything they install will be automatically approved. This is a huge improvement.

Most whitelisting programs can be configured in either audit or enforcement mode. SignaCert is the only exception in this review: it has no built-in enforcement mode, although it can monitor any file type. In audit mode, the whitelisting program only monitors and reports file executions. In enforcement mode, any monitored file that is not explicitly approved is blocked from executing. Most vendors recommend living in audit mode for a set period of time and running reports to find out what would have been denied had enforcement been enabled.

Once enforcement mode is enabled, any execution not explicitly allowed will be blocked. It goes without saying that desktop lockdowns aren’t warmly welcomed by most end users. You’re taking away their freedom. If you use any of these products in enforcement mode, make sure you’ve spent the necessary time to define the right policies to stop malware and unauthorized programs from executing while at the same time allowing end users to do their jobs. Expect an increase in the number of help desk calls. As users begin to understand that certain applications are not allowed, the help desk calls will decrease.
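Microsoft AppLocker, the sixth product in this review, exposes exactly this audit-then-enforce progression through PowerShell, so here is an added walk-through of it (my own script, not Microsoft’s documentation and not the review’s test procedure). It assumes a clean Windows 7 or Server 2008 R2 reference build, local policy rather than a domain GPO, an elevated session, and the C:\policies output directory; the C:\tools\putty.exe test path is also an assumption.

```powershell
# Added example, not from the review or Microsoft documentation.
# AppLocker audit-then-enforce workflow on Windows 7 / Server 2008 R2.
# Run elevated. Output paths and the test executable are assumptions.

Import-Module AppLocker
New-Item -ItemType Directory -Force -Path 'C:\policies' | Out-Null

# 1. Inventory executables on a known-good reference build. This is the
#    "scan the system to generate your own whitelist" step.
$files = @(Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe) +
         @(Get-AppLockerFileInformation -Directory $env:SystemRoot -Recurse -FileType Exe)

# 2. Generate rules: a publisher rule where the file is signed, a hash rule
#    otherwise. -Optimize collapses files from one publisher/product into a
#    single rule, so later versions signed by that publisher stay allowed.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                   -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit mode: nothing is blocked, but would-be denials are logged.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save('C:\policies\applocker-audit.xml')
Set-AppLockerPolicy -XmlPolicy 'C:\policies\applocker-audit.xml'

# AppLocker does nothing at all unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. After living in audit mode for a while, pull what would have been denied.
#    Review this list by hand before approving anything in it: malware that
#    ran during the audit period shows up here too.
$audited = Get-AppLockerFileInformation -EventLog `
               -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$audited | Export-Csv -LiteralPath 'C:\policies\would-have-denied.csv' -NoTypeInformation

# 5. Merge rules for the reviewed, legitimate entries into the policy.
#    (The whole audited set is used here; in practice pass only the approved subset.)
if ($audited) {
    New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Set-Content -LiteralPath 'C:\policies\audit-exceptions.xml'
    Set-AppLockerPolicy -XmlPolicy 'C:\policies\audit-exceptions.xml' -Merge
}

# 6. Check a specific program against the effective policy before flipping the switch.
$effectiveXml = Get-AppLockerPolicy -Effective -Xml
$effectiveXml | Set-Content -LiteralPath 'C:\policies\effective.xml'
Test-AppLockerPolicy -XmlPolicy 'C:\policies\effective.xml' -Path 'C:\tools\putty.exe' -User Everyone

# 7. Enforce, but only collections that actually contain rules: an enforced
#    collection with no rules denies everything of that type, while a collection
#    left NotConfigured (Dll, Script, Msi here) allows everything of that type.
[xml]$effective = $effectiveXml
foreach ($rc in $effective.AppLockerPolicy.RuleCollection) {
    if ($rc.ChildNodes.Count -gt 0) { $rc.SetAttribute('EnforcementMode', 'Enabled') }
}
$effective.Save('C:\policies\applocker-enforce.xml')
Set-AppLockerPolicy -XmlPolicy 'C:\policies\applocker-enforce.xml'
```

Step 4 is where the help desk load the review warns about gets measured in advance: every audited event is a call you would have received under enforcement. Step 7 is also where AppLocker’s “cannot easily manage every file type” limitation bites, since each rule collection is configured and enforced independently and there is no collection at all for the wider set of file types some of the commercial products cover.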

Most whitelisting programs are smart enough to identify file types by file header rather than relying on the file extension alone. All the products reviewed let administrators find any specific file, by name or hash, anywhere it exists on any of the monitored systems. Some products even let you enter a hash before the file exists in the environment, to block a specific hacker tool or malware program ahead of time. Of course, because such blocking keys on file names or hashes, a polymorphic malware program that changes with every copy will not match. That is exactly why, from a pure security standpoint, it is better to block by default everything that is not specifically allowed.

It’s important to understand that whitelisting programs cannot stop every program or piece of malware from executing. First, it’s not uncommon for malware to use legitimate, already-approved software to do its dirty work. For example, the MS Blaster worm used Windows’ built-in TFTP client (tftp.exe) to copy itself from computer to computer. Macro viruses run inside approved host programs such as the Office applications, so a whitelist of executables does nothing to stop them. Second, whitelisting programs often have difficulty blocking programs that run inside managed runtimes such as Java or .Net, although all of the products in this review claim to handle the individual hosted applications correctly.

Most whitelisting programs cannot stop a buffer overflow exploit itself; they concentrate on denying the payload executable that almost always results. Nevertheless, both CoreTrace and McAfee did an excellent job of blocking buffer overflows in my testing. CoreTrace Bouncer even stopped a buffer overflow program that was started before the whitelisting program was enabled.

See the features table to compare client support, file type coverage, and other features across all of the solutions.

Layer 8 considerations

Administrators trying to implement a whitelisting program across a large organization should make sure to have senior management’s buy-in. Once you start taking away users’ “freedom,” the complaints will start coming. I’ve yet to see an administrator turn on enforcement mode, even after weeks of application inventorying, without some mission-critical application that escaped detection being temporarily interrupted. IT shops using application control must be immediately responsive to customer needs and requests.

One of the biggest unexpected side effects of using a whitelisting program in enforcement mode is lower support costs. Companies that are able to lock down desktops have significantly fewer troubleshooting events and rebuilds. Although some users will complain about their inability to install anything they like, the lockdown also means that users won’t install nearly as much malware, and that, along with the savings in support costs, usually translates well to senior management.

Most companies will want to define emergency and ad hoc approval processes so that requested software can be whitelisted and allowed to run as quickly as possible. No one wants to tell the CEO that he has to wait a week for his new golf game or stock trading program to get approved. Some environments enable enforcement mode only on problematic users with a history of abuse, while running auditing mode for everyone else. Every company should create baselines from images and programs their users are supposed to be running, and use the whitelisting solution’s reporting feature to track deviations and drift.

This review ranks the whitelisting programs based upon overall functionality, including the file types and operating systems they cover, accuracy and effectiveness against policy violations, administration (how hard was it to configure and manage), reporting (including alerting), and overall value. As noted above, all of the reviewed products performed well. There are many good choices here, and the real challenge is in picking a product that has the best feature set for your environment. One product, Bit9’s Parity, rose to the top and should be included in anyone’s consideration list.

Read the individual reviews:

Application whitelisting review: Bit9 Parity Suite
Bit9 Parity 5.0 shines brightest among whitelisting competitors with strong protection and useful risk metrics

Application whitelisting review: CoreTrace Bouncer
CoreTrace Bouncer 5 provides first-rate application control with a few unique features

Application whitelisting review: Lumension Application Control
Lumension Application Control is a competitive product with a number of standout features and one significant omission

Application whitelisting review: McAfee Application Control
McAfee’s whitelisting protection for Windows, Linux, and Solaris is short on shortcomings

Application whitelisting review: SignaCert Enterprise Trust Services
SignaCert is great for monitoring compliance with application and configuration policies, but it lacks built-in blocking

Application whitelisting in Windows 7 and Windows Server 2008 R2
Microsoft’s AppLocker is limited compared to third-party options, but you can’t argue with the price


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
