Malicious software is a disease, and the conventional-wisdom remedies of diligent patching, anti-virus deployment and user education haven't proved potent enough to bring about a cure.
Enter application whitelisting, a different approach to the problem of securing Windows clients. Application whitelisting has been around for a while now, but has gained new currency over the past several months, with industry leaders such as Cisco Systems Chief Security Officer John Stewart pointing out the limitations and the expense of current anti-malware strategies.
Application whitelisting, which is also known as application control, contrasts with the blacklisting approach embodied by typical anti-virus products. Rather than track and quarantine harmful bits, whitelisting involves barring all but approved executables from running on a given machine.
Based on eWEEK Labs research and testing on the current crop of application whitelisting products, we suggest that administrators charged with keeping Windows-based PCs secure from malware further evaluate where whitelisting can fit into their security strategy, either to complement, or perhaps to replace, their existing anti-virus investments.
What's Wrong with the Status Quo?
Prompt software patching and diligent user education efforts form the foundation of any successful security strategy. However, in the face of zero-day vulnerabilities and cleverly targeted social engineering schemes, up-to-date applications and savvy users aren't enough to keep your desktops secure.
The most common complement to patching and education is an application blacklisting approach implemented through anti-virus software installed on every desktop machine. Anti-virus as a security measure is so well ingrained in the desktop world that Windows installations throw up a warning message if anti-virus software is not installed, and the PCI DSS (Payment Card Industry Data Security Standard) specifically mandates the use of anti-virus software on machines through which credit card data passes.
However, anti-virus applications, which work either by blacklisting known bad software or by actively scanning systems for suspicious behavior, come with significant drawbacks and cannot block all attacks. For instance, there's considerable system overhead associated with scanning, and the frequent signature updates required to keep anti-virus applications in good working order can be difficult to maintain. These factors can prove particularly onerous on the often aged systems that run point-of-sale applications at PCI-regulated organizations.
Even for systems with enough resources to shoulder scanning overhead, as well as the connectivity and availability to receive frequent anti-virus signature updates, these security products are reactive in nature and lack potency regarding new or tightly targeted threats not yet included in the anti-virus vendors' signature databases.
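The default-deny versus default-allow distinction described above, as an added illustration that is not part of the eWEEK article or any product it reviews: a hash-based allowlist decision beside a signature-style blocklist decision, run over constructed byte strings standing in for executables. The sample names and the two policy sets are assumptions made up for the demonstration.

```python
import hashlib

# Constructed stand-ins for executable images (not real binaries).
SAMPLES = {
    "approved_app": b"MZ...line-of-business-app-approved-by-admin",
    "known_malware": b"MZ...sample-already-in-the-vendor-signature-db",
    "novel_malware": b"MZ...zero-day-sample-no-vendor-has-catalogued",
}


def sha256(image: bytes) -> str:
    """Content hash used as the identity of an executable image."""
    return hashlib.sha256(image).hexdigest()


# Allowlist: hashes of the executables an administrator has approved.
APPROVED_HASHES = {sha256(SAMPLES["approved_app"])}

# Blocklist: hashes of malware the anti-virus vendor has already catalogued.
SIGNATURE_HASHES = {sha256(SAMPLES["known_malware"])}


def allowlist_decision(image: bytes) -> str:
    """Whitelisting: run only what is approved; everything else is blocked."""
    return "allow" if sha256(image) in APPROVED_HASHES else "block"


def blocklist_decision(image: bytes) -> str:
    """Blacklisting: block only what matches a signature; everything else runs."""
    return "block" if sha256(image) in SIGNATURE_HASHES else "allow"


def compare_policies(samples: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Map each sample name to (allowlist verdict, blocklist verdict)."""
    return {
        name: (allowlist_decision(image), blocklist_decision(image))
        for name, image in samples.items()
    }


if __name__ == "__main__":
    for name, (wl, bl) in compare_policies(SAMPLES).items():
        print(f"{name:15s} allowlist={wl:5s} blocklist={bl}")
```

The novel sample is the point of the comparison: the blocklist has no signature for it and lets it run, while the allowlist blocks it without needing an update.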