Will the Antivirus Market Be Challenged or Complimented By Whitelisting?

Application whitelisting is being talked up by everyone from pure-play vendors like CoreTrace to larger security vendors like McAfee and Symantec. But while many say a hybrid blacklist/whitelist approach is needed, CoreTrace is positioning itself as an alternative to blacklist-based anti-virus.

There has been plenty of talk in the past year or so among anti-virus vendors about the usefulness of application whitelisting. But when it comes to the question as to whether or not the technology can replace anti-virus, the subject gets a bit stickier.

Whitelisting allows a list of approved files to be used on a particular machine, the idea being that rogue or suspicious applications would be automatically blocked. The concept is not new, but of late has attracted more attention from vendors such as Symantec and McAfee as the amount of rogue applications being created continues to surge.

Pure-play whitelisting vendors such as Bit9 and CoreTrace have taken the attention as market validation. But according to Wes Miller, director of product management at CoreTrace, whitelisting is more than just a compliment to anti-virus - it is the solution to thwarting malware attacks.

To back up his claim, the company is touting the upcoming version of its BOUNCER product, which works to protect memory in two ways. First it prevents a non-whitelisted dll placed in memory from infecting a whitelisted process. In addition, it offers kernel memory write protection designed to prevent a buffer overflow from tampering with the Windows kernel and starting an illegitimate process. The two features work together to improve protection versus traditional payload-only whitelisting, Miller said.

"Whitelisting isn't just an important component, it's the key," he said. "Using application whitelisting as the primary enforcement mechanism, all threats are proactively stopped, and blacklisting can be used in a manner that is more fitting of a reactive solution. In short, yes, we believe whitelisting can stand alone, as many of our customers actually do just that."

Still, whitelists have to deal with all the unknown apps out there, of which there is no shortage. Many of these are legitimate applications that are specific to certain markets or geographies, or custom applications developed for use within a company, 451 Group analyst Paul Roberts said. While whitelisting may be effective for ATMs, point-of-sale (POS) terminals and other single-purpose devices that shouldn't run anything other than the software that allows them to perform their function, it may not translate as well for other machines, he said.

"It's not a model that works easily with the typical enterprise laptop/desktop, where users want the freedom to add new tools or software they need to do their job," Roberts said. "Whitelisting is still a tough sell for many enterprises that are worried about the support hit they'll take, about hampering productivity or, even worse, pissing off C-level folks. The frustration with existing, signature based detection is making it more attractive, but I'd say its appeal is still primarily with POS and other kinds of focused deployments."

While it's relatively easy for an administrator to build a whitelist for a locked-down server with popular apps, it is much more difficult for a typical corporate or home PC user, argued Carey Nachenberg, a Symantec Fellow with the company's Security Technology and Response team.

"Users install millions of legitimate applications every day from literally hundreds of thousands of software vendors," he noted. "Thus, it's all but impossible for the average company, or for that matter even most security vendors, to maintain a comprehensive, up-to-date whitelist."

Fighting malware, he continued, takes a hybrid approach that leverages blacklisting and whitelisting, a strategy Symantec is calling "reputation-based security."

"Just as consumers use ratings on Amazon.com to glean information for their shopping choices, we believe that application and URL reputation - derived from the wisdom of our tens of millions of opt-in customers - will ultimately help us identify and rank these millions of "long-tail" applications, both good and bad, that would otherwise be missed by both whitelisting and blacklisting approaches," he said.

McAfee meanwhile just acquired SolidCore Systems a few weeks ago, which specialized in whitelisting technology for POS devices. According to statements by the company at the time, the purchase was in part meant to combine SolidCore's dynamic whitelisting and real-time file integrity monitoring with the security and compliance management capabilities of McAfee ePolicy Orchestrator.

In the end, it is not an either or situation for organizations, Gartner analyst John Pescatore opined.

"What it really comes down to is needing both - block known bad with the same engine that allows only known good," he said. "That will still be reactive - there will always be a "graylist" of apps/executable/browser helper objects/applets/ActiveX/Javascript/etc that aren't on either list. That's where application control approaches...are needed to deal with the increasing problem of the graylist."