Application whitelisting (AWL) is a proactive way to mitigate targeted cyber intrusions, as opposed to the traditional blacklisting approach used by anti-virus software, which blocks applications that are known to be malicious. Here are a few misconceptions about AWL.
Windows AppLocker can do the job
AppLocker can perform whitelisting to a limited degree, but it must be configured correctly. Here are some important points to remember when using AppLocker:
- Local administrators are exempt from AppLocker by default.
- Administrators can disable AppLocker using group policy modification.
- AppLocker does not support hash-based application whitelisting.
Application whitelisting is too difficult to manage
On a typical operating system there are hundreds of thousands of files, many of which change dynamically on the fly, so managing them can seem a burden that outweighs the security benefits. Today's application whitelisting software can track the execution and blocking of executable files within a network environment and collect the file hash values and metadata, which can then be used to search the central database.
The administrator's main task is to manage what is and isn't on the whitelist, and with the latest software the whitelist can be created by capturing hash values. Because the whitelist is created on site, with no cloud access, it cannot be copied. A hash-based solution gives the administrator a simple way to create the whitelist, and a user-friendly interface lets administrators manage the whitelisting process effectively.
Application whitelisting slows the system down
A common misconception is that every user must wait for permission before executing any file; with the latest versions, users can be allowed to make limited changes themselves. The whitelist database resides on the endpoint, so there is no need to clog up the network with database requests.
Application whitelisting prevents developers from working
Software developers regularly create and run executable files, and since these are exactly the files the whitelisting software monitors, it could cause many problems if every new file had to be whitelisted before it could run. The solution is to allow the developer's tools to create and run executable files, so the developer can work without interruption.
Application whitelisting does not work with anti-virus programs
This is untrue; it is recommended to use both blacklisting and whitelisting. Traditional anti-virus software will block any known malicious code that may have found its way onto the whitelist, while the whitelist protects against zero-day attacks that use never-before-seen code, which eludes most anti-virus programs because the code is not recognised by the virus definition database.
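The following is an added illustration, written for this article rather than taken from it or from any whitelisting product, of the three mechanisms discussed above: a whitelist built on site by hashing a known-good directory, a blacklist check layered on top so that known-bad code is still stopped even if it reached the whitelist, and a rule that lets a trusted developer tool enrol the executables it produces. The blocked-file log records the hash and file metadata, as the article describes for central searching. All files, the trusted tool path /usr/bin/cc and the trusted-tool rule itself are constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALLOWED = "allowed"
BLOCKED_UNKNOWN = "blocked: not on whitelist"
BLOCKED_KNOWN_BAD = "blocked: matches malicious signature"


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class AllowlistEngine:
    """Hash-based whitelist with a blacklist check on top and a log of blocked files."""
    allowed_hashes: set = field(default_factory=set)
    known_bad_hashes: set = field(default_factory=set)  # stands in for the anti-virus definition database
    trusted_tools: set = field(default_factory=set)     # hypothetical rule: tools whose output is auto-enrolled
    block_log: list = field(default_factory=list)

    def enroll_directory(self, root):
        """Create the whitelist on site by hashing every file under a known-good directory."""
        enrolled = 0
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                self.allowed_hashes.add(sha256_file(os.path.join(dirpath, name)))
                enrolled += 1
        return enrolled

    def on_file_written(self, writer_tool, path):
        """Enrol a freshly written executable only if its producer is a trusted developer tool."""
        if writer_tool not in self.trusted_tools:
            return False
        self.allowed_hashes.add(sha256_file(path))
        return True

    def check_execution(self, path):
        """Blacklist first (catches known-bad code even if it reached the whitelist), then whitelist."""
        digest = sha256_file(path)
        if digest in self.known_bad_hashes:
            verdict = BLOCKED_KNOWN_BAD
        elif digest in self.allowed_hashes:
            return ALLOWED
        else:
            verdict = BLOCKED_UNKNOWN
        st = os.stat(path)  # metadata kept alongside the hash for later searching
        self.block_log.append({
            "path": path, "sha256": digest, "size": st.st_size, "verdict": verdict,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        })
        return verdict


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Run the engine over constructed files in a temporary directory and return each verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "approved", "app.exe")
        _write(approved, b"constructed approved binary v1")
        stale = os.path.join(tmp, "approved", "stale.exe")
        _write(stale, b"constructed binary later found to be malicious")
        unknown = os.path.join(tmp, "downloads", "dropper.exe")
        _write(unknown, b"constructed never-before-seen binary")
        dev_build = os.path.join(tmp, "build", "a.out")
        _write(dev_build, b"constructed freshly compiled binary")
        rogue_build = os.path.join(tmp, "build", "b.out")
        _write(rogue_build, b"constructed binary from an untrusted writer")

        engine = AllowlistEngine(trusted_tools={"/usr/bin/cc"})  # hypothetical trusted compiler path
        enrolled = engine.enroll_directory(os.path.join(tmp, "approved"))
        # A signature update arrives after stale.exe was already whitelisted.
        engine.known_bad_hashes.add(sha256_file(stale))
        engine.on_file_written("/usr/bin/cc", dev_build)
        engine.on_file_written("/tmp/unknown_tool", rogue_build)

        return {
            "enrolled": enrolled,
            "approved": engine.check_execution(approved),
            "stale": engine.check_execution(stale),
            "unknown": engine.check_execution(unknown),
            "dev_build": engine.check_execution(dev_build),
            "rogue_build": engine.check_execution(rogue_build),
            "blocked": len(engine.block_log),
        }
```

Calling demo() shows the approved binary and the compiler's output running, while the never-before-seen dropper, the untrusted writer's output and the whitelisted-but-now-known-bad file are all blocked, each with its hash and metadata recorded. The blacklist check runs before the whitelist lookup on purpose: that ordering is what lets the two approaches cover each other's gap.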
Application whitelisting causes CPU overload
In fact it is the traditional blacklisting programs that demand the most CPU resources: each file must be compared against the thousands of malicious files in the virus definition database every time it is opened, whereas with whitelisting the file is only looked at once. An anti-virus program that is running will constantly demand resources as it scans its database for matches against files that wish to execute.
Application whitelisting is recognised as the best way to prevent malicious code attacks, and with the latest software solutions it is easy to use and does not inhibit the user.