Application whitelisting is a viable option when you can leverage software signing

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Thirty years ago IBM launched the XT5160 -- the first hard drive DOS-based PC. But the computer virus, nowadays so seemingly tied to the PC, actually appeared almost a decade earlier. It took until 1986 for these two threads to come together, when the first PC virus, Brain, was born. By 2000, networks were spreading and so were worms like ILOVEYOU, which was considered one of the most damaging.

Today we still fight viruses and worms, but the scale of the problem has changed (some efforts are backed by nation-states) and many attacks are now targeted at specific companies, machines, types of infrastructure or geography. Luckily application whitelisting tools that leverage software signing can help contend with the evolved threat.

While virtually all companies today use antivirus programs, these tools rely on a snapshot of the signatures of the bad stuff, so they don't know what they don't know. When there is a new threat with no known signature, it will be allowed to run. This is why some targeted attacks are so successful.

Application whitelisting tools, on the other hand, have two parts. First, a snapshot of the computer is made which contains signatures for all the programs, operating system elements, drivers, etc. Second, an agent is installed which checks everything just before it runs to make sure it was in the original snapshot. Even though this technique still uses signatures, it has the major advantage of being able to block unknown code and prevent what is now known as "zero-day threats."

Application whitelisting

So why do we still have to put up with antivirus tools when we have application whitelisting? Both techniques use signatures (in part), and signatures need to be generated and managed, a task that has become increasingly onerous.

The amount of bad stuff grows daily, and some antivirus signature files today contain in the region of 20 million signatures. And when it comes to taking a snapshot of a PC for whitelisting, a signature file for a standard operating system such as Windows XP Professional will contain something like 50,000 signatures.

By solving the problem of signature management, so that systems can be controlled by an organization's own signature files and those of trusted third parties, much of the administrative overhead is removed, and with it the main reason application whitelisting is not as widely adopted as logic would suggest it should be.

Most companies hope they never see any bad stuff and have no expertise in the dark science of understanding them. So it is sensible that both the generation and updating of antivirus signatures be "outsourced" to the experts, and that is how the industry has developed.

Application whitelisting appears to require the opposite approach. Because each organization's PCs are unique, the organization itself would be required to both generate and update the signatures of the good stuff. This might take quite a lot of time and effort -- and appears counter to the current trend of increasing amounts of IT outsourcing. There is also the issue of diversity to handle. With antivirus the same signature file can be applied to every machine, but with application whitelisting the worst-case scenario is that the signature file of every PC is different.

Luckily, whitelisting tools can leverage the concept of software signing, which is becoming commonplace. These signatures contain metadata such as the software author, a checksum to verify that the object has not been altered and versioning information.

Signing involves a process using a pair of keys, similar to SSL or SSH sessions. The private key used to sign the code is unique to a developer or company. These keys can be self-generated or obtained from a trusted certificate authority (CA). When the public key used to authenticate the code signature can be traced back to a trusted root CA using secure public key infrastructure (PKI), then you know that the code is genuine: it was signed by the holder of that private key and has not been altered since.

We see this most commonly today in environments where the source of a given piece of code may not be immediately evident -- for example a Java Web Start application accessed from your browser.

In the context of application whitelisting, the most interesting use of signed code is to provide updates and patches for software. Most OS manufacturers now provide signed updates to ensure that bad stuff cannot be distributed via the patching system.

This same signing process can now be used by application whitelisting solutions. The agent which checks everything just before it runs clearly trusts the signatures generated for that PC in the first place (especially if they have been signed in a way similar to the above). But the trust model can be extended to include other signing authorities.

This means it would now be possible to have a Windows PC which has the trust model extended to include, say, Microsoft, Adobe and a whitelisting supplier, so it can now self-update without any need to manage the signatures in-house. Effectively the management of the signatures of the good stuff has now been outsourced in much the same way as for antivirus.
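The agent's decision from the two paragraphs above, as an added example in Go that is not from the article or from Cryptzone: a file is allowed if its SHA-256 hash is in the baseline snapshot, or if its detached signature verifies under a certificate that chains to a trusted code-signing root. The "Vendor Root CA", the "Vendor Updater" certificate and the three file contents are constructed here to stand in for an OS or application vendor's real signing PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Allow is the agent's pre-execution check: a file runs if its hash is in the baseline snapshot or a trusted code signer vouches for it.
func Allow(snap map[string]bool, roots *x509.CertPool, file, sig, signerDER []byte) bool {
	sum := sha256.Sum256(file)
	if snap[fmt.Sprintf("%x", sum)] {
		return true // known-good: present in the original snapshot
	}
	cert, err := x509.ParseCertificate(signerDER) // unsigned files carry no signer and stop here
	if err != nil {
		return false
	}
	// Signer must chain to a trusted root and be a code-signing cert, and the signed checksum must match the file.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, sum[:], sig)
}

// Demo (constructed, not a real vendor's PKI) returns verdicts for a baselined file, a signed patch and unknown unsigned code.
func Demo() (baselined, signedPatch, unknown bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Vendor Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	root, _ := x509.ParseCertificate(rootDER)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the one outside authority this agent trusts besides its own snapshot
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Vendor Updater"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	devDER, _ := x509.CreateCertificate(rand.Reader, devTmpl, root, &devKey.PublicKey, rootKey) // issued under the root
	known, patch, rogue := []byte("constructed: baselined binary"), []byte("constructed: vendor patch"), []byte("constructed: unknown code")
	snap := map[string]bool{fmt.Sprintf("%x", sha256.Sum256(known)): true}
	p := sha256.Sum256(patch)
	sig, _ := ecdsa.SignASN1(rand.Reader, devKey, p[:]) // detached signature shipped with the patch
	return Allow(snap, roots, known, nil, nil), Allow(snap, roots, patch, sig, devDER), Allow(snap, roots, rogue, nil, nil)
}
func main() { fmt.Println(Demo()) } // prints: true true false
```

A self-signed certificate that is not in the root pool fails the same `Verify` step as the unsigned file, which is what keeps the extended trust model limited to the authorities the organization has chosen.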

With certificate-based application whitelisting we have a way of replacing antivirus without imposing a significant time/management overhead.

The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk. We bring together the people, processes and technology to mitigate information security risks identified in the key areas of Policy Compliance, Content Security, Secure Access and Endpoint Security. Headquartered in Sweden, the company has offices in the UK, USA and Poland, as well as an extensive partner network with more than 150 global partners. For more information about the company and its solutions, visit

Stories by Jamie Bodley-Scott, account director, systems integrators, Cryptzone