Is whitelisting a practical final line of malware defense?

Discussion in 'other anti-malware software' started by Kernelwars, Sep 4, 2010.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Yeah, who needs default-deny when you have virtualization? I have Sandboxie, IF you somehow manage to run (I tweak the run/internet options so it isn't likely), you won't run for long.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Unfortunately, in my case I don't have the system resources to run virtualization (i.e. VMware, VirtualBox).
    Sandboxie is good, but both are not really my cup of tea. :-*
     
    Last edited: Sep 5, 2010
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I do I do
    I use default deny, LUA, AND Sandboxie :thumb: :thumb:
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Cool, thanks :D
    Do they open up all drives for execution? I only want to open up C:

    There is another, better option. Before install, I set enforcement to only LUA accounts, and after install set enforcement to all. Any bat files for that?
     
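As an added example (not posted by anyone in this thread), here is a batch file that does the switch wearetheborg asks about. SRP stores its enforcement scope in the registry under the CodeIdentifiers key as the PolicyScope value: 1 means "all users except local administrators" (so only LUA accounts are enforced), 0 means "all users". The script assumes an elevated command prompt and an SRP policy that is already configured; the path rules that decide which drives are opened up are a separate setting and are not touched here.

```batch
@echo off
REM Added example, not from the thread: toggle the SRP enforcement scope.
REM   srp-scope.bat lua   -> PolicyScope=1, enforce on LUA accounts only
REM   srp-scope.bat all   -> PolicyScope=0, enforce on every account
REM   srp-scope.bat show  -> print the current scope
REM Assumes an elevated prompt; SRP rules themselves are left unchanged.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

if /i "%~1"=="show" goto :show
if /i "%~1"=="lua"  set SCOPE=1
if /i "%~1"=="all"  set SCOPE=0
if not defined SCOPE (
    echo Usage: %~nx0 lua ^| all ^| show
    exit /b 2
)

REM Write the scope. Fails (errorlevel 1) when not running elevated.
reg add "%KEY%" /v PolicyScope /t REG_DWORD /d %SCOPE% /f >nul
if errorlevel 1 (
    echo Failed to write PolicyScope - run this from an elevated prompt.
    exit /b 1
)
REM Refresh policy so the new scope applies to processes started from now on.
gpupdate /force >nul

:show
REM reg query prints "PolicyScope  REG_DWORD  0x1"; token 3 is the value.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v PolicyScope 2^>nul ^| find "PolicyScope"') do set CUR=%%v
if not defined CUR (
    echo PolicyScope is not set - SRP may not be configured on this machine.
    exit /b 1
)
if "%CUR%"=="0x0" (
    echo SRP enforcement scope: all users
) else (
    echo SRP enforcement scope: all users except local administrators
)
endlocal
```

Run it as `srp-scope.bat lua` before installing and `srp-scope.bat all` afterwards; while the scope is `lua`, anything launched from an administrator account bypasses SRP entirely, so keep that window short.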
  6. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    I didn't mean every trustworthy app would need to be whitelisted, only the common ones from each and every software category.
    I imagine this whitelist would serve the majority pretty well and it'd be a small fraction of the size of the average blacklist. The average blacklist right now is what, 3 million or so sigs in size?
    I'm confident the type to run the more obscure apps are perfectly capable of giving the green light on their own.
    Definitely agree with the potential for favoritism argument.
     
  7. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    A good product using whitelisting and blacklisting for very effective protection is BluePoint Security.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I think Comodo is doing this, I guess :)
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Final = no

    First = yes

    Essential, I would say from experience; can't beat it = :thumb:
     
  10. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    @Kernelwars

    Whitelisting does not mean a default-deny approach.
    So to answer your question... NO. :thumbd:

    Default-deny is always the FIRST line in my setup.
    For the FINAL line, a BACKUP strategy is still the best for me!
     
    Last edited: Sep 5, 2010
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In itself whitelisting is a good line of defense; whether it is practical depends on the usage profile of the person or persons using the computer.

    There are several ways to implement whitelisting: based on an executable footprint database (e.g. AE, Spyware Terminator), based on signing and trusted vendors (e.g. AppLocker, Online Armor), and based on location (e.g. LUA with SRP).

    Regards
     
  12. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I tested ProcessGuard with the same code above running as a bat file (autorun is disabled in my setup). True enough, PG can be configured to block rundll32.exe from executing early on.

    But against those 2 PoCs, the link-type vulnerability and the DLL load hijacking, PG failed in intercepting DLL loading on both accounts. But what can a malicious DLL loading do, load a driver? PG can block it. But it can't block low-level disk access.

    It was already known, as documented in CastleCopsWiki's "HIPS - Comparison", that PG has no control over DLL loading.
     
    Last edited: Sep 6, 2010
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Agree with you, that's not the final one... But for me it's first and final both.

    Though I also have backup strategies too, I mostly rely on default-deny... :)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for that comment. When I wrote the above, I recalled someone in that long thread posting a screen shot of PG intercepting the DLL loading. I must have misinterpreted what was going on.

    I don't know if I can find that particular post - I think it was by CloneRanger.

    -rich
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    No problem. Taking that aside...
    Wonderful postings as ever. Thanks! :)

    Addendum/Erratum to my previous post (off topic): Can the last version of the abandonware PG prevent the loading of drivers of some rootkits? As this thread showed, the old version of PG can't... https://www.wilderssecurity.com/showthread.php?t=174012
     
    Last edited: Sep 7, 2010
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Practical? Depends on who is sitting in front of the PC...
    Final line of malware defense? Depends on your overall setup...it can be the 1st line too

    But if you were to ask this instead:
    Yes it is...
     
  17. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Absolutely love your post.. :argh: :thumb:
     