Is whitelisting a practical final line of malware defense?

I would like to know what the security minded ppl here think.. If you think whitelisting is the way to go plz provide what kind of whitelisting products you recommend...

 

you mean default-deny? yes it is the best!!

I use Standard User/SRP: Disallowed by default and UAC.
Windows 7 two-way firewall.

 

IMO Default Deny is the only final line of malware defense .... But for me its the Front/First line of defense, i mostly rely on my AppLocker policy .. I can;t imagine my system without it ....

 

Practical? I think that depends completely on what the user wants/needs to do. For me, practical isn't even close. But, I don't even like LUA, so that should say something, lol. In all seriousness, yes, it's effective, and if you can put up with it, I suggest it. If you're the type that prefers to tell your machine what to do, and not the other way around, well, it may not be a very fun experience for you, good security or not. I choose usability over security, and go figure, I've never been hit with anything my "weak and useless" (to some folks) AV couldn't handle.

 

Whitelisting is very good security approach but becomes more effective with blacklisting.

 

+1

 

There is whitelisting which is simply not practical in its purest form, there is blacklisting, which offers limited protection. And that leaves a very long tail of "unknowns". The problem is described in the video

http://community.norton.com/t5/Nort...tection-Reputation-based-security/ba-p/126699

Start at 52 seconds into the video.

Shane.

 

For me, default-deny or whitelisting has been completely effective and practical. Whether it's a viable option for you depends on how you use your PC, how many others use it, and what you want them to be able to do. The whole purpose of default-deny is to keep your system the way it is. If your PC is equipped the way that you want it and does all you need, default-deny might be a viable option. If you're one who tries out new apps regularly or likes to change things on a regular basis, whielisting would be a major inconvenience. Default-deny will usually make auto-updating of AVs, applications, or Windows itself difficult or impossible. If you want updating to be done automatically, it's not an option you'll like.

The strength of whitelisting or default-deny is that only what you specify is allowed to run. Anything not approved by you isn't allowed to execute or will require administrative approval. The primary weakness of default-deny is the exact same thing. You have to specify what is allowed to run. That requires you to know what has to run to perform the tasks you want this PC to do. It also requires that you know which system executables you don't want to run during normal, non-administrative uses. How well default-deny works is completely dependent on you and how well you understand the working of your system.

 

I agree, I could'nt imagine my system without a strong, classical HIPS ", default deny and allow for except ".

 

agree about Default Deny for all of you who thinks it's the way to go you are correct

 

Great explanation that shows why default-deny is NOT the way to go for at LEAST 90% of home users. I say this often to people, but I think these solutions are more dangerous to have and not know how to use, than to not have them at all.

 

dave i have a friend who always ask me every wekend to go to clean his pc,and he has good stuff like avira,avast,mbam pro etc etc and always endded up infected but when i set appranger to load his trusted software and denny new programs he was happy and never got infected again

 

I wouldn't dismiss it as too complicated or too bothersome for most.
Maybe most of today's approaches, but how hard could it be to make the manual whitelisting process a little less painful, especially with the inclusion of a lengthy and updatable whitelist (trusted apps/vendors).

 

Well, when you enable SRP, it automatically creates path rules to allow everything in Program Files, System32 directories etc.
Thus SRP wont break the system by itself.

A smart default-deny implementation is just awesome

 

It's evidently difficult because nobody so far is doing it. I'll hear "Comodo" shortly for saying that, but my experience shows they may make it the most complicated. It doesn't help that Comodo has some "selective memory" syndrome that requires you to remind it often that "hey, I told you this was safe file yesterday". Perhaps it just depends on the program and not necessarily the "complication" of SRP. It's become very obvious that a lot of programs don't like SRP. So maybe its the devs of these programs that need to step it up. I won't hold my breath, I'd be dead years before they'd change. Though HIPS may be slightly different than SRP-type default deny, I've never seen anyone make those any simpler either. Going back to apps, some make it even more complicated by doing things in a way that isn't necessarily malicious, but that cause alarms to go off in HIPS.

I don't see any simple solution here. HIPS and SRP can be made "simpler" but if programs continue to do legit things in a suspicious way, it won't help. Both whitelisting and the way programs behave have to make changes before they are as simple as installing an AV/AM and being on your way, IMHO.

 

SRP can be complicated, it can be very simple. What programs dont like SRP? Malware?
I just use the default SRP rules...when I want to install something, I add C: to the path rule list, when installation is done, I remove the C: rule.
Never had a problem.

 

Man I've run into so many programs throwing fits when they are "limited" in any way, lol. But see, you gave an example of an issue, I am not going to sit there and add/remove rules and paths to something just to install, let's say, a freakin media player, browser, game, whatever. I don't have the patience or type of mindset to consider that a "good thing". Now, I'll defend myself by saying that I don't purposefully go around installing anything and everything that looks "neat". But I install and change enough stuff that screwing around with rules and prompts is going to tick me off real quick.

 

Its really not that much: open up SRP via start menu->admin tools, add C:, install program, remove C:, done! No prompts, nothing. Programs can be run as usual after that.

(if in LUA, also do right click ->run as admin via SuRun; for opening up SRP and to install program)

 

For me, White Listing has always been a very simple concept: Every executable file on the system is put onto a White List and no other executable file can run without permission. That is, it is Denied by Default when attempting to run.

This means you don't have to be concerned about a trusted application being fooled into running a non-authorized executable.

Good examples are the two recent DLL exploits, where a malicious DLL could be loaded. Some were worried about how to control rundll32.exe. To lock it down (black list), of course would break a number of functions that depend on that file.

But any malicious DLL would be blocked from loading by a simple White List product, such as ProcessGuard or Anti-Executable v.2.

I set up a little test, where the hmmapi.dll is called to start Windows Live. This is the code used in the autorun.inf file:

Code:

shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1

Then I substituted a different version of the DLL --not on my White List:



You see, AE does not care what rundll32.exe does, as long as the DLL it wants to load is on the White List.

This is protection against any remote code execution exploit that attempts to install a binary executable. I like it because

1) there is nothing for me to have an inexperienced user to configure, once the software is installed, and

2) it is Default-Deny.

To install new software requires a password and 3 clicks from the icon that runs in the Sys Tray.

Finally, to echo a previous poster, for me, this, (along with the Firewall) is the front line rather than the final line.

----
rich

 

You can make a bat file to do this without loading up Local Security.

Off

Code:

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00040000 /f

On

Code:

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00000000 /f

 

Building and maintaining that lengthy whitelist of trusted apps and vendors would be just as bad as keeping a complete blacklist of all the malicious code, if not worse. The number of apps would be huge. By the time you included all the versions of all the executables and DLLs, along with their installers, it would be many times larger than any blacklist. Who would maintain this? If the whitelist is based on "trusted vendors", Open Source, software from small vendors, and apps like P2P or Torrent software will have trouble getting "approved". Such a list would give its maintainer too much control over what users could install and would favor the big companies. This is the last thing we need, fewer choices.

There's another reason most vendors won't develop or market a true default-deny security package. It cuts into their profits. Security app vendors favor apps that keep you dependent on them for updates, as does Microsoft. Microsoft stops patching old system so that they'll become vulnerable, coercing the user to buy a new one. A default-deny based security package interferes with planned obsolescense and the profits it brings. Several of the small vendors who produced security apps that could apply a default-deny security policy to an older system have gone broke. It's hard to build a sustainable business with a product that's a one time sale, especially when it bucks a system that does the opposite. System Safety Monitor is one example.

Unfortunately, you are correct. For 90% of the home users, setting up a whitelist on their own is not the way to go, not when over 90% of them don't know how to do much more with a PC than turn it on and get it infected. The average car driver can't overhaul or modify their car engine either. Both are examples of things that only a small percentage should be doing. The problem is simple. The average user is by default the administrator of a computer they don't know the first thing about. There is no easy answer for them.

For those of us who took the time to learn how our systems work and enjoy tweaking, modifying, and improving them, default-deny is completely viable. I've used it for going on 5 years now on all versions of Windows from 98 FE thru XP. Default-deny makes the majority of exploitable vulnerabilities worthless when malicious payloads that are introduced through them can't run. It can seriously reduce the need for constant updating and the unwanted changes to your system settings that these updates often bring.

If you're one who likes trying new software or changing things, you have another option. Install virtualization software like Virtualbox or VPC. Default-deny protect the host and do as you please on the guest systems. You can have it both ways. I'm posting with an unprotected virtual Win2000 system running on a default-deny protected 98SE host. So what if it gets compromised. When I reboot the guest, it'll be just like it was before I started.

 

bahh.. to each their own!
different strokes for different folks.

 

i personally prefer to use a default-denny

 

same here buddy

 

good choice