Is whitelisting a practical final line of malware defense?

Discussion in 'other anti-malware software' started by Kernelwars, Sep 4, 2010.

Thread Status:
Not open for further replies.
  1. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I would like to know what the security-minded people here think. If you think whitelisting is the way to go, please provide what kind of whitelisting products you recommend... :thumb:
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    you mean default-deny? yes it is the best!! :D

    I use Standard User/SRP: Disallowed by default and UAC.
    Windows 7 two-way firewall. :thumb:
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    IMO Default Deny is the only final line of malware defense .... But for me it's the Front/First line of defense, I mostly rely on my AppLocker policy .. I can't imagine my system without it .... :)
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Practical? I think that depends completely on what the user wants/needs to do. For me, practical isn't even close. But, I don't even like LUA, so that should say something, lol. In all seriousness, yes, it's effective, and if you can put up with it, I suggest it. If you're the type that prefers to tell your machine what to do, and not the other way around, well, it may not be a very fun experience for you, good security or not. I choose usability over security, and go figure, I've never been hit with anything my "weak and useless" (to some folks) AV couldn't handle.
     
  5. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Whitelisting is a very good security approach but becomes more effective with blacklisting.
     
  6. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    353
    Location:
    Netherlands
    +1 :thumb:
     
  7. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For me, default-deny or whitelisting has been completely effective and practical. Whether it's a viable option for you depends on how you use your PC, how many others use it, and what you want them to be able to do. The whole purpose of default-deny is to keep your system the way it is. If your PC is equipped the way that you want it and does all you need, default-deny might be a viable option. If you're one who tries out new apps regularly or likes to change things on a regular basis, whitelisting would be a major inconvenience. Default-deny will usually make auto-updating of AVs, applications, or Windows itself difficult or impossible. If you want updating to be done automatically, it's not an option you'll like.

    The strength of whitelisting or default-deny is that only what you specify is allowed to run. Anything not approved by you isn't allowed to execute or will require administrative approval. The primary weakness of default-deny is the exact same thing. You have to specify what is allowed to run. That requires you to know what has to run to perform the tasks you want this PC to do. It also requires that you know which system executables you don't want to run during normal, non-administrative uses. How well default-deny works is completely dependent on you and how well you understand the working of your system.
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe

    I agree, I couldn't imagine my system without a strong, classical HIPS, "default deny and allow for except".
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Agree about Default Deny; for all of you who think it's the way to go, you are correct ;)
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Great explanation that shows why default-deny is NOT the way to go for at LEAST 90% of home users. I say this often to people, but I think these solutions are more dangerous to have and not know how to use, than to not have them at all.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Dave, I have a friend who always asks me every weekend to go clean his PC, and he has good stuff like Avira, Avast, MBAM Pro etc. etc. and always ended up infected :D but when I set appranger to load his trusted software and deny new programs he was happy and never got infected again :thumb:
     
  13. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    I wouldn't dismiss it as too complicated or too bothersome for most.
    Maybe most of today's approaches, but how hard could it be to make the manual whitelisting process a little less painful, especially with the inclusion of a lengthy and updatable whitelist (trusted apps/vendors).
     
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Well, when you enable SRP, it automatically creates path rules to allow everything in Program Files, the System32 directories etc.
    Thus SRP won't break the system by itself.

    A smart default-deny implementation is just awesome :)
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's evidently difficult because nobody so far is doing it. I'll hear "Comodo" shortly for saying that, but my experience shows they may make it the most complicated. It doesn't help that Comodo has some "selective memory" syndrome that requires you to remind it often that "hey, I told you this was a safe file yesterday". Perhaps it just depends on the program and not necessarily the "complication" of SRP. It's become very obvious that a lot of programs don't like SRP. So maybe it's the devs of these programs that need to step it up. I won't hold my breath, I'd be dead years before they'd change. Though HIPS may be slightly different than SRP-type default deny, I've never seen anyone make those any simpler either. Going back to apps, some make it even more complicated by doing things in a way that isn't necessarily malicious, but that cause alarms to go off in HIPS.

    I don't see any simple solution here. HIPS and SRP can be made "simpler" but if programs continue to do legit things in a suspicious way, it won't help. Both whitelisting and the way programs behave have to make changes before they are as simple as installing an AV/AM and being on your way, IMHO.
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    SRP can be complicated, or it can be very simple. What programs don't like SRP? Malware? :argh:
    I just use the default SRP rules... when I want to install something, I add C: to the path rule list; when installation is done, I remove the C: rule.
    Never had a problem.
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Man I've run into so many programs throwing fits when they are "limited" in any way, lol. But see, you gave an example of an issue, I am not going to sit there and add/remove rules and paths to something just to install, let's say, a freakin media player, browser, game, whatever. I don't have the patience or type of mindset to consider that a "good thing". Now, I'll defend myself by saying that I don't purposefully go around installing anything and everything that looks "neat". But I install and change enough stuff that screwing around with rules and prompts is going to tick me off real quick.
     
  18. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    It's really not that much: open up SRP via Start menu -> Admin Tools, add C:, install the program, remove C:, done! No prompts, nothing. Programs can be run as usual after that.

    (If in LUA, also do right click -> Run as admin via SuRun, for opening up SRP and to install the program.) :D
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For me, White Listing has always been a very simple concept: Every executable file on the system is put onto a White List and no other executable file can run without permission. That is, it is Denied by Default when attempting to run.

    This means you don't have to be concerned about a trusted application being fooled into running a non-authorized executable.

    Good examples are the two recent DLL exploits, where a malicious DLL could be loaded. Some were worried about how to control rundll32.exe. To lock it down (black list), of course would break a number of functions that depend on that file.

    But any malicious DLL would be blocked from loading by a simple White List product, such as ProcessGuard or Anti-Executable v.2.

    I set up a little test, where hmmapi.dll is called to start Windows Live. This is the code used in the autorun.inf file:

    Code:
    shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1
    [screenshot]

    Then I substituted a different version of the DLL --not on my White List:

    [screenshot]

    You see, AE does not care what rundll32.exe does, as long as the DLL it wants to load is on the White List.

    This is protection against any remote code execution exploit that attempts to install a binary executable. I like it because

    1) there is nothing for me to have an inexperienced user to configure, once the software is installed, and

    2) it is Default-Deny.

    To install new software requires a password and 3 clicks from the icon that runs in the Sys Tray.

    Finally, to echo a previous poster, for me, this, (along with the Firewall) is the front line rather than the final line.

    ----
    rich
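The rundll32/hmmapi.dll test above comes down to one question: is the library being loaded on the list, regardless of who loads it or where it sits? The following PowerShell is an added illustration of that hash-based allowlist check; it is not code from Rmus, from Anti-Executable or from ProcessGuard. It assumes PowerShell 4 or later (for Get-FileHash), and the files it hashes are constructed stand-ins written to a scratch folder, not real DLLs.

```powershell
# Added example, not code from the thread: a hash-based allowlist check of the kind that
# decides the rundll32/hmmapi.dll case above. rundll32.exe is trusted; whether the library it
# loads may run is decided by the library's own hash, not by its name or its location.
# Assumptions: PowerShell 4+ (Get-FileHash); the files below are constructed stand-ins, not real DLLs.

function New-HashAllowList {
    # Snapshot every .exe/.dll under $Root by SHA-256: hash -> path.
    param([Parameter(Mandatory)][string]$Root)
    $list = @{}
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $list[(Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash] = $_.FullName
        }
    return $list
}

function Test-AllowedToLoad {
    # $true only if the file's current contents match a hash recorded at baseline.
    param(
        [Parameter(Mandatory)][hashtable]$AllowList,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $AllowList.ContainsKey($hash)
}

# --- demonstration on constructed files in a scratch folder ---
$lab = Join-Path ([IO.Path]::GetTempPath()) ('allowlist-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $lab | Out-Null
$dll = Join-Path $lab 'hmmapi.dll'

# Baseline: the library already on the system goes onto the list.
[IO.File]::WriteAllBytes($dll, [byte[]](0x4D, 0x5A, 1, 2, 3))      # constructed bytes
$allow = New-HashAllowList -Root $lab
"original library allowed: $(Test-AllowedToLoad -AllowList $allow -Path $dll)"

# Substitution: same file name and same path, different contents. A path rule that
# trusts the folder would still pass it; the hash allowlist does not.
[IO.File]::WriteAllBytes($dll, [byte[]](0x4D, 0x5A, 9, 9, 9))      # constructed bytes
"substituted library allowed: $(Test-AllowedToLoad -AllowList $allow -Path $dll)"

Remove-Item -LiteralPath $lab -Recurse -Force
```

The first check succeeds and the second fails, which is the behaviour Rmus describes: the decision never involves rundll32.exe, only the hash of what it tries to load. The same distinction explains why a path rule (SRP's default kind, which trusts %SystemRoot% and Program Files wholesale) cannot catch a library swapped in place, while a hash rule can.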
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    You can make a bat file to do this without loading up Local Security.

    Off
    Code:
    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00040000 /f
    On
    Code:
    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00000000 /f
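The two REG ADD lines above flip SRP's DefaultLevel between Unrestricted (0x40000) and Disallowed (0); wearetheborg's variant adds a temporary C: path rule instead. The PowerShell below is an added example, not code from either poster: it reads the same policy keys to show the current state and the path rules that the defaults create, and wraps one installer so that DefaultLevel is restored in a finally block even if the installer fails or is killed. It assumes an elevated PowerShell session and that SRP has been enabled at least once (the CodeIdentifiers key exists); the installer path and arguments are whatever the caller supplies.

```powershell
# Added example, not code from the thread: inspect the SRP policy that the REG ADD
# commands above toggle, and lift DefaultLevel only for the duration of one installer.
# Assumptions: elevated PowerShell; SRP has been enabled at least once so that the
# CodeIdentifiers key exists; $InstallerPath is supplied by the caller.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels and the subkeys under which each level's path rules live.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpStatus {
    $ci = Get-ItemProperty -Path $SaferRoot
    [pscustomobject]@{
        DefaultLevel = if ($null -eq $ci.DefaultLevel) { 'Unrestricted (not set)' }
                       else { $LevelNames[[int]$ci.DefaultLevel] }
        # TransparentEnabled 1 = executables only; 2 = executables and libraries (DLLs).
        # Only level 2 subjects a DLL loaded by rundll32.exe to the policy at all.
        DllsEnforced = ([int]$ci.TransparentEnabled -eq 2)
        # PolicyScope 1 exempts local administrators; 0 applies the policy to everyone.
        AdminsExempt = ([int]$ci.PolicyScope -eq 1)
    }
}

function Get-SrpPathRules {
    # Every path rule at every level: the default %SystemRoot% / Program Files rules,
    # plus anything added by hand such as a temporary C: rule for an install.
    foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

function Invoke-InstallerWithSrpUnrestricted {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string[]]$ArgumentList = @()
    )
    # Remember what was there (Disallowed, Basic User, or nothing) so that finally
    # puts back exactly that, not a guessed value.
    $saved = (Get-ItemProperty -Path $SaferRoot).DefaultLevel
    try {
        Set-ItemProperty -Path $SaferRoot -Name DefaultLevel -Value 0x40000 -Type DWord
        $startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
        if ($ArgumentList.Count -gt 0) { $startArgs.ArgumentList = $ArgumentList }
        return (Start-Process @startArgs).ExitCode
    }
    finally {
        if ($null -eq $saved) {
            Remove-ItemProperty -Path $SaferRoot -Name DefaultLevel -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $SaferRoot -Name DefaultLevel -Value $saved -Type DWord
        }
    }
}

Get-SrpStatus
Get-SrpPathRules | Format-Table -AutoSize
# Example call (path is a placeholder):
# Invoke-InstallerWithSrpUnrestricted -InstallerPath 'C:\Users\me\Downloads\setup.exe' -ArgumentList '/S'
```

SRP reads these values when a process is created, so the change applies to the installer and anything it spawns, and the restore applies to everything started afterwards. Lifting DefaultLevel is the broad version of what wearetheborg does with a temporary C: rule; both leave the machine unprotected while the installer runs, which is why the restore belongs in a finally block rather than in a second batch file you have to remember to run.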
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Building and maintaining that lengthy whitelist of trusted apps and vendors would be just as bad as keeping a complete blacklist of all the malicious code, if not worse. The number of apps would be huge. By the time you included all the versions of all the executables and DLLs, along with their installers, it would be many times larger than any blacklist. Who would maintain this? If the whitelist is based on "trusted vendors", Open Source, software from small vendors, and apps like P2P or Torrent software will have trouble getting "approved". Such a list would give its maintainer too much control over what users could install and would favor the big companies. This is the last thing we need, fewer choices.

    There's another reason most vendors won't develop or market a true default-deny security package. It cuts into their profits. Security app vendors favor apps that keep you dependent on them for updates, as does Microsoft. Microsoft stops patching old systems so that they'll become vulnerable, coercing the user to buy a new one. A default-deny based security package interferes with planned obsolescence and the profits it brings. Several of the small vendors who produced security apps that could apply a default-deny security policy to an older system have gone broke. It's hard to build a sustainable business with a product that's a one time sale, especially when it bucks a system that does the opposite. System Safety Monitor is one example.
    Unfortunately, you are correct. For 90% of the home users, setting up a whitelist on their own is not the way to go, not when over 90% of them don't know how to do much more with a PC than turn it on and get it infected. The average car driver can't overhaul or modify their car engine either. Both are examples of things that only a small percentage should be doing. The problem is simple. The average user is by default the administrator of a computer they don't know the first thing about. There is no easy answer for them.

    For those of us who took the time to learn how our systems work and enjoy tweaking, modifying, and improving them, default-deny is completely viable. I've used it for going on 5 years now on all versions of Windows from 98 FE through XP. Default-deny makes the majority of exploitable vulnerabilities worthless when malicious payloads that are introduced through them can't run. It can seriously reduce the need for constant updating and the unwanted changes to your system settings that these updates often bring.

    If you're one who likes trying new software or changing things, you have another option. Install virtualization software like VirtualBox or VPC. Default-deny protects the host, and you do as you please on the guest systems. You can have it both ways. I'm posting with an unprotected virtual Win2000 system running on a default-deny protected 98SE host. So what if it gets compromised. When I reboot the guest, it'll be just like it was before I started.
     
    Last edited: Sep 4, 2010
  22. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    bahh.. to each their own!
    different strokes for different folks. :D
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I personally prefer to use a default-deny :thumb: :thumb:
     
  24. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    same here buddy ;)
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good choice;)
     