Jack

Level 85
Verified
Staff member
Many security technologies rely on blacklisting malicious or suspicious files or applications in order to prevent users from running them. But that approach can have its limitations, and the idea of whitelisting applications and safe files has taken hold recently. In this video, Vladimir Zapolyansky talks about the benefits of application whitelisting, the way that the technology works and how it can help users protect their PCs more effectively.

Lab Matters - Are we up to a brighter future?
Uploaded by Securelist on Sep 27, 2011
Littlebits

Retired Staff
I still believe blacklisting is the best way to go.

Whitelisting has many disadvantages.

Whitelisting only works on digitally signed files.
Many vendors don't sign all of their files, especially open-source freeware. Therefore these files always get flagged as false positives. Even Microsoft doesn't digitally sign all of their files.

A lot of drivers for video graphics, sound cards and other third-parties don't digitally sign their files either.

So why wouldn't vendors sign all of their files? Because it costs money to do so.
The files have to be digitally signed each time the files update to new versions.

Whitelisting is better for paid software but bad for freeware.

Freeware vendors like NirSoft and many vendors on Sourceforge have had so many problems with security software flagging their products as malware because of whitelisting.

Yes whitelisting offers better security but at a disadvantage to free software developers and novice users who don't know how to tell the difference between real malware and false positives.

This could also cause an increase in prices for paid products and slower development for freeware because vendors would feel obligated to take more time making sure their files were digitally signed to avoid detection of security products.

It is also impossible to keep an updated whitelist since it will have to be much larger than the blacklists. There are more safe files than malware files.

Good concept, but I don't think it will benefit in the long run.

Thanks.:D
 

HeffeD

New Member
Littlebits said:
Whitelisting only works on digitally signed files.
Applications don't need to be digitally signed to be whitelisted. All you need is the file hash.

If an application has been tested and found safe, the file hash of this application can be added to a cloud database. Then if a user encounters this application and the hash sent to the cloud matches the hash in the database, you can be sure this application has not been tampered with and is safe for the user to run. No need for a digital signature.

Blacklisting is a bottomless pit. If you have to try and blacklist every piece of malware that is discovered, the database will become ungainly pretty quick. Generic signatures help quite a bit towards detecting a family of virus variants instead of needing a signature for each variation, but it's still a losing battle (as can be attested by the poor zero-day performance of any signature-dependent AV).

Whitelisting on the other hand, is a much more manageable proposition. These days the scale is leaning heavily towards more malicious applications than safe ones. It's far easier (not to mention less resource intensive...) to just say, is this program safe? And check it against the smaller whitelist database. If you get a match, you're done. No need to scan it against the much larger blacklist database.

It's the default deny principle.

It may be easier to visualize if you think of spam and your email account. There are a lot more spammers than people that are your friends. If you set your email application to only accept mail from your friends, you can virtually guarantee* that you will have no unsolicited spam in your inbox.

*Sure, one of your acquaintances could become part of a botnet due to lack of security at their end, but I think you get the idea... :p
 

jamescv7

Level 61
Verified
Trusted
Well, having digitally signed files means it was signed by the publisher, so it doesn't mean the digitally signed file was safe; some malicious files were digitally signed too, like adware.
 

Littlebits

Retired Staff
jamescv7 said:
Well, having digitally signed files means it was signed by the publisher, so it doesn't mean the digitally signed file was safe; some malicious files were digitally signed too, like adware.
If you want to define "Safe", anything that has the ability to connect to the web is not safe.
It is true that some adware publishers are starting to digitally sign their files, but these files are NOT malicious. These adware files usually are related to privacy issues or open up security holes. Malicious files are never digitally signed.

Back to the blacklisting vs. whitelisting.

I know a lot of you might think the majority of files that are released on the web are malicious malware. But the simple facts are that most files are safe, only a small fraction are considered malware and even a much smaller are malicious.

Now, given that info, apply that concept to blacklisting and whitelisting.
Which one would be more effective for all users?
A blacklist (which is only a small fraction compared to a whitelist).
Or an extremely large whitelist (which will have to be updated much more frequently to be effective).

Whitelisting can use file hash as well as digital signatures. But most security products rely more on the digital signatures. It can take weeks to update a file hash to the whitelist by that time that same file could update several times and still be flagged as malware. It is much more difficult to go by file hashes because they change with every update whereas digital signatures remain the same after the files update.

The default deny policy never will work in the real world. It is only for advanced and expert users.

Thanks.:D
 

HeffeD

New Member
Littlebits said:
I know a lot of you might think the majority of files that are released on the web are malicious malware. But the simple facts are that most files are safe, only a small fraction are considered malware and even a much smaller are malicious.
Look at the hundreds of files added daily to malware tracking sites... Granted, some of these may be taken care of by generic signatures, but each one of these needs to be blacklisted.

Security companies tend to not give out details about their whitelists, but they tend to brag about their blacklists. I'm willing to bet that nobody's whitelist has millions of applications listed, yet even the smallest blacklists have millions of signatures. Some blacklists have thousands of signatures added to their blacklists daily.

Littlebits said:
It is much more difficult to go by file hashes because they change with every update whereas digital signatures remain the same after the files update.
File hashes cannot be forged. Digital signatures can and have been. It's still much easier to update a file hash when an application has been released than try to blacklist all the variants of a particular piece of malware. Even if you create a generic signature to accommodate the variants, it's more labor intensive than the few seconds it takes to calculate a file hash.

Littlebits said:
The default deny policy never will work in the real world. It is only for advanced and expert users.
Sure it can. Steps can be taken to mediate between applications on the whitelist and unrecognized applications. Things such as a sandbox. If it's not whitelisted, it's virtualized. Requires zero brain power to use. ;)
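The hash-based, default-deny allowlist described in HeffeD's two replies above (exact hash match runs, anything unrecognized is sandboxed), as an added example that is not code from this thread or from any vendor. The sample "files" and the allowlist are constructed; the version update shows the point raised earlier that a hash changes with every release and the list must be refreshed.

```python
import hashlib

# Constructed sample "files": the bytes stand in for executables on disk.
SAMPLE_FILES = {
    "tool-1.0.exe": b"MZ\x90\x00 freeware tool v1.0",
    "tool-1.1.exe": b"MZ\x90\x00 freeware tool v1.1",            # legitimate update
    "tool-1.0-tampered.exe": b"MZ\x90\x00 freeware tool v1.0 +",  # one byte appended
    "unknown.exe": b"MZ\x90\x00 never seen before",
}


def file_hash(data: bytes) -> str:
    """SHA-256 of the file contents; this is what the client sends to the cloud."""
    return hashlib.sha256(data).hexdigest()


# Cloud-side allowlist: hashes of files that were tested and found safe.
# Only version 1.0 has been vetted so far (constructed).
ALLOWLIST = {file_hash(SAMPLE_FILES["tool-1.0.exe"]): "freeware tool 1.0"}


def decide(data: bytes, allowlist: dict) -> str:
    """Default deny: 'run' only on an exact hash match, otherwise 'sandbox'.

    A tampered copy, a new version, or an unknown file all miss the list and
    are virtualized instead of blocked outright, so the user is not bothered.
    """
    return "run" if file_hash(data) in allowlist else "sandbox"


def decisions(files: dict, allowlist: dict) -> dict:
    """Apply the policy to every sample file and return name -> decision."""
    return {name: decide(data, allowlist) for name, data in files.items()}


def publish_release(allowlist: dict, data: bytes, label: str) -> dict:
    """Vetting side: admitting a new release is one hash calculation, no signature needed."""
    updated = dict(allowlist)
    updated[file_hash(data)] = label
    return updated


if __name__ == "__main__":
    before = decisions(SAMPLE_FILES, ALLOWLIST)
    after = decisions(SAMPLE_FILES, publish_release(
        ALLOWLIST, SAMPLE_FILES["tool-1.1.exe"], "freeware tool 1.1"))
    for name in SAMPLE_FILES:
        print(f"{name:24} before update: {before[name]:8} after update: {after[name]}")
```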