notabot

Level 15
ESET LiveGrid maintains a whitelist, which is used to auto-allow, a blacklist, which is used to auto-block and whatever is not in either is analyzed.
I was wondering, can ESET be configured to block everything that's not on the LiveGrid whitelist? This way ESET's LiveGrid would effectively be turned into a cloud whitelisting solution.

Robbie

Level 29
Verified
Content Creator
Malware Tester
Which AVs have something equivalent?
Kaspersky Application Control does what you need. They have a vendors list, and can be configured to execute only what is digitally signed. As an extra option, it can be tweaked to trust ONLY digitally signed files by a trusted vendor (according to their vendor lists). In this scenario, only files digitally signed by a Kaspersky Trusted Vendor will be allowed to launch. All the rest will be blocked upon execution. Even if you don't like a trusted vendor, you can manually block it.

notabot

Level 15
Kaspersky Application Control does what you need. They have a vendors list, and can be configured to execute only what is digitally signed. As an extra option, it can be tweaked to trust ONLY digitally signed files by a trusted vendor (according to their vendor lists). In this scenario, only files digitally signed by a Kaspersky Trusted Vendor will be allowed to launch. All the rest will be blocked upon execution. Even if you don't like a trusted vendor, you can manually block it.
Windows can do that too (presumably Kaspersky may manage the trusted certificate list more tightly) but I'm looking beyond that, to not allow any executable whose hash is not whitelisted (so even signed malware doesn't get to run).

With Defender this would be done by both allowing only signed executables to run + BAFS + ASR rule on age/prevalence etc.; other AV vendors must have something like this as well.
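The three policies being compared in this thread (allow anything with a valid signature, allow only signatures from a trusted-vendor list as in Robbie's Kaspersky description, and allow only known hashes as notabot asks for) can be audited on a Windows box before any enforcement is turned on. The script below is an added example written for this thread; it is not code from the forum, from Kaspersky, ESET or Microsoft. It assumes a constructed allowlist file at a hypothetical path (`C:\Policy\allowed-sha256.txt`, one SHA-256 per line) and a constructed trusted-vendor list; the `Test-ExecutablePolicy` and `Enable-DefenderUnknownBlocking` function names are my own. The Defender cmdlets (`Set-MpPreference`, `Add-MpPreference`) are real; the ASR rule GUID is the one Microsoft publishes for "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", but confirm it against current documentation before deploying.

```powershell
# Added example (not from the thread): report, per executable, which of the three
# policies discussed above would allow it, and optionally turn on the Defender pieces.

function Test-ExecutablePolicy {
    param(
        [Parameter(Mandatory)] [string]   $ScanRoot,
        [Parameter(Mandatory)] [string[]] $AllowedSha256,   # hash allowlist, 64 hex chars each
        [Parameter(Mandatory)] [string[]] $TrustedVendors   # substrings matched against the signer subject
    )
    # Normalise the allowlist once so lookups are O(1) and case-insensitive.
    $allowed = @{}
    foreach ($h in $AllowedSha256) {
        if ($h -match '^[0-9A-Fa-f]{64}$') { $allowed[$h.ToUpper()] = $true }
    }

    Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isValid = ($sig.Status -eq 'Valid')      # chain builds and the file hash matches the signature
        $vendorOk = $false
        foreach ($v in $TrustedVendors) {
            if ($signer -like "*$v*") { $vendorOk = $true; break }
        }

        [pscustomobject]@{
            Path        = $_.FullName
            SHA256      = $hash
            SigStatus   = $sig.Status             # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = $signer
            # Policy 1: any valid Authenticode signature is enough (what Windows alone enforces).
            AllowSigned = $isValid
            # Policy 2: valid signature AND signer on the trusted-vendor list (Kaspersky-style).
            AllowVendor = ($isValid -and $vendorOk)
            # Policy 3: hash must be on the allowlist; a signature buys nothing (notabot's ask).
            AllowHash   = $allowed.ContainsKey($hash)
        }
    }
}

function Enable-DefenderUnknownBlocking {
    # The Defender settings named in the post. Run elevated; this changes live configuration.
    # Block at First Sight needs cloud protection and sample submission to be on.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -DisableBlockAtFirstSeen $false
    # ASR rule: block executables unless they meet a prevalence, age or trusted-list criterion.
    # Assumption: verify this GUID against current Microsoft documentation before use.
    Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Dry run with constructed inputs; swap in your own allowlist and vendor list.
$allowlist = Get-Content 'C:\Policy\allowed-sha256.txt'         # hypothetical path
$vendors   = @('O=Microsoft Corporation', 'O=Google LLC')        # assumption: vendors you trust
Test-ExecutablePolicy -ScanRoot "$env:ProgramFiles" -AllowedSha256 $allowlist -TrustedVendors $vendors |
    Where-Object { -not $_.AllowHash } |     # everything a hash-based default-deny would block
    Format-Table Path, SigStatus, AllowSigned, AllowVendor, AllowHash -AutoSize
```

Rows where `AllowSigned` or `AllowVendor` is true but `AllowHash` is false are exactly the "signed malware still runs" gap notabot is describing: a signature-only or vendor-only policy passes them, a hash allowlist does not. Running the audit in report mode first also shows how many legitimate updates a strict hash policy would block, which is the operational cost of default-deny that the later replies point at.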

Azure

Level 24
Verified
Content Creator
Windows can do that too (presumably Kaspersky may manage the trusted certificate list more tightly) but I'm looking beyond that, to not allow any executable whose hash is not whitelisted (so even signed malware doesn't get to run).

With Defender this would be done by both allowing only signed executables to run + BAFS + ASR rule on age/prevalence etc.; other AV vendors must have something like this as well.
@harlan4096 would be able to give you more details but you should be able to disable trust by certificate.

Robbie

Level 29
Verified
Content Creator
Malware Tester
Windows can do that too (presumably Kaspersky may manage the trusted certificate list more tightly) but I'm looking beyond that, to not allow any executable whose hash is not whitelisted (so even signed malware doesn't get to run).

With Defender this would be done by both allowing only signed executables to run + BAFS + ASR rule on age/prevalence etc.; other AV vendors must have something like this as well.
Then what you're looking for is default-deny solutions. Check VS, ERP, etc.