One Size Does Not Fit All
It is important that application whitelisting approaches make allowances for the differences between individual endpoints. Every machine is slightly different, so a "one size fits all" whitelist is very unlikely to be practical.
I mention this because I often hear the misperception that application whitelist vendors maintain a master list of every published software executable in the world, can query that database to validate the integrity of any given program, and that there is great value in this clearinghouse capability. The value of such a master database is dubious: whitelists have to be customized for each endpoint, and application whitelisting products need to keep each whitelist small to preserve performance and reduce management overhead. A better idea is to federate the validation of executables to the trusted sources that published them, rather than to a third-party aggregate.
First, let's look at three reasons the master clearinghouse concept fails:
- It will generate false negatives (legitimate code rejected as unknown). Organizations may have thousands of in-house developed applications that are essential to the business, and none of them will appear in an independent clearinghouse of published software. A rejection by the clearinghouse may mean only that the code is custom built, is software under test from an approved vendor, or is released by a vendor the clearinghouse does not recognize.
- It can generate false positives (code accepted that should not run on this machine). Software from a trusted source in the master database of published code may still be unauthorized for a particular user's machine. For instance, a device driver that checks out against the clearinghouse may be a total mismatch for that device's hardware configuration and could destabilize or damage the system. Furthermore, software that IT does not support, such as out-of-date builds in need of upgrades or patches, or functionality that IT has not approved, should not pass a validation test even though a clearinghouse would accept it.
- It repeats the failure of the AV model to limit signature growth. The list of published software grows forever, and once patches are counted the bloat quickly becomes difficult to manage and to keep trustworthy. For instance, a single program that has been patched only 10 times could exist in as many as 3,628,800 variants (10!, if the patches can be applied in any order and each ordering yields a different binary); even counting only which patches are present gives 2^10 = 1,024 distinct binaries to track. We know from anti-virus experience that a brute-force approach to listing every possible object a computer is exposed to will ultimately suffer from integrity gaps and performance problems.
A master clearinghouse of software published from all recognized trusted sources is a concept with very limited value to a dynamic security program. A better way to learn about a suspicious executable or service is to start with a web search to identify its publisher, and then query that trusted source directly (its published hashes or signed release) to check that the file has not been modified by malware. That is far better than trying to amass a database that could have over a billion entries, most of which will be misleading to security teams.
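The following is an added example, not code from the original article or from any whitelisting product. It models the two approaches side by side: a hypothetical global clearinghouse that treats "known hash" as "trusted", and a per-endpoint policy that combines a local allowlist (where in-house code lives) with validation federated to each publisher's own manifest. The files, hashes, publisher names, hardware IDs and version floors are all constructed for the example. Run it and the three failure modes from the list above show up in the output: the in-house payroll binary is rejected by the clearinghouse but allowed locally, the driver for absent hardware and the unsupported old version are accepted by the clearinghouse but denied locally, and a tampered copy is denied by both because its hash matches nothing the publisher shipped.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    """Hash of the executable's bytes; the identity every whitelist keys on."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables on disk (path -> file contents).
FILES = {
    "C:/Program Files/Vendor/app.exe":     b"vendor app v2.1 build",
    "C:/Program Files/Vendor/app_old.exe": b"vendor app v1.0 build",
    "C:/Apps/Payroll/payroll.exe":         b"in-house payroll build 117",
    "C:/Drivers/gpu_vendor_x.sys":         b"driver for GPU family X",
    "C:/Temp/app.exe":                     b"vendor app v2.1 build TAMPERED",
}

# Hypothetical global clearinghouse: every hash of "published" software it has seen.
CLEARINGHOUSE = {
    sha256(b"vendor app v2.1 build"),
    sha256(b"vendor app v1.0 build"),
    sha256(b"driver for GPU family X"),
}


def clearinghouse_says(data: bytes) -> bool:
    """The master-database model: a known hash is treated as trusted, context-free."""
    return sha256(data) in CLEARINGHOUSE


# Federated trust: each publisher's own manifest (constructed here), obtained from
# that publisher, lists the binaries it shipped plus the metadata an endpoint needs.
PUBLISHER_MANIFESTS = {
    "Vendor Inc": {
        sha256(b"vendor app v2.1 build"): {"product": "VendorApp", "version": (2, 1)},
        sha256(b"vendor app v1.0 build"): {"product": "VendorApp", "version": (1, 0)},
    },
    "GPU Maker": {
        sha256(b"driver for GPU family X"): {"product": "GPU driver", "version": (5, 0),
                                             "hardware": "GPU-X"},
    },
}


@dataclass
class EndpointPolicy:
    hostname: str
    hardware: set            # hardware IDs actually present on this machine
    local_allow: set         # hashes approved for this endpoint; in-house code lives here
    trusted_publishers: set  # publishers whose manifests this endpoint will consult
    min_supported: dict = field(default_factory=dict)  # product -> lowest version IT supports


def evaluate(policy: EndpointPolicy, data: bytes) -> tuple:
    """Per-endpoint decision: ('allow' | 'deny', reason)."""
    h = sha256(data)
    if h in policy.local_allow:
        return ("allow", "on endpoint allowlist")
    for publisher in policy.trusted_publishers:
        meta = PUBLISHER_MANIFESTS.get(publisher, {}).get(h)
        if meta is None:
            continue  # this publisher never shipped these exact bytes
        hw = meta.get("hardware")
        if hw is not None and hw not in policy.hardware:
            return ("deny", f"{meta['product']} is built for {hw}, absent on {policy.hostname}")
        floor = policy.min_supported.get(meta["product"])
        if floor is not None and meta["version"] < floor:
            return ("deny", f"{meta['product']} {meta['version']} is below supported minimum {floor}")
        return ("allow", f"vouched for by trusted publisher {publisher}")
    return ("deny", "unknown hash: not on allowlist and no trusted publisher vouches for it")


def compare(policy: EndpointPolicy) -> dict:
    """Side by side for each file: (clearinghouse knows it?, endpoint verdict)."""
    return {path: (clearinghouse_says(data), evaluate(policy, data)[0])
            for path, data in FILES.items()}


# Constructed endpoint: a finance workstation with a GPU-Y card and a 2.0 floor on VendorApp.
WORKSTATION = EndpointPolicy(
    hostname="ws-finance-07",
    hardware={"GPU-Y"},
    local_allow={sha256(b"in-house payroll build 117")},
    trusted_publishers={"Vendor Inc", "GPU Maker"},
    min_supported={"VendorApp": (2, 0)},
)

if __name__ == "__main__":
    for path, data in FILES.items():
        known = "known" if clearinghouse_says(data) else "unknown"
        verdict, reason = evaluate(WORKSTATION, data)
        print(f"{path:40} clearinghouse={known:8} endpoint={verdict:6} ({reason})")
```

The endpoint never asks "has anyone, anywhere, published this hash?"; it asks "is this approved here, or does a publisher I trust vouch for these exact bytes, and does that publisher's own metadata fit this machine?" Swapping the constructed manifests for a vendor's published checksums or code-signing verification gives the same structure against real inputs.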

