Application Whitelisting Guide and the Best Whitelisting Software

Application whitelisting is a technology created to keep computer systems safe from potentially harmful applications.

An application whitelist is a list of authorized or permitted applications to install or execute on a host according to a well-defined baseline. The goal of application whitelisting technologies is to stop the execution of malware and other unauthorized applications.

Unlike application blacklisting, which blocks unwanted applications from executing, application whitelisting technologies are designed to ensure that only explicitly permitted applications run or execute. In fact, with an application whitelist, you are essentially blacklisting everything else except the applications you enable. The technologies used to enforce application whitelists are called whitelisting software.

The whitelisting software distinguishes between allowed and disallowed applications using various file and folder attributes, such as the file name, file path, file size, digital signature or publisher, and cryptographic hash.
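As an added illustration (not code from this article or from any of the products it reviews), the following Python model evaluates constructed sample files against hash, publisher and path rules with the default-deny semantics described above. It also shows the trade-off between rule types: a hash rule stops matching as soon as the file is updated, while a broad path rule passes anything placed in the allowed directory unless a deny rule covers it.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FileInfo:
    """Attributes a whitelisting agent collects about an executable."""
    path: str
    content: bytes
    publisher: Optional[str] = None  # signer name; None means unsigned

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass(frozen=True)
class Rule:
    kind: str              # "hash", "publisher" or "path"
    value: str
    action: str = "allow"  # "allow" or "deny"

    def matches(self, f: FileInfo) -> bool:
        if self.kind == "hash":
            return f.sha256() == self.value
        if self.kind == "publisher":
            return f.publisher is not None and f.publisher == self.value
        if self.kind == "path":
            # prefix match, case-insensitive like Windows paths
            return f.path.lower().startswith(self.value.lower())
        raise ValueError(f"unknown rule kind: {self.kind}")

def decide(rules, f: FileInfo) -> str:
    """Default deny: an explicit deny wins over any allow; no match means deny."""
    hits = [r for r in rules if r.matches(f)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"

# Constructed sample files (not real binaries): a signed tool, its updated
# version, and an unsigned file sitting in a directory that path policies allow.
TOOL_V1 = FileInfo("C:\\Program Files\\Vendor\\tool.exe", b"MZ-constructed-tool-v1", "Vendor Inc")
TOOL_V2 = FileInfo("C:\\Program Files\\Vendor\\tool.exe", b"MZ-constructed-tool-v2", "Vendor Inc")
UNSIGNED = FileInfo("C:\\Windows\\Temp\\unknown.exe", b"MZ-constructed-unknown")

HASH_POLICY = [Rule("hash", TOOL_V1.sha256())]
PUBLISHER_POLICY = [Rule("publisher", "Vendor Inc")]
PATH_POLICY = [Rule("path", "C:\\Windows\\"), Rule("path", "C:\\Program Files\\")]
# Same path policy with the user-writable temp directory explicitly denied
PATH_POLICY_HARDENED = PATH_POLICY + [Rule("path", "C:\\Windows\\Temp\\", "deny")]

def compare_policies() -> dict:
    """Decision each policy reaches for each sample, keyed by (policy, file)."""
    policies = {"hash": HASH_POLICY, "publisher": PUBLISHER_POLICY,
                "path": PATH_POLICY, "path_hardened": PATH_POLICY_HARDENED}
    files = {"tool_v1": TOOL_V1, "tool_v2": TOOL_V2, "unsigned": UNSIGNED}
    return {(p, f): decide(rules, fi) for p, rules in policies.items() for f, fi in files.items()}
```

Calling compare_policies() returns every (policy, file) verdict; the hash policy denies the updated tool, the publisher policy allows it, and the plain path policy allows the unsigned file until the deny rule is added.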

The application of this level of control is one of the modern cybersecurity approaches to prevent several critical threats. Whitelisting is usually enforced at Layer 7 of the OSI model. The purpose of this article is to help organizations understand, evaluate, select, and implement the correct application whitelisting solution for their business.

Why is Application Whitelisting Important?

Nowadays, a signature-based approach to security is no longer considered strong enough to protect systems from modern cyber threats. This is why many organizations embrace the principles of the zero-trust security model in their security strategy. However, recent malware statistics and cybercrime trends show that malware is still a significant problem worldwide. With over 350,000 new malware samples discovered every day, it’s practically impossible for anti-virus applications to keep tabs on these new and emerging threats. This is where application whitelisting plays a key role.

Application whitelisting is a powerful tool deployed to defend your systems from known and unknown threats such as malware, advanced persistent threats (APTs), fileless attacks, zero-day and ransomware attacks, especially in high-risk environments where maximum security is required. If an application is found to have an unknown reputation, its execution will be denied. The default-deny policy of application whitelisting technologies makes it difficult for zero-day and ransomware attacks to execute.

The scope of application whitelisting doesn’t end with malware protection. It also provides complete visibility into the applications and processes on your host systems, lets you monitor changes made to those application files, and can either prevent the files from being changed or alert security teams for further investigation. This helps security admins fine-tune their security policies and update their whitelists accordingly.

So Why is Everyone Not Using Application Whitelisting?

While application whitelisting does a great job of protecting against malicious applications, it can be very restrictive. Every time the user needs to run a legitimate application that is not on the whitelist, they need to contact the admin. This can make a system difficult to use and create operational bottlenecks, inefficiency, and frustration in the workplace, especially in large organizations. In addition, the whitelisting solution can be a massive failure if end users are constantly unable to perform essential business functions on a day-to-day basis.

Creating a comprehensive whitelist and keeping it updated can be a challenging and demanding task for the security admin. This explains why most organizations prefer to adopt blacklisting instead of going through the headaches involved in whitelisting. But these headaches can be significantly reduced if the whitelisting solution has pre-existing policy templates or lets security admins pre-approve known applications that are considered safe. Then, when users attempt to install them, installation proceeds without any restrictions.

What Does it Take to Successfully Deploy an Application Whitelisting Solution?

Implementing an application whitelisting solution requires proper planning for a successful deployment. Several best practices should be adhered to during the implementation process. One such practice is the use of a phased implementation approach, which minimizes unforeseen issues early in the process. The U.S. National Institute of Standards and Technology (NIST) framework on application whitelisting recommends the following planning and implementation phases:

  • Initiation: The purpose of this phase is to identify the current and future needs for application whitelisting through requirements analysis and to determine how those needs can best be met, including a policy document that captures all of those decisions. The outcome of the requirements analysis should help in determining the types of threats the application whitelisting should protect against; the types of applications or application components (executables, libraries, registry entries, configuration files, etc.) that need to be monitored; and the types of application whitelisting that should be used to balance security, usability, and maintainability. At the end of this phase, you should have identified a suitable application whitelisting technology for your organization.
  • Design: Once the needs have been identified and the appropriate application whitelisting technologies have been chosen, the next step is to design a solution that meets those needs. Some of the critical design decisions to consider include solution architecture, whitelist management, cryptography policy, and security. If these design decisions are flawed, the application whitelisting implementation will be more vulnerable to failure.
  • Testing: After the solution has been designed, the next step is to test a prototype of the design solution to ensure that it meets the design requirements and solution architecture in critical areas such as functionality, management, performance, security, and usability. The testing should be carried out in a test environment before migrating to production systems or servers.
  • Deployment: Once the testing is completed and all issues are resolved, the next step is to deploy the application whitelisting solution. NIST recommends a gradual rollout of the solution. This gives security administrators an opportunity to measure the impact of the solution and resolve issues before enterprise-wide deployment. It also includes time for the IT staff and users to be trained and become accustomed to the operational lifecycle of the implementation.
  • Management: After the solution has been deployed, it is managed throughout its lifecycle. Operating the solution involves running the application and updating the whitelist, policies, software, and other solution components. Other key activities include patch management, key management, and adapting policies as requirements change. The entire implementation process is repeated when enhancements or significant changes need to be incorporated into the solution.

Evaluating Application Whitelisting Solutions

With various application whitelisting tools out there, choosing the right one for your business and budget can be challenging. What fits perfectly from a price, feature, and functionality standpoint for one project or company may not work for another. Therefore, when evaluating and selecting an application whitelisting solution, you need to ensure that the various functionalities address your security risks and policy requirements. In addition, you don’t want to get caught up in the sales and marketing hype that tends to surround most security products.

It’s crucial to compare competencies in specific product capabilities such as desired features, integration, and product support. Appropriate application whitelisting software features will be critical to a successful deployment. According to NIST, “Organizations should consider application whitelisting technologies already built into the operating system, particularly for centrally managed hosts (desktops, laptops, servers), because of the relative ease and minimal additional cost in managing these solutions. If built-in application whitelisting capabilities are not available or are determined to be unsuitable, then the alternative is to examine third-party solutions with robust centralized management capabilities”. Other key questions to consider when evaluating the effectiveness of potential application whitelisting solutions as recommended in the NIST framework are as tabulated below:

Key question to consider | Remark
How easily can a solution be bypassed? | A solution that can be easily bypassed will make it easier to run unauthorized software, which opens the door to malware.
How complex is a solution (hash-based versus signature-based, etc.)? | The more complex the solution, the more challenging it is for an attacker to circumvent. The downside is that complex solutions may have higher administrative and maintenance overhead.
What are the relative costs of a solution? | This should include both the implementation costs and the operational costs of a solution.
What impact does the solution have on standard performance? | The solution can be a massive failure if end users are constantly unable to perform essential business functions on a day-to-day basis.
What impact does the solution have on business/mission? | Consider the risk associated with false positives and false negatives.
How usable is the solution for both users and administrators? | A great solution strikes a balance between usability and security while staying within budget.
What are the long-term maintenance demands for running the solution? | This is important, considering the significant costs associated with maintenance. The amount of maintenance needed must be balanced against the effectiveness of the solution.

Table 1.0 Key considerations when evaluating potential whitelisting solutions

Best Application Whitelisting Solutions

1. AppLocker

Figure 1.0 | Screenshot showing the AppLocker container in a Windows GPO

AppLocker is an application whitelisting technology from Microsoft. It is included with enterprise-level editions of Windows, including Windows 10 Education and Enterprise edition, and Windows Server 2008, 2012, 2012 R2, 2016, and 2019 editions. Unfortunately, AppLocker is not supported on Windows 10 Home and Professional edition.

AppLocker allows security administrators to restrict which programs users can execute based on the program’s path, file name, publisher, or hash. As a result, AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. It automatically whitelists internal Windows applications, making the user experience less complicated.

Microsoft recommends the following scenarios as ideal for the use of AppLocker:

  • Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and restrict licensed software to authorized users.
  • Your organization no longer supports an app, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked, or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should access those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • People share some computers in your organization with different software usage needs, and you need to protect specific apps.

Notwithstanding, anyone with admin rights on their local device can subvert AppLocker policies. AppLocker can also be bypassed using techniques such as:

  • Writing an unapproved program to a whitelisted location
  • Using a whitelisted program as a delegate to launch an unapproved program
  • Hijacking the DLLs loaded by a trusted application in an untrusted directory

2. Airlock Digital

Figure 2.0 | Screenshot showing the Airlock admin dashboard

Airlock Digital is an Australian-based cybersecurity firm that is focused on addressing application whitelisting challenges. Airlock makes it easy for organizations to create and manage secure application whitelists while providing centralized visibility over all files in dynamically changing computing environments. Some of the key features and capabilities include:

  • Access to real-time execution data enables rapid policy management for minimal business disruption.
  • Administrators control where and how they apply trust: by hash, publisher, path, or process.
  • Unique configuration features make it difficult for malicious actors to test and validate their attacks.
  • Exception Handling (Bypass) features allow administrators to temporarily exclude devices from whitelisting via Airlock One Time Pad (OTP) functionality to ensure business continuity.
  • Support for blocklisting: implement predefined rules aligned with the MITRE ATT&CK framework or Microsoft’s recommended block rules, or create your own custom rules.
  • Execution control for all executables, application libraries, installers, and scripts.

Airlock is supported on Windows 10, Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 (including 32-bit and 64-bit versions), CentOS, and Red Hat Enterprise Linux. The application can be deployed on-premise or in the cloud and consists of the following key components:

  • Airlock Server—Installed on servers (physical or virtual)
  • Airlock Enforcement Agent—Installed on workstations and servers to provide protection
  • Airlock Application Capture (optional)—Installed on a known trusted workstation or server to assist with maintaining Application Whitelisting rule sets.

You can request a personalized demo to enable you to get a feel of the software before making financial commitments.


3. ManageEngine Application Control Plus

Figure 3.0 | Screenshot showing the ManageEngine Application Control Plus dashboard

Application Control Plus is an on-premises solution that combines least privilege and zero trust principles to help organizations automate the application whitelisting process by allowing only authorized access to applications and their related privileges. In addition, Application Control Plus’ agents scan every endpoint within a LAN and provide a list of the applications installed on them, along with details of all their executables. This helps organizations enforce policies to control and authorize application access, prevent malware threats, and tackle productivity loss.

Application Control Plus comes in two editions, as shown in Table 2.0 below. It is supported on Windows (Windows 10, Windows Server 2012, 2016, and 2019) and Mac operating systems. Key features and capabilities include:

  • Whitelist applications by specifying your prerequisites in the form of application control rules.
  • Blacklist applications by blocking non-business applications and malicious executables.
  • Prevent privilege elevation attacks by assigning need-based application-specific privileged access.
  • Discover and categorize all running applications, and remove excessively distributed local admin rights from one central location.
  • Handle interim user needs by enabling temporary application and privileged access automatically revoked after a set period.
  • Simplify application control list creation and management by using predefined rules.
  • Manage and resolve greylisted applications.

Feature | Free | Professional
Targeted at | SMBs | Medium to large organizations
Monitor up to | 25 computers | Unlimited
Annual subscription license | Free | 995 USD per 100 computers and one admin (support included)
Perpetual (one-time) license | Free | 2,487 USD per 100 computers and one admin + 498 USD for AMS

Table 2.0 | Comparison of Application Control Plus editions

A fully functional free 30-day trial is available for download. The licensing model is based on an annual fixed cost subscription including support or a one-time (perpetual) license fee + yearly maintenance cost (AMS).

4. Faronics Anti-Executable

Figure 4.0 | Screenshot showing the Faronics Anti-Executable dashboard

Faronics Anti-Executable is a mature whitelisting application that blocks sophisticated threats such as zero-day, APT, and ransomware attacks by ensuring only approved applications run on a computer. Some of the key features and capabilities are as follows:

  • Prevents the execution of .exe, .dll, .com, .scr, .jar and .bat files.
  • Multiple levels of control for various publishers and user types
  • Automatic creation and maintenance of application control lists and policies.
  • Supports discrete and stealth mode operation
  • On-premise or hosted central management
  • Reporting and real-time Logging
  • Active Directory Integration
  • Network Level Blocking

Faronics Anti-Executable comes in both standalone (on-premise) and cloud editions and is supported on Mac and Windows. However, Windows Server editions of Anti-Executable cannot be installed on a non-server OS, and non-server editions cannot be installed on a server OS. The on-premise and cloud editions are as follows:

  • Standard: A single standalone computer loaded with a non-server operating system.
  • Server Standard: A single standalone computer loaded with a server operating system
  • Enterprise: Multiple computers loaded with non-server operating systems.
  • Server Enterprise: Multiple computers loaded with server operating systems
  • Faronics Anti-Executable Cloud: Machine learning assisted application whitelisting

A fully functional free 30-day evaluation version is available for download. A valid license key is required to continue running the application afterward.

5. McAfee Application Control

Figure 5.0 | Screenshot showing the McAfee Application Control inventory

McAfee Application Control software is a centrally managed whitelisting solution that prevents zero-day and APT attacks by blocking the execution of unauthorized applications on servers, corporate desktops, and fixed-function devices such as point-of-sale (POS) and customer service terminals. In addition, McAfee Application Control uses dynamic whitelisting to ensure that only trusted applications are allowed to run. This provides IT with visibility and control over clients and helps enforce software license compliance.

Some of the key features and benefits include:

  • Reduce risks from unauthorized applications and code: Only trusted applications and code (binaries, kernel components, DLLs, ActiveX controls, scripts, or Java components) are allowed to run on your endpoints, servers, and fixed-function devices.
  • Save time and lower costs with dynamic whitelisting: Administrator efficiency is maximized using a dynamic trust model that does not require signature updates or labor-intensive list management.
  • Reduce patch cycles: Maintain your regular patch cycles and prevent whitelisted applications from being exploited via memory buffer overflow attacks on Windows 32- and 64-bit systems.
  • Inform and empower users with user-friendly notifications (optional): Educate desktop users about non-permitted applications with informative pop-up messages that can prompt them to seek approvals from security admins.

A free trial is available for download to enable you to test drive the product.