how is binary whitelisting a better option than antivirus software
How does antivirus software work?
For years, home and business users have installed antivirus software in order to protect their computers from malware. There are many different products, but most of them do the same thing: they protect against known threats by comparing files on a system against a list of known threats stored in virus definition files. In general, this type of protection is known as "blacklisting". With a blacklisting approach, everything except what is in the blacklist is typically allowed. In the case of antivirus products, they will generally allow all applications to execute if they are not identified as malware in the virus definitions. Most antivirus products also use behavior-based detection, which allows the product to detect and stop potentially malicious behavior from applications, even if those applications are not considered malware according to the virus definitions. Behavior-based detection is not perfect, but it provides an added layer of protection against unknown malware.
How does whitelisting software work?
Whitelisting software, sometimes referred to as application whitelisting or application control, uses the opposite methodology from blacklisting: it only allows items that are explicitly permitted by the organization's administrators who configured the software. This is sometimes referred to as a "default deny" methodology. For instance, consider a computer being used in a warehouse. Let's assume that this computer is intended to be used for inventory management only. System administrators could install and configure the whitelisting software to only allow the necessary inventory management software and the system applications required for the operating system to function. This approach prevents employees from installing other software, or even opening existing software on the system that is not relevant to their job duties. Whitelisting software can use multiple methods to identify what software is allowed; typically you define the path to the allowed applications, but additional integrity checks (such as hashing) are often used to ensure a malicious program hasn't overwritten the application. This prevents a user or attacker from replacing a whitelisted application with a different one, as the cryptographic hash of the new file will not match the hash of the file when it was originally added to the whitelist.
Shortcomings of traditional antivirus software
One of the most important things to note about antivirus software is that a blacklisting approach only protects you against known threats. Ignoring behavior-based detection for a moment, this means that an antivirus product can only protect against malware that has been previously detected, reported to the antivirus vendor, analyzed, and added to the virus definitions. Even behavior-based detection is not perfect. There are many ways to evade detection, and not all malicious applications will exhibit behavior that is considered malicious by a behavior-based detection engine. For instance, if I were to write an application that simply looks for and deletes a specific folder, most behavior-based detection engines would not consider this an issue. However, if I were able to convince a specific user to run this application, and the folder it was designed to delete is a folder containing critical financial data (which that user has read/write access to), it would be performing a malicious action that will most likely not be detected by an antivirus application. This is a situation where a whitelisting solution would shine; if my application was not added to the whitelist, the user would not be able to run it, preventing the loss of data.
Shortcomings of whitelisting software
While the default deny approach used by whitelisting software is in many ways superior to a blacklisting approach, it is not perfect. As mentioned before, many whitelisting applications use a cryptographic hash to perform integrity checking against applications in the whitelist. A cryptographic hash is a one-way function that generates a fixed-length string based on the contents of a file. It is nearly impossible to generate two different applications with the same cryptographic hash (there are exceptions, especially with weaker hash algorithms like MD5), as changing a single bit in an application will result in a completely different hash that no longer resembles the original hash. This also means that when an application is updated or patched, its hash is no longer the same as it was when it was added to the whitelist. This means that system administrators need to be vigilant about updating the whitelist each time an application is patched; otherwise, users may be unable to use the whitelisted application until the whitelist has been updated. Another potential shortcoming of whitelisting software is that a whitelisted application may have flaws that allow it to be used in malicious ways. In many cases, whitelisting software alone will not be able to protect against this exploit, but antivirus software that utilizes behavior-based detection may be able to do so.
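As an added illustration (not code from the original article or any whitelisting product), the following minimal default-deny checker combines the path and hash checks described in the whitelisting section and shows the patching problem above: the whitelist format, the SHA-256 choice, and the file names are assumptions of this example.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(paths):
    """Record absolute path -> hash at the moment an administrator approves each application."""
    return {os.path.abspath(p): sha256_of_file(p) for p in paths}


def is_allowed(whitelist, path):
    """Default deny: allow only if the path is listed AND the on-disk hash still matches."""
    key = os.path.abspath(path)
    expected = whitelist.get(key)
    if expected is None:
        return (False, "not in whitelist")
    if not os.path.exists(key):
        return (False, "file missing")
    if sha256_of_file(key) != expected:
        return (False, "hash mismatch")  # replaced, tampered with, or patched
    return (True, "allowed")


def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: approve an inventory app, then patch it and watch the decisions change."""
    d = tempfile.mkdtemp()
    inventory = os.path.join(d, "inventory.exe")   # constructed file names, not real binaries
    unapproved = os.path.join(d, "unapproved.exe")
    write_file(inventory, b"inventory management v1")
    write_file(unapproved, b"some other program")
    wl = build_whitelist([inventory])
    before = is_allowed(wl, inventory)           # (True, "allowed")
    other = is_allowed(wl, unapproved)           # (False, "not in whitelist")
    write_file(inventory, b"inventory management v2")  # vendor patch changes the hash
    after_patch = is_allowed(wl, inventory)      # (False, "hash mismatch") until re-approved
    wl = build_whitelist([inventory])            # administrator re-approves the patched binary
    after_update = is_allowed(wl, inventory)     # (True, "allowed")
    return before, other, after_patch, after_update
```

The `after_patch` result is exactly the operational cost the paragraph above describes: a legitimate update is blocked until the whitelist is refreshed, which is why update testing and whitelist maintenance belong in the same change process.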
Which should you use: antivirus or whitelisting?
Despite its shortcomings, a properly configured whitelisting solution will likely offer more security than a traditional antivirus solution, even one with behavior-based detection. That being said, there are situations where whitelisting becomes prohibitive. For example, if someone's job requires them to test new applications all the time, a whitelisting solution would make their job more difficult, as they would have to contact their system administrator to get approval for each new application. In this situation, whitelisting may not be the ideal solution, but antivirus would still be very useful. I personally would take additional precautions such as isolating that person's computer from the rest of the network to reduce the risk of infecting other computers on the network, just in case the user does download malware unwittingly and the antivirus software does not catch it. In environments that must comply with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, each system inside the Electronic Security Perimeter should only perform a specific set of functions, and whitelisting can be configured to only allow the applications required for those functions. When software updates are necessary, they should be performed in a test environment first, not only to validate that software updates don't break critical applications but to ensure the whitelisting solution can be configured to allow the updated applications to run. This process should ensure a successful rollout of software updates and whitelisting configuration updates in the live environment. Both antivirus and whitelisting have their advantages and disadvantages, so why not use both? Each type of application offers protections that are complementary to the other, and using both can be a good defense-in-depth approach to securing a system.
Source: https://foxguardsolutions.com/antivirus-vs-whitelisting-which-should-you-use/