An application whitelist is a list of authorized or permitted applications to install or execute on a host according to a well-defined baseline. The goal of application whitelisting technologies is to stop the execution of malware and other unauthorized applications.
Here is our list of the six best application whitelisting software:
- ThreatLocker EDITOR’S CHOICE This package of system security services is delivered from the cloud and it containerizes all software and files on your system so that malware is blocked from running, applications are given whitelisting approval, and files are protected from unauthorized access. Sign up for a demo.
- AppLocker This is a feature of Windows and it is integrated into the operating system to control access to applications and files on a computer. It allocates a suite of resources that each user account can run. Integrated into Windows 10 and above and Windows Server 2016 and above.
- Airlock Digital A networked package of units that control user access to applications and data while providing central access to an administrator. Runs on Windows and Linux.
- ManageEngine Application Control Plus A “least privilege” package that implements the cloud concept of Zero Trust Access for on-premises endpoints. Runs on Windows Server.
- Faronics Anti-Executable This package creates multiple levels of access to executable files and enables an administrator to allocate these access rights to users. Available for Windows and macOS or as a SaaS package.
- McAfee Application Control This package prevents all but authorized applications from running on a protected device and controls which user accounts can run which applications. Runs on Windows, macOS, Android, and iOS.
The whitelisting software can distinguish between allowed and disallowed applications using various application file and folder attributes such as the file name, file path, file size, digital signature or publisher, and cryptographic hash.
Unlike application blacklisting, which blocks unwanted applications from executing, application whitelisting technologies are designed to ensure that only explicitly permitted applications run or execute. In fact, with an application whitelist, you are essentially blacklisting everything else except the applications you enable. The technologies used to enforce application whitelists are called whitelisting software.
The application of this level of control is one of the modern cybersecurity approaches to prevent several critical threats. Whitelisting is usually enforced at Layer 7 of the OSI model. The purpose of this article is to help organizations understand, evaluate, select, and implement the correct application whitelisting solution for their business.
Why is Application Whitelisting Important?
Nowadays, a signature-based approach to security is no longer considered strong enough to protect systems from modern cyber threats. This is why many organizations embrace the principles of the zero-trust security model in their security strategy. However, recent malware statistics and cybercrime trends show that malware is still a significant problem worldwide. With over 350,000 new malware samples discovered every day, it’s practically impossible for anti-virus applications to keep tabs on these new and emerging threats. This is where application whitelisting plays a key role.
Application whitelisting is a powerful tool deployed to defend your systems from known and unknown threats such as malware, advanced persistent threats (APTs), fileless attacks, zero-day and ransomware attacks, especially in high-risk environments where maximum security is required. If an application is found to have an unknown reputation, its execution will be denied. The default-deny policy of application whitelisting technologies makes it difficult for zero-day and ransomware attacks to execute.
The scope of application whitelisting doesn’t just end with malware protection. These tools also provide complete visibility into the applications and processes on your host systems, let you monitor changes made to those application files, and can either prevent the files from being changed or alert security teams for further investigation. This helps security admins to fine-tune their security policies and update their whitelists accordingly.
So Why is Everyone Not Using Application Whitelisting?
While application whitelisting does a great job of protecting against malicious applications, it can be very restrictive. Every time the user needs to run a legitimate application that is not on the whitelist, they need to contact the admin. This can make a system difficult to use and create operational bottlenecks, inefficiency, and frustration in the workplace, especially in large organizations. In addition, the whitelisting solution can be a massive failure if end users are constantly unable to perform essential business functions on a day-to-day basis.
What Does it Take to Successfully Deploy Application Whitelisting Solution?
Creating a comprehensive whitelist and keeping it updated can be quite a challenging and demanding task to handle for the security admin. This explains why most organizations prefer to adopt blacklisting instead of going through the headaches involved in whitelisting. But these headaches can be significantly reduced if the whitelisting solution has pre-existing policy templates or the capability for security admins to pre-approve known applications that are considered safe. Then, when users attempt to install them, the installation proceeds without any restrictions.
Implementing an application whitelisting solution requires proper planning for a successful deployment. Several best practices should be adhered to during the implementation process. One such practice is a phased implementation approach, which minimizes unforeseen issues early in the process. The U.S. National Institute of Standards and Technology (NIST) guidance on application whitelisting recommends the following planning and implementation phases:
- Initiation The purpose of this phase is to identify the current and future needs for application whitelisting through requirements analysis and to determine how those needs can best be met, including a policy document that captures all of those decisions. The outcome of the requirements analysis should help in determining the types of threats the application whitelisting should protect against; the types of applications or application components (executables, libraries, registry entries, configuration files, etc.) that need to be monitored; and the types of application whitelisting that should be used to balance security, usability, and maintainability. At the end of this phase, you should identify a suitable application whitelisting technology that your organization requires.
- Design Once the needs have been identified and the appropriate application whitelisting technologies have been chosen, the next step is to design a solution that meets those needs. Some of the critical design decisions to consider include solution architecture, whitelist management, cryptography policy, and security. If these design decisions are flawed, then the application whitelisting implementation will be more vulnerable to failure.
- Testing After the solution has been designed, the next step is to test a prototype of the design solution to ensure that it meets the design requirements and solution architecture in critical areas such as functionality, management, performance, security, and usability. The testing should be carried out in a test environment before migrating to production systems or servers.
- Deployment Once the testing is completed and all issues are resolved, the next step is to deploy the application whitelisting solution. NIST recommends a gradual rollout of the solution. This provides security administrators an opportunity to measure the impact of the solution and resolve issues before enterprise-wide deployment. It also includes time for the IT staff and users to be trained and become accustomed to the operational lifecycle of the implementation.
- Management After the solution has been deployed, it is now time to manage it throughout its lifecycle. Executing the solution involves operating the application, updating the whitelist, policies, software, and other solution components. Other key activities include patch management, key management, and adapting policies as requirements change. The entire implementation process is repeated when enhancements or significant changes need to be incorporated into the solution.
Evaluating Application Whitelisting Solutions
With various application whitelisting tools out there, choosing the right one for your business and budget can be challenging. What fits perfectly from a price, feature, and functionality standpoint for one project or company may not work for another. Therefore, when evaluating and selecting an application whitelisting solution, you need to ensure that the various functionalities address your security risks and policy requirements. In addition, you don’t want to get caught up in the sales and marketing hype that tends to surround most security products.
It’s crucial to compare competencies in specific product capabilities such as desired features, integration, and product support. Appropriate application whitelisting software features will be critical to a successful deployment. According to NIST, “Organizations should consider application whitelisting technologies already built into the operating system, particularly for centrally managed hosts (desktops, laptops, servers), because of the relative ease and minimal additional cost in managing these solutions. If built-in application whitelisting capabilities are not available or are determined to be unsuitable, then the alternative is to examine third-party solutions with robust centralized management capabilities”. Other key questions to consider when evaluating the effectiveness of potential application whitelisting solutions as recommended in the NIST framework are as tabulated below:
Table 1.0 Key considerations when evaluating potential whitelisting solutions
Best Application Whitelisting solution
1. ThreatLocker (ACCESS FREE DEMO)
Our methodology for selecting application whitelisting software
We reviewed the market for application whitelisting systems and analyzed the options based on the following criteria:
- A service that can block unauthorized software
- An access control system that provides a number of levels of access
- An access rights manager that maps user accounts to access levels
- Control over access to files and other data sources
- An Administrator account that is able to set up and manage access controls and rights
- A free trial or a demo account for a risk-free assessment opportunity
- Value for money from a service that is able to both block malware and prevent intruder manipulation of authorized applications.
ThreatLocker is a platform of resource protection systems that create a Zero Trust Architecture. The Whitelisting unit is called Allowlisting. This is a method of blocking all of the software on a computer from running unless it has been specifically approved. The Allowlisting method blocks malware and ransomware by default.
Key Features:
- Blocks all software by default
- Prevents unauthorized software
- Disables ransomware
- Part of a platform of security services
The strategy behind the ThreatLocker system is that all software is prevented from running. This closed security stance means that you don’t need to worry about users installing unauthorized software or malware and ransomware sneaking onto your company’s computers. Executable files will never activate unless you list them in your ‘allowlist’.
ThreatLocker also provides a form of access rights management in its package. This can apply controls on access to resources to specific IP addresses and allow or block users from having access to USB devices.
The entire package of the ThreatLocker platform enables you to move to protecting applications rather than networks or computers. This means that those applications can be hosted anywhere, including on your site or on cloud platforms. The deactivation of all execution rights for any file on your computers means that you could accumulate quite a lot of useless dead software on your endpoints and so you will need to institute a regular admin task to clean up each device. However, it is better to have dead-weight than active ransomware on your system.
The Allowlist system includes a Learning Mode option. This process takes about a week and it lets the access control service work out by itself which software and services are regularly used on each device. Although this process is a time-saver for busy administrators, the resultant list will still need to be checked before it is accepted because the ThreatLocker system doesn’t take software license ownership into account.
ThreatLocker is a cloud service, which makes it easy to sign up for. You will need to download an agent program onto each endpoint but that process is guided and launched from the ThreatLocker dashboard. Access a demo to find out more about the ThreatLocker system.
Pros:
- Easy to implement
- Introduces automation into ZTA migration
- Allowlisting interacts with other modules
- Provides protection against ransomware attacks
- Focuses security on applications
Cons:
- Doesn’t include a full access rights manager
EDITOR’S CHOICE
ThreatLocker is our top pick for an application whitelisting system because it offers an easy way to transition to Zero Trust Architecture and even includes a discovery service that works out which software your users regularly access on all of your endpoints. This system prevents any software package from executing unless you specifically approve it in a whitelist, which is called an ‘Allowlist’ in the ThreatLocker terminology.
Download: Access a demo
Official Site: https://threatlocker.com/demo-sign-up
OS: Cloud-based
2. AppLocker
AppLocker is an application whitelisting technology from Microsoft. It is included with enterprise-level editions of Windows, including Windows 10 Education and Enterprise edition, and Windows Server 2008, 2012, 2012 R2, 2016, and 2019 editions. Unfortunately, AppLocker is not supported on Windows 10 Home and Professional edition.
Key Features:
- Built into Windows
- Controls operating system access
- Blocks unauthorized executables
- Automatic access permission
- Allows unrestricted access to authorized users
AppLocker allows security administrators to restrict which programs users can execute based on the program’s path, file name, publisher, or hash. As a result, AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. It automatically whitelists internal Windows applications, making the user experience less complicated.
Microsoft recommends the following scenarios as ideal for the use of AppLocker:
- Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and restrict licensed software to authorized users.
- Your organization no longer supports an app, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked, or it is expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools are not allowed within the organization, or only specific users should access those tools.
- A single user or small group of users needs to use a specific app that is denied for all others.
- People share some computers in your organization with different software usage needs, and you need to protect specific apps.
Notwithstanding, anyone with admin rights to their local device can subvert AppLocker policies. AppLocker can also be easily bypassed using techniques such as:
- Writing an unapproved program to a whitelisted location
- Using a whitelisted program as a delegate to launch an unapproved program
- Hijacking the DLLs loaded by a trusted application in an untrusted directory
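To make the rule types discussed above concrete, here is an added example (not code from AppLocker or any product reviewed on this page) of a default-deny evaluator that matches executables by cryptographic hash, publisher and path, together with a policy lint that flags the weakness behind the first bypass item: an allow-by-path rule over a folder that ordinary users can write to. Rule semantics are loosely modelled on AppLocker (an explicit deny wins, then any allow, otherwise default deny); the signer name, file paths, file bytes and the list of user-writable folders are constructed assumptions.

```python
"""Default-deny allowlist evaluator, written as a teaching example for this article
(not code from AppLocker or any product reviewed here). Rule kinds mirror the
attributes named above: cryptographic hash, publisher (signer) and file path."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str                        # location on disk
    content: bytes                   # file bytes (constructed sample data below)
    publisher: Optional[str] = None  # signer as verified by the OS; None = unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def _norm_dir(p: str) -> str:
    """Case-fold, use backslashes and end with '\\' so prefix tests stop at folder boundaries."""
    return p.replace("/", "\\").lower().rstrip("\\") + "\\"


@dataclass(frozen=True)
class Rule:
    kind: str              # "hash" | "publisher" | "path"
    value: str             # hex digest, signer name, or directory prefix
    action: str = "allow"  # "allow" | "deny"

    def matches(self, exe: Executable) -> bool:
        if self.kind == "hash":
            return exe.sha256 == self.value.lower()
        if self.kind == "publisher":
            return exe.publisher is not None and exe.publisher == self.value
        if self.kind == "path":
            return _norm_dir(exe.path).startswith(_norm_dir(self.value))
        raise ValueError(f"unknown rule kind {self.kind!r}")


def evaluate(rules: List[Rule], exe: Executable) -> Tuple[str, str]:
    """Return (decision, reason): deny rules first, then allow rules, else default deny."""
    matched = [r for r in rules if r.matches(exe)]
    for r in matched:
        if r.action == "deny":
            return "deny", f"explicit deny: {r.kind}={r.value}"
    if matched:
        return "allow", f"allow: {matched[0].kind}={matched[0].value}"
    return "deny", "no rule matched (default deny)"


# Assumed list of folders an ordinary user can write into; an allow-by-path rule
# covering one recreates the first weakness listed above: whatever is dropped there runs.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def lint_policy(rules: List[Rule]) -> List[str]:
    """Flag allow-by-path rules that cover, or sit inside, a user-writable folder."""
    findings = []
    for r in rules:
        if r.kind == "path" and r.action == "allow":
            d = _norm_dir(r.value)
            if any(d.startswith(w) or w.startswith(d) for w in USER_WRITABLE):
                findings.append(f"path allow rule {r.value!r} covers a user-writable "
                                "folder; prefer a publisher or hash rule")
    return findings


# Constructed sample data: the signer name, paths and file bytes are all made up.
GOOD_BYTES = b"MZ-constructed-bytes-of-the-approved-backup-tool"
BAD_BYTES = b"MZ-constructed-bytes-of-a-tampered-copy"
POLICY = [
    Rule("publisher", "CN=Contoso Software"),
    Rule("hash", hashlib.sha256(GOOD_BYTES).hexdigest()),  # unsigned in-house tool
    Rule("path", "C:\\Program Files\\"),
    Rule("path", "C:\\Users\\Public\\Tools\\"),  # the weak rule that lint_policy flags
    Rule("hash", hashlib.sha256(BAD_BYTES).hexdigest(), "deny"),
]
SAMPLES = {
    "signed_vendor_app": Executable("C:\\Users\\bob\\AppData\\Local\\Vendor\\app.exe",
                                    b"vendor", "CN=Contoso Software"),
    "inhouse_tool": Executable("C:\\Ops\\backup.exe", GOOD_BYTES),
    "tampered_tool": Executable("C:\\Program Files\\Backup\\backup.exe", BAD_BYTES),
    "downloaded_setup": Executable("C:\\Users\\bob\\Downloads\\setup.exe", b"unknown"),
    "dropped_in_tools": Executable("C:\\Users\\Public\\Tools\\helper.exe", b"unknown"),
}


def demo() -> Dict[str, str]:
    """Decision per sample executable under POLICY."""
    return {name: evaluate(POLICY, exe)[0] for name, exe in SAMPLES.items()}
```

Running `demo()` shows the hash deny rule overriding the Program Files path allow for the tampered copy, the unsigned download denied by default, and the file dropped into the public Tools folder allowed purely by its path, which is exactly the rule `lint_policy(POLICY)` reports.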
Overall, we added AppLocker to this list because it is built into Windows and so is integrated into the consoles that systems administrators already use and understand. By controlling application access to the operating system, this tool can easily and efficiently stop unauthorized executables from being run by the processor of the protected computer. This is a very effective system protection mechanism.
Pros:
- Free to use for Windows devices
- Offers a central controller account for multiple endpoints
- Ties into access rights management
- Prevents users from installing software
- Protects the kernel
Cons:
- Only operates on Windows
- Can be bypassed programmatically
3. Airlock Digital
Airlock Digital is an Australian-based cybersecurity firm that is focused on addressing application whitelisting challenges. Airlock makes it easy for organizations to create and manage secure application whitelists while providing centralized visibility over all files in dynamically changing computing environments.
Key Features:
- Networked controls
- Blocks on intruder probes
- Emergency bypass
- Blocklisting against attacks
The Airlock Digital system imposes execution controls for all executables, application libraries, installers, and scripts.
The package includes live activity monitoring and presents tools for administrators to take temporary action over permissions to alleviate systemic seize-up or head off attacks. This supports rapid policy management changes to buy time for longer-term analysis and policy recasting.
Exception handling (bypass) features allow administrators to temporarily exclude devices from whitelisting via Airlock One Time Pad (OTP) functionality to ensure business continuity. A blacklisting function implements predefined rules aligned with the MITRE ATT&CK framework and Microsoft’s recommended block rules. It is also possible to create your own custom rules.
Administrators get control over where and how they apply trust: by hash, publisher, path, or process. Unique configuration features make it difficult for malicious actors to test and validate their attacks. The solution is made up of three components:
- Airlock Server: installed on servers (physical or virtual)
- Airlock Enforcement Agent: installed on workstations and servers to provide protection
- Airlock Application Capture (optional): installed on a known trusted workstation or server to assist with maintaining application whitelisting rule sets.
You can request a personalized demo to enable you to get a feel of the software before making financial commitments.
A fully functional free 30-day trial is available for download. The licensing model is based on an annual fixed cost subscription including support or a one-time (perpetual) license fee + yearly maintenance cost (AMS).
Pros:
- Centralize controls over a fleet of endpoints connected to a network
- Control access to the operating system for software, blocking unauthorized applications
- Emergency workaround to prevent company-wide lockouts
- Confounding strategies to block hackers and intruders
Cons:
- Control workarounds could weaken the security of the service
4. ManageEngine Application Control Plus
Application Control Plus software is an on-premises solution that combines Least Privilege and Zero Trust principles to enable organizations to automate the application whitelisting process. Controls fence each application individually, allowing only authorized access to it and its related privileges. The Application Control Plus system is implemented in two modules, a controller (server) and an endpoint agent (client). Agents scan every endpoint within a LAN and provide a list of the applications installed on them, along with details of all their executables. This helps organizations enforce policies to control and authorize application access, prevent malware threats, and tackle productivity loss.
Key Features:
- Centralized controls
- Autodiscovery
- Access controls per application
Whitelists are implemented as application rules, which are set up for each authorized application rather than for the entire endpoint. The system automatically blacklists unauthorized applications because nothing outside of the application control system is allowed access to the operating system. As well as blocking users from installing their own software, this feature completely blocks malware installation attempts.
Centralized administration for all endpoints blocks local Admin accounts, removing the ability of users, intruders, or malware to get into the controls of the device.
While one side of the system fences applications, the other aspect of access controls manages user accounts. Each account has an access level assigned to it and these specifications cannot be elevated to system privilege at will by the user.
A stop-gap status for privilege management and access rights allows short-term access to a new application under study. These can be end-dated to prevent absent-minded administrators from allowing these short-term permissions to roll on indefinitely.
The predefined rules that are available within the administrator console of Application Control Plus give a system manager a quick solution to setting up workable application controls while getting to know the system. These can be fine-tuned through customization later.
The controller for ManageEngine Application Control Plus runs on Windows Server and endpoint agents are available for Windows and macOS. There is a Free version of the software that is limited to monitoring up to 25 devices. A fully functional free 30-day trial is available for download. The licensing model is based on an annual fixed cost subscription including support or a one-time (perpetual) license fee + yearly maintenance cost (AMS).
Pros:
- Creates a virtualization/container for each application
- Everything outside of approved applications is blocked from accessing the operating system
- Autodiscovery and preset rules provide quick solutions to get application controls operating quickly
Cons:
- Doesn’t extend to cloud services
5. Faronics Anti-Executable
Faronics Anti-Executable is a mature whitelisting application that blocks sophisticated threats such as zero-day, APT, and ransomware attacks by ensuring only approved applications run on a computer.
The Faronics package specifically manages operating system access for program files with the .exe, .dll, .com, .scr, .jar and .bat file extensions. This is a permission-based system in which only managed applications get access to the operating system to launch. Thus, any software that is installed without going through the stage of being enrolled in the Anti-Executable system simply cannot be run.
Key Features:
- Graded permission levels
- Default permission rules
- Extensive activity logging
To prevent strict controls from preventing the business from operating, there is a graylisting option that can be applied automatically. However, use this feature with caution and only for short-term use to enable software to be assessed before it is fully approved – for example, during a free trial period before buying.
The Faronics system includes a high degree of automation to speed up the administration process. It provides automatic scanning of endpoints that compiles a list of installed software, enabling an administrator to run through the list allowing or blocking each package. This quick fix solution applies a default rule set, which buys time for detailed investigations before fully approving each package.
User access rights management can be implemented through Active Directory. Permitted applications can be allocated to groups, effectively creating a standard menu of services that can be allocated to each user group.
The system provides extensive activity logging, which includes rollback storage for console or AD changes. These records feed through to compliance reporting.
Faronics Anti-Executable comes in both standalone (on-premise) and cloud editions and is supported on macOS and Windows. Windows Server editions of Anti-Executable cannot be installed on a non-server OS, and non-server editions cannot be installed on a server OS. The on-premise and cloud editions are as follows:
- Standard: A single standalone computer loaded with a non-server operating system.
- Server Standard: A single standalone computer loaded with a server operating system
- Enterprise: Multiple computers loaded with non-server operating systems.
- Server Enterprise: Multiple computers loaded with server operating systems
- Faronics Anti-Executable Cloud: Machine learning-assisted application whitelisting
A fully functional free 30-day evaluation version is available for download. A valid license key is required to continue running the application afterward.
Pros:
- Autodiscovery and software inventory creation
- Quick graylisting for short-term access allowance
- Mass approvals for trusted software brands
Cons:
- Graylisting could be abused to defer decision making
6. McAfee Application Control
McAfee Application Control software is a centrally managed whitelisting solution that prevents zero-day and APT attacks by blocking the execution of unauthorized applications on servers, corporate desktops, and fixed-function devices such as point-of-sale (POS) and customer service terminals. McAfee Application Control uses dynamic whitelisting to ensure that only trusted applications are allowed to run. This provides IT with visibility and control over clients and helps enforce software license compliance.
Key Features:
- OS access only for approved software
- Automatic malware blocking
- Automated approval rules
The McAfee system examines all executable files and lists them for controls. Anything not allocated controls in the management console is excluded from the operating system. These controls extend to binaries, kernel components, DLLs, ActiveX controls, scripts, and Java components.
Time-pressed administrators will appreciate the dynamic whitelisting function in the management console. This allows certain applications to be instantly approved without manual intervention through a set of rules, for example, a business might decide not to waste time evaluating the security risk of installing Microsoft products.
Where approvals are fast-tracked, a specific default user group is permitted access to the newly approved application. This privilege can be associated with specific groups, leaving the administrator the decision over whether to permit access to the new application to other groups as well.
The McAfee Application Control system will integrate with your patch manager, letting you maintain your regular patch cycles. This prevents whitelisted applications from being exploited via memory buffer overflow attacks on Windows 32- and 64-bit systems.
The McAfee system also includes an optional notification system, which presents explanations to users on why they are blocked from installing software on their workstations, or what steps they need to go through in order to gain access to a permitted package from which they are currently blocked.
A free trial is available for download to enable you to test drive the product.
Pros:
- A fast-track approvals automation stream
- User information popups
- Strong blocks on operating system access
Cons:
- Use approval automation with caution