
Application whitelisting is a technology created to keep a system secure from unwanted software such as
malware. It works by keeping malware and other unwanted software from running on a computer system.
NIST Special Publication 800-167, Guide to Application Whitelisting, covers the basics of application
whitelisting as well as its planning and implementation. To help organizations that want to stop such threats
understand these essential concepts, we present a quick summary of the guide here.

An application whitelist is defined as the set of applications and application components that are
authorized for use in an enterprise. Application whitelisting technology uses such whitelists to decide which
applications are allowed to execute on a host, thereby preventing the execution of unlicensed software,
malware and other unauthorized software.

Application Whitelisting Basics

Basic definitions as per NIST:

Major Difference Between Application Whitelisting And Security Technologies

Types Of Application Whitelisting

Application whitelisting technologies differ in the following respects:

1. Application file and folder attributes that can be evaluated

2. Application resources handled

3. Whitelist generation techniques

1. Files and Folder Attributes

Application whitelisting can be based on one or more of the file and folder attributes listed below:

File Path

Whitelisting based on this attribute permits all applications located within a certain file path. The path
must be protected by strict access control; otherwise any malicious file placed in that directory would be
allowed to execute.

File Name

Applications or application components are permitted based on their file name. If a file is infected or
replaced, the file name does not change. Similarly, attackers could place a malicious file under an
accepted file name. Hence it is recommended to use this attribute only in combination with other
attributes.

File Size

Accepting applications based on file size rests on the assumption that malicious files have a different
size from the original. However, attackers can make an infected file appear with the same size as its
benign counterpart. Therefore this attribute is generally paired with other attributes such as the file
name.

Digital Signature Or Publisher

Application whitelisting can be based on the digital signature provided by the publisher, or on the identity
of the publisher.

Cryptographic Hash

Whitelisting applications based on a hash computed with a strong cryptographic hash function is accurate
regardless of file path, file name and digital signature, as long as the file is not updated.
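The following Python snippet is an added illustration (not from the NIST guide or this article) of why the attributes above are paired: a constructed tampered file keeps the accepted path, file name and size and so still matches path-based and name-plus-size rules, but fails a SHA-256 rule. All file contents, paths and rule values are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class WhitelistRule:
    """One whitelist entry; an attribute left as None is not checked."""
    path: Optional[str] = None      # directory the file must live in
    name: Optional[str] = None      # expected file name
    size: Optional[int] = None      # expected size in bytes
    sha256: Optional[str] = None    # expected SHA-256 hex digest

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rule_matches(rule: WhitelistRule, path: str, data: bytes) -> bool:
    """True when every attribute the rule specifies agrees with the file."""
    directory, _, name = path.rpartition("/")
    if rule.path is not None and directory != rule.path:
        return False
    if rule.name is not None and name != rule.name:
        return False
    if rule.size is not None and len(data) != rule.size:
        return False
    if rule.sha256 is not None and sha256_hex(data) != rule.sha256:
        return False
    return True

# Constructed sample files: the vendor's binary and a tampered replacement
# padded so that it keeps the same path, name and size.
PATH = "C:/Program Files/Vendor/setup.exe"
GOOD = b"MZ" + b"legit-installer-v1" + b"\x00" * 30
BAD = b"MZ" + b"replaced-by-attacker" + b"\x00" * (len(GOOD) - 22)

PATH_RULE = WhitelistRule(path="C:/Program Files/Vendor")
NAME_SIZE_RULE = WhitelistRule(name="setup.exe", size=len(GOOD))
HASH_RULE = WhitelistRule(sha256=sha256_hex(GOOD))

def evaluate_all() -> dict:
    """Compare how each attribute family treats the good and tampered file."""
    return {
        "good_by_path": rule_matches(PATH_RULE, PATH, GOOD),
        "bad_by_path": rule_matches(PATH_RULE, PATH, BAD),
        "good_by_name_size": rule_matches(NAME_SIZE_RULE, PATH, GOOD),
        "bad_by_name_size": rule_matches(NAME_SIZE_RULE, PATH, BAD),
        "good_by_hash": rule_matches(HASH_RULE, PATH, GOOD),
        "bad_by_hash": rule_matches(HASH_RULE, PATH, BAD),
    }
```

Only the hash rule rejects the tampered file; the path and name-plus-size rules accept both, which is the weakness the text describes.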

2. Application resources

Application whitelisting decisions are most often made by monitoring executables. In addition, most of
these technologies can also monitor other kinds of application-related files such as scripts, libraries,
browser plug-ins, macros, configuration files and application-related registry entries.

3. Whitelist Generation Techniques

Whitelist generation comes in two primary methods:

Method 1: Use vendor-provided details on the characteristics of known applications, along with
organization-generated details on the characteristics of organization-specific applications.

Method 2: Scan the files on a clean host to form a known-good reference point.

Both methods are effective on their own until an application is updated or a new application is
installed.

Application Whitelisting Modes

Most application whitelisting technologies offer two operational runtime modes:

1. Audit Mode

This mode allows all items to run, including those not on the whitelist, and logs their execution. It
provides data for continuous monitoring and analysis.

2. Enforcement Mode

This mode automatically permits the execution of whitelisted items and blocks the execution of
blacklisted items.

Different Forms Of Enforcement Mode Are:

Whitelist Enforcement - Blocks the execution of all items except the whitelisted items.
User Prompting - Depends on the user's or administrator's command to accept or reject files that
are neither whitelisted nor blacklisted.
Blacklist Enforcement - Allows the execution of all items except the blacklisted items.
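The decision logic of the modes described above, as an added Python example that is not part of the article or of any product; the "hash labels" and the two lists are constructed samples, and the mode names are assumptions for this illustration:

```python
from dataclasses import dataclass, field
from typing import List, Set

AUDIT = "audit"                      # log unlisted items, block nothing
WHITELIST_ENFORCEMENT = "whitelist"  # block everything not whitelisted
USER_PROMPTING = "prompt"            # ask about items in neither list
BLACKLIST_ENFORCEMENT = "blacklist"  # block only blacklisted items

@dataclass
class Policy:
    mode: str
    whitelist: Set[str]
    blacklist: Set[str]
    log: List[str] = field(default_factory=list)

def decide(policy: Policy, item: str) -> str:
    """Return 'allow', 'block' or 'prompt' for one item (here a hash label)."""
    if policy.mode == AUDIT:
        # Audit mode: everything executes, but unlisted items are logged
        if item not in policy.whitelist:
            policy.log.append(f"audit: unlisted item executed: {item}")
        return "allow"
    if item in policy.blacklist:
        policy.log.append(f"block: blacklisted item: {item}")
        return "block"
    if item in policy.whitelist:
        return "allow"
    # The item is in neither list; the enforcement form decides its fate
    if policy.mode == WHITELIST_ENFORCEMENT:
        policy.log.append(f"block: not whitelisted: {item}")
        return "block"
    if policy.mode == USER_PROMPTING:
        policy.log.append(f"prompt: unknown item, awaiting operator: {item}")
        return "prompt"
    if policy.mode == BLACKLIST_ENFORCEMENT:
        return "allow"
    raise ValueError(f"unknown mode {policy.mode!r}")

# Constructed sample: labels standing in for file hashes seen at execution time
SAMPLE_ITEMS = ["h-known-good", "h-known-bad", "h-unknown"]

def run_all_modes() -> dict:
    """Map each mode to the decisions taken for the three sample items."""
    results = {}
    for mode in (AUDIT, WHITELIST_ENFORCEMENT, USER_PROMPTING, BLACKLIST_ENFORCEMENT):
        policy = Policy(mode, {"h-known-good"}, {"h-known-bad"})
        results[mode] = [decide(policy, item) for item in SAMPLE_ITEMS]
    return results
```

Note that the unknown item is the only one whose treatment differs between the three enforcement forms, which is why audit-mode logs of unlisted items are so valuable before switching to enforcement.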

Application Whitelisting Technologies Uses

In addition to offering application access control, application whitelisting technologies can be
employed for other purposes, such as:

Software Inventory - The technology can maintain an inventory of the applications and application
versions installed on each host. This is useful for identifying unlicensed applications, prohibited
applications, software of the wrong version, modified applications, malware, unknown applications
and unauthorized applications.
File Integrity Monitoring - Application whitelisting technologies perform continuous or frequent
monitoring of attempted changes to files. This is useful for preventing file changes or reporting
them.
Incident Response - Whitelisting technologies compare the files on a host with the characteristics
of malicious files captured while responding to an incident, in order to find out whether the host has
been compromised.
Data Storage Access Control - Permits only encrypted devices, or devices with a certain serial
number, thereby restricting file reads, writes and execution on removable media.
Memory Protection - Prevents attacks that affect files in memory.
Software Reputation Services - Reviews the software that an application is bundled with in order
to analyze it for substantial security risk.
Anti-malware Technology Integration - Integrates with other malware analysis products to identify
malicious content.
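Whitelist generation Method 2 (scanning a clean host for a known-good reference point) and the file integrity monitoring use above share the same core, shown here as an added Python example that is not from the NIST guide or this article; the directory layout, file contents and the simulated update are constructed samples in a temporary directory:

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def scan_host(root: str) -> Dict[str, str]:
    """Method 2: walk a clean host and record a SHA-256 for every file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline

def diff_against_baseline(baseline: Dict[str, str],
                          current: Dict[str, str]) -> Dict[str, List[str]]:
    """File integrity view: what changed since the known-good scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo() -> Dict[str, List[str]]:
    """Constructed sample: a temporary directory stands in for a clean host."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/main.exe", b"build 1.0")
        _write(root, "app/helper.dll", b"helper 1.0")
        baseline = scan_host(root)          # taken while the host is clean
        # Later: the vendor ships an update, a new file appears, one is gone
        _write(root, "app/main.exe", b"build 1.1")
        _write(root, "app/dropped.exe", b"unexpected")
        os.remove(os.path.join(root, "app", "helper.dll"))
        return diff_against_baseline(baseline, scan_host(root))
```

The "modified" entry for the legitimately updated binary is exactly the case the text warns about: a scan-based whitelist is only effective until an application is updated, so the baseline must be refreshed as part of whitelist management.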

Operational Environment Differences

When selecting and deploying application whitelisting, it is essential to consider the important
differences between operational environments. They are as follows:

Standalone or Small Office/Home Office (SOHO) - A small or informal system installation used for
business or home purposes. It is the least secure environment.
Managed or Enterprise - Refers to large organizational systems with defined suites of software and
hardware configurations, generally comprising centrally managed IT products.
Specialized Security-Limited Functionality (SSLF) or Custom - Includes systems in which the degree
and functionality of security do not fit the Managed or Standalone environments. It is a highly
restrictive and secure environment.

Assessing Application Whitelisting Solution

The evaluation process includes the following steps:

1. Analyze the environment in which the hosts or the system will be functioning.

2. Consider whether built-in application whitelisting or a third-party solution is feasible.

3. Test the prospective whitelisting technology in monitoring mode to understand how it behaves.

Planning And Implementation Of Application Whitelisting

For successful planning and implementation of application whitelisting, it is important to follow the
step-by-step phased approach presented below:

Initiation

The initiation phase involves determining the current and future requirements for application
whitelisting, and how those requirements can best be satisfied. The requirements to consider are:

External Requirements - The enterprise may be subject to review by another enterprise that
requires application whitelisting.
System & Network Requirements - It is essential to understand the nature of these requirements
in order to choose compatible solutions with the vital functionality. Factors to consider are:
o Characteristics of the devices that require application whitelisting
o Technical attributes of interfacing systems
Requirement Analysis Outcomes

Identification of the types of applications / application components.
Determination of the classes of whitelisting that should be applied to balance usability,
maintainability and security.
Analysis of requirements documentation, including performance requirements, security
capabilities, management requirements, usability and maintenance requirements, and the
security of the technology itself.

Design

Once the requirements have been determined and suitable technologies have been chosen, the next
step is designing a solution that meets those requirements. It is vital to make accurate design
decisions so that the application whitelisting implementation is not susceptible to compromise or
failure. The major design factors to focus on are as follows:

Cryptography - It should be applied in three ways in these technologies:

1. To create and verify cryptographic hashes for files and other application components

2. To evaluate digital signatures

3. To protect the confidentiality and integrity of communication between the individual hosts and
centralized management.

Solution Architecture - Involves the selection of software and devices to provide application
whitelisting services, and the placement of centralized elements within the available network
infrastructure.
Whitelist Management - Involves the establishment of trusted publishers, updaters, users, etc.

Implementation

Once the solution is designed, the next step is implementation and testing of a design prototype.
Initially, implementation and testing should be performed on test devices or in a lab. Only the
final application whitelisting solution should be allowed onto production devices. The aspects of
the prototype solution that need evaluation comprise the following:

Application Control Functionality
Management
Logging/alerting
Performance
Security of Implementation

Deployment

The phase that comes after testing and resolving any issues is deployment. An enterprise should
deploy gradually, starting from a small number of hosts. This helps to avoid several issues, including
loss of availability. Issues that occur on the first hosts are likely to occur on many others as well,
so it is useful to identify them during testing and the deployment of the first hosts, so that they can
be corrected before widespread deployment.

Management

The final phase is to ensure that the solution keeps working over the long term. Managing an
application whitelisting solution involves operating the deployed solution and maintaining the
architecture, software, policies and other components of the application whitelisting solution.

Some Typical Actions Are As Follows:

Updating the whitelist in order to add new or updated applications
Testing and applying patches to the whitelisting software
Deploying the application whitelisting solution to additional platforms
Performing key management duties
Adapting policies as the requirements change
Monitoring components for security and operational issues
Regularly performing testing to guarantee that whitelisting is working properly
Performing regular vulnerability assessments

This article covers the basics of application whitelisting and gives an overview of the planning and
implementation of application whitelisting as examined in the NIST guide.

Hack2Secure is one of the few global vendors with the capability to deliver end-to-end Information Security
programs, viz. Training, Certification (PearsonVUE) and Services, across Information Security domains
aligned with industry security requirements and best practices. Connect with us to explore more.
