5

I understand that application whitelisting is better and more accurate than blacklisting. However, my question is, if you whitelist a directory, won't the malware also be able to execute in that directory? So what use is application whitelisting in this respect?

CodesInChaos
Pang Ser Lark
  • 1
    I don't think you are understanding how application whitelisting works. Why are you whitelisting a directory? – schroeder Apr 13 '15 at 03:36
  • Hi. Thanks. Don't we have to whitelist, for example, `C:\program Files`, if I want all legitimate programs inside this directory to run? Or do I have to do it one by one? Thanks. – Pang Ser Lark Apr 13 '15 at 03:57
  • Your question is not clear. In which context is the white listing done? Being able to execute files in a specific directory? – Jeroen Apr 13 '15 at 04:24
  • Hi, I am more concerned that if I whitelist one application, and if this application makes use of other types of files, e.g. DLLs, then I might as well whitelist the whole directory that contains the DLLs? – Pang Ser Lark Apr 13 '15 at 06:15

2 Answers

4

If you whitelist a directory, then sure, any malware in that directory can run.

That's why you don't whitelist directories. Instead, you whitelist programs, and you take precautions to ensure those programs aren't modified. For example, instead of whitelisting "c:\Program Files\Internet Explorer", you whitelist "c:\Program Files\Internet Explorer\iexplore.exe with SHA-256 checksum c09bc04058f1e2d4eae481490b998381486311e02ff782e99383c16d77c1b3bc".

Mark
  • Hi, thanks. In your example, say, iexplore.exe uses other files such as dlls in the same directory or in System32 and I didn't whitelist c:\windows\system32, would iexplore still run? – Pang Ser Lark Apr 13 '15 at 06:13
  • 1
    You whitelist the needed DLLs, taking the same precautions against modification that you take for executables. – Mark Apr 13 '15 at 06:19
  • 1
    Have you ever actually seen or worked on a system that does this? This sounds like well meaning advice lacking practical experience, and you should at least add a disclaimer. – paj28 May 22 '15 at 11:10
  • @paj28, never done it on Windows, but this is how (give or take implementation details) Gatekeeper on MacOSX works. I believe the current incarnation of Google Chrome extensions also work like this, and many years ago, I used a personal firewall that used checksums to verify which programs were trying to access the Internet. – Mark May 22 '15 at 11:17
  • 1
    @Mark - you hit the nail on the head with "many years ago" - not much current software does it, because it's so difficult to keep up with software updates. Gatekeeper is based on signatures not hashes. The signature includes a hash, sure, but that architecture avoids having to maintain the list of whitelisted hashes which is the biggest problem. BTW, application signing is coming to Windows 10 as part of Device Guard. Until then whitelisting directories using AppLocker is the only practical way. – paj28 May 22 '15 at 11:24
2

In a corporate environment the purpose of whitelisting is that an administrator can authorise programs to run, but a regular user cannot.

In that case it is ok to whitelist a directory that a regular user does not have write access to. In fact, there is a standard AppLocker profile that allows execution from C:\Program Files and C:\Windows, but excludes user-writeable directories. It is rare to see this in practice, but I think it is an excellent security control. In particular, it stops a user downloading an exe file from the Internet, and running it.

The approach Mark mentions of hashing individual exe and dll files, while nice in theory, has been generally discredited as impossible to implement in practice.

I can imagine your follow-up question: what if malware does privilege escalation and writes itself into a whitelisted directory? Well, clearly that malware will then run again in future. AppLocker white listing does not protect against that. In fact, very few protections work against malware that has escalated privileges to root/administrator. Whitelisting is a useful technique - but it is not a silver bullet.

paj28
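The two styles argued over in the answers above, built and tested with the AppLocker cmdlets that ship with Windows 7 / Server 2008 R2 and later. This is an added example, not code from either answer: it builds a path policy of the kind paj28 describes (Program Files and Windows allowed, user-writable subfolders carved out), a hash rule of the kind Mark describes, and runs Test-AppLockerPolicy against the same binary in three places. Assumptions: an elevated PowerShell session, `notepad.exe` as the stand-in for a trusted program, and `%WINDIR%\Temp` and `%WINDIR%\Tasks` as illustrative user-writable folders (the `Find-UserWritableDir` check is there so you can replace that list with what your build actually has). Only the `Exe` rule collection is shown; DLLs are governed by the separate `Dll` collection, which is off by default. Nothing here changes the live policy; the `Set-AppLockerPolicy` line that would is left commented out.

```powershell
# Added example, not from the original thread. Run elevated; see lead-in for assumptions.
Import-Module AppLocker

# --- Check: which directories under a root can regular users write to? --------
# A path rule is only as strong as the ACLs beneath it. Report directories where
# Everyone, Authenticated Users or BUILTIN\Users hold an Allow ACE carrying a
# write/create right. Deny ACEs are ignored, so treat hits as candidates to review.
function Find-UserWritableDir {
    param([Parameter(Mandatory)][string]$Root)
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write'
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                $_.FullName; break
            }
        }
      }
}
# Find-UserWritableDir -Root $env:SystemRoot   # slow on a full tree; on a default install Temp and Tasks are among the hits

# --- Style 1: path rules (paj28's answer) -------------------------------------
# Everyone may run from %PROGRAMFILES% and %WINDIR%; the user-writable subfolders
# are carved out as Exceptions (Temp/Tasks are illustrative). Administrators may
# run anything. AuditOnly means a mistake only produces event-log entries.
$pathPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows minus user-writable folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$pathPolicyFile = Join-Path $env:TEMP 'applocker-path-rules.xml'
Set-Content -LiteralPath $pathPolicyFile -Value $pathPolicyXml -Encoding UTF8

# --- Test inputs: the same program in three places ---------------------------
# The real binary, an identical copy dropped into a user-writable folder under
# %WINDIR%, and a copy with one byte flipped in the middle of the image.
$trusted   = Join-Path $env:SystemRoot 'System32\notepad.exe'
$relocated = Join-Path $env:SystemRoot 'Temp\notepad.exe'
$tampered  = Join-Path $env:SystemRoot 'Temp\notepad-tampered.exe'
Copy-Item -LiteralPath $trusted -Destination $relocated -Force
$bytes = [System.IO.File]::ReadAllBytes($trusted)
$mid = [int]($bytes.Length / 2)
$bytes[$mid] = $bytes[$mid] -bxor 0xFF
[System.IO.File]::WriteAllBytes($tampered, $bytes)

'Path rules:'
Test-AppLockerPolicy -XmlPolicy $pathPolicyFile -Path $trusted, $relocated, $tampered -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# The Exceptions take both Temp copies out of the %WINDIR% rule; drop the
# <Exceptions> block and the rule covers them too, which is the "malware in a
# whitelisted directory" case the question asks about.

# --- Style 2: hash rule (Mark's answer) ---------------------------------------
# Build it from Get-AppLockerFileInformation, not Get-FileHash: for PE files
# AppLocker computes an Authenticode-style SHA-256 of the image, which is not
# the SHA-256 of the raw file bytes.
$hashPolicy = Get-AppLockerFileInformation -Path $trusted |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Hash'
'Hash rule:'
Test-AppLockerPolicy -PolicyObject $hashPolicy -Path $trusted, $relocated, $tampered -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# A hash rule binds content, not location: the identical copy still matches it,
# the one-byte change does not. The price is a new rule for every update to the
# binary, which is paj28's objection.

# To enforce the path rules locally (needs the Application Identity service):
# Set-AppLockerPolicy -XmlPolicy $pathPolicyFile -Merge
Remove-Item -LiteralPath $relocated, $tampered, $pathPolicyFile -ErrorAction SilentlyContinue
```

The point of running both policies over the same three files is to see where each one draws its line: the path policy with Exceptions refuses to extend trust to anything in the carved-out folders even when the bytes are identical to a trusted binary, while the hash policy extends trust to identical bytes anywhere and withdraws it on any modification. Neither helps once an attacker with administrator rights can write into `%PROGRAMFILES%` or replace the binary the hash was taken from, as the second answer notes.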