It's not a question of whitelist or AV (blacklist). Both are necessary. Whitelisting is very effective at controlling what exe, dll, com, etc. are allowed to run. But, malware can also exist as malformed data files such as pdf, jpeg, mp3. For these, blacklisting is needed since it's extremely impractical to whitelist every data file you'd like to open.
The analogy I like is home access. It's pretty impractical to maintain a list of criminals that you won't allow into your house. It's much easier to keep a mental list of friends and family who are welcome to come in. In that sense, you're whitelisting access to your house. But, even though Uncle Louie may be on the whitelist, if he comes over drunk one night and starts swinging a bat at my wife, I'm not gonna let him stick around just because he's been whitelisted. My failsafe blacklist of unacceptable behavior is going to dictate that I kick him out.

From: Stu Sjouwerman [mailto:[email protected]]
Sent: Tuesday, November 15, 2011 1:19 PM
To: NT System Admin Issues
Subject: Would you drop AV for Whitelisting / Application Control?

So I'm asking a bunch of questions here, because I'm looking at writing this story from a few different angles.

If the ratio of malware to good code is 80 - 20 (which it is +/- at the moment), why not drop AV altogether and lock down those workstations and only allow good code to run? Saves budget.

Your view? Input?

Stu

From: Stu Sjouwerman
Sent: Tuesday, November 15, 2011 2:10 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Oh, this is an acquisition, that is why it's having such a high score! LOL

From: Doug Hampshire [mailto:[email protected]]
Sent: Tuesday, November 15, 2011 1:13 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Clearly these results are flawed if McAfee Anything gets higher than a -3 in any category. :-)

On Mon, Nov 14, 2011 at 5:16 PM, Stu Sjouwerman <[email protected]> wrote:

Thanks Micheal.

Anyone have experience with any of the Whitelisting products in this InfoWorld Review?
http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?
Product (category weights)                30%  15%  25%  10%  20%  Score  Verdict
Bit9 Parity Suite 5.01                     10    8    9    9   10   9.4   EXCELLENT
CoreTrace Bouncer 5                         9    9    9    8    9   8.9   VERY GOOD
Lumension Application Control               8    9    8    9    9   8.5   VERY GOOD
McAfee Application Control 5.0              9    9    9    8    8   8.7   VERY GOOD
SignaCert Enterprise Trust Services 3.0

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Monday, November 14, 2011 5:10 PM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Whitelisting is the future IMHO. You can't trust anything anymore. Faith doesn't cut it. You have to protect yourself and your assets, and whitelisting is the best way to do it.

--
Espi

On Mon, Nov 14, 2011 at 8:48 AM, Stu Sjouwerman <[email protected]> wrote:

I'm referring to Whitelisting in the context of security.

About 10 years ago, the ratio "Good code" versus malware was perhaps 90 good 10 bad. In that scenario, it makes sense to keep the bad code out.

But over the last 10 years, with automated malware variant generation, the tables have turned, and there is actually more malware than good code out there. So in -that- scenario it might make sense to only allow "good code" and implement application control. Only that which is allowed will run.

I'd like your feedback - input - discussion on this!

Warm regards,

Stu

-----Original Message-----
From: Matthew W. Ross [mailto:[email protected]]
Sent: Monday, November 14, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Whitelisting Pros & Cons?

Are you asking about web content filtering, email filtering, or some other type of "whitelisting?"

--Matt Ross
Ephrata School District

----- Original Message -----
From: Stu Sjouwerman [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Mon, 14 Nov 2011 08:14:57 -0800
Subject: Whitelisting Pros & Cons?
> Guys, I am writing an article for WServerNews, and would like your
> public input.
>
> What is your experience with Whitelisting, which products you
> tried/use, and what experience you are having with this, likes and hates are
> all welcome !!
>
> Warm regards,
>
> Stu
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to
> [email protected]
> with the body: unsubscribe ntsysadmin
