{"id":4168,"date":"2014-10-17T10:00:31","date_gmt":"2014-10-17T14:00:31","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4168"},"modified":"2020-02-26T18:59:06","modified_gmt":"2020-02-26T14:59:06","slug":"wonders_of_whitelisting","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/wonders_of_whitelisting\/4168\/","title":{"rendered":"The Wonders of Whitelisting (as Opposed to Blacklisting)"},"content":{"rendered":"<p>As it\u2019s most popularly understood, malware protection relies upon signature detection. However, detecting malicious software is only one side of the antivirus coin. In fact, some would say signature-based detection \u2013 essentially a form of blacklisting \u2013 is the less significant side of that coin. On the other side there is whitelisting, or the pre-approval of harmless software as opposed to the blocking of harmful software.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/10\/05111708\/KIS-Fortifying-your-PC-1-1024x683.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6368\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/10\/05111708\/KIS-Fortifying-your-PC-1-1024x683.png\" alt=\"KIS-Fortifying-your-PC\" width=\"1200\" height=\"800\"><\/a><\/p>\n<p><strong>What is Blacklisting?<\/strong><\/p>\n<p>Allow me to explain this through the prism of specific Kaspersky technology: <a href=\"http:\/\/ksn.kaspersky.com\/\" target=\"_blank\" rel=\"noopener nofollow\">the Kaspersky Security Network<\/a> (KSN). When users install certain Kaspersky Lab products, they are offered the opportunity to willingly join the KSN. Should they decide to opt-in, they become part of a distributed infrastructure dedicated to processing cybersecurity-related information. 
If an opted-in user in India becomes infected with a new type of malware, Kaspersky Lab creates a signature to detect that malware, and then adds that <a href=\"https:\/\/www.kaspersky.com\/blog\/the-wonders-of-hashing\/\" target=\"_blank\" rel=\"noopener nofollow\">signature<\/a> to its database so that no other Kaspersky user will become infected with that malware.<\/p>\n<p>Simply put, this is how blacklisting works. We make lists of things that are hurtful, and we keep those things off of your computer. Blacklisting that is 99.9 percent effective worked well when only 10,000 new families of malicious software emerged each year, but 99.9 percent effectiveness is not quite good enough when 10,000,000 new malware families emerge each year.<\/p>\n<p><strong>What is Whitelisting?<\/strong><\/p>\n<p>Again, I\u2019ll use Kaspersky technology and industry terminology to explain how whitelisting works. In this case, we are talking about a process called \u201cDefault Deny.\u201d Under this principle, a security product blocks all applications and software by default unless they are explicitly allowed. Thus, you have a whitelist of pre-approved applications.<\/p>\n<p>Problematically, this sort of default deny whitelisting is primarily used in corporate environments where a central authority can exert more control over what users need. It\u2019s relatively easy to say that certain apps are needed for work and all others can be ignored. Furthermore, in a business environment, the list of approved apps is likely to be fairly static over time. 
On the consumer level, there are some obvious pitfalls, which is to say, it\u2019s hard to know exactly what the consumer will need or want at any given time.<\/p>\n<p><strong>Default Deny Via Trusted Applications<\/strong><\/p>\n<p>Of course, <a href=\"https:\/\/securelist.com\/\" target=\"_blank\" rel=\"noopener\">our researcher friends<\/a> here at Kaspersky Lab managed to come up with a way to apply the principles of default deny to the consumer crowd with a technology called \u201cTrusted Applications.\u201d In essence, trusted applications represent a dynamically updated whitelist of applications based on a set of trust criteria tested against various data points acquired from the KSN.<\/p>\n<p>In other words, our consumer-ready, dynamic whitelist is an extensive and constantly updated knowledge base of existing applications. The database contains information on about one billion unique files, covering the overwhelming majority of popular applications, such as office packages, browsers, image viewers and nearly everything else you or I could imagine.<\/p>\n<p>Utilizing the input of nearly 450 partners, predominantly organizations that develop software, the database minimizes the occurrence of false positives by knowing about the contents of vendor-implemented updates before they happen.<\/p>\n<p><strong>The Trust Chain<\/strong><\/p>\n<p>What about the apps we don\u2019t know about? Certain apps and processes spawn new apps and it would be impossible for our whitelist to have a working knowledge of all of these programs. For example, in order to download an update, a program may have to launch a specialized module, which will connect to the software vendor\u2019s server and download a new version of the program. 
In effect, the update module is a new application created by the original program and there may be no data on it in the whitelisting database. However, since this application was created and launched by a trusted program, it is regarded as trusted. This mechanism is called the \u201cTrust Chain.\u201d<\/p>\n<p>Similarly, if a new update is downloaded automatically and it is different from the old app in ways the whitelist does not recognize, it can be approved by secondary means, such as verifying its digital signature or <a href=\"https:\/\/www.kaspersky.com\/blog\/digital-certificates-httpss\/\" target=\"_blank\" rel=\"noopener nofollow\">certificate<\/a>. A third failsafe method kicks in if an app unexpectedly changes and is also unsigned. In this case, the trust chain can run the download domain against a list of trusted domains, which generally belong to well-known software vendors. If a domain is trusted, so too is the new app. If a domain is used to distribute malware at any time, it is removed from the trust chain.<\/p>\n<p><strong>Last But Not Least<\/strong><\/p>\n<p>As you well know, attackers are hip to nearly everything we do on the protection end. 
In part because of this, they often like to find vulnerabilities in popular programs and exploit them in order to circumvent the very protections described above by having malicious acts originate from trusted programs.<\/p>\n<p>To combat that, our researchers have developed a system known as the \u201cSecurity Corridor.\u201d The security corridor supplements our dynamic whitelist by making sure that approved software and applications perform only the actions that they are supposed to perform.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/10\/05102738\/whitelisting-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6370\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/10\/05102738\/whitelisting-1.jpg\" alt=\"whitelisting (1)\" width=\"700\" height=\"374\"><\/a><\/p>\n<p>\u201cFor instance, a browser\u2019s working logic is to display webpages and download files,\u201d explained Andrey Ladikov of Kaspersky Lab\u2019s whitelisting and cloud infrastructure research team. \u201cActions such as changing system files or disk sectors are inherently alien to the browser. A text editor is designed to open and save text documents on a disk, but not to save new applications onto the disk and launch them.\u201d In this way, if your favorite paint application starts using your microphone, the application will be flagged.<\/p>\n<p><strong>Whose Computers are Fortified?<\/strong><\/p>\n<p>This dynamic whitelisting technology isn\u2019t available for everyone. 
Only users of <a href=\"https:\/\/www.kaspersky.com\/products\/home\/internet-security\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a>, <a href=\"https:\/\/www.kaspersky.com\/advert\/free-trials\/multi-device-security?redef=1&amp;THRU&amp;reseller=blog_en-global\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security Multi-Device<\/a> and <a href=\"https:\/\/www.kaspersky.com\/products\/home\/pure\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Pure<\/a> enjoy this level of protection.<\/p>\n<p><strong>Additional Reading<\/strong><\/p>\n<p>Our researcher friends here have written <a href=\"https:\/\/securelist.com\/analysis\/publications\/36746\/application-control-the-key-to-a-secure-network-part-1\/\" target=\"_blank\" rel=\"noopener\">not one<\/a>, <a href=\"https:\/\/securelist.com\/analysis\/publications\/36897\/application-control-the-key-to-a-secure-network-part-2\/\" target=\"_blank\" rel=\"noopener\">not two<\/a> but <a href=\"https:\/\/securelist.com\/analysis\/publications\/57882\/computing-securely-the-trusted-environment-concept\/\" target=\"_blank\" rel=\"noopener\">three more technical articles on the science of whitelisting<\/a>. Follow those links if you\u2019re interested in digging deeper.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Antivirus protection is often perceived as a process of simply blocking what is bad. 
However, it&#8217;s as much a process of approving what is good.<\/p>\n","protected":false},"author":219,"featured_media":4169,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[820,1062,819,36,192,818],"class_list":{"0":"post-4168","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-antimalware","9":"tag-antivirus","10":"tag-blacklist","11":"tag-malware-2","12":"tag-protection","13":"tag-whitelist"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/wonders_of_whitelisting\/4168\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/wonders_of_whitelisting\/4255\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/wonders_of_whitelisting\/4688\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/wonders_of_whitelisting\/5111\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/antimalware\/","name":"antimalware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/219"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4168"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4168\/revisions"}],"predecessor-version":[{"id":15929,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4168\/revisions\/15929"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4169"}],"wp:attachmen
t":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}