Strong Security from the Enterprise to the Edge

User Space White List Application Control

Problem: Block Zero-Day Malware and Unauthorized Software

Zero-day malware attacks and unauthorized software installed by enterprise end-users jeopardize sensitive data and dramatically drive up support costs.  Denying end-users local admin rights reduces risks and costs, but falls far short of eliminating them.

User-Space White List Application Control Solution

  • Featured in both AppGuard Enterprise and EdgeGuard endpoint security products
  • Focused on user-space, where over 90% of the problems are
  • Blocks Rootkit implantation and zero-day malware attacks
  • Prevents changes to System and Application Space by malware attacks
  • Aborts unauthorized software
  • Deployed with a fraction of the effort of a white list product
  • Delivers higher level of PC protection than white list products
  • Background and comparisons made below

Anti-Virus/Spyware Security Software Fails to Stop Young Virus, Worms, and Other Zero-Day Malware

  • Anti-Virus/Spyware software excels at stopping malware over a month old
  • However, vendors take a month to discover, develop, and distribute new signatures
  • Malware makers create new variants daily, even making old ones new again
  • Over 50% of new malware samples are retired by their makers within 48 hours to frustrate the signature vendors' efforts
  • Anti-Virus/Spyware products failed to detect over 90% of Zero-Day Malware samples developed and tested in-house by security intelligence company Secunia
  • The malware found in the wild is consequently getting younger on average as more cyber criminals use specialized software suites to systematically generate new malware

Enterprise End-users Routinely Install Unauthorized “Rogue” Software

  • User-installed software, which may be vulnerable or malicious, undermines enterprise security
  • End-users without local admin rights can only install software in user space
  • And they do: our article on users installing software without local admin rights has been one of the most Googled posts on our blog for the last year
  • Unauthorized software also drives up IT support costs
  • Unlicensed software exposes organizations to copyright violations

White List Application Control: Concept

  • A White list defines what Applications may run
  • Viruses, worms, Trojans, and unauthorized software excluded from the white list cannot run
  • White lists are much smaller than Black lists, which define what may NOT run
  • Black list example: Anti-Virus/spyware signatures

White List Application Control: Operationally Burdensome

  • Must enumerate the executable, library, and parameter files allowed on all endpoints
  • All computer variations must be covered: applications, versions, patches, hash checksums, etc.
  • Endpoints change, so the white list must be kept up-to-date for all PCs
  • Vendor white list libraries consist of over 4 billion entries
  • White list ‘shoppers’ dazzled with details, but administrators are dazed by details

White List Application Control: Too Risky for PCs Running with Local Admin Rights

  • Running PCs with local admin rights means that attacked applications can implant Rootkits
  • White listing does not prevent a hijacked, white listed application from implanting a Rootkit
  • Once a Rootkit is implanted, a white list product cannot reliably detect it: when the white list product asks the operating system for the name and details of something to compare against its white list, the Rootkit answers instead
  • This is why 3rd generation Rootkit based malware is practically undetectable
  • Preventing Rootkit malware implantation is paramount
  • AppGuard Enterprise and EdgeGuard block Rootkit insertions, even by ‘friendly’ applications

White List Application Control: Misplaced Priorities

  • Over 90% of malware attacks occur in user-space
  • But defining the White List for the operating system and applications represents over 99% of white list deployment effort
  • End-users without local admin rights can only install unauthorized software in user-space
  • But defining allowed applications in user-space is less than 1% of the effort
  • Over 90% of the benefit of application control is in regulating user-space
  • White list products are not focused on the key problem
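The Concept and Misplaced Priorities sections above argue that, once users lack local admin rights, a white list only has to cover user space. The following toy evaluator is an added example (not AppGuard or EdgeGuard code) that models just that scoping argument: protected roots, file contents, hashes and the policy format are all constructed, and it does not model the products' guarding of hijacked applications.

```python
"""Toy user-space allowlist evaluator: an added example, not AppGuard/EdgeGuard code.

Models the page's argument: users without local admin rights can only write
to user space, so the allowlist only has to enumerate user-space executables,
while system and application space is treated as protected by file rights.
Paths, file contents and the policy format are all constructed here.
"""
import hashlib
from pathlib import PureWindowsPath

# Constructed: roots a non-admin user cannot write to (system/application space).
PROTECTED_ROOTS = (PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files"))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def in_protected_space(path: str) -> bool:
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in PROTECTED_ROOTS)

def may_run(path: str, content: bytes, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Decide whether an executable may launch; returns (allowed, reason)."""
    if in_protected_space(path):
        return True, "protected space: non-admin users cannot alter it"
    expected = allowlist.get(path.lower())
    if expected is None:
        return False, "not in user-space allowlist"
    if expected != sha256_hex(content):
        return False, "hash changed since allowlisting (policy update needed)"
    return True, "user-space allowlist"

APPROVED_TOOL = b"constructed bytes of an approved user-space tool, v1"
# Constructed: the whole user-space allowlist is one entry, keyed by lower-cased path.
USER_SPACE_ALLOWLIST = {r"c:\users\alice\appdata\local\tool\tool.exe": sha256_hex(APPROVED_TOOL)}

def demo() -> dict[str, bool]:
    """Run four constructed launch attempts and return allowed/blocked per case."""
    cases = {
        "os_binary": (r"C:\Windows\System32\notepad.exe", b"constructed OS binary"),
        "approved_tool": (r"C:\Users\alice\AppData\Local\Tool\tool.exe", APPROVED_TOOL),
        "rogue_installer": (r"C:\Users\alice\Downloads\setup.exe", b"constructed rogue installer"),
        "patched_tool": (r"C:\Users\alice\AppData\Local\Tool\tool.exe", APPROVED_TOOL + b" v2"),
    }
    return {name: may_run(p, data, USER_SPACE_ALLOWLIST)[0] for name, (p, data) in cases.items()}
```

The last case shows why a hash-based white list needs a policy update after every patch: the same approved path with new content is blocked until its entry is refreshed.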

Far Less Effort, Far More Effective

  • Deployed in a fraction of the time of a white list product
  • Focused on user-space, where over 90% of the problems are
  • Blocks Rootkit implantation, white list products do not
  • Stops Zero-Day Malware (i.e., drive-by download) attacks
  • Aborts unauthorized or “rogue” software run by end-users
  • User Space White List Application Control is a feature included in both AppGuard Enterprise and EdgeGuard

Comparison: AppGuard Enterprise or EdgeGuard vs. a White List Application Control Product

| Criterion                                                                   | AppGuard Enterprise or EdgeGuard | White List Application Control Product |
|-----------------------------------------------------------------------------|----------------------------------|----------------------------------------|
| Location of Most Malware Attacks                                            | User Space                       | User Space                             |
| Location Where Users Without Local Admin Rights Can Install Software        | User Space                       | User Space                             |
| White List Definition Effort: User Space                                    | 100%                             | <1%                                    |
| White List Definition Effort: Operating System and Applications             | 0%                               | >99%                                   |
| Prevent Harms by White Listed or Guarded Applications: Rootkit Implantation | Yes                              | No                                     |
| Prevent Harms by White Listed or Guarded Applications: Malware-Caused Data Leaks | Yes                         | No                                     |
| Prevent Harms by White Listed or Guarded Applications: Ransom Attacks       | Yes                              | No                                     |
| Stop Drive-by Download Attacks                                              | Yes                              | Yes                                    |
| Mandatory Policy Update Following Patches/Updates                           | No                               | Yes                                    |
| Policy Variations per Windows Operating System                              | Minor, if Any                    | Extensive                              |
| Dependence on Vendor White List Library in Out-Years                        | None                             | Extensive                              |