In the fight against malware and viruses, there are number of different defensive security approaches. One popular approach is to block all the bad incoming items from a known bad domain, sometimes referred to as blacklisting. This is a common approach used by anti-virus vendors. Another approach is to provide a list of applications that are actually allowed access, which is referred to as whitelisting.
A new release from application whitelisting vendor CoreTrace aims to provide an alternative to blacklist antivirus solutions. CoreTrace’s Bouncer 5.0 release includes new capabilities to secure PCs from security threats. The solution now has memory protection as well as an updated mechanism for keeping the whitelist up to date.
The CoreTrace solution could represent a potential threat to traditional anti-virus vendors, though the solutions could also be complementary as well. The CoreTrace release comes as Microsoft is set to shake up the anti-virus market with its free Morro product.
“People have realized that application whitelisting is a great concept but its strength is also its weakness,” Toney Jennings, president and CEO of CoreTrace told InternetNews.com. “I got to lock down a box, but then I need to make a change how do I do that?”
Jennings noted that if an IT administrator needs to manually make an update to the allowed applications list (whitelist) every time a user wants to add or update a tool, there will end up being too much management overhead.
“At CoreTrace, we’re trying to break that paradigm giving users the benefits of applications whitelisting and the ability to change easily with something called trusted change,” Jennings explained. “The goal of which is to allow change to happen from trusted sources in a way that lets users transparently change there systems while still maintaining a locked down secure system.”
Bouncer starts by analyzing all the known applications on a user’s PCs to create the initial whitelist of allowed applications. The Trusted Change mechanism then enables users to update their PCs if they are connecting to trusted sources which could include trusted sites, users, network shares or digital signatures. Compliance and reporting for Bouncer 5 has also been improved to provide per-PC policies.
Since Bouncer only allows whitelisted applications to run, viruses and other non-authorized executables are blocked. Wes Miller, director of product manager at CoreTrace, commented that since antivirus product have historically been signature-based, they can fall behind and be at risk from executables that aren’t on their lists.
CoreTrace has also included new technology in Bouncer 5 to protect users against memory-borne attacks, those are attacks that are just occurring in memory and have not necessary put a payload onto a user’s physical system. Typically those sort of attacks come by way of a DLL
“We built a mechanism so any process that gets infected by a DLL that comes from somewhere other than on the local disk, the process will be killed,” Miller said. “So if someone comes along and tries to insert a DLL into Adobe Acrobat, we’ll kill Acrobat and you won’t be hit by the compromise.”
Though Bouncer can prevent many non-desired items from running on a users’ PC, it does have some limitations. For one, Bouncer is not an antispyware solution for browser based cookies.
“Our barrier is a privacy-based issue,” Miller said. “We won’t help today if it’s something born in the browser itself but as soon as it breaks out we’ll stop it.”
Whitelisting isn’t also necessarily a technology that needs to be separate from anti-virus solutions, either. According to Jennings, whitelisting and antivirus can complement each other.
“There was an expectation early on the people might not need to run Bouncer side-by-side with a blacklist anti-virus solution and in some cases that is true,” Jennings said. “You can argue over time whether whitelisting will replace blacklisting, in some cases it will and in some cases we’ll co-exist side by side. Fortunately for us, if every end point has anti-virus and application whitelisting that’s ok, it’s a big market for us.”