I wrote recently on the topic of deploying whitelisting for your SMB, in which I spoke with a couple of senior executives from whitelisting company CoreTrace, namely J.T. Keating, VP of marketing, and Greg Valentine, director of technical services. In my post, I highlighted the administrative overhead inherent to whitelisting (compared to traditional, definition-based anti-virus software), as well as a couple of important considerations for companies considering whitelisting.
One issue that I deliberately sidestepped was whether whitelisting is a viable replacement for traditional anti-virus software. While the answer might appear to be self-explanatory when considering whitelisting as a security product, there are actually two schools of thought on this topic. Let me elaborate on both of them today.
Using Whitelisting to Replace Anti-virus
The first school of thought entails deploying whitelisting as a wholesale replacement for traditional anti-virus protection. After all, the "disable by default" protection used by whitelisting means that hostile software or Trojans never get to run in the first place, right? So why encumber system resources by running unnecessary security software?
CoreTrace had previously shared with me how its CoreTrace Software Intelligence goes beyond "dumb" whitelisting by proactively identifying both known valid executable files and known bad ones. With a library of 2.5 billion hashes of "good" files as well as the hashes of millions of malware samples, CoreTrace believes that it offers a comprehensive solution as an anti-virus replacement.
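As an added illustration, not CoreTrace's code, here is the difference between a plain default-deny hash whitelist and one that also consults a known-bad hash library: both block the same files, but the second tells the administrator whether a blocked file is merely unapproved (a change-control matter) or known malware (an incident). The sample "files" and both hash sets are constructed for the example.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow: hash on whitelist"
    DENY_UNKNOWN = "deny: not on whitelist"
    DENY_KNOWN_BAD = "deny: hash in known-malware library"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; real products hash the file on disk.
GOOD_BINARY = b"MZ constructed approved line-of-business application v1.0"
BAD_BINARY = b"MZ constructed sample that appears in the malware library"
NEW_BINARY = b"MZ constructed build nobody has seen before"
TAMPERED_GOOD = GOOD_BINARY + b"\x00 injected bytes"  # modified trusted file

# Constructed libraries: in practice these hold billions / millions of entries.
KNOWN_GOOD = {sha256_hex(GOOD_BINARY)}
KNOWN_BAD = {sha256_hex(BAD_BINARY)}


def dumb_whitelist(data: bytes) -> Verdict:
    """Pure default-deny: only an exact match with the approved set may run."""
    return Verdict.ALLOW if sha256_hex(data) in KNOWN_GOOD else Verdict.DENY_UNKNOWN


def whitelist_with_bad_library(data: bytes) -> Verdict:
    """Default-deny, but the known-bad library is consulted first so the
    verdict distinguishes known malware from merely unapproved software."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD:
        return Verdict.DENY_KNOWN_BAD
    if digest in KNOWN_GOOD:
        return Verdict.ALLOW
    return Verdict.DENY_UNKNOWN


def compare_policies(data: bytes) -> tuple:
    """Return (dumb verdict, intelligent verdict) for one file."""
    return dumb_whitelist(data), whitelist_with_bad_library(data)


if __name__ == "__main__":
    for name, blob in [("good", GOOD_BINARY), ("bad", BAD_BINARY),
                       ("new", NEW_BINARY), ("tampered", TAMPERED_GOOD)]:
        dumb, smart = compare_policies(blob)
        print(f"{name:9} dumb={dumb.value:28} intelligent={smart.value}")
```

Note that the tampered copy of the approved file is denied by both policies, because any byte change alters the hash; the same mechanism is what blocks unauthorized changes to trusted software.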
Whitelisting with Anti-virus
The other school of thought on the deployment of whitelisting favors a layered approach to achieve optimal protection. This usually involves the use of standard anti-virus (blacklist) software to pick up known bad software, with the whitelisting software filtering out new or targeted malware. The idea behind keeping anti-virus software in the mix is that it might be useful for proactively screening out rootkits or exploits that piggyback on the use of existing software. This helps to filter out known threats, and also applications that exhibit suspicious behaviors, using the heuristic scanning techniques found in most anti-virus software.
In fact, security software vendor Faronics, which sells its Faronics Anti-Executable whitelisting software, also sells its own Faronics Anti-virus software. The company clearly believes in a layered security approach to weed out threats from rootkits, unlicensed software, targeted attacks and even unauthorized system changes. I'm currently testing the company's Anti-Executable software and will soon be writing a follow-up review of my experience with it.
I also quizzed CoreTrace on this topic, and Keating noted how compliance regulations might compel some companies to continue deploying anti-virus software. On a more practical note, licenses for anti-virus solutions are usually prepaid, and companies understandably loathe throwing good money away. Regardless, CoreTrace told me that its BOUNCER whitelisting solution works perfectly well with standard anti-virus software. Of course, it follows that while using whitelisting in tandem with an anti-virus solution shouldn't be a problem, you should get a written assurance (or conduct a trial deployment) prior to signing on the dotted line.
In a discussion on deploying whitelisting, the question should not be whether whitelisting can replace traditional anti-virus protection. While no sane administrator will suggest running two different anti-virus applications on the same workstation, the nature of whitelisting means that its use alongside anti-virus software can actually be complementary. Companies should instead strive to determine their comfort level with depending solely on whitelisting, as well as the level of security they require. In addition, while running a whitelisting solution in tandem with anti-virus software seems to be the superior solution, doing so will also incur a greater cost over the long term, which should be factored into the decision.