The document discusses the application whitelisting (AWL) concept as a critical strategy for preventing malware infections, highlighting its advantages over traditional antivirus blacklisting. It addresses common implementation challenges related to cultural, process, and technical readiness, emphasizing the need for support from management and clear communication. Additionally, it provides practical steps for configuring software restriction policies in an Active Directory environment.

1. Preventing Malware Infection
using Application Whitelisting
Presented by Peter Gubarevich
MCT, MVP: Enterprise Security
CCSI, CEH

2. Agenda
 Application Whitelisting (AWL) Concept
 Common AWL Implementation Challenges
 Implementing Application Whitelisting in Enterprise
 Q&A
2

3. Ransomware Execution Scenario3
You don’t want to see this in your PC, do you?

4. Let’s try to open some documents from
your USB storage***
4
*** Can be delivered by any other transport, be it E-mail or Skype

5. Eventually, you will end up with this5
No, it was not a document. And antivirus has failed to detect this.

6. Application Whitelisting Concept6
#1 recommendation in NSA IAD’s Top 10 Mitigation Strategies

7. A surprising number of administrators consider
simply installing antivirus software to be enough to
provide reliable protection from a malware.
Unfortunately, defenses such as antivirus programs are
often ineffective because of “blacklisting” technology used.
7

8. In fact, Blacklisting and Whitelisting are both
designed to prevent malware from running
Blacklisting
 Considers everything is allowed to
be launched by default
 Only prevents known threats to be
launched
 Example: Antivirus Software
Whitelisting
 Considers everything is prevented
from launching by default
 Only permits launching previously
approved software
 Example: AppLocker Policies
8

9. Application Whitelisting
Configuration Example
 Everything from Windows folder is
permitted for launching
 Everything from Program Files is
permitted for launching
 Everything signed by Microsoft or
Adobe is permitted for launching
 Three Line-Of-Business Application
hashes are permitted for launching
 Everything else is prohibited
9

10. What Application Whitelisting really is
and what it is not?
 It prevents viruses and trojans from being launched from hard disk or
USB flash drives, but neither stops you from saving virus to a disk, nor
searches for or removes viruses from it;
 It prevents viral modules from launching automatically from a user
profile, but does not prevent exploiting scripts from within the legitimate
software, such as Microsoft Excel;
 It prevents exploits from being launched from a disk, but does not stop
an attacker from exploiting unpatched flaws in your system;
 It prevents unlisted software from running, but does not stop you from
manually adding malware to a whitelist;
 It prevents unwanted software from being launched by a user, but does
not stop him from downloading it.
10

11. AWL Implementation Challenges
Most of them are not technical, though
11

12. Challenge #1: Cultural Readiness
 Management Engagement. The senior leaders must see the value of AWL
as a core doctrine, not an additional security restriction;
 Many companies do not restrict individuals from installing software. AWL
limits who can install programs. Be ready for complaints and requests for
exclusions from users;
 Many companies do not limit what software can be installed. Not all the
software that users find useful or convenient will be allowed. Many of
users may want to keep their status quo because of that;
 In most cases, AWL represents a cultural shift and new operational
realities for IT workforce. AWL requires a particular level of discipline for
IT enforced.
12

13. Challenge #2: Process Readiness
 Company is required to maintain a reasonably accurate software
inventory, and have a knowledge of specialized applications, network
processes and operational requirements;
 A standardized application authoring procedure should be established.
Then, existing OS image and application distribution framework may get
involved;
 AWL requires an ability and experience to implement and rollback
changes incrementally across the enterprise;
 Clear communication mechanisms between users, IT support and AWL
project managers must be established.
13

14. Challenge #3: Technical Readiness
 A company must have enough resources to manage project
implementation in a timely manner. AWL requires skilled IT Pro
workforce availability;
 Seamless AWL implementation requires preparation such as reasonably
long auditing of currently used applications, especially ones which are
rarely executed;
 An appropriate AWL methodology must be chosen taking into account
supported OSs and application feature requirements;
 Additional licensing costs for third-party solutions may be applied.
14

15. Configuring Application Whitelisting
Software Restriction Policies (SRP) in an Active Directory domain
15

16. 16 Demo #1: Configuring SRP Auditing
Steps performed:
 Configuring SRP Verbose Auditing Policies
 Deploying SRP Log Rotation PowerShell Script
 Collecting SRP Logs
 [Optional] Analyzing SRP Logs using third-party tools

17. 17 Demo #2: Configuring Whitelisting
Steps performed:
 Configuring SRP Whitelisting Policies
 Deploying SRP Event Notification PowerShell Script
 Testing Application Whitelisting
 [Optional] Testing SRP in a real AWL-Enabled Enterprise

18. 18 Addendum: PowerShell Scripts
Download PowerShell Scripts and other files used in this
presentation from the following sources:
 http://blog.windowsnt.lv or https://srp.windowsnt.lv
 peter@optimalsolutions.lv or peter@windowsnt.lv
Send AWL-related questions or comments to:

19. Q&A19