application whitelisting (was RE: Active Directory Question)

From: John LaCour
Date: Wed, 14 Jan 2004 09:15:14 -0800
To: "Kayne Ian (Softlab)" <>, <>


    > From: Kayne Ian (Softlab)
    > A better way (for example) would be to write an app that
    > hooks kernel calls to load a process, then compare a checksum
    > of the process in question to a "whitelist" of allowed
    > application checksums - if a match is found, the call is
    > allowed. If not, the call is denied. Bear in mind that you
    > need to checksum the loaded process, not the exe file on disk
    > otherwise any packer (UPX etc) would effectively allow a bad
    > app to slip by. That somewhat raises the skill required to bypass
    > it.

    This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
    products do. Other Endpoint Security/Desktop Firewall software
    does similar things as well.

    An md5-like hash of the application is saved (in a protected file)
    along with the network access permissions associated with that

    UPX cannot be used to defeat this*. If you have a malicious program
    that has a hash not on your whitelist, UPX-ing it isn't going to
    change that.

    The most significant risk to this approach is people having bad
    about what is whitelisted or what whitelisted programs are permitted
    to do.

    *Ok, there is some really small possibility of a hash collision.

    -John
    --
    John LaCour
    Zone Labs Security Services

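The scheme John describes (a hash of the program image kept in a protected policy file, looked up when the program acts, with network permissions attached to each entry), as an added example that is not part of the original thread and not Zone Labs' code. The sample "binaries", the stand-in packer, the JSON policy format and its HMAC sealing are all constructed for this demo; SHA-256 is used in place of the "md5-like" hash because MD5 collisions are practical today. The demo also shows the two caveats a practitioner would want next to the message: packing a whitelisted program is just as much a hash mismatch as packing malware, so legitimate updates or repacks must be re-whitelisted (which is exactly where users start making bad allow/deny decisions), and an unsealed policy file is the attacker's next target.

```python
"""Hash-based application whitelist with per-entry network permissions.

Added illustration, not Zone Labs code.  Every binary, key and policy
below is constructed inline so the script runs offline.
"""
import hashlib
import hmac
import json
import zlib

# Constructed: stands in for whatever mechanism protects the policy file.
SECRET_KEY = b"constructed-demo-policy-key"


def fingerprint(image: bytes) -> str:
    """Hash of the program image.  SHA-256 rather than MD5, since MD5
    collisions are practical and the whole scheme rests on the hash."""
    return hashlib.sha256(image).hexdigest()


def save_policy(entries: dict) -> bytes:
    """Serialize {hash: [permissions]} and seal it with an HMAC so that
    edits to the 'protected file' are detected when it is loaded."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def load_policy(blob: bytes) -> dict:
    """Verify the seal before trusting a single entry."""
    wrapper = json.loads(blob)
    body = wrapper["body"]
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("policy file tampered")
    return json.loads(body)


def decide(policy: dict, image: bytes, action: str) -> str:
    """Allow only if the image hash is whitelisted AND the entry permits
    this action (e.g. 'outbound', 'listen').  Unknown hash -> deny."""
    perms = policy.get(fingerprint(image))
    if perms is None:
        return "deny: not whitelisted"
    if action not in perms:
        return f"deny: whitelisted but '{action}' not permitted"
    return "allow"


def fake_pack(image: bytes) -> bytes:
    """Stand-in for a packer such as UPX: the original bytes are compressed
    behind a small stub.  Different bytes, therefore a different hash."""
    return b"STUB\x00" + zlib.compress(image, 9)


# Constructed sample program images (not real executables).
GOOD_BROWSER = b"MZ...browser-v1..." * 64
MALWARE = b"MZ...evil........" * 64

# The protected policy: only the browser is known, and only for outbound.
policy_blob = save_policy({fingerprint(GOOD_BROWSER): ["outbound"]})


def run_demo() -> dict:
    """Exercise the decision for the cases discussed in the thread."""
    policy = load_policy(policy_blob)
    return {
        "browser_outbound": decide(policy, GOOD_BROWSER, "outbound"),
        "browser_listen": decide(policy, GOOD_BROWSER, "listen"),
        "malware_outbound": decide(policy, MALWARE, "outbound"),
        # Packing the malware does not move its hash onto the whitelist.
        "packed_malware": decide(policy, fake_pack(MALWARE), "outbound"),
        # ...but packing (or updating) a whitelisted program is denied too.
        "packed_browser": decide(policy, fake_pack(GOOD_BROWSER), "outbound"),
    }


def tampered_policy_detected() -> bool:
    """An attacker who can write the policy file adds their own hash;
    the seal check must catch it."""
    wrapper = json.loads(policy_blob)
    entries = json.loads(wrapper["body"])
    entries[fingerprint(MALWARE)] = ["outbound"]
    wrapper["body"] = json.dumps(entries, sort_keys=True)  # tag left stale
    try:
        load_policy(json.dumps(wrapper).encode())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:18} {verdict}")
    print("tampered policy detected:", tampered_policy_detected())
```

The "packed_browser" case is the operational cost of the approach: every patch, repack or rebuild of a legitimate program changes its hash, so the whitelist must be maintained continuously or users will be prompted into exactly the bad decisions the message warns about.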

