All it takes is for one person in a company to click on a link in a spearfishing email that launches a program to infect the PC with a persistent threat virus. From that one lapse in security, your company could end up being the next Sony Pictures. Windows UAC (User Account Control) is no help. That initial virus could probably do all it needs to do (collect intel for a future attack) with the user-level privileges. Windows might ask if you're sure you want to executed a file that isn't signed by a known publisher, but are you sure that your user won't just click OK?

I would think IT departments have told employees until they're blue in the face about not clicking on links in emails. You can't even trust links from an email address known to you, thanks to the From: field in email being trivial to fake.

Whitelisting to the rescue?

And so it goes on. No, we can't go on like this. It’s time to make the whitelisting of executables a normal policy on PCs. People seem to be OK with whitelisting on tablets and smartphones (though there is wiggle room on Android to run arbitrary code), why not on their PCs? Companies will be the first to adopt whitelisting policies, and of course many have already. Microsoft offers a feature called AppLocker on business grade versions of the Windows client and server. The headache of course is dealing with requests from users who get upset when they can't run a particular program.

One policy is to simply refuse them to run unverified programs on a networked PC. If they really want to run the program, do it on an isolated PC, not connected to the corporate network. That's fair enough, but can we do better?

Manageable whitelisting

I've been using the Sysinternals tool Process Explorer recently as an alternative to the Windows Task Manager. Task Manager is OK for a quick check on what your system is doing, but Process Explorer allows you to go for a really deep dive into your system.

A recently added feature to Process Explorer is the ability to check every running process against's database. The VirusTotal service combines the results of around 56 different anti-virus vendors and you can add a column to Process Explorer to display how many of these think a process is malware. So instead of relying on a single vendor, such as Microsoft itself, you can build up a picture of what the antivirus industry think. A score for 1 or 2, and it probably isn't anything to worry about. More than 5 and there might be an issue.

There are other signs that a process might be malware:

  • No company name in the image.
  • Not signed by a verified signer.
  • The process is compacted (which a process might do to hide it's on disk contents).
  • It's missing from the old Task Manager and is trying to hide (I found one like this recently).

So you could combine these and other signals into an intelligent whitelist system, which would make a considered decision as to whether the user should run a certain program.

Such a system would take the pressure off the IT department, freeing them from dealing with trivial requests to run well known and signed programs. If the system detects that the user is trying to run suspect malware, the IT department can be notify and investigate further. If the program is found to be malware, it could then be added to a blacklist, which is then updated on all client machines.

Whitelisting at home

For the home user, there is a whitelisting system built into Windows 8 and installable on Windows 7. There is one large drawback though. It's designed for the use case of a parent stopping their child from running any programs they like. Not ideal. It's called Family Safety if you want to check it out. How-To Geek has a good guide on it. I might give it a go, though I suspect the security of Family Safety isn't as good as AppLocker. Could some malware trick Family Safety into allowing it to run?