Whitepaper Abstract
Blacklist-based antivirus products and emergency security patches have traditionally been the core elements of Endpoint Security 1.0 strategies. Endpoint Security 1.0's failures have been well documented in the headlines: data breaches, identity theft, cyberextortion, etc. However, Endpoint Security 1.0 approaches continued for one very simple reason: the absence of a superior alternative.
Fortunately, highly secure and easily updated application whitelisting is now available to provide superior endpoint security. Application whitelisting is at the core of Endpoint Security 2.0 offerings. This whitepaper explains the fundamental motivations behind the movement to Endpoint Security 2.0 and outlines a means to compare alternatives.
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
Application Whitelisting: A New Security Paradigm
True Endpoint Security—A Matter of 180°
With a defense‑in‑depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches—endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware attack vector and that in 1Q08 a new infected webpage was discovered every five seconds. It shouldn’t matter, but unfortunately, it still does because Endpoint Security v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense of security; all very nice until this essentially reactive strategy that surrenders control to the criminal offers no protection when it counts. Endpoint Security v1.0’s failures are well‑documented in the headlines: data breaches, identity theft, cyberextortion, etc. It should have been game over for this flawed strategy long ago, but in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out.

Fortunately, application whitelisting is now available to provide superior endpoint security; however, application whitelisting solutions are not created equally. True endpoint security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique v2.0 revolutionary 180°‑shifted approach provides true endpoint security from within the kernel.
Contents
Overview
Endpoint Security v1.0 (Blacklisting)
Endpoint Security v1.1 (90°‑Shifted Whitelisting)
BOUNCER’s Endpoint Security v2.0 (180°‑Shifted Whitelisting)
  Core Tenet #1—Control What You Know
  Core Tenet #2—Control at the Lowest Possible Level
  Core Tenet #3—Control Transparently
Summary

July 2008
CoreTrace Corporation
6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730
512‑592‑4100 | sales@coretrace.com | www.coretrace.com
BOUNCER by CoreTrace™
Overview

With a defense-in-depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches—endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware attack vector and that in 1Q 2008, a new infected webpage was discovered every 5 seconds for an average of more than 15,000 per day (79% of these were legitimate websites); 3 times more than in 2007.(1) It shouldn’t matter, but unfortunately, it still does because Endpoint Security v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense of security; all very nice until this essentially reactive strategy that surrenders control to the criminal offers no protection when it counts.

Endpoint Security v1.0’s failures are well-documented in the headlines: data breaches, identity theft, cyberextortion, etc. Blacklisting, the perpetual one-step-behind solution, tries to identify malware and keep it out by using a reactive approach (it is dependent on timely signature updates); therefore, it is simply unable to defeat zero-day threats. In effect, blacklisting surrenders control to the cybercriminals, handing them the first-strike advantage. Cybercriminals know that with Endpoint Security v1.0, control of an endpoint is only a malware variant away—today, tomorrow, forever. It should have been game over for this flawed strategy long ago, but in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out.

Fortunately, a new security paradigm—application whitelisting that only allows authorized code to execute—is available to provide superior endpoint security over traditional blacklisting solutions; however, application whitelisting solutions are not created equally. True endpoint security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique v2.0 revolutionary 180°-shifted approach to endpoint security fills the security gap that is the bane of v1.0 solutions and provides true endpoint security from within the kernel.

“To keep up with the criminals, antivirus companies plan a major shift in approach, called ‘whitelisting’. As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run. The technique, known as whitelisting, could help protect your computer…whitelist security may be a tool for techies today. But soon it’ll be de rigueur in the battle against malware.”(2)
— Erik Larkin, PC World

“In terms of deliberate action against information systems, hacking and malcode proved to be the attack method of choice among cybercriminals…Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.”(3)
— Wade H. Baker, C. David Hylender, and J. Andrew Valentine, Verizon Business RISK Team

Endpoint Security v1.0 (Blacklisting)

In the early days of the Internet, organizations helped keep their end users, assets, and information protected by implementing antivirus solutions as a part of their defense-in-depth strategies. The premise of these solutions is simple: a security vendor detects a malicious threat and creates a signature of that threat; the signature is pulled onto the endpoints of end users that have paid for protection (the timing being dependent on the update setting on each endpoint); a scan is run and all files on the endpoint are compared against the new signature to detect the presence of the threat (the speed of which is directly correlated with the number of files on the endpoint); and if the threat is found, the antivirus program detects it and cleans it off the endpoint (if possible).

Endpoint Security v1.0 blacklist solutions work best when the threats being detected are infrequent and readily apparent. The Internet’s early threats fit that requirement. Viruses, the Internet equivalent of graffiti, came out infrequently and with great fanfare since their authors were driven by ego in a quest to be infamous—they wanted the program to be detected after causing widespread damage. Today, most malicious threats are driven by profit-seeking cybercriminals that strike quickly and oftentimes invisibly. Blacklist solutions do not provide true endpoint security due to the following weaknesses:

• Zero‑Day Threats—The Achilles’ heel of blacklist solutions is the zero-day threat—it is impossible for a signature to be created for a threat that has just been released. With blacklist solutions, endpoints and end users will be impacted until the blacklist is updated.(2)(3)

(1) Sophos; Security Threat Report; Sophos.com; Q1 2008. (http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html)
(2) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html)
(3) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report; Verizon Business RISK Team; June 11, 2008. (http://www.verizonbusiness.com/resources/security/databreachreport.pdf)
• Targeted Attacks—Whether Trojan horses specifically designed to stealthily steal or bots that send spam or conduct paid-for denial of service (DoS) attacks, the vast majority of targeted threats will never be distributed widely enough to warrant their own signatures. Since their motivation is financial, cybercriminals have every incentive to remain below the radar.

• Variants—The rapid retargeting of the same fundamental attack, but in a slightly different way, presents a significant problem for security vendors that rely on signature files or blacklist databases. The blacklist approach, one in which a unique signature is created for each new threat variant, is simply inadequate to keep up with threats when breaking a signature is as simple as loading a new webpage.
The rapid expansion of the number of variants of malicious code and the number of new ways that malicious code can get onto an endpoint has created a problem for any security vendor that concerns itself with looking for things that are bad. Regardless of whether a security technology is looking for bad files, bad behaviors, or bad executables, the keeping-the-bad-guys-out approach cannot work with rapidly changing malware or attacks that are so targeted that they will never be widespread enough to have a signature created.

• Rogue Applications—Unauthorized, but legitimate, applications can impact an endpoint’s performance and availability, but they will never be detected by blacklist solutions that are designed to prevent malware.

Endpoint Security v1.0 with its multiple layers of reactive antivirus and blacklisting databases, security patches, and personal firewalls (all of which slow performance and add significant cost to network operations) can’t defeat today’s threats (i.e., zero-day threats from malware, rootkits, and buffer overflows)—let alone tomorrow’s.

“I always patch my system and run regular scans with updated antivirus and antispyware scanners. But while researching this story, I got hit by a Trojan…that was too new for my antivirus program to catch. Whether it’s a new variant on a familiar foe…or a completely new type of attack, today’s threats can leave even the most security conscious among us vulnerable.”(4)
— Andrew Brandt, PC World

Endpoint Security v1.1 (90°‑Shifted Whitelisting)

Fortunately, the majority of cyberattacks can be defeated if the right approach is taken defending the IT network—that is BOUNCER’s Endpoint Security v2.0 whose revolutionary 180°-shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there. Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), so even if malware gains access to a system, it cannot execute and is neutralized—that’s the short answer. For security reasons, the details in the execution of that strategy are as important as adopting the strategy.

Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present.

BOUNCER does not maintain a database of size and digest information created from vendors’ original media to compare to the whitelist it creates from an endpoint. While this approach may produce some sense of security for known file matches, it clearly doesn’t address unknown or undocumented ones. Updates to existing applications are constantly released and all of those would have to be entered into the database. Many organizations have legacy or internally developed applications and others run software that would not be a part of the database. With this model, the whitelist database would suffer from the same shortcomings found in the blacklist antivirus model—antivirus vendors simply cannot keep it current. More importantly, the whitelist database approach is subject to database corruption by the possible inclusion of Trojanized files in the database that would in essence become authorized software.(4)(5)

“Nobody has a full list of all good software…displaying a pop‑up that asks you to decide whether an unknown app is okay to run ensures that you’ll eventually make the wrong call and break your software or even your system…And then there’s the big question: Who maintains the list?”(5)
— Erik Larkin, PC World

(4) Andrew Brandt; The 10 Biggest Security Risks You Don’t Know About; PC World; June 22, 2006. (http://www.pcworld.com/article/126083/the_10_biggest_security_risks_you_dont_know_about.html)
(5) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html)
Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist-based solution is superior to a blacklist-based solution because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist of fingerprints customized for each endpoint; thereby, limiting the entries to programs installed on each endpoint vs. a centralized database of all programs. Additionally, a true Endpoint Security v2.0 solution automatically generates the customized whitelist for each endpoint in a controlled environment to ensure that it is not compromised. Further, a true Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not place a burden on the IT administrative staff.

The specious solution that has merely exchanged one list for another is only a 90°-shifted solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all-let’s-hope-the-list-isn’t-hacked centralized database of all authorized programs that somehow has to be mapped to each specific endpoint.

Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions or else the weight of this solution and attendant administrative burden and security risks will come crashing down on your CPUs and valuable IT staff.

BOUNCER’s Endpoint Security v2.0 (180°‑Shifted Whitelisting)

Cybercriminals are well armed, well skilled, and well motivated, so how can an organization protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the majority of cyberattacks can be stopped dead in their tracks if the right approach is taken defending the IT network—that is, BOUNCER’s Endpoint Security v2.0. BOUNCER takes a revolutionary 180°-shifted approach to endpoint security providing a unique Endpoint Security v2.0 solution that defeats today’s, tomorrow’s, next year’s…known and unknown threats—finally, efficiently, effectively, BOUNCER stops the madness.

To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present. Endpoint Security v2.0 is proactive, whitelist-based, provides enforcement from within the kernel, and it is predicated on the following three core tenets:
• Control what you know.
• Control at the lowest possible level.
• Control transparently.

BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities listed below for PCs, servers, and embedded systems.
• Preventing unauthorized programs and processes from running.
• Preventing rootkit establishment.
• Stopping code injected via buffer overflow from running and stopping further memory corruption.
• Preventing system configuration modification by staff members, malicious insiders, and malicious outsiders.
• Securing the endpoint transparently to end users.
• Providing ease-of-use to the operational staff.(6)

“Companies are wasting money on security processes—such as applying patches and using antivirus software—which just do not work, according to Cisco’s chief security officer John Stewart…the malware industry is moving faster than the security industry, making it impossible for users to remain secure…‘If patching and antivirus is where I spend my money, and I’m still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user’s data and I still have to reinstall it, the entire cost equation of that is a waste.’ ‘It’s completely wasted money’…‘There are too many companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it—as opposed to stopping it completely. That’s dangerous’…‘I’m sick of blacklisted stuff. I’ve got to go for whitelisted stuff—I know what that is because I put it there.’”(6)
— Liam Tung, ZDNet Australia

(6) Liam Tung; Antivirus is completely wasted money?; ZDNet Australia; May 21, 2008. (http://www.zdnetasia.com/news/security/0,39044215,62041561,00.htm)
Table 1. Endpoint Security v2.0: Security Features (each feature supports one or more of the three core tenets: Control What You Know, Control at the Lowest Possible Level, and Control Transparently)
• Only authorized programs allowed to execute
• Authorized programs fingerprinted to create a unique three‑factor integrity check:
  – File digest (SHA‑1 hash)
  – File location (pathname)
  – File size
• Whitelist of fingerprints customized for each endpoint—entries limited to programs installed on an endpoint
• Automatically generates customized whitelist in a controlled environment
• Ease‑of‑use whitelist updating procedure
• Digital certificates used for authentication
• Enforcement from within the kernel
• Entry points to the OS securely wrapped
• Prevents direct kernel memory read and write from user space
• Monitors and reacts to memory modification
• Provides a complete IPsec infrastructure

“Time: The second Tuesday of every month, 10:00 a.m. PST. Like clockwork, Microsoft releases a group of security patches. And like clockwork, that release sets in motion a flurry of events from businesses, security vendors, the media and even hackers…an entire industry has grown up around Patch Tuesday. Businesses race to quickly determine which are the most critical for their users and which might inadvertently cause more problems than they solve. Security firms rapidly implement fixes to their own systems and push them out to users…and hackers work to reverse‑engineer the patches to discover and use the vulnerabilities to their own advantage…Some people derisively call this Exploit Wednesday…A typical Microsoft patch updates only a couple of DLL files, which is helpful to the bad guys because they can compare the two binary files and find the one difference between the two, which is the vulnerability.”(7)
— Karen D. Schwartz, cio.com

Core Tenet #1—Control What You Know

Control what you know—what else can you control? Blacklists are pursuing the flawed strategy of trying to control that which is unknowable, and, as a result, are locked in a zero-day-threat race they can never win and being paid well for it. Conversely, controlling what you know—that is, controlling the authorized applications used by an endpoint so that you can be indifferent to the rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime.

BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized program’s fingerprint is comprised of the triple play of the following integrity checks: file digest (SHA-1 hash), file location (pathname), and file size.

When an unauthorized program tries to load (e.g., a virus from an e-mail attachment, a program copied on an endpoint by an authorized user, or a program copied on an endpoint through a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast majority of threats, including preventing Trojans from overwriting authorized files.

The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero-day threats. If a vulnerability is unpatched and exploited, the malicious program or injected code is stopped anyway, so zero-day threats become a thing of the past and there is time to test all patches before they are deployed—if they are deployed at all.(7)
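A worked illustration of the three-factor fingerprint (pathname, size, SHA-1 digest) described above, together with the per-endpoint whitelist that the v1.1 section contrasts with a central database of all software. This is an added example, not CoreTrace’s or BOUNCER’s code: the file contents are constructed, the keyed MAC over the stored list is an assumed stand-in for whatever protection the product applies to its encrypted whitelist, and the check runs in user space rather than in the kernel.

```python
"""Per-endpoint application whitelist: generate it in a clean state, then
check the three-factor fingerprint (path, size, SHA-1) at load time."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path

# Constructed key used only to detect tampering with the stored whitelist;
# the paper says the real product encrypts its whitelist but gives no details.
WHITELIST_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Fingerprint:
    path: str   # file location (pathname)
    size: int   # file size in bytes
    sha1: str   # file digest (SHA-1, the hash the paper names)


def fingerprint(path: Path) -> Fingerprint:
    """Compute the three-factor fingerprint of an on-disk program file."""
    data = path.read_bytes()
    return Fingerprint(str(path.resolve()), len(data), hashlib.sha1(data).hexdigest())


def build_whitelist(golden_root: Path) -> dict:
    """Enumerate only the programs installed on this endpoint (while it is in a
    known-clean state) and protect the resulting list with a keyed MAC."""
    entries = [asdict(fingerprint(p)) for p in sorted(golden_root.rglob("*")) if p.is_file()]
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(WHITELIST_KEY, body, hashlib.sha256).hexdigest()}


def load_whitelist(stored: dict) -> dict[str, Fingerprint]:
    """Verify the MAC before trusting the list, then index fingerprints by pathname."""
    body = json.dumps(stored["entries"], sort_keys=True).encode()
    expected = hmac.new(WHITELIST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stored["tag"]):
        raise ValueError("whitelist integrity check failed")
    return {e["path"]: Fingerprint(**e) for e in stored["entries"]}


def check_load(index: dict[str, Fingerprint], path: Path) -> tuple[bool, str]:
    """Allow execution only if all three factors match the whitelist entry."""
    actual = fingerprint(path)
    allowed = index.get(actual.path)
    if allowed is None:
        return False, "not on whitelist (unknown pathname)"
    if allowed.size != actual.size:
        return False, "size mismatch (file modified)"
    if not hmac.compare_digest(allowed.sha1, actual.sha1):
        return False, "digest mismatch (file modified)"
    return True, "authorized"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: one installed program, then several load attempts."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "tmp").mkdir()
    app = root / "bin" / "app.exe"
    app.write_bytes(b"MZ constructed authorized program v1")
    stored = build_whitelist(root)            # generated in the controlled, clean state
    index = load_whitelist(stored)
    results = {"authorized": check_load(index, app)}
    # Unknown program dropped on the endpoint (attachment, user copy, exploit).
    dropper = root / "tmp" / "update.exe"
    dropper.write_bytes(b"MZ constructed unknown program")
    results["unknown_program"] = check_load(index, dropper)
    # Same bytes as the authorized program, but at a pathname that was never listed.
    (root / "tmp" / "app.exe").write_bytes(app.read_bytes())
    results["moved_copy"] = check_load(index, root / "tmp" / "app.exe")
    # Authorized file overwritten in place with the same size: only the digest differs.
    app.write_bytes(b"MZ constructed authorized program v2")
    results["trojanized"] = check_load(index, app)
    # Stored list edited to add the dropper as if authorized: the MAC no longer verifies.
    stored["entries"].append(asdict(fingerprint(dropper)))
    try:
        load_whitelist(stored)
        results["tampered_whitelist"] = (True, "accepted")
    except ValueError as exc:
        results["tampered_whitelist"] = (False, str(exc))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```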
(7) Karen D. Schwartz; How Microsoft’s Patch Tuesday Affects Business Processes and Security; cio.com; July 9, 2008. (http://www.cio.com/article/428363/How_Microsoft_s_Patch_Tuesday_Affects_Business_Processes_and_Security?page=1&)
BOUNCER’s leveraging of control what you know results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little sanity:
• Zero-day threats.
• Malware, Trojans, viruses/worms, bots, keyloggers, adware, and spyware.
• Reactive security patching (patch for features you need on your schedule and have time to fully test patches).
• Chronic signature updating.
• Technology stacks, pattern matching, and behavioral heuristics (including the impact of false positives and prolonged learning periods typical of behavioral solutions).

“Attacks targeting applications, software, and services were by far the most common technique, representing 39 percent of all hacking activity leading to data compromise. This follows a trend in recent years of attacks moving up the stack. Far from passé, operating system, platform, and server‑level attacks accounted for a sizable portion of breaches. Eighteen percent of hacks exploited a specific known vulnerability while 5 percent exploited unknown vulnerabilities for which a patch was not available at the time of the attack. Evidence of re‑entry via backdoors, which enable prolonged access to and control of compromised systems, was found in 15 percent of hacking‑related breaches. The attractiveness of this to criminals desiring large quantities of information is obvious.”(8)
— Wade H. Baker, C. David Hylender, and J. Andrew Valentine, Verizon Business RISK Team

Core Tenet #2—Control at the Lowest Possible Level

Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle lies (only security software that functions in the kernel can reliably deliver the controls that IT requires).

BOUNCER loads into the kernel very early and performs the following functions:
• Allocates resources only to authorized applications.
• Locks down the process table and keeps track of pointers.

BOUNCER leverages control at the lowest possible level to prevent rootkit establishment; stop injected code (for example, via buffer overflow) from running (even in authorized programs); prevent system configuration modification by staff members and malicious insiders and outsiders; and prevent direct kernel memory read and write from user space.

• BOUNCER prevents rootkit establishment. A cybercriminal’s goal is to obtain and retain control of the endpoints that they gain access to for as long as possible to maximize their profit margins. Once access to an endpoint is gained, cybercriminals install a rootkit to take control of an endpoint and to retain control so they can load the software needed to carry out their schemes at their convenience.
As soon as the operating system (OS) boots, a BOUNCER process runs within the kernel and oversees all activities of every other process that runs. If a rootkit attempts to establish itself within a BOUNCER-secured kernel, this zero-day threat has zero time-to-live—BOUNCER will recognize it as unauthorized and it will be DOA.
Many rootkits are also Trojans masquerading as legitimate OS files. Sometimes, the malicious code is embedded in a legitimate OS file that still functions normally. Because BOUNCER’s whitelist is based on a fingerprint comprised of a triple play of integrity checks—file digest (SHA-1 hash), file location (pathname), and file size—Trojans are revealed as unauthorized and are not permitted to run.
Once established, rootkits are very difficult to detect because they use the administrator capability that the rootkit provides to cover up traces of their activities (hiding themselves from endpoint utilities that list files and provide information about running processes), and to hide other programs they plant on the endpoint. Some rootkits are known and may be detected by a scanning program; however, this defense does not work for a newly written rootkit. Typically, established rootkits are detected by a file comparison between a suspect endpoint and a clean endpoint with full administrator rights. This is difficult to organize and carry out while an endpoint is running. If a rootkit is established on an endpoint (i.e., prior to being protected by BOUNCER), to completely eradicate the rootkit, the best practice is to reimage the endpoint with a known clean image. The better practice is to use BOUNCER to prevent rootkit establishment.(8)
(8) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report;
Verizon Business RISK Team; June 11, 2008.
(http://www.verizonbusiness.com/resources/security/databreachreport.pdf)
• BOUNCER stops injected code (for example, via buffer overflow) from running (even in authorized programs). Injected code (for example, via buffer overflow) is not loaded through normal file access means; therefore, defeating this threat requires monitoring the code image in memory to detect changes and, when detected, to terminate the process.
Because BOUNCER has control at the lowest possible level, it is capable of defeating buffer overflows; furthermore, because BOUNCER’s whitelisting technology has created a controlled environment, even if the injected code manages to run for a few seconds, it will not be able to run any new programs, and it is only able to access whatever the program it injected itself into was able to access. Given BOUNCER’s unique approach to whitelisting, buffer overflows can be stopped—even in applications that are on the whitelist.

• BOUNCER prevents system configuration modification by staff members and malicious insiders and outsiders. Endpoint users unknowingly, and in the case of a malicious insider, knowingly, weaken and sometimes corrupt an endpoint’s security configuration by installing rogue applications (i.e., legitimate but unauthorized programs). BOUNCER’s self-protection mechanisms that prevent such system configuration modifications include the following:
  – BOUNCER runs in the OS kernel and cannot be tampered with by the end user, even if the end user has administrator, or root, access on the endpoint.
  – BOUNCER’s whitelist is encrypted.
BOUNCER helps to keep an endpoint compliant by maintaining its desired state throughout its lifecycle with the following measures:
  – BOUNCER’s whitelisting technology ensures that an endpoint’s performance will not degrade due to typical configuration drift or cyberattack.
  – BOUNCER can periodically scan the endpoint and remove unauthorized programs copied onto the system (i.e., all programs that are not on the whitelist). The system logs the deleted files, providing a record of activity on each protected endpoint.

• BOUNCER prevents direct kernel memory read and write from user space. BOUNCER securely wraps entry points to the OS by intercepting system calls from user space and packets coming from the network card, which are processed according to file policy or network filter rules, respectively.

Core Tenet #3—Control Transparently

BOUNCER leverages control transparently to secure the endpoint transparently to end users, and to provide ease-of-use to operational staff.

Endpoint Security v1.0 blacklists are bloated (typically containing millions of entries per endpoint) and are plagued by exponential and constant growth due to the rampant proliferation of malware. Blacklists require a large footprint in memory and on the hard drive, and negatively impact the CPU—blacklist scans have a significant negative performance impact noticeable to end users.

BOUNCER’s Endpoint Security v2.0 whitelist is lean (typically containing only a few thousand entries per endpoint) and it is immune to the effects and onslaughts of cybercrime. BOUNCER’s whitelist requires a very small footprint in memory and on the hard drive, and has a negligible impact on the CPU—BOUNCER is transparent to end users.

BOUNCER allows IT departments to set up an endpoint and know that it is configuration-drift free and secure—no need to continually update signature files or reactively patch the endpoint. BOUNCER affords the peace of mind that an endpoint is running exactly as intended—without rogue applications and safe from malicious code.(9)

“In fact there is no need at all for AV once you have whitelisting…we’ll never stop the global virus plague until AV becomes defunct…Actually there are a whole series of network issues that require the management of a list of valid executables including software license management, software usage auditing, software provisioning and so on. AV technology never had much to say about this issue. To be honest it was always PC software in spirit and AV companies tended not to think of their technology as part of an end‑to‑end security solution…So even if AV technology was capable of stopping viruses effectively, which it isn’t, it would have no contribution to make to the management of executables. Whitelisting software does because, aside from stopping all malware stone dead, it can prevent the use of old versions of software or software that violates corporate policy.”(9)
— Robin Bloor, The Register
(9) Robin Bloor; The decline of antivirus and the rise of whitelisting; The Register; June 27, 2007;
(http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/)
Summary

Sometimes a shift in perspective is all that is necessary to solve a seemingly intractable problem. The shift from Endpoint Security v1.0’s ineffective, flawed blacklisting solutions to whitelisting solutions is inevitable. The demise of blacklisting solutions is merely a matter of time; however, the implementation of true endpoint security via application whitelisting is a matter of degrees—BOUNCER’s Endpoint Security v2.0 180°-shifted approach to be exact.(10)

“Blacklisting—where vendors compile lists of known malware—has become technically unfeasible…When you’re doubling the amount of malware you’re getting on a daily basis, eventually a blacklisting model ultimately could run out of architectural scalability…As blacklisting becomes increasingly difficult…Whitelisting looks like it has an architectural promise that could be very strong.”(10)
— Liam Tung, ZDNet Australia

(10) Liam Tung; McAfee CEO: Adware is killing antivirus blacklisting; ZDNet Australia; June 16, 2008. (http://www.zdnetasia.com/news/security/0,39044215,62042651,00.htm)