Home

Application Whitelisting Support Guide for IT HelpDesk

Peter Gubarevich 07-Jan-2019

General Considerations

1. With a purpose of lowering malware infection and unwanted software execution risks, most of Company’s Servers and Workstations are Application Whitelisting (AWL)-enabled.
2. Based on some particular features, some systems are AWL-enabled via Software Restriction Policies (SRP), others — via AppLocker.
3. This Guide is targeted to assist IT HelpDesk staff supporting Users running AWL-enabled computers.

How it works

1. Whitelisting does not perform executable analysis for embedded malware; it is not any kind of antivirus scanning system. AWL policy controls launching of executable software by allowing or denying each single file execution. When configured in Whitelisting mode, AWL only allows execution of software that was previously considered safe to run, blocking everything else by default. An Administrator decides on which software is allowed, and configures the policy appropriately.

2. By the moment when a User tries to launch any executable, or some running program tries to load an additional module from a file, AWL makes a decision if this file is allowed to run by checking its pre-defined Rules. If no Rule applies, an execution is blocked.

3. AWL implements the following Rule types:

• Path rules check the Name and Path of the required file against a pre-defined list of allowed paths (like C:\Program Files*, \Server\Data*.exe, %Temp%\fb??.dll and so on);

• Hash rules calculate SHA256 and MD5 hashes of the requested file, and compare them with a pre-defined list of allowed hashes;

• Certificate rules compare a certificate of the required file’s Digital signature with a pre-defined list of allowed Certificates;

4. The detailed list of Extensions that are considered to be Executables: BAS COM HLP ISP MST REG VB

BAT CPL HTA MSC OCX SCR WSC

CHM CRT INF MSI PCD SHS

CMD EXE INS MSP PIF URL

Note that some other extensions such as PS1 may be processed in an implicit non-configurable way.

5. AWL does not affect:

• MS Word/Excel, Adobe PDF and other document type processing, including Macros;
• E-mail messages, Sound, Video, Picture processing;
• Internet page surfing experience (with exception of some User-defined plug-ins);
• SQL, MySQL, Oracle, MS Access database connections;
• File copying/moving/renaming/deleting operations, including Removable Drives;
• Security group membership, NTFS and Registry Permissions;
• SYSTEM user account (background Services, Windows Update, SCCM deployments, etc).

Indications of Blocking Executables

1. Application Whitelisting prevents Executables from launching in the following scenarios:

• A user inserts USB stick, and launches executable from it; this can be a virus. AWL checks its rules and blocks the execution because USB drive letter (e.g. F:) should not be listed as a trusted path;

• A user receives an e-mail message, then opens an attachment, which could be a zipped virus executable. AWL prevents execution because it was launched from %Temp% folder, which should not be listed as a trusted path;

• A user clicks some link on a webpage, which tries to execute malware dropper. AWL prevents execution from %Temporary Internet Files% folder, which should not be listed as a trusted path;

• A user has downloaded, and tries to install unwanted software like uTorrent or CCleaner from their Desktop. AWL blocks this action because %Desktop% should not be listed as a trusted path;

• A user tries to run some legitimate program from untrusted source folder like %Desktop%. AWL prevents execution. The user could try solving the issue themselves by moving files to a previously declared safe folder such as C:\Applications;

• Some legitimate software such as Cisco WebEx drops an additional executable module under User’s %Temp% folder, and fails to launch it. To resolve this issue, an Administrator should extend the policy to include the required module by using one of the supported rule types.