Javascript must be enabled to download our products and perform other essential functions on the website.

Buy Now Download Free Trial

Trusted Applications (Application Whitelisting) Concepts

Trying to prevent malware attacks is difficult because the malware is always changing. Anti-virus and other security products attempt to keep up with changing file signatures and behaviors, but this means they are always slightly behind because they have to analyze a new malware before they can protect against it.

An alternate approach is to use Application Whitelisting, which is a way of specifying which applications should be able to run and access files. Any process which is not on the list doesn't get to run. This will be a smaller, and most importantly, a finite set for any given computer.

PA File Sight does Application Whitelisting with a Trusted Applications approach. The system administrator defines rules that define which applications can run, and which files they can access. The second point, defining which files can be accessed, is critical as there are many applications that are perfectly safe and valid when used properly, but can also be used in nefarious ways such as Powershell, the command shell, etc. By controlling which files these trusted applications can read (to read a script file as input for example), system security can be greatly enhanced.

The Trusted Application feature of PA File Sight looks at every file access (read, write, delete, move/rename) that takes place on a computer and looks at data about:

  • Attributes of the file being accessed
  • Attributes of the process that is accessing the file
  • The user account running the process

With these sets of information, rules can very quickly be run to determine whether the file access should succeed or not. If the rules are not met, the access is blocked, with optional alerting and logging.

An important concept to understand is that before a process starts, it is initially read into memory as a file (by whatever process is staring the new process). So the FILE_xxx statements will first be applied to it, and then once it is running, the PROCESS_xxx statements will apply as the process reads in additional files.

For example, double-clicking Notepad.exe from Explorer.exe will cause:

Explorer.exe (process) to read Notepad.exe (file) as part of loading and starting the Notepad.exe process
... then ...
Notepad.exe (process) will read additional files

Stopping a process before it starts is usually done by blocking Reads of the process file with FILE_xxx rules.

PA File Sight Ultra can protect servers (both where the Central Monitoring Service and Satellites are installed) as well as client computers where the optional Endpoint is installed.

Next, read about the Trusted Lists.

PA File Sight

Help Map