
This help page is for version 9.2. The latest available help is for version 9.4.

Trusted Applications (Application Whitelisting) Concepts

Trying to prevent malware attacks is difficult because malware is always changing. Anti-virus and other security products attempt to keep up with changing file signatures and behaviors, but this means they are always slightly behind, because they have to analyze new malware before they can protect against it.

An alternate approach is Application Whitelisting, which is a way of specifying which applications are allowed to run and access files. Any process that is not on the list does not get to run. This list is smaller and, most importantly, a finite set for any given computer.

PA File Sight implements Application Whitelisting with a Trusted Applications approach. The system administrator defines rules that specify which applications can run and which files they can access. The second point, controlling which files can be accessed, is critical: many applications are perfectly safe and valid when used properly but can also be used in nefarious ways, such as PowerShell or the command shell. By controlling which files these trusted applications can read (for example, a script file read as input), system security can be greatly enhanced.

The Trusted Application feature of PA File Sight looks at every file access (read, write, delete, move/rename) that takes place on a computer and looks at data about:

  • Attributes of the file being accessed
  • Attributes of the process that is accessing the file
  • The user account running the process

With these sets of information, rules can very quickly be run to determine whether the file access should succeed or not. If the rules are not met, the access is blocked, with optional alerting and logging.

An important concept to understand is that before a process starts, it is initially read into memory as a file (by whatever process is starting the new process). So the FILE_xxx statements will first be applied to it, and then, once it is running, the PROCESS_xxx statements will apply as the process reads in additional files.

For example, double-clicking Notepad.exe from Explorer.exe will cause:

Explorer.exe (process) to read Notepad.exe (file) as part of loading and starting the Notepad.exe process
... then ...
Notepad.exe (process) will read additional files

Stopping a process before it starts is usually done by blocking Reads of the process file with FILE_xxx rules.
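As an added illustration, not code from PA File Sight, the following toy evaluator models the two-phase check described above: the FILE_ set is run first, then the PROCESS_ set, and an access with no matching rule is denied. The rule syntax, the paths, the process names and the "admin" account are invented for the example.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    process: str  # image name of the process performing the access
    path: str     # file being accessed
    user: str     # account the process is running as
    op: str       # read, write, delete or rename

def _match(value, pattern):
    # Case-insensitive glob; '*' also crosses backslashes, so this is not path-aware
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

# Hypothetical policy (invented syntax). FILE_ rules look at the file being
# touched, which is also how a process image is read before it ever runs;
# PROCESS_ rules look at what an already running process is allowed to touch.
# First matching rule wins; no match at all is a deny (whitelist semantics).
FILE_RULES = [
    # Executables sitting in user profiles never get read, so they never start
    ("FILE_DENY", lambda a: a.op == "read" and _match(a.path, r"C:\Users\*.exe")),
    # Only the admin account may modify installed programs (user attribute in play)
    ("FILE_DENY", lambda a: a.op != "read" and a.user != "admin"
                            and _match(a.path, r"C:\Program Files\*")),
    ("FILE_ALLOW", lambda a: _match(a.path, r"C:\Windows\*")
                             or _match(a.path, r"C:\Program Files\*")),
    ("FILE_ALLOW", lambda a: _match(a.path, r"C:\Scripts\*.ps1")),
    ("FILE_ALLOW", lambda a: _match(a.path, r"C:\Users\*")),
]
PROCESS_RULES = [
    # PowerShell is trusted, but only to read scripts from the admin's folder
    ("PROCESS_ALLOW", lambda a: a.process == "powershell.exe"
                                and _match(a.path, r"C:\Scripts\*.ps1")),
    ("PROCESS_DENY", lambda a: a.process == "powershell.exe" and a.op == "read"),
    ("PROCESS_ALLOW", lambda a: a.process in ("explorer.exe", "notepad.exe")),
]

def evaluate(a: Access) -> str:
    """Run the FILE_ set, then the PROCESS_ set; both must allow the access."""
    for label, rules in (("FILE", FILE_RULES), ("PROCESS", PROCESS_RULES)):
        hit = next((name for name, pred in rules if pred(a)), None)
        if hit is None:
            return f"BLOCKED: no {label}_ rule matched"
        if hit.endswith("DENY"):
            return f"BLOCKED by {hit}"
    return "ALLOWED"
```

Explorer reading Notepad.exe from C:\Windows passes both sets, while the same read of an executable in a user profile is stopped by a FILE_ rule before the process ever exists; PowerShell, though trusted, is refused any script outside C:\Scripts by a PROCESS_ rule.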

PA File Sight Ultra can protect servers (both where the Central Monitoring Service and Satellites are installed) as well as client computers where the optional Endpoint is installed.

Next, read about the Trusted Lists.
