Application Whitelisting for Windows

The problem with antivirus is that it only protects you against known threats. Someone gets infected with a previously unknown virus and uploads a sample to an antivirus vendor (or the vendor catches it in a honeypot), and the vendor writes a detection signature for that particular virus. This can leave a window of hours or even days before protections are pushed out to your client.

The problem with users is that they are uncontrollable. You have no idea how many times I've removed a program for printing "coupons" from workstations.

The Easy Answer: Application Whitelisting

There's one easy answer that helps protect against both issues. Application whitelisting is the process of generating a known-good list of programs that a given computer or group of computers is allowed to execute. If you attempt to run a new program, say that latest browser toolbar your user just downloaded, the code is blocked and you're asked for a special administrator password if you want to try to allow it to run.

In Windows, I use Landesk. Landesk does a lot of things for me including antivirus, but one of the major features is that I can easily implement an application whitelist, and assign different lists to different groups of computers on my network. This means if you're working with more sensitive systems, you're not allowed to run some things that perhaps an IT administrator might get to run.
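The allow-or-block decision described above, with a separate list per group of computers, can be modeled in a few lines. This is an added example, not Landesk's implementation or code from this post; the group names, file names and the choice to identify programs by SHA-256 hash are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Identify a program by its content, not its file name."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_allowlist(known_good: list[Path]) -> set[str]:
    """Hash every program approved for one group of computers."""
    return {sha256_file(p) for p in known_good}


def may_execute(path: Path, group: str, policies: dict[str, set[str]]) -> bool:
    """Default deny: an unknown group or an unlisted hash is blocked."""
    return sha256_file(path) in policies.get(group, set())


def demo() -> dict[str, bool]:
    """Run the check over constructed stand-ins for real executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "browser.exe": b"constructed browser image",
            "remote_admin.exe": b"constructed admin tool image",
            "coupon_toolbar.exe": b"constructed toolbar image",
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        # The unapproved toolbar, renamed to look like an approved program.
        disguised = root / "renamed" / "browser.exe"
        disguised.parent.mkdir()
        disguised.write_bytes(samples["coupon_toolbar.exe"])

        policies = {  # hypothetical groups: the sensitive one gets a shorter list
            "it_admins": build_allowlist([root / "browser.exe", root / "remote_admin.exe"]),
            "sensitive": build_allowlist([root / "browser.exe"]),
        }
        checks = {
            "sensitive/browser": (root / "browser.exe", "sensitive"),
            "sensitive/remote_admin": (root / "remote_admin.exe", "sensitive"),
            "it_admins/remote_admin": (root / "remote_admin.exe", "it_admins"),
            "it_admins/coupon_toolbar": (root / "coupon_toolbar.exe", "it_admins"),
            "sensitive/renamed_toolbar": (disguised, "sensitive"),
            "unassigned/browser": (root / "browser.exe", "unassigned"),
        }
        return {k: may_execute(p, g, policies) for k, (p, g) in checks.items()}
```

Because the match is on content, renaming the toolbar to `browser.exe` does not get it past the list, and a computer that belongs to no group can run nothing.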

It doesn't protect you from everything, but it does help prevent infections spread by email. It also helps ensure my users aren't bogging down their systems by installing crap from the Internet.

Posted by Tony on Mar 21, 2016 | Network Security, Windows