Application whitelisting (AWL) as a real-world practice isn’t widely used. While it does have some drawbacks, they’re mainly nuisance items rather than problems that may leave you open to a virus.

Application whitelisting technologies base themselves on the ability to protect end users from ransomware and other executable files by identifying what is safe in real time. It’s baffling why this method of cybersecurity isn’t more widely adopted by antivirus and cybersecurity companies around the world.

Application whitelisting is the process of only allowing files known to be good to execute. AWL protects endpoints, which could mean your computer, tablet, smartphone, or other internet-connected devices. While this sometimes leads to good programs being blocked (known as a false positive), it’s usually easy to whitelist those programs quickly and without hassle.

What is application whitelisting?

Application whitelisting is the practice of allowing known good files to run. This type of endpoint security is also termed default-deny (where the default option is to deny entry), zero-trust, and zero-day architecture. A whitelist is an extensive (although not exhaustive) list of programs from all over the world that are known to be good.

The act of whitelisting those programs, applications, and developer signatures allows your computer or laptop to be protected from cyberthreats, cyberattacks, vulnerabilities, malware attacks, ransomware attacks, and malicious programs, even if they’ve never been seen before. By blocking potentially malicious software in high-risk environments, application whitelisting tools stop malicious applications from running on your computer system.

Whitelisting vs. blacklisting

Think of cybersecurity and antivirus software like a giant gate around the castle that is your computer. Antivirus programs work by stationing guards at your computer’s gate. Application blacklisting programs tell the guards to let everyone through but if they notice a criminal, they should block the entrance.

On the other hand, application whitelisting works by giving those guards a list of all the people who are known to NOT be criminals. Only those people are allowed through the gate.

You may worry that a program or download you know is good might not be allowed to run on your computer. While these false positives do happen, you need to remember that cybersecurity companies using this technology see more of the internet cross their servers in one day than you may see in an entire year. If it’s available to the public, it’s probably already been whitelisted. And if by chance it does get blocked, most companies allow you to whitelist directly from your machine.

How does application whitelisting work?

Application whitelisting creates an impenetrable wall that bars anything unknown from executing on a machine. For example, you may receive a phishing email from a fake Amazon account telling you a receipt for your purchase is attached. When you look at the email, the purchase is usually very expensive. You must open the attachment if you want to cancel the purchase.

If you opened the attachment without an antivirus program running, it would download malware onto your computer. Even if you’re using traditional blacklist software, like Norton or McAfee, malware that is new enough could still be allowed to download (also called executing). With application whitelisting, the malware would be blocked, no matter how new. Your whitelist antivirus software doesn’t recognize it as good or bad, so it contains the file until it knows how to classify it.

File size

Some files are named after legitimate applications like COM Surrogate or MSASCuiL.exe, which are both essential functions for your computer to run. By knowing what size these files are supposed to be, application whitelisting software can block fakes that usually have much larger file sizes.

File name

A file name may be designed to look similar to a legitimate program. Since a character or symbol might be changed slightly to look like the original, this occasionally works for letting viruses through. Whitelisting a file name means any small derivations will be blocked.

File path

The file path is where certain processes are supposed to live on your computer. Think of it like saving a Word document to a certain folder. Whitelisting a file path means the whitelist knows that the file belongs only to that certain location. If a file with that name tries to install in a different location, it will be blocked. This is particularly useful with malware that spoofs legitimate programs.

Digital signature/publisher

Large software companies like Microsoft, Apple, Google, and others sign their software with their unique signature. This signature is encrypted and unable to be duplicated. They sign their software so you don’t have to worry about patches and updates being blocked when they’re rolled out to your device. By whitelisting these signatures, you can easily keep your software up to date without worrying about a false positive.

Cryptographic hash

A cryptographic hash, also known as a file hash, is a piece of information inside a file that’s unique to that file and version. Whitelisting hashes allows for an additional layer of security because your antivirus is breaking executables into pieces and examining them completely. This helps protect your computer against spoofed malware that may change one or two small parts of a legitimate program as a way to mask itself from traditional blacklist antivirus.

Why use application whitelisting?

Whitelisting programs are more secure than traditional antivirus programs. It’s so secure that the National Institute of Standards and Technology (NIST) recommends it as a best practice for government agencies. They even created a guide to application whitelisting that’s published and available on their website.

The reason it is the more secure choice is the nature of how it detects and stops unknowns. With a traditional antivirus, there’s always a chance you could come into contact with a brand-new piece of malware.

In fact, antivirus companies are logging everything passing through your computer and checking to see if it’s listed on their blacklist. When a new malicious code comes through, they may even let it run on your computer so they see how it works and if it’s bad. Using application whitelisting removes you from being a guinea pig.

It also allows IT directors at places like schools and large corporations to manage networks more efficiently. When large numbers of people access the internet from the same system, it increases the chance that one of them will let through a virus that could take down the entire network. This makes your data, like Social Security numbers, more secure when it is stored on a shared server like work or school.

What are the challenges of application whitelisting?

Like anything else, application whitelisting isn’t without its challenges. When running software that works on an allowlist, there are bound to be false positives. This means that the antivirus might block legitimate, safe programs from running. This can hamper productivity and create unwanted downtime at home or work. Usually, you can locally whitelist, which means you’ll allow the blocked program to run on your computer while the antivirus checks to make sure this program is good and allowed on the global whitelist.

The setup time may take a little longer when first installing an antivirus program that runs on application whitelisting. There may be a 24-hour test period where the program gathers all of the applications the user is executing while it makes a list of what is allowed to create a baseline. This means that, at least on a large scale, application whitelisting software might not be usable for at least a day. This can hinder workflow while waiting on the new application to run such long diagnostics and configuration files.

A final challenge is finding a good piece of software that runs on AWL and is also meant for consumers. Right now all of the application whitelisting developers are fighting for space in the business world. As technology in our own homes becomes more advanced, consumers need access to this technology as well.

Best practices for application whitelisting

As a consumer, there are aspects of application whitelisting that are out of your control. The whitelist is usually created, maintained, and updated by your software provider. Since it’s such a powerful tool for staying safe online, it’s worth learning a little more. However, there are things you can do to make sure you’re getting the most out of your product and not creating room for human error.

Know how your product works

Make sure you understand how the product initiates, collects data, protects your machine, and updates its own lists. If you aren’t sure about a process, contact the support team for your product. It’s better to wait than to accidentally allow malware.

Be suspicious of files that don’t run

If your AWL product catches unauthorized applications while you’re browsing the web or checking your email, don’t automatically whitelist it locally. If your software has a reporting tool, send it to the developers and researchers who maintain the software’s whitelist and let them research it. It might take a few hours, but it’s better than getting a computer virus.

Run scans

Even if you have your AWL antivirus software set to scan automatically, you should still run a manual scan once a week. There may be performance-enhancing tools that can make your experience better. Running a manual scan can also clue you to malware removal practices and keep you better informed.

Keep patches up-to-date

Setting your product to automatically update patch management is a great way to keep yourself protected. If you still want to manually install patches, make sure you know when your software company rolls out updates and be sure to install them immediately.

Let the product do what it’s meant to do

Application whitelisting software works differently than what you’re used to with traditional blacklist antivirus software. It may “look funny” when you first install it. Let the product run the way it's intended to run and follow the instructions that come from the manufacturer. Human error is the leading cause of infections with AWL software.

Recommended whitelisting applications

While application whitelisting is still an underutilized technology, there are companies adopting it into their software. The recommendations below are outperforming their competitors. Even if you aren’t sure about using AWL, you can take a look at the advantages of this tech through these applications.

Applocker

This whitelisting solution is a Windows proprietary application and can be configured using a guide. It’s a little difficult to set up and you need to maintain it yourself, but it’s a solid tool once it’s running.

Threatlocker

Threatlocker is a powerful AWL tool used mostly for businesses or larger home networks. It’s easy to install and use and it has great ratings. A system administrator may find these types of applications especially useful when having to manage a host operating system on multiple computers, laptops, and mobile devices across a large area.

Airlock Digital

Airlock Digital is another new software tool aimed more at businesses or larger groups. This Australian-based company is really putting itself on the map for its whitelisting process.

McAfee Application Control

This is a mature whitelist (i.e., it’s been around a while and it’s seen some things) that’s centrally controlled — they maintain it for you. This takes the pressure off the user to know the intricacies of AWL management. It’s offered through Trellix.

PC Matic

PC Matic may be the only application whitelisting software that was started with an aim at consumers. The user interface is a little dated and some of the specifics might be confusing, but they have a truly pleasant customer support experience and the software itself is possibly the best in the industry.

Application whitelisting FAQs

Bottom line

Application whitelisting software is the future of antivirus and cybersecurity. The default-deny, zero-day approach used is so much more effective than current blacklist antivirus software that it’s even recommended by the federal government. By only recognizing and allowing good programs to run, it eliminates the chance of being the first victim of a new piece of malware. This may lead to some headaches, but it’s definitely more protection than your traditional cybersecurity suite.

If you need to disable your current antivirus, whether it's to test a new product or make sure a file downloads correctly, you can follow our guide on how to turn off your antivirus. This can be especially useful if you want to turn off your current antivirus to test application whitelisting software.

As the technology is still being adopted, there may be some bumps along the way for consumers and home users. By being patient and working with your provider, you can make sure the AWL product you use is protecting your machines.

5.0

Save $105 on your first year of McAfee+ Premium

Learn More

On McAfee's website

---

McAfee

• All-in-one protection for your personal info and privacy
• Excellent antivirus protection
• Additional features like a file shredder and parental controls
• Multiple pop-ups for text notifications can be annoying

Author Details

Mary James

About the Author

Mary lives in Los Angeles and has been a cybersecurity writer for over five years. With a B.S. in Liberal Arts from Clarion University and an M.F.A. in Creative Writing from Point Park University in Pittsburgh, her career in online security began in sales and content creation for a private cybersecurity firm.