<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Whitelisting: Is It Good Enough To Replace Anti-Virus?</title>
	<atom:link href="http://www.techweekeurope.co.uk/knowledge/knowledge-security/whitelisting-is-it-good-enough-to-replace-anti-virus-1237/feed" rel="self" type="application/rss+xml" />
	<link>http://www.techweekeurope.co.uk/knowledge/knowledge-security/whitelisting-is-it-good-enough-to-replace-anti-virus-1237</link>
	<description>Enhancing business with technology - in association with eweek.com</description>
	<lastBuildDate>Tue, 22 May 2012 21:27:59 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: Eirik Iverson</title>
		<link>http://www.techweekeurope.co.uk/knowledge/knowledge-security/whitelisting-is-it-good-enough-to-replace-anti-virus-1237#comment-179</link>
		<dc:creator>Eirik Iverson</dc:creator>
		<pubDate>Tue, 30 Jun 2009 19:13:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.eweekeurope.co.uk/knowledge/knowledge-security/whitelisting-is-it-good-enough-to-replace-anti-virus-1237#comment-179</guid>
		<description>A full blown solution such as from CoreTrace is very powerful. And this vendor has done much to make it easier for an enterprise than its competitors. My firm offers a solution for the enterprise that cannot afford to enumerate all of the allowed binaries. It&#039;s a mini-white list feature from either our AppGuard or EdgeGuard security software products. They prevent unauthorized writes into Program Files and Windows directories. And, they snuff out executable launches from user-space, unless they are &quot;guarded&quot;. User-space is where the vast majority of the baddies are because executables can be written there whether the end-user is logged in with or without local admin rights. BTW, user-space is desktop, My Documents, extra hard drives, etc. &#039;Guarded&#039; refers to an executable that is allowed to run but prevented from writing into the common target areas of malware attacks. So, snuffing-out all unguarded executable launches amounts to having a mini-white list: &#039;what may run in user-space&#039;. A legit example common in the enterprise is gotomeeting.exe. An il-legit one is limewire.exe. A full-blown white list solution, using SHA1 hash checksums, represents extremely robust protection and control. It also requires some effort to deploy and maintain. AppGuard and EdgeGuard can be fully deployed in minutes, providing protection from the vast majority of what threatens an enterprise. Thus, if you prioritize, and focus on probabilities more so than possibilities, AppGuard or EdgeGuard represent practical, effective protection. There are solutions out there that stop a higher percentage of attack vector types. However, the reality of using those alternatives is that their complexity results in under-utilization, particularly with host intrusion prevention system (HIPS) products. That said, if I were going full white list, I&#039;d go with CoreTrace. 
McAfee purchasing SolidCore fills me with grave doubts about McAfee&#039;s judgement.</description>
		<content:encoded><![CDATA[<p>A full blown solution such as from CoreTrace is very powerful. And this vendor has done much to make it easier for an enterprise than its competitors.</p>
<p>My firm offers a solution for the enterprise that cannot afford to enumerate all of the allowed binaries. It&#8217;s a mini-white list feature from either our AppGuard or EdgeGuard security software products. They prevent unauthorized writes into Program Files and Windows directories. And, they snuff out executable launches from user-space, unless they are &#8220;guarded&#8221;. User-space is where the vast majority of the baddies are because executables can be written there whether the end-user is logged in with or without local admin rights. </p>
<p>BTW, user-space is desktop, My Documents, extra hard drives, etc. &#8216;Guarded&#8217; refers to an executable that is allowed to run but prevented from writing into the common target areas of malware attacks. </p>
<p>So, snuffing-out all unguarded executable launches amounts to having a mini-white list: &#8216;what may run in user-space&#8217;. A legit example common in the enterprise is gotomeeting.exe. An il-legit one is limewire.exe.</p>
<p>A full-blown white list solution, using SHA1 hash checksums, represents extremely robust protection and control. It also requires some effort to deploy and maintain. AppGuard and EdgeGuard can be fully deployed in minutes, providing protection from the vast majority of what threatens an enterprise. Thus, if you prioritize, and focus on probabilities more so than possibilities, AppGuard or EdgeGuard represent practical, effective protection. There are solutions out there that stop a higher percentage of attack vector types. However, the reality of using those alternatives is that their complexity results in under-utilization, particularly with host intrusion prevention system (HIPS) products.</p>
<p>That said, if I were going full white list, I&#8217;d go with CoreTrace. McAfee purchasing SolidCore fills me with grave doubts about McAfee&#8217;s judgement.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

