Whitelisting, so basically maintaining a whitelist of allowed executables on a computer system and disallowing all other executables to execute - is this a viable way to replace bloated "antivirus" software that needs to run with root permissions and will kill your company with a bad update?

Are there any good reasons why whitelisting would not work / not be enough?

This is not trolling, I really would like to understand why that is not the default and instead we have "anti-virus" software everywhere.
I think a major thing with viruses is access to the filesystem.

If programs asked for permission to access folders or we gave the program their own volume to work within then they couldn't access, run or modify sensitive/important files.
This is how Linux systems are used when a higher level of security is needed.

The security levels look like this (lowest to highest):

Standard installation > AppArmor > SELinux > SELinux with default-deny (everything not explicitly allowed is denied)
It's been used for years and does work. There are products that try to do this; Google experimented with it for a while. And it's actually the default on macOS of course: Apple whitelists all apps by notarizing them and you can apply custom policy on top.

One problem is that on Windows signing is optional and only about 30% of software is signed, but the only way to handle software updates and changes is to whitelist publishers. Or sometimes signing is done wrong, like only signing the installer but not the installed files.

Another is that it requires incredibly responsive IT staff. If they don't whitelist something fast enough it can slow down the entire organization.

Yet another is that code signing is hard to do in a leak-proof manner. Any program that loads code as data, for example any interpreter, can become a code signing "hole", and whitelisting it is equivalent to whitelisting everything. A good example of problem cases: plugins.

Yet another is that to whitelist something requires the integrity of the whitelisted thing to be enforced, otherwise malware can just be injected into it. Windows has a mechanism to do this called MSIX but not much uses it, partly due to lack of good tooling. My company makes a product that fixes that to some extent, but because MSIX is a package manager, not an installer framework, it can require re-engineering to adopt; for example, you can't customise install components or show other UI at install time.

Apple is slowly moving macOS towards solving all of these problems and their support for binary whitelisting is shipped out of the box, although most people don't realize it and it's not well documented. I assume there are EDR vendors who have used those APIs to create products though.
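The two failure modes the post above describes, the interpreter "hole" and the need to enforce integrity of whatever is whitelisted, are easy to see in a toy hash-based allowlist. The following is an added example written for this thread, not code from any commenter or product: it trusts executables by SHA-256, refuses an allowlisted interpreter unless the script it is handed is itself allowlisted, and shows that modifying an approved binary drops it off the list. The `INTERPRETERS` set, the file names and the file contents are constructed for the demo.

```python
"""Hash-based executable allowlist with an interpreter check (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile

# Programs that run code handed to them as data. Hypothetical list for the demo,
# not any real product's configuration.
INTERPRETERS = {"python3", "bash", "powershell.exe", "wscript.exe"}


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Allowlist keyed by file hash: the file's content is what is trusted,
    so any modification of an approved file silently removes it from the list."""

    def __init__(self) -> None:
        self.hashes: set[str] = set()

    def add(self, path: str) -> None:
        self.hashes.add(sha256_file(path))

    def allows(self, path: str) -> bool:
        return os.path.isfile(path) and sha256_file(path) in self.hashes


def decide(allowlist: Allowlist, argv: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for launching argv.

    argv[0] is checked by hash. If it is an interpreter, the script it would
    execute (argv[1]) is checked too, since an allowlisted interpreter would
    otherwise run any code passed to it as data.
    """
    exe = argv[0]
    if not allowlist.allows(exe):
        return False, "executable hash not on allowlist"
    if os.path.basename(exe) in INTERPRETERS:
        if len(argv) < 2:
            return False, "interactive interpreter session: nothing to verify"
        if not allowlist.allows(argv[1]):
            return False, "allowlisted interpreter would run an unlisted script"
    return True, "allowed"


def demo() -> dict[str, bool]:
    """Create constructed files in a temp dir and exercise the policy."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "payroll.exe")
        interp = os.path.join(d, "python3")
        script_ok = os.path.join(d, "report.py")
        script_bad = os.path.join(d, "unknown.py")
        # Constructed sample contents; only their hashes matter here.
        for path, body in [(app, b"app v1"), (interp, b"interp"),
                           (script_ok, b"print(1)"), (script_bad, b"print(2)")]:
            with open(path, "wb") as f:
                f.write(body)

        al = Allowlist()
        for path in (app, interp, script_ok):
            al.add(path)

        results["app_runs"] = decide(al, [app])[0]
        results["approved_script_runs"] = decide(al, [interp, script_ok])[0]
        results["unlisted_script_blocked"] = not decide(al, [interp, script_bad])[0]

        # Integrity: appending bytes to the approved binary changes its hash,
        # so the allowlist no longer recognises it.
        with open(app, "ab") as f:
            f.write(b"extra")
        results["modified_app_blocked"] = not decide(al, [app])[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The interpreter check only goes one level deep: a script that itself evaluates data (a plugin loader, `eval`, a shell that sources another file) reopens the hole, which is why the post above says whitelisting an interpreter is close to whitelisting everything. Hashing also means every legitimate update changes the hash, which is the operational burden behind the "incredibly responsive IT staff" point and the reason real products fall back to whitelisting publishers by signature.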