What is application control and why is it better than having an anti-virus?
02 Jun, 2021 9 min read
Businesses use application control software to keep their computer systems secure. In simple terms, application control only permits trusted applications to be installed and launched on a computer system (known as allow-listing). Programs that are not on an allow-list are stopped from running. The alternative is deny-listing, the technique used by most (if not all) anti-virus products on the market. What’s important to know is that the way allow-lists (application control) and deny-lists (anti-virus software) work is very different:
How does anti-virus software work?
Anti-virus software works by checking files against every known virus or piece of malware. If it finds a match in its threat database or deny-list, it flags the file as a virus and takes the appropriate steps to minimise or, ideally, prevent any damage. This is usually achieved by either deleting the infected file or sending it to quarantine.
This sounds good in theory; however, relying on deny-listing alone cannot stop zero-day attacks, and allow-listing needs to be intuitive, not manual.
How does application control work?
Application control, on the other hand, doesn't depend on a continually growing database of threats: it blocks anything that is not flagged as safe until the user or administrator adds it to the allow-list.
But before things get too complicated, let’s take a step back and look at how different application control solutions work, and the advantages and disadvantages of each, so you can find out what works best for you.
Types of application control software - same, same, but VERY different
You might be thinking - hasn’t application control been around for years in the corporate computing space? Indeed it has. Windows offers several types of application control, but sadly they’re not foolproof and different variations suit different users.
Windows Operating System built-in allow listing tools
The Pro and Enterprise editions of the Windows operating system actually have built-in allow-listing tools that are accessible through the ‘Local Security Policy Editor’. The problem is, they’re not easy to use. While it's possible to configure the LSPE to automatically deny new programs, allow-listing still needs to be done manually, which is a time-consuming, and therefore costly, endeavour for any company. It’s a particular challenge for small businesses that don’t have dedicated in-house IT teams to focus on manually updating allow-lists.
Windows AppLocker tool
The ‘Windows AppLocker’ tool is another deny-listing tool that comes in top-tier versions of Windows 8.1 and below. This tool does take things a step further by stopping any new installations on a system, depending on the user type, i.e. privileged users implement AppLocker on the non-privileged users’ devices. While AppLocker can block .exe, DLL and Windows Store app installations, and it does reduce the chance of malicious software being able to run, it’s only available on the Enterprise editions of Windows, and it’s not available to home users.
User Account Control
Another basic security feature called User Account Control (UAC) is available in modern Windows versions (7, 8.1 and 10). This security feature asks for the user’s permission whenever a program tries to run as an administrator on the system. However, when a program runs with elevated permissions, it has much deeper access to the operating system. This means there’s a higher chance that malicious software can delete files, programs and vital system resources, causing a loss of data for users.
In fact, several sites have reported the ease of bypass techniques that can open the door to attacks on targeted systems. In 2016, ThreatPost reported a UAC bypass technique on Windows 10 systems which doesn’t raise red flags because it doesn’t rely on a privileged file copy or code injection. More recently, in 2020, Bleeping Computer reported that TrickBot had begun using a Windows 10 UAC bypass that utilises the legitimate Microsoft fodhelper.exe program. Later, ReaQta found that TrickBot had switched to a different UAC bypass that uses another legitimate Windows program, Wsreset.exe, to reset the Windows Store cache.
As you can see, everyday users are still at risk as they do not have access to these security features: the majority of retail computers come with Windows 10 Home edition. Sadly, many of these users end up resorting to traditional anti-virus software that provides deny-listing, thinking that the advertised 99% detection rates are strong enough. However, this misconception is putting more and more home devices at risk, a particular threat in the era of remote working.
Why isn’t anti-virus (deny-listing) on its own good enough?
Traditional anti-virus solutions offer deny-listing features which do indeed provide some protection from malware. The problem is that they are unable to stop zero-day threats (essentially fresh malware that nobody else knows about), as most zero-day attacks are undetectable during the first few hours after their release into the wild. Some will even elude detection for longer periods. While established software makers usually patch any vulnerabilities exploited by zero-day attacks, the point is that in those undetected hours, considerable damage may already have been done.
The reason why traditional anti-virus software cannot stop zero-day threats is that deny-listing relies on using previous observations to determine whether a file is safe or not. This is a concern because according to studies by the AV-Test Institute, over 350,000 new malicious programs are registered in their systems each day across Windows, macOS, iOS and Android operating systems. When isolating this data to Windows, over 14 million threats were detected in 2018 alone. With such a high number of zero-day threats, malicious software is bound to slip through.
That means even the very best ‘enterprise standard’ AI-powered threat detection rates of 99% in well-known anti-virus solutions still leave home devices vulnerable to a degree of unknown malware. With advanced ransomware threats causing so much irreparable damage in such a short time, relying on the reactive approach of deny-listing is not advisable.
By incorporating allow-listing, however, zero-day malware will always be blocked, which means even the most dangerous malware can do nothing if it’s not allowed to run. Allow-listing does not block threats based on whether they are known; it blocks threats based on whether they are on the allow-list or not. As a result, zero-day threats are blocked precisely because they are fresh malware, which is unlikely to be on anyone's allow-list.
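To make the difference between the two models concrete, here is an added Python simulation (not code from the article or from CatchPulse) of the decision each one takes on the same set of files. It uses SHA-256 file hashes as the identity, constructed byte strings as stand-ins for executables, and hypothetical class and function names; it shows both the zero-day gap in deny-listing described above and the manual-approval step that a hash-based allow-list requires when an approved program is updated:

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for executables. Assumption: a real product hashes
# the file on disk; here the "file contents" are just short byte strings.
SAMPLES: Dict[str, bytes] = {
    "approved_editor.exe": b"MZ\x90\x00 approved editor, build 1.0",
    "approved_editor_v1.1.exe": b"MZ\x90\x00 approved editor, build 1.1",
    "known_trojan.exe": b"MZ\x90\x00 trojan already in the signature database",
    "zero_day.exe": b"MZ\x90\x00 brand-new payload nobody has catalogued yet",
}


def file_hash(data: bytes) -> str:
    """SHA-256 of the file contents; the identity both models key on."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class DenyListScanner:
    """Models anti-virus: block only what matches a known-bad signature."""
    known_bad: Set[str]

    def decide(self, data: bytes) -> str:
        # Anything not in the database is assumed safe: that is the zero-day gap.
        return "block" if file_hash(data) in self.known_bad else "allow"


@dataclass
class AllowListControl:
    """Models application control: run only what an administrator approved."""
    approved: Set[str]
    pending: List[str] = field(default_factory=list)

    def decide(self, data: bytes) -> str:
        h = file_hash(data)
        if h in self.approved:
            return "allow"
        # Unknown binaries are blocked and queued for an administrator decision.
        self.pending.append(h)
        return "block"

    def approve(self, data: bytes) -> None:
        """The manual step the article describes: an admin adds the hash."""
        self.approved.add(file_hash(data))


def build_models() -> Tuple[DenyListScanner, AllowListControl]:
    """Constructed starting state: AV knows one trojan, app control trusts one editor."""
    av = DenyListScanner(known_bad={file_hash(SAMPLES["known_trojan.exe"])})
    ac = AllowListControl(approved={file_hash(SAMPLES["approved_editor.exe"])})
    return av, ac


def run_comparison() -> Dict[str, Tuple[str, str]]:
    """Return {filename: (anti-virus verdict, application-control verdict)}."""
    av, ac = build_models()
    return {name: (av.decide(data), ac.decide(data)) for name, data in SAMPLES.items()}


def approve_update_then_rerun() -> str:
    """The maintenance cost: an updated build of an approved program has a new
    hash, so it is blocked until an administrator approves it."""
    _, ac = build_models()
    new_build = SAMPLES["approved_editor_v1.1.exe"]
    before = ac.decide(new_build)
    ac.approve(new_build)
    after = ac.decide(new_build)
    return f"{before}->{after}"


if __name__ == "__main__":
    for name, (av_verdict, ac_verdict) in run_comparison().items():
        print(f"{name:28} anti-virus={av_verdict:5} app-control={ac_verdict}")
    print("updated editor:", approve_update_then_rerun())
```

Running it shows `zero_day.exe` allowed by the deny-list model and blocked by the allow-list model, while `known_trojan.exe` is blocked by both. The second function is the other side of the trade-off the article raises under manual allow-listing: every legitimate update changes the hash, so without an automated approval mechanism the administrator has to revisit the list each time.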
The business case for application control
The most obvious benefit for enterprises is that application control prevents unintended applications from running. This is important because, let’s face it, people will always take their chances when it comes to installing software. No matter what policy the company tries to enforce, when presented with a dire need, employees will not be able to resist using software beyond what they are provided. This may prove detrimental, as unapproved software may have vulnerabilities that malware can exploit. There’s also the risk of legal repercussions for deploying improper or unlicensed software in an enterprise environment.
Using allow-listing, however, can prevent these issues and ensure that all applications are approved before they can be installed or run. This level of control can also mean a more productive workforce, as without approval by the IT administrator, distracting software such as games can be avoided or monitored.
The other less-known benefit is that application control actually reduces IT expenses. With so many dangers lurking in the digital space, most notably from the internet, it’s tough to limit the damage an open environment presents if left to itself. With application control, the IT administrator can lock down any unauthorised application use. With this in effect, machines remain stable for longer periods, and efficiency stays in the ideal range. Any undesired incompatibilities are quickly resolved, which reduces the amount of unnecessary work for the IT department.
Another great thing about deploying allow-listing lies in its integrated memory protection. With application control, recently initiated processes are always validated, which effectively protects the system against memory injection attacks.
The disadvantages of manual allow-listing
That being said, for all the promises of allow-listing there are some shortcomings with manual allow-listing software that you should be aware of. While IT Administrators are used to monitoring and making security decisions on their systems, manually updating allow-lists can be a daunting task for businesses without dedicated IT teams.
Some application allow-listing software will require you to actively authorise each program you install, adding extra steps to the installation process. For those who simply want to click ‘install’ and go, this may be off-putting. This is the only major disadvantage of application allow-listing; however, modern application control software, such as CatchPulse, streamlines this process.
Introducing CatchPulse - intuitive application control
There’s no denying that application control is the best way of securing your organisation. It’s particularly important because, as we’ve seen, traditional anti-virus solutions are slow to respond to zero-day threats. Since the majority of virulent threats are packed into programs, blocking them from running is an excellent way of protecting your data.
CatchPulse is an intuitive, AI-powered security solution for both home and enterprise users. It includes both application allow-listing and deny-listing functions, it’s compatible with Windows 7 and above, and for anyone who is deeply attached to their anti-virus, CatchPulse can run alongside any other anti-virus and anti-malware programs.
This solution is upping the ante on traditional endpoint protection platforms, as it’s powered by an intelligent AI engine and can be managed from a centralised dashboard. It deploys various cloud anti-virus scanners to protect and inform without interfering with existing systems or employee processes. Home users can finally get automatic and personalised protection as well as protection from unknown threats, a few of the shortcomings of traditional anti-virus solutions.
Final thoughts
As you can see, application control is the most effective way of securing your devices. Not only is it light on system resources, but it also automates the allow-listing of new programs, takes a block-first approach, and simplifies security for all users: a win-win-win.
For an enterprise endpoint protection version, visit the CatchPulse Pro page to learn more and get a free 60-day trial.
If you are looking for home malware protection to secure your personal Windows computer or laptop, visit our CatchPulse page to learn more.