Whitelisting Community Preview: MalwareShield

You have heard me talk about whitelisting over the last few years. Well, I have some news! You may not know that most of us here at KnowBe4 are ex-antivirus people who came from the Sunbelt Software VIPRE antivirus team. We have been very busy the last few years working on the next wave in malware protection.

We're at the point where we need early-version testers for our new product, MalwareShield. This first version is focused on stand-alone workstations or servers that hold high-value data and/or need to block -any- installation of malware: the PC of your CFO, a file server that holds the company crown jewels and needs to be locked down, or some XP SP3 machines that you cannot get rid of yet but still need to secure now that there are no more updates from Redmond.

How It Works

1) Install MalwareShield. Two drivers get loaded. Reboot.
2) MalwareShield scans the hard disk(s) once, at very low CPU usage, and creates a local exe whitelist. Depending on the size of the disks this can take a while, but normal operation can continue in the meantime.
3) It turns itself on. The machine is now protected.

Under The Hood

1) The first driver runs a scan that hashes every executable it finds and builds a local whitelist from those hashes. From that point forward, any executable that is not on the local whitelist and tries to run gets checked in the cloud, and gets blocked if it is not known to be good. You have three options:

  1. No Block Notification
  2. Display Only
  3. Prompt for override (recommended)

If you choose the override option, a pop-up in the bottom right corner shows which exe was blocked and why, with a check box for you to allow it to run or not. We maintain an extensive real-time, cloud-based exe whitelist that is constantly extended as new versions and patches come out.
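The decision flow described above (local whitelist first, then the cloud whitelist, then the chosen notification mode), as an added Python example that is not MalwareShield's own code: it hashes the executables under a directory into a local whitelist, then checks a file that appeared after the scan. The use of SHA-256, the set of executable suffixes, and the cloud-lookup and ask-user callbacks are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from enum import Enum

class Policy(Enum):
    """The three block-notification modes named in the post (modelled here, not the product's API)."""
    NO_BLOCK_NOTIFICATION = 1  # block silently
    DISPLAY_ONLY = 2           # block and show what was blocked and why
    PROMPT_FOR_OVERRIDE = 3    # block unless the user ticks the allow box
EXE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")  # assumption: what counts as "executable"

def sha256_file(path):
    h = hashlib.sha256()  # assumption: the post does not say which hash is used
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_local_whitelist(root):
    """One-time disk scan: hash every executable found and record it as allowed."""
    allowed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXE_SUFFIXES):
                path = os.path.join(dirpath, name)
                allowed[sha256_file(path)] = path
    return allowed

def check_execution(path, local_whitelist, cloud_is_known_good, policy, ask_user=None):
    """Decide whether an executable may run: local list, then cloud list, then policy."""
    digest = sha256_file(path)
    if digest in local_whitelist:
        return True, "on local whitelist"
    if cloud_is_known_good(digest):
        return True, "known good in cloud whitelist"
    if policy is Policy.PROMPT_FOR_OVERRIDE and ask_user and ask_user(path, digest):
        return True, "allowed by user override"
    return False, f"unknown hash {digest[:12]}..., blocked under {policy.name}"

def demo():
    """Constructed scenario: one exe present at scan time, one that appears afterwards."""
    with tempfile.TemporaryDirectory() as root:
        known, new = os.path.join(root, "app.exe"), os.path.join(root, "new.exe")
        with open(known, "wb") as f: f.write(b"MZ constructed sample present at scan time")
        wl = build_local_whitelist(root)  # the scan runs before new.exe exists
        with open(new, "wb") as f: f.write(b"MZ constructed sample written after the scan")
        never_seen = lambda d: False      # constructed cloud verdict: hash unknown
        return {
            "known_local": check_execution(known, wl, never_seen, Policy.DISPLAY_ONLY)[0],
            "unknown_display": check_execution(new, wl, never_seen, Policy.DISPLAY_ONLY)[0],
            "unknown_prompt_allowed": check_execution(new, wl, never_seen, Policy.PROMPT_FOR_OVERRIDE, ask_user=lambda p, d: True)[0],
            "unknown_cloud_known": check_execution(new, wl, lambda d: True, Policy.NO_BLOCK_NOTIFICATION)[0],
        }
```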

2) The second driver is a network filter that looks at URL requests. If a URL is not on our "known-good" real-time cloud whitelist, a block screen will pop up in the browser with two options: "get me outta here" and "ignore".

- For a server it's not a good idea to have a browser enabled in the first place, but in the unlikely event that malware makes it through, this will block the malware from "calling home" when it tries to reach the domain where its command & control server lives.
- For a workstation, having a block screen in place that reminds the user of the risks involved is yet another layer of your defense-in-depth.

An enterprise console that will drive multiple machines is in the works and will be released a bit later. For the enterprise, this is offered as an additional layer of security and the product has no known incompatibilities with any existing antivirus product, including the free "Defender" AV in Windows 8.

This is the preliminary consumer website. For consumers, the product is positioned as an "extra security" add-on to the free Microsoft Defender:

Here is the MalwareShield enterprise webpage where you can request the Community Preview (beta). Fill out the survey at the bottom of the page to get the beta.
