5 Years, 500 Million Good Files and Counting

Trend Micro has recently reached an important milestone: we have vetted our 500 millionth "good file" towards the end of 2014. This means that we have a strong and vast repository of files to competently decide whether any given file is non-malicious or otherwise. Securing Single-Purpose Systems Whitelisting is increasingly being seen as a key component of modern solutions to dealing with today's threat landscape. Recent attacks on PLCs (ICS/SCADA) and PoS systems demonstrate how effective locking down systems (enabled via application control) can be. In these kinds of systems, the functions that need to be enabled are very limited and specific. Because of this, it is relatively easy to specify the exact files that need to pass through any whitelisting filters. In addition, the damage that can be inflicted if these systems are compromised is significant. Air gapping systems may be an option in some cases, but frequently employees end up bypassing any air gaps anyway (via USB disks), and sometimes it may not even be possible (other design requirements may require connectivity.) At the same time, we also know that targeted attacks use highly customized malware that are tested against known blacklists before being deployed to specific targets. It is becoming more and more apparent that blacklisting is no longer sufficient by itself to protect networks. With the increasing acceptance of whitelisting and application control solutions for current digital threats, building a database of catalogued and whitelisted files is a crucial ingredient in providing up-to-date protection and solutions to end users. Risk Management through Application Control What else can whitelisting offer? In addition to protecting against both known and unknown threats, it also offers substantial benefits to IT administrators. When major unpatched vulnerabilities are disclosed, the information can be used to quickly determine what an organization's risks are. It can also be used to control and classify the apps that employees do use. This allows an organization to save valuable time, resources, and money. To help with this, we have been building a centralized file whitelist database, which we call the Goodware Resource Information Database (GRID). When integrated into our products, the GRID service is called Trend Micro Certified Safe Software Service (TMCSSS). We have collected more than more than 570 million non-malicious files over five years. This includes the applications that users are more likely to encounter in their day-to-day usage. The collection of files that GRID represents is also used to generate valuable intelligence about legitimate files. File properties are extracted and normalized to ensure that applications, vendors, and software publishers are correctly recorded. Functional categories, resource usage, vulnerability information, and overall risk ratings are also generated and stored, which can be used for research and analysis purposes. Application Control in Endpoint Clients GRID has been used to enhance various Trend Micro products, systems, and processes. Product features such as file integrity monitoring and application control are made possible via the database of known clean files the GRID represents. Endpoint products regularly query GRID to improve their performance and accuracy. Today's new threats demand new solutions, and whitelisting is an incredibly valuable tool. Technologies such as GRID helps power whitelisting and improve its utility to network administrators, making managing threats easier, more effective, and less painful.