Application whitelisting

Application whitelisting is a method of controlling which applications are permitted to run on a system. It works on the principle that only what is explicitly permitted and trusted can execute, so if malicious software is installed on the system, it will not be able to run. This model is closer to the trust model presented in Chapter 2, Security Architectures. Once trust is established for the applications on a system, their behavior is either permitted or denied. This approach can be more effective than FIM (file integrity monitoring), and with some solutions managing billions of hash baselines for trusted applications, false positives are rare.

Application whitelisting is a proactive approach to malware mitigation on endpoint systems such as desktops, laptops, and servers. The tool can also prevent unapproved application installs, where a system user or owner may inadvertently introduce risk: if the application is not preapproved, the installation can be blocked, and if the installation nonetheless succeeds, the tool can block the application from running.

Because of its proactive nature, this technology could replace an anti-virus solution and complement other advanced tools in the network, such as advanced persistent threat tools and NGFW, to provide a layered mitigation implementation. The protection applies not only at the OS and application tier; execution from USB drives and other common sources of malware can also be blocked. Although blocking such sources is also common in data loss prevention tools, this tool category does not analyze data type to decide what is blocked.

Implementation considerations

To leverage an application whitelisting tool, the analysis has to happen at the front end of the implementation rather than after it: the initial baseline is taken up front, and a continuing process of reviewing changes is needed to determine which changes are valid. This avoids accidentally baselining malware into an accepted system baseline, which would leave the system infected or misconfigured. With application whitelisting, applications are learned and then blocked according to the implemented policy, which may be disruptive. Knowing every application that is permitted to run can be a hard task in environments where application inventories are not maintained.
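The hash-baseline model described above (trust follows the file's hash, a baseline is learned on a clean system before enforcement, and anything outside the baseline is blocked or queued for review) can be sketched in a few dozen lines. This is an added illustration, not code from the book or from any whitelisting product; the directory names, the `audit`/`enforce` modes and the sample binaries are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks; the digest, not the path, is what the policy trusts."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(trusted_dirs):
    """Learning phase: hash every file under known-good directories.
    Run this on a clean image, before enforcement, so malware is never baselined."""
    return {sha256_file(p): str(p)
            for d in trusted_dirs for p in Path(d).rglob("*") if p.is_file()}


def evaluate(path, baseline, mode="enforce"):
    """Return (decision, reason). 'audit' only records unknowns; 'enforce' blocks them."""
    digest = sha256_file(path)
    if digest in baseline:
        return "allow", f"hash matches trusted file {baseline[digest]}"
    decision = "block" if mode == "enforce" else "audit"
    return decision, f"unknown hash {digest[:12]}... for {path}; queue for review"


def demo():
    """Constructed scenario on temporary files (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "Program Files"
        trusted.mkdir()
        (trusted / "app.bin").write_bytes(b"\x7fELF trusted build 1.0")
        baseline = build_baseline([trusted])       # taken before any enforcement
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        # Same bytes at a different path: allowed, because trust is by hash, not location.
        (downloads / "app.bin").write_bytes(b"\x7fELF trusted build 1.0")
        # One byte differs (patched or unapproved build): hash no longer matches.
        (downloads / "app_patched.bin").write_bytes(b"\x7fELF trusted build 1.1")
        return {
            "original": evaluate(trusted / "app.bin", baseline)[0],
            "copied": evaluate(downloads / "app.bin", baseline)[0],
            "tampered": evaluate(downloads / "app_patched.bin", baseline)[0],
            "tampered_audit": evaluate(downloads / "app_patched.bin", baseline, "audit")[0],
        }
```

Running in `audit` mode first is what lets a team discover the applications an inventory never listed before `enforce` mode starts disrupting users.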
