Blacklisting and Whitelisting

Traditionally, the IT industry has relied on perimeter security to protect its most valuable resources, such as user data and intellectual property. These strategies use firewalls and other network-based tools to inspect and validate traffic entering and leaving the network. A network perimeter alone is no longer sufficient to stop malware and other malicious software from reaching your data: once code is running inside the perimeter, the network controls say nothing about what it may do to your files. Blacklisting and whitelisting move the control to the file itself, by deciding which processes and users can read, modify, rename or delete your sensitive files.

Blacklisting is the act of compiling a blacklist (also called a deny list or block list) of entities that are to be distrusted or rejected. In a file-access context the entities are processes, users, IP addresses or file hashes that are known or suspected to be harmful. Anything on the list is refused; anything not on the list is allowed, because the default is to trust. As a verb, to blacklist means to put an entity on such a list.

Whitelisting is the practice of identifying the entities that are known to be safe and allowing only those. It follows the "zero trust" principle: deny everything and permit only what is strictly necessary. Zero trust is a framework that assumes a network is always exposed to both external and internal threats, and it gives a structured way to plan controls against them.

A whitelist, allow list, or pass list is a mechanism that explicitly grants identified entities access to a particular privilege, service, or resource. It is a list of things that are allowed when everything else is denied by default. It is the opposite of a blacklist, which is a list of things that are denied when everything else is allowed by default.

Blacklisting Vs Whitelisting

Blacklisting | Whitelisting
Blocks entries that are known to be unwanted | Admits only pre-approved applications, e-mails, IP addresses, etc.
Lists the files, processes or addresses that may pose a threat to the network | Lists the applications, e-mails and IP addresses that are permitted to access the network
Threat-centric method | Trust-centric method
Easy to implement and maintain | More complex to implement and maintain
Risk: malicious traffic that is not yet on the list gets through | Risk: legitimate traffic that is not yet on the list is blocked
Low administrative effort | Strongest protection (deny by default)
Older approach | Newer, zero-trust approach

How to Implement Blacklisting and Whitelisting

The EaseFilter File Control Filter Driver provides a simple way to implement blacklisting and whitelisting. It lets you control file I/O operations through a filter rule configuration in which you list the whitelisted or blacklisted processes and users. For each process or user you can allow or block specific file I/O operations: you can control who may read a file, allow or block modification, and prevent an important file from being deleted or renamed.

To implement blacklisting, set up the filter rule with the maximum access rights as its default. By default every process and user then has full access to the files covered by the rule. You then add the blacklist to the rule, removing specific access rights from specific processes or users, so that the blacklisted processes or users lose those rights to the files while everyone else keeps full access.

The code snippet below sets up two blacklist rules:

1. A filter rule without encryption, with the maximum access rights as the default. By default every process can access the files; only the processes on the blacklist lose the listed rights (here, rename and delete).

2. A filter rule with encryption enabled, again with the maximum access rights as the default. By default every process can access the files and encrypted files are transparently decrypted; only the processes on the blacklist lose the decryption right and read the raw encrypted data instead.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string>
#include "FilterControl.h"   // EaseFilter SDK header; the file name is assumed, use the one shipped with your SDK

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD threadCount = 5;
    DWORD connectionTimeout = 20; //SECONDS
    ULONG filterType = FILE_SYSTEM_CONTROL|FILE_SYSTEM_ENCRYPTION;
    //your EaseFilter registration key (declared here because the original snippet used it without declaring it; the std::wstring type is assumed)
    std::wstring registerKey = L"";
    std::wstring fileFilterMask;

    //create a filter control instance
    FilterControl* filterControl = FilterControl::GetSingleInstance();

    //setup the filter rule for folder 'c:\\secureSandbox1'
    fileFilterMask = L"c:\\secureSandbox1\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule1(fileFilterMask);
    //setup the maximum access rights for the filter rule as the default access rights.
    fileFilterRule1.AccessFlag = ALLOW_MAX_RIGHT_ACCESS;
    //setup blacklist processes: remove the rename and delete access rights from the process 'cmd.exe'
    fileFilterRule1.AddAccessRightsToProcessName(L"cmd.exe", ALLOW_MAX_RIGHT_ACCESS & (~(ALLOW_FILE_RENAME|ALLOW_FILE_DELETE)));

    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule1);

    //setup the filter rule for folder 'c:\\secureSandbox2'
    fileFilterMask = L"c:\\secureSandbox2\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule2(fileFilterMask);
    //setup the maximum access rights for the filter rule as the default access rights
    //and enable encryption for this filter rule.
    fileFilterRule2.AccessFlag = ALLOW_MAX_RIGHT_ACCESS|ENABLE_FILE_ENCRYPTION_RULE;
    //if you have a master key, set it here; if you want to get the encryption key from the callback function instead, don't set the key here.
    //256-bit (32-byte) encryption key; this is a sample value, generate your own and never hard-code it in production
    unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
    if(!fileFilterRule2.set_EncryptionKey(key,sizeof(key)))
    {
        goto Exit;
    }

    //setup blacklist processes: remove the decryption right from the process 'explorer.exe', so 'explorer.exe' can only read the raw encrypted data;
    //when you copy an encrypted file with explorer, the new file still contains the encrypted data.
    fileFilterRule2.AddAccessRightsToProcessName(L"explorer.exe", ALLOW_MAX_RIGHT_ACCESS & (~ALLOW_READ_ENCRYPTED_FILES));

    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule2);

    //start the filter driver service.
    filterControl->StartFilter(filterType,threadCount,connectionTimeout,registerKey);

    getchar();

Exit:

    filterControl->StopFilter();
    delete filterControl;

    return 0;
}

To implement whitelisting, set up the filter rule with the minimum access rights as its default. By default no process or user then has any access to the files covered by the rule: zero trust for all processes and users. You then add the whitelist to the rule, granting specific access rights to specific processes or users, so that only the whitelisted processes or users get those rights to the files.

The code snippet below sets up two whitelist rules:

1. A filter rule without encryption, with the least-privilege access rights as the default. By default no file can be accessed; only the processes on the whitelist can access the files.

2. A filter rule with encryption enabled, with the maximum access rights except decryption as the default. By default every process can access the files but none can decrypt them; only the processes on the whitelist get the decrypted data.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string>
#include "FilterControl.h"   // EaseFilter SDK header; the file name is assumed, use the one shipped with your SDK

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD threadCount = 5;
    DWORD connectionTimeout = 20; //SECONDS
    ULONG filterType = FILE_SYSTEM_CONTROL|FILE_SYSTEM_ENCRYPTION;
    //your EaseFilter registration key (declared here because the original snippet used it without declaring it; the std::wstring type is assumed)
    std::wstring registerKey = L"";
    std::wstring fileFilterMask;

    //create a filter control instance
    FilterControl* filterControl = FilterControl::GetSingleInstance();

    //setup the filter rule for folder 'c:\\secureSandbox1'
    fileFilterMask = L"c:\\secureSandbox1\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule1(fileFilterMask);
    //setup the least access rights for the filter rule as the default access rights (deny by default).
    fileFilterRule1.AccessFlag = LEAST_ACCESS_FLAG;

    //setup whitelist processes: grant the maximum access rights to the processes from the Windows system folder.
    //Note that this wildcard admits every executable matched under c:\windows, so keep such patterns as narrow as your environment allows.
    fileFilterRule1.AddAccessRightsToProcessName(L"c:\\windows\\*.exe", ALLOW_MAX_RIGHT_ACCESS);

    //setup whitelist processes: grant access rights to your own trusted process, here everything except rename and delete.
    fileFilterRule1.AddAccessRightsToProcessName(L"c:\\mytrustedfolder\\myfile.exe", ALLOW_MAX_RIGHT_ACCESS & (~(ALLOW_FILE_RENAME|ALLOW_FILE_DELETE)));
    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule1);

    //whitelist example for the encryption filter rule 2.
    //setup the filter rule for folder 'c:\\secureSandbox2'
    fileFilterMask = L"c:\\secureSandbox2\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule2(fileFilterMask);
    //enable encryption for this filter rule; by default no process or user can decrypt the files,
    //all processes and users get the raw encrypted data.
    fileFilterRule2.AccessFlag = (ALLOW_MAX_RIGHT_ACCESS|ENABLE_FILE_ENCRYPTION_RULE) & (~ALLOW_READ_ENCRYPTED_FILES);
    //if you have a master key, set it here; if you want to get the encryption key from the callback function instead, don't set the key here.
    //256-bit (32-byte) encryption key; this is a sample value, generate your own and never hard-code it in production
    unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
    if(!fileFilterRule2.set_EncryptionKey(key,sizeof(key)))
    {
        goto Exit;
    }

    //setup whitelist processes: only the listed trusted processes get the decrypted data; every other process reads the raw encrypted data.
    fileFilterRule2.AddAccessRightsToProcessName(L"c:\\trustedFolder\\whitelistprocess.exe", ALLOW_MAX_RIGHT_ACCESS);
    fileFilterRule2.AddAccessRightsToProcessName(L"notepad.exe", ALLOW_MAX_RIGHT_ACCESS);
    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule2);
    //start the filter driver service.
    filterControl->StartFilter(filterType,threadCount,connectionTimeout,registerKey);

    getchar();

Exit:

    filterControl->StopFilter();
    delete filterControl;

    return 0;
}
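The two listings above configure rules but do not show how the driver decides a single request. The following C++ is an added example, not EaseFilter's code, that models the decision described in the blacklist and whitelist sections: a rule carries a default access flag, per-process entries override it, and an operation is allowed only if the resulting right set contains it. The bit values (RIGHT_READ and friends), first-match ordering, bare-name matching against the image file name, and the wildcard semantics in which '*' also spans path separators are assumptions of this model; check them against the SDK's own documentation before relying on them. The process paths and folders are constructed sample input.

```cpp
// Added example, not EaseFilter SDK code: a model of how a filter rule's
// default access flag plus per-process overrides resolve to effective rights,
// in blacklist mode (default allow, subtract) and whitelist mode (default
// deny, add). Bit values, match order and wildcard semantics are assumptions.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical bit values standing in for the SDK's ALLOW_* constants.
enum Right : uint32_t {
    RIGHT_READ           = 1u << 0,
    RIGHT_WRITE          = 1u << 1,
    RIGHT_RENAME         = 1u << 2,
    RIGHT_DELETE         = 1u << 3,
    RIGHT_READ_ENCRYPTED = 1u << 4,   // may read the decrypted contents
};
const uint32_t RIGHTS_MAX   = RIGHT_READ | RIGHT_WRITE | RIGHT_RENAME | RIGHT_DELETE | RIGHT_READ_ENCRYPTED;
const uint32_t RIGHTS_LEAST = 0;

// Case-insensitive glob: '*' matches any run of characters (in this model it
// also spans '\\', so "c:\\windows\\*.exe" covers every subfolder); '?' matches one.
bool globMatch(const std::string& pattern, const std::string& text) {
    size_t p = 0, t = 0, starP = std::string::npos, starT = 0;
    auto eq = [](char a, char b) {
        return std::tolower(static_cast<unsigned char>(a)) == std::tolower(static_cast<unsigned char>(b));
    };
    while (t < text.size()) {
        if (p < pattern.size() && (pattern[p] == '?' || eq(pattern[p], text[t]))) { ++p; ++t; }
        else if (p < pattern.size() && pattern[p] == '*') { starP = p++; starT = t; }
        else if (starP != std::string::npos) { p = starP + 1; t = ++starT; }  // backtrack to last '*'
        else return false;
    }
    while (p < pattern.size() && pattern[p] == '*') ++p;
    return p == pattern.size();
}

struct ProcessRule { std::string pattern; uint32_t rights; };

struct FilterRule {
    std::string fileMask;                  // folder the rule covers (informational here)
    uint32_t defaultRights;                // what every process gets unless listed
    std::vector<ProcessRule> processRules; // first matching pattern wins (assumption)
};

// A bare image name ("cmd.exe") is compared against the file name only;
// a pattern containing '\\' is compared against the full image path.
uint32_t effectiveRights(const FilterRule& rule, const std::string& processPath) {
    size_t slash = processPath.find_last_of('\\');
    std::string imageName = slash == std::string::npos ? processPath : processPath.substr(slash + 1);
    for (const ProcessRule& pr : rule.processRules) {
        const std::string& subject = pr.pattern.find('\\') == std::string::npos ? imageName : processPath;
        if (globMatch(pr.pattern, subject)) return pr.rights;
    }
    return rule.defaultRights;
}

bool isAllowed(const FilterRule& rule, const std::string& processPath, uint32_t op) {
    return (effectiveRights(rule, processPath) & op) == op;
}

// Blacklist: everything allowed, then rights are removed from listed processes.
FilterRule blacklistRule() {
    return { "c:\\secureSandbox1\\*", RIGHTS_MAX,
             { { "cmd.exe", RIGHTS_MAX & ~(RIGHT_RENAME | RIGHT_DELETE) } } };
}

// Whitelist: nothing allowed, then rights are granted to listed processes.
FilterRule whitelistRule() {
    return { "c:\\secureSandbox1\\*", RIGHTS_LEAST,
             { { "c:\\windows\\*.exe", RIGHTS_MAX },
               { "c:\\mytrustedfolder\\myfile.exe", RIGHTS_MAX & ~(RIGHT_RENAME | RIGHT_DELETE) } } };
}

// Whitelist on an encrypted folder: every process may touch the files, but
// only listed processes see plaintext; all others read raw ciphertext.
FilterRule whitelistEncryptedRule() {
    return { "c:\\secureSandbox2\\*", RIGHTS_MAX & ~RIGHT_READ_ENCRYPTED,
             { { "notepad.exe", RIGHTS_MAX } } };
}

int main() {
    const char* ops[] = { "read", "delete", "read-plaintext" };
    const uint32_t opBits[] = { RIGHT_READ, RIGHT_DELETE, RIGHT_READ_ENCRYPTED };
    const char* procs[] = { "c:\\windows\\system32\\cmd.exe", "c:\\windows\\notepad.exe",
                            "c:\\mytrustedfolder\\myfile.exe", "c:\\users\\bob\\downloads\\unknown.exe" };
    FilterRule rules[] = { blacklistRule(), whitelistRule(), whitelistEncryptedRule() };
    for (const FilterRule& r : rules) {
        std::cout << "rule " << r.fileMask << "\n";
        for (const char* proc : procs)
            for (int i = 0; i < 3; ++i)
                std::cout << "  " << proc << " " << ops[i] << ": "
                          << (isAllowed(r, proc, opBits[i]) ? "allow" : "deny") << "\n";
    }
    return 0;
}
```

Running it makes the trade-off in the comparison table concrete: under the blacklist rule the unknown download in c:\users\bob\downloads keeps full rights, including delete, because nobody listed it; under the whitelist rule it gets nothing. It also shows why a wide pattern such as c:\windows\*.exe deserves scrutiny: with the wildcard semantics assumed here it admits cmd.exe from system32 with full rights, which is rarely what a least-privilege policy intends. Name-based entries match any process whose image name fits the pattern, so prefer full paths to bare names and keep the whitelist as short as the workload allows.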

For more examples of how to use the filter driver to control file access, see our FileProtector demo page.