CISSP · Question #502
Which of the following technologies would provide the BEST alternative to anti-malware software?
The correct answer is B. Application whitelisting. Application whitelisting is the best alternative to anti-malware because it prevents unauthorized code from executing entirely, rather than detecting known threats after the fact.
Question
Options
- AHost-based Intrusion Detection Systems (HIDS)
- BApplication whitelisting
- CHost-based firewalls
- DApplication sandboxing
How the community answered
(43 responses)- A5% (2)
- B81% (35)
- C2% (1)
- D12% (5)
Why each option
Application whitelisting is the best alternative to anti-malware because it prevents unauthorized code from executing entirely, rather than detecting known threats after the fact.
HIDS monitors system activity and alerts on suspicious behavior or policy violations, but it is a detection mechanism - it does not inherently prevent malware from executing in the first place.
Application whitelisting enforces a policy where only explicitly approved, trusted applications are permitted to execute on a host, blocking all unauthorized or unknown executables by default. This approach is fundamentally superior to traditional anti-malware, which relies on signature databases or heuristics to detect known threats and can miss zero-day or novel malware. By denying execution of anything not on the approved list, whitelisting stops malware before it can run, regardless of whether it is recognized as malicious.
Host-based firewalls control inbound and outbound network traffic based on rules, but they do not inspect or block the execution of malicious files or code already resident on the host.
Application sandboxing isolates a running application to limit the damage it can cause, but it still allows the potentially malicious application to execute; it does not prevent the malware from running as whitelisting does.
Concept tested: Application whitelisting as proactive malware prevention control
Source: https://csrc.nist.gov/publications/detail/sp/800-167/final
Topics
Community Discussion
No community discussion yet for this question.