Newcomer II

SolarWinds supply chain attack - still a good idea to whitelist third-party applications at AV?

I had always been wondering if it is a good idea to allow whitelisting of certain third-party applications and folders at the anti-malware platform so that they can run smoothly without interference from AV scanning. With whitelisting a requirement for the SolarWinds Orion platform, whitelisting would have prevented the anti-malware from detecting malicious activities originating from the compromised software. So should we put a stop to all such whitelisting? Is there a good reason and guidelines to allow whitelisting safely?
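The question asks for guidelines on doing this safely. The script below is an added example, not code from the thread or from any vendor: it audits a list of anti-malware scan exclusions and rates how much detection coverage each one gives up, encoding the usual guideline that an exclusion should be a single file, pinned to a hash, with an owner and a review date, never a whole folder, a wildcard or an entire process. The sample exclusions, the vendor name `ExampleVendor`, the process name and the hash value are all constructed placeholders.

```python
"""Audit anti-malware scan exclusions ("whitelist" entries) and rate the
detection coverage each one gives up.

Rules encoded here (added example, constructed data):
  - folder, wildcard or extension scope  -> high: anything dropped there,
    including a trojanized vendor update, is never scanned
  - process scope                        -> high: everything the process
    touches is exempt, so a backdoored binary inherits the exemption
  - single file without a pinned hash    -> medium: an update silently
    changes the excluded content
  - user-writable location, no owner, no or expired review date -> raised
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Locations unprivileged users or services can normally write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\tmp\\", "/tmp/", "/home/")

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Fixed "today" so the sample output is reproducible (constructed).
AUDIT_DATE = date(2020, 12, 18)


@dataclass
class Exclusion:
    kind: str                      # "path", "folder", "process", "extension"
    target: str                    # path, folder, process name or extension
    sha256: Optional[str] = None   # pinned file hash, only meaningful for "path"
    owner: Optional[str] = None    # who approved the exception
    expires: Optional[date] = None # review / expiry date


@dataclass
class Finding:
    target: str
    severity: str                  # "low", "medium" or "high"
    reasons: List[str] = field(default_factory=list)


def audit_exclusion(exc: Exclusion, today: date) -> Finding:
    """Return the worst severity for one exclusion plus every reason found."""
    reasons: List[str] = []
    severity = "low"

    def bump(level: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    if exc.kind in ("folder", "extension") or any(ch in exc.target for ch in "*?"):
        bump("high", "folder/wildcard/extension scope: any file placed there is "
                     "never scanned, including a trojanized update of the product")
    elif exc.kind == "process":
        bump("high", "process exclusion: everything the process touches is exempt, "
                     "so a backdoored binary inherits the exemption")
    elif exc.kind == "path":
        if not exc.sha256:
            bump("medium", "file not hash-pinned: a vendor update silently "
                           "changes the excluded content")
    else:
        bump("high", f"unknown exclusion kind {exc.kind!r}")

    if any(h in exc.target.lower() for h in USER_WRITABLE_HINTS):
        bump("high", "target is in a user-writable location")
    if exc.owner is None:
        bump("medium", "no owner recorded for the exception")
    if exc.expires is None:
        bump("medium", "no expiry/review date")
    elif exc.expires < today:
        bump("medium", f"exception expired on {exc.expires.isoformat()}")

    return Finding(exc.target, severity, reasons)


def audit_exclusions(exclusions: List[Exclusion], today: date = AUDIT_DATE) -> List[Finding]:
    return [audit_exclusion(e, today) for e in exclusions]


def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="low")


# Constructed sample policy; names and hash are placeholders, not real data.
SAMPLE_EXCLUSIONS = [
    Exclusion("folder", r"C:\Program Files\ExampleVendor", owner="netops"),
    Exclusion("process", "examplemonitor.exe", owner="netops", expires=date(2021, 6, 30)),
    Exclusion("path", r"C:\Program Files\ExampleVendor\agent.exe",
              sha256="0" * 64, owner="netops", expires=date(2021, 6, 30)),
    Exclusion("path", r"C:\Users\svc\AppData\Local\tool.exe", owner="helpdesk"),
]

if __name__ == "__main__":
    for finding in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"{finding.severity.upper():6} {finding.target}")
        for reason in finding.reasons:
            print(f"        - {reason}")
```

Only the hash-pinned, owned, dated single-file entry comes out as low. That is the narrowest exclusion the tool can grant, and it still only moves the risk to the review done when the hash was pinned: if the binary reviewed at that time was already the trojanized build, the pin does nothing, which is why a signed vendor update is the hard case for any allowlist.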

4 Replies
Advocate I

Not necessarily. I put many of these types of software under a bit higher scrutiny: WAF, outer ring before the next protection zone, higher degree of logging, etc., as a matter of best practice beginning after the Target fiasco. Have I found the magic bad packet? No; eventually I will, or someone will get lazy and miss something stupid.

I am just waiting for the final forensics on this and FireEye before jumping to any conclusions, though.

Happy reading!

Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.

Influencer II

Definitely an important question. Whitelisting should be done carefully, particularly with applications which require pervasive permissions, and, in this case, it still would have been extremely difficult to detect the attack, since it was properly signed and authenticated.

Viewer II

Very valid question; the direction is Zero Trust and SDP.