Application Allowlisting (Whitelisting)
What is Application Allowlisting (Whitelisting)?
Application Allowlisting (Whitelisting): A defensive control that permits only explicitly approved executables, scripts, and libraries to run on an endpoint, blocking everything else by default.
Application allowlisting (formerly whitelisting) flips the default-allow model of antivirus: only executables, DLLs, scripts, and installers that match an approved policy — by hash, publisher signature, or path — are permitted to run, and everything else is blocked. Microsoft AppLocker and Windows Defender Application Control (WDAC), Linux fapolicyd, macOS notarization gates, and standalone products like Airlock Digital and ThreatLocker implement the pattern. NIST SP 800-167 (Guide to Application Whitelisting) documents the architecture, and the US CISA / NSA / FBI Essential Eight ranks it as the single most effective mitigation against targeted intrusions. The control is highly effective against fileless attacks and unsigned ransomware, but requires disciplined change management because every new tool needs an approval workflow.
● Examples
1. A Windows server using WDAC to allow only Microsoft-signed binaries plus a small set of approved internal tools.
2. Airlock Digital blocking an unsigned PowerShell script that downloads a Cobalt Strike beacon.
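The AppLocker flavour of the pattern described above, as an example added to this glossary entry (not code from the page, from Microsoft, or from any product named here): rules are built from an approved folder by publisher signature, falling back to hash for unsigned files, and the policy is dry-run against an unsigned script before anything is enforced. The folder C:\ApprovedTools and the script path C:\Users\alice\Downloads\stage.ps1 are constructed assumptions.

```powershell
# Added example, not from the original page or from Microsoft. Assumes an
# elevated PowerShell on a Windows edition that ships the AppLocker module,
# an approved-tools folder at C:\ApprovedTools, and a candidate file at
# C:\Users\alice\Downloads\stage.ps1 (both paths constructed for this example).

# 1. Gather signer/hash information for every executable and script we intend
#    to permit. The same cmdlet can read the AppLocker event log (-EventLog)
#    to inventory what actually runs, which is how a baseline is usually built.
$approved = Get-AppLockerFileInformation -Directory 'C:\ApprovedTools' `
              -FileType Exe, Script -Recurse

# 2. Generate rules. With -RuleType Publisher,Hash a publisher rule is emitted
#    for each signed file and a hash rule only where no signature is usable.
#    Path rules are left out on purpose: a path rule allows whatever is later
#    written into that path, so it is the weakest of the three match types.
$policy = New-AppLockerPolicy -FileInformation $approved `
            -RuleType Publisher, Hash -User Everyone `
            -RuleNamePrefix 'ApprovedTools' -Optimize -IgnoreMissingFileInformation

# 3. Test before enforcing. An unsigned script that matches neither a
#    publisher nor a hash rule is reported as Denied: the default-deny
#    behaviour that distinguishes allowlisting from antivirus.
$verdict = Test-AppLockerPolicy -PolicyObject $policy `
             -Path 'C:\Users\alice\Downloads\stage.ps1' -User Everyone
$verdict | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Deploy with -Merge so the rules are added to, rather than replacing, the
#    local policy. That local policy must already contain the Windows default
#    rules (allow for %WINDIR% and %PROGRAMFILES%); without them the OS's own
#    binaries fall under the same default-deny and the machine stops working.
#    Start each rule collection in AuditOnly mode and watch the AppLocker
#    event log: 8003/8006 = "would have been blocked", 8004/8007 = blocked.
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Every new internal tool then goes through the same three steps (collect, regenerate, test) before the merged policy is redeployed, which is the approval workflow the definition refers to.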
● Frequently asked questions
What is Application Allowlisting (Whitelisting)?
A defensive control that permits only explicitly approved executables, scripts, and libraries to run on an endpoint, blocking everything else by default. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Application Allowlisting (Whitelisting)?
Common alternative names include: Application allowlisting, Software allowlisting, Whitelisting.
● Related terms
- Antivirus (AV) [defense-ops]: Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.
- Next-Generation Antivirus (NGAV) [defense-ops]: Endpoint protection that augments signature scanning with machine-learning models, behavioral analytics, and exploit prevention to stop unknown and fileless threats.
- EDR (Endpoint Detection and Response) [defense-ops]: An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Fileless Malware [malware]: Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Defense Evasion [defense-ops]: The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Ransomware [malware]: Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.