Applications White List by ISC/NIST

In security, when you have to restrict access to “resources” (websites, files, IP addresses, ports, etc), you can deploy while or black lists. The term “white list” refers to a list of resources which are allowed or granted. At the opposite, a black list refers to resources which are denied or unrecognized.

Both methods have pro and cons. While implementing a white list, the default action will be to deny access to all unknown resources. This imposes a strong management of your white list(s). Otherwise, your users could have their access to required or valid information denied or applications prohibited to access some valid resources.

In case of a black list, everything is allowed by default and access is restricted on a case by case. Your users or applications will always have access to their resources but also to potential dangerous ones. Management of a black list will be easier but you will always be “behind the times” to block malicious resources. Which one if the best between the two access methods? A best practice is  use the “least privilege” principle to restrict access to resources. Quoted from Wikipedia, least privilege is defined as:

In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.“.

That’s why maintaining white lists is a pain and a recurrent process. To not reinvent the wheel, why not use online white lists? If you plan to restrict access to files and applications using a while list, consider the following new tool.

The ISC (“Internet Storm Center“) provides a direct access to the NIST National Software Reference Library database. This database is a collection of digital signatures of well-known software applications (The current database contains nerlay 40 millions of records). Provide a MD5, SHA1 or a file name and you will receive useful information. Check out the search interface here.

Note that the database is also available via DNS request! Very convenient to check your files directly from a script. Perform DNS queries on Here is an example:

$ dig +short TXT
"cmd.exe | NIST"

Note: If you need to test a complete system, NIST has a very convenient bootable CD ISO for collecting metadata, hashing and storing in NIST NSRL format. There are also images of CD with the hashes databases available.

How to use this database? Via the following script, you can search for files created on a file system and query the online database:

$ find /data -type f -ctime 1 -exec dig -short /bin/md5sum {} \; | while read L
     set $L
     dig +short $ TXT

The database must be considered as a while list. It contains only signatures of “good” applications and no malwares or other suspicious tools. But some tools can be detected as dangerous in some environments (Nmap is a good example). This could be interesting to implement this security check in parallel to a host based IDS like OSSEC.


  1. I remember old times when there was TBAV/DOS antivirus which has functionality to calculate/keep whole system’s checksums and then one could compare it later and find out any modifications. I think similar sulution exist in today’s AV products… F.e. Avast ? The problem is how effective/friendly is this solution…

  2. Hi Xavier,

    Thanks for your answer.
    I will try to use it. Really good idea.


  3. Hello Renaud,
    It seems that the DNS gateway is very unstable! 🙁 After the article being posted, I had the same problem. Now it’s ok (tested a few seconds ago):

    $ cd /mnt/My\ Documents/Temp
    $ md5sum cmd.exe
    6d778e0f95447e6546553eeea709d03c cmd.exe
    $ dig +short TXT
    “cmd.exe | ISC”

    Note that no valid DNS answer will be returned if the lookup failed (unknown file as example)


  4. Hi,
    Really interesting concept, i plan to automatize this on machines, for a first test.
    Really good thing for the dns requests.. (udp, rapidity..Etc)

    Anyway my first test aren’t really OK, let explain:

    On a Debian OS, with a mounted windows partition (XP):
    $ find /mnt/win/Program\ Files/Nmap/nmap.exe -type f -exec /usr/bin/md5sum {} \;
    ae4323c5dd77b1df988a34cbb124d32c /mnt/win/Program Files/Nmap/nmap.exe

    2) $ dig +short
    ==> nothing.
    In capture i see a servfail..
    I tried with other binaries, same results.. except for your example :
    $ dig +short TXT
    “cmd.exe | NIST”

    Any clue ?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.