This article is the fifth in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.
Every piece of malware is, at its most fundamental level, a program that needs to execute. Application control is the strategy that prevents unauthorised programs from running in the first place — not by identifying malware after it arrives, but by ensuring that only explicitly approved software can execute at all.
It is a philosophically different approach to endpoint security than antivirus. Where antivirus attempts to identify and block known bad software, application control permits only known good software. Anything not on the approved list simply cannot run.
What the Strategy Requires
Application control maintains a list of approved, trusted applications and prevents the execution of anything not on that list. At Maturity Level One, this applies to standard user environments — workstations and user-facing systems. At higher maturity levels, it extends to servers, and the approved list must be validated and maintained with increasing rigour.
The ACSC specifies that application control should use cryptographic verification — file path rules alone are insufficient because attackers can place malicious executables in trusted locations. Approved applications should be verified by publisher certificate or hash, ensuring that a legitimate application name or location cannot be spoofed.
Microsoft AppLocker and Windows Defender Application Control are the most common implementation tools in Windows environments. Both are included in existing Windows and Microsoft 365 licensing, making this a low-cost control for businesses already on the Microsoft platform.
Why This Approach Is Uniquely Effective Against Certain Attacks
Signature-based antivirus is reactive — it can only detect threats that have already been catalogued. Application control is structural. A piece of malware that has never been seen before, with no known signature, cannot execute in an environment where it is not on the approved list.
This is particularly relevant against zero-day exploits and novel ransomware variants, which routinely evade signature detection in their early propagation phase. The 2017 NotPetya attack spread in part because it used legitimate Windows tools — wmic, psexec — to move laterally. Application control, correctly configured, can restrict even the abuse of legitimate system utilities.
It is also highly effective against a common initial access technique: convincing a user to run a malicious executable disguised as a legitimate file. If the executable is not approved, it cannot run — regardless of how convincingly it was presented.
The Management Overhead
Application control introduces an ongoing management requirement that some businesses find operationally challenging: every new application, update, or legitimate executable must be added to the approved list before it can run. In environments with frequently changing software needs, this can create friction.
The practical mitigation is a well-structured initial deployment — cataloguing all legitimate applications, establishing a change process for additions, and using publisher certificate rules for major vendors (Microsoft, Adobe, etc.) that automatically permit legitimate updates without individual hash management.
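The deployment pattern described here and the publisher-or-hash rule requirement above, as an added example that is not code from the original article: an AppLocker policy built from a clean reference workstation with publisher rules preferred and hash rules as the fallback, audited first, then enforced. It assumes an elevated PowerShell session with the AppLocker module; the download path and output file name are constructed placeholders.

```powershell
# Added example, not from the original article: build an AppLocker allowlist on a
# clean reference workstation, preferring publisher-certificate rules and falling
# back to hash rules (no path rules), audit it, then enforce it.
# Assumptions: elevated PowerShell with the AppLocker module available;
# 'D:\Downloads\sample.exe' and the output file name are constructed placeholders.

# 1. Inventory the executables present on the reference build.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Generate rules. Signed files become publisher rules (one rule covers that
#    vendor's future updates); unsigned files get hash rules. Because no Path
#    rules are requested, a binary dropped into a trusted folder is not allowed
#    merely because of its location.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Start in audit mode so legitimate software missing from the list shows up
#    as events rather than as broken workstations.
$policy = [xml]$xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save("$PWD\AppLocker-Workstation.xml")

# 4. Check how a particular file would be treated before deploying the policy.
Test-AppLockerPolicy -XmlPolicy .\AppLocker-Workstation.xml `
    -Path 'D:\Downloads\sample.exe' -User Everyone

# 5. Apply locally (-Merge keeps existing rules) and ensure the Application
#    Identity service, which AppLocker depends on, starts automatically.
Set-AppLockerPolicy -XmlPolicy .\AppLocker-Workstation.xml -Merge
sc.exe config appidsvc start= auto
Start-Service AppIDSvc

# 6. After the audit period, review what would have been blocked and fold the
#    legitimate items back into the policy before changing the mode to 'Enabled'.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited | Select-Object Path, Publisher, Hash
```

In a domain, the same XML is imported into a Group Policy Object rather than applied with Set-AppLockerPolicy on each machine; the audit-review step is where the change process in the paragraph above does its work.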
The operational overhead is real but manageable. The alternative — permitting any executable to run — is the condition that makes ransomware and malware deployment trivially easy.
Application Control and Antivirus Are Complementary
Application control does not replace antivirus or endpoint protection. Antivirus detects malicious activity in files and memory, including threats that may arrive through permitted applications — a malicious macro in an approved Office document, for example. Application control prevents unauthorised executables from running at all.
Used together, they address different attack vectors. A business relying solely on antivirus is depending entirely on that tool’s ability to identify every threat. A business with application control in place has reduced the attack surface to software it has explicitly trusted.
This series continues with Essential Eight #6: Restrict Microsoft Office Macros.
Further reading: ACSC Essential Eight, Luminol Cyber