Whitelisting can be a good way to combat new malware not yet defined for a blacklist, but "whitelisting alone is not the answer," Head says.

Kish Yerrapragada, McAfee director of product management for systems security, and formerly with Solidcore, acknowledges he's heard stories that whitelisting can seem difficult to manage over time.

Whitelisting is "dynamic, and it's a change-control problem," says Yerrapragada, who says McAfee counts about 300 customers in industry and government using its application-control software today.

To address the question of authorized and unauthorized applications, McAfee Application Control can link with management systems such as IBM Tivoli or SMS to authorize applications. He says whitelisting works particularly well as a defense for application and DNS servers and point-of-sale devices, or in highly-controlled corporate environments.

In the future, McAfee is expected to not only detail whitelisting as an added protection in its endpoint security products and other defenses, but also to show that it can be a useful in protecting virtualized applications in particular.