In contrast to blacklisting, a whitelist includes all operations and communication patterns that are authorized, and thus allowed, for an IT network or control system. The whitelist is a positive list against which communication in the network or at its perimeter is matched. If a data packet listed on the whitelist passes the network boundary, it is accepted and can be executed. Unlisted data packets or functions (e.g. software programs) cannot be executed or are blocked directly.

In the area of email, the whitelisting function is covered by the option to classify certain addresses as trustworthy (e.g. via the function "Never block sender"). Addresses on the whitelist are therefore always accepted and displayed by the mail program, independently of the contents of the individual emails. The same applies to domains on the Internet.

The advantage over blacklisting is that this method can potentially block threats or attacks that are still unknown, that is, not on any IT blacklist. However, this security aspect depends strongly on the specific technology used and the depth of its analysis. Generally, data packets are analyzed only by their metadata (sender, recipient, domain) without considering the contents of the data packet. Compromised but permitted email contacts or websites can pass through the network boundaries unimpeded, even if malicious software is hidden in the email or on the website. To achieve complete anomaly detection, the solution would have to utilize Deep Packet Inspection, which also specifically analyzes and matches the contents of a data packet.
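
The metadata-only matching described above, and the gap it leaves, as an added example that is not part of the original page: a default-deny sender whitelist, with a simple stand-in content check in place of real Deep Packet Inspection. All addresses, domains, function names and the magic-byte heuristic are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed whitelist entries (placeholders, not real hosts).
ALLOWED_SENDERS = {"billing@partner.example"}   # individual trusted addresses
ALLOWED_DOMAINS = {"corp.example"}              # whole trusted domains


@dataclass
class Message:
    sender: str
    recipient: str
    attachment: bytes = b""


def metadata_whitelisted(msg: Message) -> bool:
    """Default deny: pass only if the sender address or its exact domain is listed."""
    sender = msg.sender.strip().lower()
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        return False  # malformed addresses are never whitelisted
    # Exact comparison: "corp.example.attacker.test" must not match "corp.example".
    return sender in ALLOWED_SENDERS or domain in ALLOWED_DOMAINS


def content_suspicious(msg: Message) -> bool:
    """Stand-in for content inspection: flag attachments with the DOS/PE 'MZ' header."""
    return msg.attachment.startswith(b"MZ")


def decide(msg: Message, inspect_content: bool) -> str:
    """Return 'block', 'quarantine' or 'accept' for one message."""
    if not metadata_whitelisted(msg):
        return "block"        # unknown senders are stopped, known-bad or not
    if inspect_content and content_suspicious(msg):
        return "quarantine"   # listed sender, but the payload fails inspection
    return "accept"


if __name__ == "__main__":
    # Constructed samples: an unlisted sender, a lookalike domain, and a listed
    # but compromised contact sending an executable attachment.
    samples = [
        Message("stranger@unknown.example", "ops@corp.example"),
        Message("ceo@corp.example.attacker.test", "ops@corp.example"),
        Message("billing@partner.example", "ops@corp.example", b"MZ\x90\x00"),
    ]
    for m in samples:
        print(m.sender, decide(m, inspect_content=False), decide(m, inspect_content=True))
```

The third sample is accepted when only metadata is matched and quarantined only once the content stage is enabled.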