Dear lsi, This approach is already implemented, at least partially, to limit functionality of unknown applications. It can be found in multiple personal firewalls or things like http://www.securesize.com/GeSWall/
There is a better approach - every "good" application should be signed and unsigned applications are not allowed to run. But any approach has it's weakness. Malware code should not necessary be an executable. It can be html, doc, pdf, jpg, gif - anything that contain data processed by some trusted application. Can you make signature or sign every html or gif? -- ~/ZARAZA http://security.nnov.ru/ --Monday, January 22, 2007, 3:42:43 PM, you wrote to Full-disclosure@lists.grok.org.uk: l> This is probably patented and implemented already but nonetheless its l> a new idea for me, so I mention it... l> While mass-produced malware remains an issue for a most users, an l> significant threat is also posed by malware customised for a specific l> victim (so called 'targetted malware'). This threat is potentially l> worse as an organisation cannot rely on traditional AV or anti- l> spyware scanners to detect the targetted malware; as the malicious l> code is customised it does not have an entry in AV/AS signature l> databases. l> Despite this, detecting customised code should be easy. All that's l> needed is a scanner. It simply finds every piece of executable code l> on a system. It then compares each piece with its list of known-good l> executables. Any executable that is found but is not on the list is l> an intruder. l> This approach takes advantage of the fact that, unlike spam, we can l> make a list of all our known-good items. l> Stu l> --- l> Stuart Udall l> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/ l> --- l> * Origin: lsi: revolution through evolution (192:168/0.2) l> _______________________________________________ l> Full-Disclosure - We believe in it. l> Charter: http://lists.grok.org.uk/full-disclosure-charter.html l> Hosted and sponsored by Secunia - http://secunia.com/ -- ~/ZARAZA Бросьте стараться - ничего из этого не выйдет. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
