Hi,

What you are referring to is a 'white-list' of applications, e.g. you have an application that runs at a low level and only allows a list of approved or allowed applications to run. These do not necessarily need to scan your system as they can work at run-time - each time an application of any sort tries to run, the monitoring application checks it against its list of approved applications and decides whether it can start or not (this obviously needs to be more than just the application name; some sort of checksum and / or other intelligence is required to ensure a malicious application cannot masquerade as an approved one).

Various tools can offer this service with varying degrees of complexity / intelligence; AppSense springs to mind as one that specializes in this service, but many desktop protection tools that offer AV / firewall / IDS etc. also offer white / black list application controls.

cheers
K

On 1/22/07, lsi <[EMAIL PROTECTED]> wrote:
> This is probably patented and implemented already but nonetheless it's
> a new idea for me, so I mention it...
>
> While mass-produced malware remains an issue for most users, a
> significant threat is also posed by malware customised for a specific
> victim (so called 'targeted malware'). This threat is potentially
> worse as an organisation cannot rely on traditional AV or
> anti-spyware scanners to detect the targeted malware; as the malicious
> code is customised it does not have an entry in AV/AS signature
> databases.
>
> Despite this, detecting customised code should be easy. All that's
> needed is a scanner. It simply finds every piece of executable code
> on a system. It then compares each piece with its list of known-good
> executables. Any executable that is found but is not on the list is
> an intruder.
>
> This approach takes advantage of the fact that, unlike spam, we can
> make a list of all our known-good items.
>
> Stu
>
> ---
> Stuart Udall
> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
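
Added example, not part of the original thread and not code from any product named in it: a minimal known-good scanner of the kind discussed above, keyed on a SHA-256 of file contents rather than on the file name, so a replaced binary that keeps an approved name is still reported. The function names, the POSIX execute-bit test for "executable" and the sample files are assumptions made for the illustration.

```python
import hashlib, os, stat, tempfile

def sha256_file(path, chunk=65536):
    """Hash file contents in chunks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk_executables(root):
    """Yield regular files with any execute bit set (assumed POSIX definition)."""
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            st = os.lstat(p)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                yield p

def build_allowlist(root):
    """Record the content digest of every executable in a trusted baseline tree."""
    return {sha256_file(p) for p in walk_executables(root)}

def scan(root, allowlist):
    """Return executables whose content digest is not on the allowlist."""
    return sorted(p for p in walk_executables(root)
                  if sha256_file(p) not in allowlist)

def demo():
    """Constructed sample: one baseline tree and one live tree to compare."""
    samples = {
        "base": {"backup.sh": b"#!/bin/sh\necho backup\n"},
        "live": {"backup.sh": b"#!/bin/sh\necho changed\n",  # approved name, new content
                 "copy.sh": b"#!/bin/sh\necho backup\n",     # approved content, new name
                 "new.sh": b"#!/bin/sh\necho unknown\n"},    # never in the baseline
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in samples.items():
            os.mkdir(os.path.join(tmp, tree))
            for name, data in files.items():
                path = os.path.join(tmp, tree, name)
                with open(path, "wb") as f:
                    f.write(data)
                os.chmod(path, 0o755)
        allow = build_allowlist(os.path.join(tmp, "base"))
        return [os.path.basename(p) for p in scan(os.path.join(tmp, "live"), allow)]

if __name__ == "__main__":
    print(demo())
```

A name-only list would have passed the modified backup.sh; the digest comparison reports it alongside the unknown file, while the renamed copy of approved content is accepted.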