> For lack of a better name -- after all, this is a technology
> that has hardly been investigated -- I refer to this as
> integrity management.
> Basically you turn known virus scanning on its head to have
> the on-access scanner only allow known good code to run,
> rather than trying to do the impossible of finding all
> possible permutations of all possible (known) "bad" code.
> This can easily be done using the existing technology, but
> instead of depending on a vendor to find new bad things, add
> detection of them and ship that update _finally_ giving the
> user protection, the user supplies their own list of
> _allowable_ code and new code can be run once the
> administrator updates their own database of allowable code.
> (There are other clever things such a re-purposing of this
> technology neatly allows too -- for example, such technology
> could easily be configured to block access to all files of a
> given type; it can be easily used to track software usage for
> auditing and licensing checking; etc, etc...)
Isn't this similar to what MS do in Windows 2003/XP SP2 with Software Restriction Policies? Executables are only allowed to run provided they fit a prespecified pattern, i.e. name (not very useful), signed or not, hash of the executable.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
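The hash-rule flavour of "only allow known good code" that both messages describe can be modelled in a few dozen lines. The following is an added example, not code from either poster and not how Software Restriction Policies are implemented: it keeps an administrator-maintained JSON database of SHA-256 hashes (file name, keys and the sample "executables" are all constructed for the demo), makes an allow/deny decision per file, and walks through the update problem the quoted message mentions, namely that a modified or replaced binary is denied until the administrator re-approves it.

```python
"""Minimal hash-based allowlist ("integrity management") check.

Added example: models the on-access 'allow only known-good code' idea with an
administrator-maintained SHA-256 database. Names and sample files are
constructed for the demo; this is not the Windows SRP implementation.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    """Hash file contents in chunks so large binaries need not be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowlistDB:
    """Administrator-maintained database of known-good code hashes (JSON on disk)."""

    def __init__(self, db_path: str):
        self.db_path = db_path
        self.entries = {}  # sha256 hex digest -> administrator's note
        self.reload()

    def reload(self) -> None:
        """Re-read the database; a missing file means 'nothing is allowed yet'."""
        if os.path.exists(self.db_path):
            with open(self.db_path, "r", encoding="utf-8") as f:
                self.entries = json.load(f)
        else:
            self.entries = {}

    def approve(self, path: str, note: str = "") -> str:
        """Admin action: record the current hash of a reviewed file as allowed."""
        digest = sha256_file(path)
        self.entries[digest] = note or os.path.basename(path)
        with open(self.db_path, "w", encoding="utf-8") as f:
            json.dump(self.entries, f, indent=2, sort_keys=True)
        return digest

    def decide(self, path: str):
        """On-access decision: ALLOW only if the file's current hash is in the DB.

        The file name plays no part, which is what makes name rules weak and
        hash rules strict: any change to the bytes yields a DENY."""
        if not os.path.isfile(path):
            return ("DENY", "not a regular file")
        digest = sha256_file(path)
        note = self.entries.get(digest)
        if note is None:
            return ("DENY", f"sha256 {digest[:12]}... not in allowlist")
        return ("ALLOW", f"matches allowlist entry '{note}'")


def demo() -> dict:
    """Scenario: unknown code denied, approved code allowed, modified code
    denied again until the administrator re-approves the new hash."""
    with tempfile.TemporaryDirectory() as tmp:
        db = AllowlistDB(os.path.join(tmp, "allowlist.json"))
        good = os.path.join(tmp, "tool.exe")   # constructed sample "executable"
        other = os.path.join(tmp, "new.exe")   # constructed sample, never approved
        with open(good, "wb") as f:
            f.write(b"MZ-constructed-sample-binary-v1")
        with open(other, "wb") as f:
            f.write(b"MZ-constructed-sample-binary-unknown")

        results = {}
        results["unknown_before"] = db.decide(good)[0]
        db.approve(good, "tool.exe v1 reviewed by admin")
        results["approved"] = db.decide(good)[0]
        results["never_approved"] = db.decide(other)[0]
        with open(good, "ab") as f:            # binary modified or replaced in place
            f.write(b"-patched")
        results["modified"] = db.decide(good)[0]
        db.approve(good, "tool.exe v2 reviewed by admin")
        results["reapproved"] = db.decide(good)[0]
        # a fresh reader (another process, a reboot) loads the same decisions from disk
        results["persisted"] = AllowlistDB(db.db_path).decide(good)[0]
        return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:16s} {verdict}")
```

The "modified" step is the operational cost of hash rules that the quoted message glosses over: every legitimate update changes the hash, so the administrator's approval workflow has to keep pace, which is why signature-based rules (allowing anything signed by a trusted publisher) are usually combined with hash rules in practice.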
