Vanja Svacjer Sophos
Traditionally, protection against malicious software has relied on the known bad characteristic of file structure, functionality in the code and the exhibited behaviour. Soon after traditional anti-virus vendors started dealing with potentially unwanted applications (PUA), it became clear that the concept can be easily extended to other, fully legitimate applications that may cause decrease in productivity or provide a vector for information leakage (IM clients, VoIP programs and games). If the 'detect and authorise' approach can be applied to some, why not to all applications?
As it is fairly safe to say that the number of existing malicious programs is approaching a million, the inevitable question comes to mind - would it be possible to provide comprehensive protection against malicious software by detecting a set of known good characteristics of file structure, functionality and behaviour instead of the know bad ones? The concept is already used by client firewalls when blocking outgoing network requests and limiting the behaviour of an unauthorised program.
At first, this approach seems very appealing, but it brings its own set of problems, concentrated around completeness of the detection set, management of new application versions and updates, verification of integrity of the controlled applications and reliance on the end-user to make an informed decision.
This paper investigates the feasibility of using application control for malware protection. The concept is evaluated by looking into known classes of malware, a set of representative samples and the results of the applying application control on the quality of protection against the chosen sample set. The paper also investigates other problems of application control implementation and discusses potential solutions.
