Application control for malware protection

Vanja Svajcer, Sophos

Traditionally, protection against malicious software has relied on known-bad characteristics of file structure, functionality in the code and exhibited behaviour. Soon after traditional anti-virus vendors started dealing with potentially unwanted applications (PUA), it became clear that the concept can easily be extended to other, fully legitimate applications that may cause a decrease in productivity or provide a vector for information leakage (IM clients, VoIP programs and games). If the 'detect and authorise' approach can be applied to some applications, why not to all of them?

As it is fairly safe to say that the number of existing malicious programs is approaching a million, the inevitable question comes to mind: would it be possible to provide comprehensive protection against malicious software by detecting a set of known-good characteristics of file structure, functionality and behaviour instead of the known-bad ones? The concept is already used by client firewalls when blocking outgoing network requests and limiting the behaviour of an unauthorised program.

At first, this approach seems very appealing, but it brings its own set of problems, concentrated around completeness of the detection set, management of new application versions and updates, verification of integrity of the controlled applications and reliance on the end-user to make an informed decision.

This paper investigates the feasibility of using application control for malware protection. The concept is evaluated by looking into known classes of malware, a set of representative samples and the effect of applying application control on the quality of protection against the chosen sample set. The paper also investigates other problems of application control implementation and discusses potential solutions.
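To make the 'detect and authorise' model concrete, the following is an added Python example; it is not code from the paper or from Sophos. It implements a deny-by-default, hash-based allowlist in which a program may run only if the SHA-256 digest of its contents is already known good. The file contents, paths and the administrator approval step are constructed for illustration. The walkthrough shows three of the problems the abstract lists: a legitimate new version is blocked until the policy is updated, a tampered copy of an approved program is blocked because its digest no longer matches, and an unknown download is blocked and queued for a human decision.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed stand-ins for executable file contents. A real agent would read
# the bytes of the file that is about to execute; these are not real binaries.
EDITOR_V1_0 = b"MZ\x90\x00 editor 1.0"
EDITOR_V1_1 = b"MZ\x90\x00 editor 1.1"             # legitimate update, not yet authorised
EDITOR_V1_0_TAMPERED = EDITOR_V1_0 + b"\x00patch"  # same file name, altered contents
DOWNLOADED_BIN = b"MZ\x90\x00 something from the web"


def sha256_hex(data: bytes) -> str:
    """Known-good identity of a file: the SHA-256 digest of its contents."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ApplicationControl:
    """Deny-by-default policy: a program runs only if its digest is known good."""
    allowed: Set[str] = field(default_factory=set)         # known-good digests
    pending: Dict[str, str] = field(default_factory=dict)  # digest -> path awaiting a decision

    def authorise(self, path: str, data: bytes) -> str:
        digest = sha256_hex(data)
        if digest in self.allowed:
            return "allow"
        # Anything not on the list is blocked, whether it is malware, an
        # unapproved new version of a trusted program, or a tampered copy of
        # an approved one; the digest is queued so an administrator can decide.
        self.pending.setdefault(digest, path)
        return "deny"

    def approve(self, digest: str) -> bool:
        """Administrator (or, in a weaker deployment, the end user) authorises a queued digest."""
        if digest not in self.pending:
            return False
        del self.pending[digest]
        self.allowed.add(digest)
        return True


def walkthrough() -> Dict[str, str]:
    """Run the four constructed files through the policy and return the decisions."""
    ac = ApplicationControl(allowed={sha256_hex(EDITOR_V1_0)})
    editor_path = "C:/Program Files/Editor/editor.exe"      # constructed path
    download_path = "C:/Users/bob/Downloads/setup.exe"      # constructed path
    decisions = {
        "editor 1.0 (authorised)": ac.authorise(editor_path, EDITOR_V1_0),
        "editor 1.1 (update)": ac.authorise(editor_path, EDITOR_V1_1),
        "editor 1.0 (tampered)": ac.authorise(editor_path, EDITOR_V1_0_TAMPERED),
        "downloaded binary": ac.authorise(download_path, DOWNLOADED_BIN),
    }
    # The update is legitimate, so the administrator approves it after review;
    # the tampered copy and the download stay blocked and stay in the queue.
    ac.approve(sha256_hex(EDITOR_V1_1))
    decisions["editor 1.1 (after approval)"] = ac.authorise(editor_path, EDITOR_V1_1)
    decisions["still pending"] = ", ".join(sorted(ac.pending.values()))
    return decisions


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:30} {verdict}")
```

The queue is where the management burden of the approach lives: every vendor update produces a new digest that a person has to vet, and the policy is only as complete as the inventory used to seed it. Pushing that decision to the end user, as the abstract notes, turns the allowlist into a prompt the user can simply click through.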

Virus Bulletin