Idea: karma-based executable blocking

Discussion in 'other anti-malware software' started by Gullible Jones, Mar 2, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Inspired by Firefox's KarmaFilter extension, which was in turn inspired by SpamAssassin and suchlike. The idea is that various information about an executable file can count against it for a certain number of points. Too many points, and the OS won't execute it.

    e.g. maybe something like this, with a "cutoff" of 10 points before the EXE is blocked:
    - No digital signature: +3 points
    - No ASLR: +3 points
    - No program icon: +2 points
    - Packed executable: +8 points
    - Build date more than 3 years old: +4 points
    - Missing author/version info: +3 points
    - Digital signature does not match author/version: never execute!
    (Obviously there could be other stuff, but you get the idea...)

So, your typical Cygwin executable would be
    - No digital sig (3)
    - No ASLR (3)
    - No icon (2)
    --> 8 points, barely makes it.

    Whereas most malware droppers I've seen would easily have more than 10 points. (No digital sig, no ASLR, packed, fake build date...)

    What's the advantage vs. a normal antivirus or HIPS? Well...

    vs. antivirus: all of the above data can be gotten without any in-depth code analysis. So it would be faster to look at executables, and probably less prone to attack than AV engines. Also just a lot simpler.

    vs. HIPS: not whitelist based, more set-and-forget.

    This would probably best be implemented with a driver and service, in order to have a (small) chance of blocking payloads. But I think it would be reasonable to make it an Explorer shell extension, or something like that. The main idea is not to block exploit payloads; it's to prevent a user from unwittingly installing a trojan horse. Which, in my experience, is a very common occurrence.

    Sound reasonable?
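As an added illustration (not the poster's code or any product's), here is the point scheme from the post in Python: a minimal PE header reader pulls the ASLR flag, the Authenticode directory and the build timestamp straight from the headers, while the icon, version-info and packing findings are supplied by the caller. Assumed here: a total at or above the cutoff blocks, and "signed" is approximated by the presence of a security directory entry rather than a verified signature; the header bytes are constructed for the example.

```python
import struct
# Point table copied from the post; CUTOFF is the block threshold.
CUTOFF = 10
POINTS = {"no_signature": 3, "no_aslr": 3, "no_icon": 2,
          "packed": 8, "older_than_3y": 4, "no_version_info": 3}
THREE_YEARS = 3 * 365 * 86400
DYNAMIC_BASE = 0x0040            # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)

def pe_header_facts(data: bytes) -> dict:
    """Read the header fields the scheme needs; no code analysis involved."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]       # TimeDateStamp
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]       # DllCharacteristics
    dirs = opt + (96 if magic == 0x10B else 112)                  # PE32 vs PE32+
    sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)[1]
    return {"timestamp": timestamp, "aslr": bool(dll_chars & DYNAMIC_BASE),
            "signed": sec_size > 0}                               # presence only, not verified

def score(facts: dict, now: int):
    """Sum the points; a mismatched signature is a hard block regardless of total."""
    if facts.get("signature_mismatch"):
        return CUTOFF, "block"
    hits = {"no_signature": not facts["signed"], "no_aslr": not facts["aslr"],
            "older_than_3y": now - facts["timestamp"] > THREE_YEARS,
            "no_icon": not facts.get("icon", True),                # icon, version info and
            "no_version_info": not facts.get("version_info", True),  # packing are caller-
            "packed": facts.get("packed", False)}                  # supplied findings here
    total = sum(POINTS[k] for k, hit in hits.items() if hit)
    return total, ("block" if total >= CUTOFF else "allow")        # assumed: >= cutoff blocks

def fake_pe(aslr: bool, signed: bool, timestamp: int) -> bytes:
    """Constructed PE32 header only (not a runnable binary), to exercise the parser."""
    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE if aslr else 0)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x1000, 0x800 if signed else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

NOW = 1425254400                                    # 2 Mar 2015, fixed so the examples are stable
cygwin = {**pe_header_facts(fake_pe(False, False, NOW - 86400)), "icon": False}          # 8, allow
dropper = {**pe_header_facts(fake_pe(False, False, NOW - 5 * 365 * 86400)), "packed": True}  # 18, block
```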
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
That's how reputation systems work. Trend became VERY effective in recent incarnations largely because of DNA, and Reputation types of systems. A file has to pass a wide variety of 'conditions' before it can pass through the reputation engine of Trend, and some of those are exactly conditionals you describe. This is why I keep saying going forward, the only solutions I am interested in deploying are reputation/karma/DNA types of systems. I don't trust raw signature and heuristic products any longer.
     
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Are there any such products available?
     
  4. guest

    guest Guest

  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Trend 2015, Norton 2015 come to mind as the most potent in this area. Also F-Secure (Deepguard), and a few others. I put my trust in Trend or Norton for the reasons you cite, both have strong karma based type engines IMO.
     