Idea: karma-based executable blocking

Discussion in 'other anti-malware software' started by Gullible Jones, Mar 2, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    Inspired by Firefox's KarmaFilter extension, which was in turn inspired by SpamAssassin and suchlike. The idea is that various information about an executable file can count against it for a certain number of points. Too many points, and the OS won't execute it.

    e.g. maybe something like this, with a "cutoff" of 10 points before the EXE is blocked:
    - No digital signature: +3 points
    - No ASLR: +3 points
    - No program icon: +2 points
    - Packed executable: +8 points
    - Build date more than 3 years old: +4 points
    - Missing author/version info: +3 points
    - Digital signature does not match author/version: never execute!
    (Obviously there could be other stuff, but you get the idea...)

So, your typical Cygwin executable would be:
    - No digital sig (3)
    - No ASLR (3)
    - No icon (2)
    --> 8 points, barely makes it.

    Whereas most malware droppers I've seen would easily have more than 10 points. (No digital sig, no ASLR, packed, fake build date...)

    What's the advantage vs. a normal antivirus or HIPS? Well...

    vs. antivirus: all of the above data can be gotten without any in-depth code analysis. So it would be faster to look at executables, and probably less prone to attack than AV engines. Also just a lot simpler.

    vs. HIPS: not whitelist based, more set-and-forget.

    This would probably best be implemented with a driver and service, in order to have a (small) chance of blocking payloads. But I think it would be reasonable to make it an Explorer shell extension, or something like that. The main idea is not to block exploit payloads; it's to prevent a user from unwittingly installing a trojan horse. Which, in my experience, is a very common occurrence.

    Sound reasonable?
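As an added illustration of the scheme described in the post above (this is example code written for this page, not the poster's or any product's implementation), the script below reads the handful of PE header fields the proposed rules depend on, sums the post's point values, and applies the cutoff. The point values are the post's; everything else is this example's own simplification: "no signature" only tests whether a certificate table is present (it does not verify it), "no icon" is approximated by the absence of any resource table, and "packed" is approximated by a section whose byte entropy exceeds 7.0. The sample images are constructed in the script so it runs offline.

```python
"""Karma-style scoring of a Windows executable from static PE header facts."""
import math
import struct
import time

# Points per condition, as proposed in the post; the version-info check is left to
# a richer extractor (it needs a walk of the resource tree), so it only fires when
# a caller supplies that key.
RULES = {"no_signature": 3, "no_aslr": 3, "no_icon": 2,
         "packed": 8, "stale_build": 4, "no_version_info": 3}
CUTOFF = 10                        # assumption: reaching 10 points blocks
STALE_AFTER = 3 * 365 * 86400      # "more than 3 years old", in seconds
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
DIR_RESOURCE, DIR_SECURITY = 2, 4  # data-directory indices (resources, certificate table)
NOW = 1_700_000_000                # fixed "current time" so the samples are deterministic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(blob: bytes, now=None) -> dict:
    """Read the PE fields the rules need: DllCharacteristics, data directories,
    COFF timestamp and per-section raw data."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", blob, opt + 0x46)[0]   # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)                 # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", blob, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", blob, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    dir_size = lambda i: dirs[i][1] if i < len(dirs) else 0
    sect_off = opt + opt_size                                   # section table follows
    max_entropy = 0.0
    for i in range(nsections):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sect_off + 40 * i)
        max_entropy = max(max_entropy, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]))
    now = time.time() if now is None else now
    return {
        "no_signature": dir_size(DIR_SECURITY) == 0,
        "no_aslr": not (dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "no_icon": dir_size(DIR_RESOURCE) == 0,   # coarse proxy: no resource table at all
        "packed": max_entropy > 7.0,
        "stale_build": now - timestamp > STALE_AFTER,
    }


def karma_score(features: dict) -> int:
    return sum(pts for name, pts in RULES.items() if features.get(name))


def verdict(features: dict):
    """Return ('block'|'allow', score). A signature/author mismatch is the post's
    hard rule and blocks regardless of score."""
    score = karma_score(features)
    if features.get("signature_mismatch") or score >= CUTOFF:
        return "block", score
    return "allow", score


def build_sample_pe(aslr, signed, resources, section: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE32 image (headers plus one section) used as sample input."""
    e_lfanew, opt_size, nsect = 0x40, 96 + 16 * 8, 1
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, timestamp, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * nsect
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 0x46, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0)
    struct.pack_into("<I", opt, 92, 16)                          # 16 data directories
    if resources:
        struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, 0x3000, 0x100)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, raw_ptr + len(section), 0x400)
    sect = struct.pack("<8sIIII", b".text", len(section), 0x1000, len(section), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + section


def cygwin_like_features() -> dict:
    """The post's Cygwin case: unsigned, no ASLR, no resources, plain code, recent build."""
    blob = build_sample_pe(False, False, False, b"\x90" * 64 + b"hello\0", NOW - 86400)
    return extract_features(blob, now=NOW)


def dropper_like_features() -> dict:
    """The post's dropper case: additionally packed (entropy 8.0) and a stale build date."""
    blob = build_sample_pe(False, False, False, bytes(range(256)) * 16, NOW - 4 * 365 * 86400)
    return extract_features(blob, now=NOW)


if __name__ == "__main__":
    for name, feats in (("cygwin-like", cygwin_like_features()), ("dropper-like", dropper_like_features())):
        print(name, verdict(feats), {k for k, v in feats.items() if v})
```

Run on the constructed samples, the Cygwin-like image scores 8 and is allowed while the dropper-like one scores 20 and is blocked, matching the arithmetic in the post. The detection side is deliberately cheap (no disassembly, a single pass over the headers and section bytes), which is the property the post argues for; the price is that every proxy here (certificate table present, resource table present, entropy threshold) is something a build toolchain can satisfy, so in practice the scores are a triage signal rather than a verdict on their own.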
  2. Mayahana

    Mayahana Banned

    Sep 13, 2014
    That's how reputation systems work. Trend became VERY effective in recent incarnations largely because of DNA and Reputation types of systems. A file has to pass a wide variety of 'conditions' before it can pass through the reputation engine of Trend, and some of those are exactly the conditionals you describe. This is why I keep saying going forward, the only solutions I am interested in deploying are reputation/karma/DNA types of systems. I don't trust raw signature and heuristic products any longer.
  3. TomAZ

    TomAZ Registered Member

    Feb 27, 2010
    Are there any such products available?
  4. guest

    guest Guest

  5. Mayahana

    Mayahana Banned

    Sep 13, 2014
    Trend 2015, Norton 2015 come to mind as the most potent in this area. Also F-Secure (Deepguard), and a few others. I put my trust in Trend or Norton for the reasons you cite, both have strong karma based type engines IMO.