Hi, sorry for this crazy question.

As I see it, to deny one program from running and executing another program there are two ways:

1) The way GSS works: hook/handle the correct functions/events and display a prompt (sorry, but I am not very technical).

2) The second way could be to scan and change the executable so as to remove calls to API functions which could run an external process.

My world is mostly EXEs and DLLs, so I will give a similar example. If a program wants to load a DLL called "run_process.dll" and call a function "execute", then maybe, without changes to the exe, I could put my own "run_process.dll" in its place with exactly the same function "execute". Then this exe will load my DLL, and my DLL will allow/deny or ask what to do. If "execute" is allowed, then my DLL will call the original "run_process.dll".

I know it is not a simple answer. My knowledge in this area is very limited. I understand that there could be many complications; the world is not only EXEs and DLLs.

I see some advantages like:

- Full-time monitoring will not be necessary; once all binaries are changed, it becomes very clear which program can run another program, which program can access the internet, etc.
- A virus can't attack or stop the GSS process. A virus can't change the GSS settings and say "virus executable has full rights without logging" (not sure if that is possible now with full-time monitoring).

Maybe there are many positives and negatives for both case 1) and case 2). Or maybe case 2) is not possible. I would be glad if someone could explain to me the real reasons why all antivirus software uses run-time / full-time protection. From my point of view, it is not a completely crazy idea.

I did read about using a sandbox to isolate viruses, etc. So I was thinking of something similar but without the performance problems; it looks like a sandbox in some cases is a complete virtual machine with a separate OS installation.

Thank you very much.