Inspired by Firefox's KarmaFilter extension, which was in turn inspired by SpamAssassin and suchlike. The idea is that various information about an executable file can count against it for a certain number of points. Too many points, and the OS won't execute it.

e.g. maybe something like this, with a "cutoff" of 10 points before the EXE is blocked:

- No digital signature: +3 points
- No ASLR: +3 points
- No program icon: +2 points
- Packed executable: +8 points
- Build date more than 3 years old: +4 points
- Missing author/version info: +3 points
- Digital signature does not match author/version: never execute!

(Obviously there could be other stuff, but you get the idea...)

So, your typical Cygwin executable would be: no digital sig (3), no ASLR (3), no icon (2) --> 8 points, barely makes it. Whereas most malware droppers I've seen would easily have more than 10 points. (No digital sig, no ASLR, packed, fake build date...)

What's the advantage vs. a normal antivirus or HIPS? Well...

vs. antivirus: all of the above data can be gotten without any in-depth code analysis. So it would be faster to look at executables, and probably less prone to attack than AV engines. Also just a lot simpler.

vs. HIPS: not whitelist based, more set-and-forget.

This would probably best be implemented with a driver and service, in order to have a (small) chance of blocking payloads. But I think it would be reasonable to make it an Explorer shell extension, or something like that. The main idea is not to block exploit payloads; it's to prevent a user from unwittingly installing a trojan horse. Which, in my experience, is a very common occurrence.

Sound reasonable?
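As an added illustration of the scoring idea above (example code, not from the original post or from KarmaFilter): the rule table uses the weights listed in the post, the features are pulled straight from the PE/COFF headers with no code analysis, and the two "executables" are constructed in memory so it runs offline. Assumptions that are mine rather than the post's: reaching the cutoff blocks (8 points still passes); "packed" is approximated by a UPX-style section name or a section whose byte entropy is above 7.0 bits; "no icon" is approximated by the absence of a resource directory; a zero or future timestamp counts as a fake build date; version-info detection and the signature-mismatch check are left as inputs for a resource-tree walker and an Authenticode verifier, which this example does not implement.

```python
"""Point-based pre-execution risk scoring over PE headers (added example).

Rule weights follow the forum post; field offsets are the documented
PE/COFF layout; the sample images below are constructed, not real binaries.
"""
import math
import random
import struct
from datetime import datetime, timezone

# Rule table from the post: feature -> points; None means "never execute".
RULES = {
    "no_signature": 3,
    "no_aslr": 3,
    "no_icon": 2,
    "packed": 8,
    "stale_build": 4,
    "no_version_info": 3,
    "signature_mismatch": None,
}
CUTOFF = 10  # assumption: reaching the cutoff blocks, 8 still "makes it"

DYNAMIC_BASE = 0x0040              # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
DIR_RESOURCE, DIR_SECURITY = 2, 4  # data directory indices
THREE_YEARS = 3 * 365 * 86400


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(pe: bytes, now: datetime) -> dict:
    """Read only the header fields the rules need; no code analysis."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]

    def dir_size(i):
        return 0 if i >= ndirs else struct.unpack_from("<II", pe, dirs + 8 * i)[1]

    packed, sect = False, opt + opt_size
    for _ in range(nsections):
        name = pe[sect:sect + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + 16)
        if name.startswith(b"UPX") or shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]) > 7.0:
            packed = True
        sect += 40

    age = (now - datetime.fromtimestamp(timestamp, tz=timezone.utc)).total_seconds()
    return {
        "no_signature": dir_size(DIR_SECURITY) == 0,
        "no_aslr": not dll_chars & DYNAMIC_BASE,
        "no_icon": dir_size(DIR_RESOURCE) == 0,  # approximation: no resource dir at all
        "no_version_info": False,                # needs an RT_VERSION resource walk
        "stale_build": timestamp == 0 or age < 0 or age > THREE_YEARS,
        "signature_mismatch": False,             # needs Authenticode verification
        "packed": packed,
    }


def score(features: dict) -> tuple:
    """Sum the points of every triggered rule; a None-weight rule is a hard block."""
    points, hard_block = 0, False
    for name, weight in RULES.items():
        if features.get(name):
            if weight is None:
                hard_block = True
            else:
                points += weight
    return points, hard_block


def verdict(features: dict) -> str:
    points, hard_block = score(features)
    return "block" if hard_block or points >= CUTOFF else "allow"


def build_sample_pe(timestamp, dll_chars, section_name, section_data, signed, has_resources):
    """Constructed minimal PE32 image: DOS header, COFF header, optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if has_resources:
        struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, 0x3000, 0x200)
    if signed:  # header entry only; a real check verifies the Authenticode blob
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, raw_ptr + len(section_data), 0x800)
    section = section_name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + section + section_data


NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)  # constructed reference date
_rng = random.Random(7)
CYGWIN_LIKE = build_sample_pe(int(datetime(2011, 1, 15, tzinfo=timezone.utc).timestamp()), 0,
                              b".text", b"\x55\x89\xe5" * 200, signed=False, has_resources=False)
DROPPER_LIKE = build_sample_pe(0, 0, b"UPX1", bytes(_rng.randrange(256) for _ in range(4096)),
                               signed=False, has_resources=False)
SIGNED_LIKE = build_sample_pe(int(datetime(2011, 3, 1, tzinfo=timezone.utc).timestamp()),
                              DYNAMIC_BASE, b".text", b"\x55\x89\xe5" * 200, signed=True, has_resources=True)


def assess(pe: bytes, now: datetime = NOW) -> tuple:
    features = extract_features(pe, now)
    return score(features)[0], verdict(features)


if __name__ == "__main__":
    for label, pe in (("cygwin-like", CYGWIN_LIKE), ("dropper-like", DROPPER_LIKE), ("signed", SIGNED_LIKE)):
        print(label, assess(pe))
```

The Cygwin-like image scores the post's 8 (unsigned, no ASLR, no icon) and is allowed; the dropper-like image adds packing and a bogus build date and lands at 20. Note what the header-only approach cannot see: a dropper that is signed with a stolen or throwaway certificate, opts in to ASLR, ships an icon and is not packed scores 0 here, which is why the hard-block rule for a signature that does not match the claimed author matters more than any of the additive weights.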