Abstract
A system and method for creating, maintaining and enforcing an authorized system state through the use of policies that prohibit and/or authorize both the writing and execution of executable files is presented. Executable code that is attempting to execute is intercepted and suspended by a kernel-level file filter driver. A file signature is used to uniquely identify the executable code file at time of execution. Policies either allow the file to execute, prohibit the file from executing, allow the file to write executable code to disk while recording all file write activity conducted, prohibit the file from writing executable code to disk, or are created at the time of execution by prompting administrators to establish policy for the file.
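The decision logic the abstract describes (intercept, compute a file signature, consult the policy, and either allow, deny, record writes, or prompt an administrator to create a policy) is small enough to model end to end. The following is an added illustration, not code from the patent or any product implementing it: it is a user-space model of the policy engine rather than a kernel-level filter driver, it assumes SHA-256 as the file signature, and the "files", paths and administrator callback are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    ALLOW_EXECUTE = "allow-execute"
    DENY_EXECUTE = "deny-execute"
    ALLOW_WRITE_RECORDED = "allow-write-recorded"   # write permitted, every write logged
    DENY_WRITE = "deny-write"


@dataclass
class Policy:
    """Per-signature policy: one execute decision and one write decision."""
    execute: Action   # ALLOW_EXECUTE or DENY_EXECUTE
    write: Action     # ALLOW_WRITE_RECORDED or DENY_WRITE


def file_signature(contents: bytes) -> str:
    """Uniquely identify an executable by content (assumption: SHA-256 of the bytes)."""
    return hashlib.sha256(contents).hexdigest()


@dataclass
class PolicyEngine:
    # signature -> Policy; the enforced "authorized system state"
    policies: Dict[str, Policy] = field(default_factory=dict)
    # audit trail of recorded executable writes: (writer path, writer sig, target path, target sig)
    write_log: List[Tuple[str, str, str, str]] = field(default_factory=list)
    # hypothetical admin prompt: called for unknown signatures to create a policy at execution time
    prompt_admin: Optional[Callable[[str, str], Policy]] = None

    def _policy_for(self, sig: str, path: str) -> Policy:
        pol = self.policies.get(sig)
        if pol is None:
            if self.prompt_admin is None:
                # no administrator available: fail closed
                return Policy(Action.DENY_EXECUTE, Action.DENY_WRITE)
            pol = self.prompt_admin(sig, path)   # policy created at time of execution
            self.policies[sig] = pol             # and remembered for subsequent decisions
        return pol

    def on_execute(self, path: str, contents: bytes) -> Action:
        """Called where the filter driver has suspended an execution attempt."""
        return self._policy_for(file_signature(contents), path).execute

    def on_write_executable(self, writer_path: str, writer_contents: bytes,
                            target_path: str, target_contents: bytes) -> Action:
        """Called when a running program attempts to write executable code to disk."""
        sig = file_signature(writer_contents)
        pol = self._policy_for(sig, writer_path)
        if pol.write is Action.ALLOW_WRITE_RECORDED:
            self.write_log.append((writer_path, sig, target_path, file_signature(target_contents)))
        return pol.write


# Constructed sample "executables" (not real binaries).
TRUSTED_INSTALLER = b"MZ-constructed-installer-v1"
UNKNOWN_TOOL = b"MZ-constructed-unknown-tool"
BLOCKED_BINARY = b"MZ-constructed-blocked"
DROPPED_FILE = b"MZ-constructed-dropped-payload"


def build_engine() -> PolicyEngine:
    """Engine pre-seeded with policies for two known files; unknown files go to the admin prompt."""
    def admin_prompt(sig: str, path: str) -> Policy:
        # Constructed administrator answer: unknown code may run but may not write executables.
        return Policy(Action.ALLOW_EXECUTE, Action.DENY_WRITE)

    engine = PolicyEngine(prompt_admin=admin_prompt)
    engine.policies[file_signature(TRUSTED_INSTALLER)] = Policy(
        Action.ALLOW_EXECUTE, Action.ALLOW_WRITE_RECORDED)
    engine.policies[file_signature(BLOCKED_BINARY)] = Policy(
        Action.DENY_EXECUTE, Action.DENY_WRITE)
    return engine


if __name__ == "__main__":
    eng = build_engine()
    print(eng.on_execute("C:/setup/installer.exe", TRUSTED_INSTALLER))
    print(eng.on_write_executable("C:/setup/installer.exe", TRUSTED_INSTALLER,
                                  "C:/app/app.exe", DROPPED_FILE))
    print(eng.on_execute("C:/tmp/unknown.exe", UNKNOWN_TOOL))   # triggers the admin prompt
    print(eng.on_execute("C:/tmp/blocked.exe", BLOCKED_BINARY))
    print(eng.write_log)
```

The engine keys every decision on the content hash rather than the path, so renaming or moving a binary does not change its policy, and the recorded write log lets an administrator later reconstruct which authorized program introduced each new executable onto disk.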