
Execution prevention and cybersecurity

As of BlackFog 4.2 we offer a new feature called “execution prevention” within the settings. This option provides a new technique for preventing malware execution.

Typically, organizations and older editions of BlackFog used a whitelisting approach whereby execution of rogue malware was prevented by blocking execution in specific directories such as temporary folders or application data directories. Whilst very effective at preventing malware, the downside was that many legitimate applications often used these locations as well. Even though this is against guidelines, even applications from companies like Google, and Microsoft’s own applications, sometimes did this. This meant that when you installed a new application that used these directories you had to whitelist the files. This was too invasive for many users, so we developed a new approach.

We eliminated whitelisting in favor of process monitoring and application validation. This is a behavioral technique for detecting malicious activity. The principle behind this technique is that malware often masquerades as other applications, spawns from system processes and executes in certain ways. In these scenarios we introspect all the processes to see if they are being hijacked, replicated or simply spoofed. As with the data exfiltration rules, this is done in real-time.

Ultimately this will lead to fewer false positives and ensure more accurate protection than whitelisting can ever provide. In addition, this will protect execution across the entire device rather than specific directories.
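To make the contrast concrete, the following is an added example, not BlackFog's code or implementation. It runs a directory-based rule and a simple masquerading check over the same constructed process events. The baseline table, event fields, and paths such as `ExampleApp` are assumptions chosen for illustration.

```python
from ntpath import basename, dirname  # Windows path parsing that works on any OS

# Directory-based rule: block execution from these locations (the older approach).
BLOCKED_DIRS = ("\\appdata\\", "\\temp\\")

# Assumed baseline for this example: expected folder and parent of system binaries.
SYSTEM_BASELINE = {
    "svchost.exe": ("c:\\windows\\system32", "services.exe"),
    "services.exe": ("c:\\windows\\system32", "wininit.exe"),
    "lsass.exe": ("c:\\windows\\system32", "wininit.exe"),
}

def directory_rule(event):
    """True if the image path falls under a blocked directory."""
    image = event["image"].lower()
    return any(d in image for d in BLOCKED_DIRS)

def behavior_rule(event):
    """Return reasons a process looks spoofed; an empty list means no finding."""
    image = event["image"].lower()
    name, parent = basename(image), basename(event["parent"].lower())
    reasons = []
    if name in SYSTEM_BASELINE:
        folder, expected_parent = SYSTEM_BASELINE[name]
        if dirname(image) != folder:
            reasons.append("system binary name outside its expected folder")
        if parent != expected_parent:
            reasons.append("unexpected parent process")
    return reasons

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\ExampleApp\update.exe",
     "parent": r"C:\Program Files\ExampleApp\app.exe"},
    {"image": r"C:\ProgramData\svchost.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

def compare(events):
    """Pair each image with (directory verdict, behavior findings)."""
    return [(e["image"], directory_rule(e), behavior_rule(e)) for e in events]

if __name__ == "__main__":
    for image, blocked, reasons in compare(EVENTS):
        print(f"{image}: directory_rule={blocked} behavior_rule={reasons}")
```

The directory rule blocks the legitimate updater and misses the spoofed `svchost.exe`, while the behavior check does the opposite on both and leaves the genuine system process alone.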

The post Execution prevention and cybersecurity appeared first on BlackFog.



This post first appeared on Cyber Privacy; please read the original post: here
