In its current form it's nearly useless. Its design is wrong and it doesn't provide the expected protection (and generates way too many warnings). Now I got another idea. You seem to refuse heuristics, which is logical. You need extensive knowledge in this area to avoid false positives and to make heuristics effective. But here is the trick. Forget about heuristics for now and focus on Blocker.
It will be much easier to upgrade it (unlike heuristics), plus it will provide higher protection right away without many false positives.
At the moment, Blocker protects files that are usually malware (COM, SCR, EXE) instead of preventing such files from performing actions.
This is what I learned from McAfee VSE 8.0i Access Protection, and I found it to be extremely effective and with nearly zero false positives.
For example, you set such a rule:
Now this rule will block all actions performed by a .PIF file.
So if a PIF file attempts to execute itself, execution will be blocked.
If a .PIF file attempts to erase other files, the PIF file will be blocked from doing that.
It will also be blocked from creating any other files.
You can specify the area to protect and the processes that are affected.
The same can be done for any other filetype (like COM, SCR, VBS...).
The only thing that needs to be changed is how to react to such events.
One should be Ask (ask if you allow execution/creation/deletion etc.), one should be Silent mode (block and don't warn+log action), and the last should just log the action and do nothing.
I tried McAfee VSE rule blocking and it really worked great. For example, PIF files are useless on NT systems, so you can block them all without any problems (PIFs are commonly used for malware).
So PIF files cannot do anything on the system.
SCR files, for example, could have a rule that allows them to be executed, but they can't modify or create other files (why should a screensaver modify or create new files anyway?). An Ask rule for VBS files, and so on.
Kaspersky 2006 will also use such a technique to proactively protect systems; McAfee VSE 8.0i already uses it.
This is a cheap way to increase security while avoiding complicated heuristics that require lots of work to implement. Blocker is already there, you just need to improve it a bit. If implemented properly, you shouldn't get many false positives either.
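The rule model proposed in the post above, sketched as an added example; it is not part of the original post and is not McAfee's, Kaspersky's or the Blocker's own code. The names `Rule`, `RULES` and `decide`, the sample paths and the `.com` log-only rule are hypothetical, and Silent mode is read here as "block without a prompt, but log".

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

OPS = frozenset({"execute", "create", "modify", "delete"})

@dataclass(frozen=True)
class Rule:
    ext: str          # extension of the file that performs the action
    ops: frozenset    # operations the rule applies to
    reaction: str     # "ask", "silent" or "log"

# Constructed rule set following the post's examples; first match wins.
RULES = [
    Rule(".pif", OPS, "silent"),                              # PIF may do nothing
    Rule(".scr", frozenset({"create", "modify"}), "silent"),  # may still execute
    Rule(".vbs", OPS, "ask"),
    Rule(".com", frozenset({"create"}), "log"),               # constructed log-only rule
]

def decide(actor, op, log, ask=lambda actor, op: False):
    """Return True if `actor` may perform `op`; append an audit entry to `log`.

    `ask` stands in for the user prompt and denies by default.
    """
    if op not in OPS:
        raise ValueError(f"unknown operation: {op}")
    ext = PureWindowsPath(actor).suffix.lower()   # .PIF and .pif match alike
    for rule in RULES:
        if rule.ext != ext or op not in rule.ops:
            continue
        if rule.reaction == "log":        # record only, take no action
            log.append((actor, op, "logged"))
            return True
        if rule.reaction == "silent":     # assumed reading: block, no prompt, log
            log.append((actor, op, "blocked"))
            return False
        allowed = bool(ask(actor, op))    # "ask": the user decides
        log.append((actor, op, "ask-allowed" if allowed else "ask-denied"))
        return allowed
    return True                           # no rule matched: not restricted

if __name__ == "__main__":
    audit = []
    for actor, op in [(r"C:\Temp\invoice.PIF", "execute"),
                      (r"C:\Windows\bubbles.scr", "execute"),
                      (r"C:\Windows\bubbles.scr", "create")]:   # constructed events
        print(actor, op, "allowed" if decide(actor, op, audit) else "blocked")
```

Matching is on the last extension only, so a constructed name such as `photo.jpg.pif` is still treated as a PIF file.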