Re: How to get current process executable from KEXT?
Delivered-To: darwin-dev@lists.apple.com

On 2/1/2010 6:24 AM, Jakub Bednar wrote:
> Well yes, but the malware would need super-user permissions to do that. If your system is compromised, then there is nothing anyone can do. On the other hand, if you can't check the full path, then anyone (even a regular user) can create a binary with the name "utility" anywhere in the system, and it will be confused with the /usr/bin/utility in, let's say, a "trusted and protected" path.
>
> The best would be to do a code signature check, but I haven't found any kernel API to do this.

I'm not quite sure what you're trying to accomplish, but I'm pretty sure that you're doing it wrong. Checking that the process being invoked is /usr/bin/utility instead of /Users/ben/utility won't help if the action you're scanning for can be carried out by /usr/bin/utility - either intentionally or due to a flaw in how the utility is written. And there are numerous methods that can be used from an ordinary user account to cause a process running as that user to execute arbitrary code. If executable path-based protection is central to your anti-malware product, your product won't be much of a problem for malware authors at all.

-- 
Brian Mastenbrook
brian@mastenbrook.net
http://brian.mastenbrook.net/
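As an added illustration of the two checks argued over above (example code written for this archive page, not code from either poster or from any KEXT), a user-space C sketch contrasts a name-only match with a full-path match against a constructed allowlist; how the kernel obtains the executable path is not shown and is assumed solved elsewhere. Even the stronger check only establishes which file was executed, which is exactly the limit Brian points out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed allowlist of full paths the hypothetical checker trusts. */
static const char *const TRUSTED[] = { "/usr/bin/utility", "/usr/sbin/otherutility" };
#define NTRUSTED (sizeof TRUSTED / sizeof TRUSTED[0])

static const char *basename_of(const char *p) {
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* Weak check: compares only the executable's file name, so
 * /Users/ben/utility looks the same as /usr/bin/utility. */
bool trusted_by_name(const char *path) {
    for (size_t i = 0; i < NTRUSTED; i++)
        if (strcmp(basename_of(path), basename_of(TRUSTED[i])) == 0)
            return true;
    return false;
}

/* Stronger check: requires an absolute path with no empty, "." or ".."
 * components (so "/usr/bin/../../Users/ben/utility" cannot sneak through),
 * then an exact match against the allowlist. */
bool trusted_by_path(const char *path) {
    if (path[0] != '/')
        return false;                     /* relative paths are not comparable */
    for (const char *p = path + 1; ; ) {  /* walk each path component */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;                 /* reject "//", "/./" and "/../" */
        if (!end)
            break;
        p = end + 1;
    }
    for (size_t i = 0; i < NTRUSTED; i++)
        if (strcmp(path, TRUSTED[i]) == 0)
            return true;
    return false;
}
```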