This past week, Richard Stiennon, a noted network guru, did a podcast with Ken Steinberg, CEO of Savant Protection. Savant, a relatively new startup, offers a product that denies all access to the CPU unless the application or request carries an approved certificate.
On the surface, this provides a more realistic defense against most malware. It accepts that malware will make its way into the enterprise one way or another, and denying every request to the CPU that lacks an approved certificate cuts the legs out from under malware that needs CPU time to install itself into the operating system. In other words, the default is deny: code runs because it has been approved, not because nothing has yet flagged it as malicious.
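To make that decision concrete, here is an added example (my own illustrative code, not Savant's product and not anything from the podcast) of a default-deny execution policy written in Go. An image may run only if it carries a certificate that chains to an approved code-signing root and a signature over its exact bytes; everything else is refused. The "Example Corp" CA, the rogue CA, the image names and their byte contents are all constructed for the demo. The real product enforces its check at the point where a request reaches the CPU; this user-space sketch shows only the decision logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedImage is a hypothetical executable plus the signing metadata an enforcement
// agent inspects before granting it CPU time; CertDER and Signature are nil when unsigned.
type SignedImage struct {
	Name                     string
	Code, CertDER, Signature []byte
}

// Policy is default-deny: an image runs only if its signer chains to an approved root.
type Policy struct{ roots *x509.CertPool }

// Allow returns nil when the image may execute, otherwise the denial reason.
func (p *Policy) Allow(img SignedImage) error {
	if img.CertDER == nil || img.Signature == nil {
		return errors.New("unsigned image: denied by default")
	}
	cert, err := x509.ParseCertificate(img.CertDER)
	if err != nil {
		return fmt.Errorf("unparseable signer certificate: %w", err)
	}
	// Chain the signer to an approved root and require the code-signing EKU.
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not approved: %w", err)
	}
	// Bind the approval to these exact bytes: an image modified after signing fails here.
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, img.Code, img.Signature) {
		return errors.New("signature does not verify over image contents")
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a throwaway key pair and certificate for the demo: a self-signed
// root CA when parent is nil, otherwise a code-signing leaf issued by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// signedBy issues a code-signing leaf under ca and signs code with it.
func signedBy(ca *x509.Certificate, caKey ed25519.PrivateKey, image string, code []byte) SignedImage {
	key, cert := issue(image+" signer", ca, caKey)
	return SignedImage{Name: image, Code: code, CertDER: cert.Raw, Signature: ed25519.Sign(key, code)}
}

// Verdicts runs three constructed images through the policy and reports which may run.
func Verdicts() map[string]bool {
	caKey, caCert := issue("Example Corp Approved Code-Signing CA", nil, nil)
	policy := &Policy{roots: x509.NewCertPool()}
	policy.roots.AddCert(caCert)
	// Approved application signed under the enterprise CA.
	approved := signedBy(caCert, caKey, "payroll.exe", []byte("constructed payroll bytes"))
	// Never-before-seen malware: no signature at all, so no AV update is needed to stop it.
	unsigned := SignedImage{Name: "dropper.exe", Code: []byte("constructed unknown malware bytes")}
	// Valid signature, but from a CA the enterprise never approved.
	rogueKey, rogueCA := issue("Rogue CA", nil, nil)
	rogue := signedBy(rogueCA, rogueKey, "trojan.exe", []byte("constructed trojan bytes"))
	out := map[string]bool{}
	for _, img := range []SignedImage{approved, unsigned, rogue} {
		out[img.Name] = policy.Allow(img) == nil
	}
	return out
}

func main() { fmt.Println(Verdicts()) }
```

Running it prints `payroll.exe` as allowed and the other two as denied. The two denials are the point: neither the unsigned dropper nor the trojan signed by an unapproved CA needed a vendor signature update to be stopped, because the policy never asked whether the code was known-bad, only whether it was approved. The flip side is that an approved image is allowed no matter who launches it, which is the credential-theft gap the post closes on.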
I am not yet sure if this defense will defeat Blue Pill-type attacks, but it will definitely shut down most other existing malware attacks. I am also not yet sure of the performance degradation on each request to the CPU by using this method.
With those caveats stated, this type of defense is an excellent tool to consider for your enterprise. It avoids the lag between a threat appearing in the wild and the existing anti-virus and firewall vendors discovering it and issuing a signature or patch. Furthermore, it also defends against most undiscovered malware threats, which slip beneath the enterprise's anti-virus and firewall radar precisely because no signature for them exists yet. Enterprises need to consider deploying something like Savant Protection as one of their many layered defenses.
What won't it prevent? Criminals who obtain a user's ID and password, tokens or biometrics and fraudulently masquerade as that user: an approved application run with stolen credentials is still an approved application.