Making Trojans Easier To Remove
By Adrian Sutton
It occurs to me that there’s no way to stop trojans from working – there will always be a way to disguise one so that it looks like a valid application – if by no other means than by making it a valid application. There is also no way to let the user get their work done and still prevent trojans from doing any damage or being annoying – even with privilege separation, the trojan has access to all the user’s files. Note that this only applies to trojans, not to other types of malware – viruses, for instance, can be prevented by writing secure code.
It seems to me that we should instead focus on making it easier to remove trojans. This happens to be the greatest failing of Windows and it’s mostly caused by the fact that you can’t remove a file that is in use. So as soon as the trojan loads, nothing can delete its files, and since the trojan loads on boot you’re pretty much screwed. There are even some trojans – like the one I’ve been dealing with recently – that embed themselves in the OS so that they run even in safe mode. As best I can tell the only way to remove it is to reformat.
If however Windows allowed me to delete the infected file or replace it with an uninfected version while the trojan was running, I’d have a much better chance of fixing the problem. The problem of course would be that the trojan could just replace the file again, leading to the second thing that needs to be fixed.
There must be a simple way for every single process on the system to be listed, interrogated and killed. No ifs, no buts and absolutely no way of hiding them. Anything that’s not in the list doesn’t get assigned any resources ever. Even better though, why not allow the user to click on a window and mark the process as malware? Never allow that executable to load again. That way when you get ads popping up on your desktop, you mark the process as malware and the trojan is immediately disabled – even though the files are still lying around on the drive. This isn’t as simple as it sounds though – if a trojan loads IE and points it at a web page to display an ad, marking that window as a trojan needs to disable the executable that triggered IE to launch and not IE itself. Any number of other applications might be used as a proxy to get windows on screen and the OS has to work out who to blame for it. Applying the same concept to task bar items and so on would be extremely powerful if it could be made to work.
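As an added illustration of the mechanism described above (this is example code written for this page, not anything from the original post or from Windows), here is a small Python model of an OS that keeps every process in a table, records each process’s launch ancestry when it is spawned, and lets the user mark a window as malware. Blame walks up the ancestry, skipping programs that are only acting as display proxies (IE in the post’s scenario) and never blaming the user’s own shell, then adds the culprit’s executable to a deny list so it can never load again even though its files stay on disk. All paths, the trojan name, the trusted-proxy list and the rule that explorer.exe is never blamed are constructed assumptions of the model. Freezing the ancestry at spawn time is what lets blame still land correctly after the launcher has exited, which is the case the post worries about: a trojan that pops IE and disappears.

```python
"""Toy model of "click a window, mark its originator as malware" attribution.

Constructed example, not Windows internals. Every process is registered in one
table (nothing runs outside it), each process records the executables of its
parent, grandparent, ... at spawn time, and blame is assigned to the first
ancestor that is neither a trusted display proxy nor the user's own shell.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed paths; the trojan file name is a placeholder for the model.
EXPLORER = r"C:\Windows\explorer.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TROJAN = r"C:\Users\adrian\AppData\Local\Temp\ad_popper.exe"

# Assumption: programs commonly used as a proxy to put a window on screen.
# When one of these owns the clicked window, the OS keeps walking up the chain.
TRUSTED_PROXIES: Set[str] = {IEXPLORE}
# Assumption: the user's own shell launched what it was told to; never blame it.
NEVER_BLAME: Set[str] = {EXPLORER}


@dataclass
class Process:
    pid: int
    exe: str
    ancestry: List[str] = field(default_factory=list)  # parent exe, grandparent exe, ...
    alive: bool = True


class ToyOS:
    def __init__(self) -> None:
        self.table: Dict[int, Process] = {}   # the one complete, unhideable list
        self.denied: Set[str] = set()          # executables marked as malware
        self._next_pid = 4                     # constructed starting PID

    def spawn(self, exe: str, parent_pid: Optional[int] = None) -> int:
        """Register a new process; refuse executables on the deny list."""
        if exe in self.denied:
            raise PermissionError(f"{exe} is marked as malware; refusing to load")
        parent = None
        if parent_pid is not None:
            if parent_pid not in self.table:
                raise LookupError("unknown parent; every process must be in the table")
            parent = self.table[parent_pid]
        # Ancestry is copied at spawn time so it survives the parent exiting
        # (and any later reuse of the parent's PID).
        ancestry = [parent.exe] + parent.ancestry if parent else []
        pid = self._next_pid
        self._next_pid += 1
        self.table[pid] = Process(pid, exe, ancestry)
        return pid

    def exit(self, pid: int) -> None:
        self.table[pid].alive = False

    def list_processes(self) -> List[Process]:
        return [p for p in self.table.values() if p.alive]

    def blame(self, window_pid: int) -> Optional[str]:
        """Return the executable to blame for a window, or None if the chain
        contains nothing but proxies and the user's own shell."""
        proc = self.table[window_pid]
        for exe in [proc.exe] + proc.ancestry:
            if exe in TRUSTED_PROXIES or exe in NEVER_BLAME:
                continue
            return exe
        return None

    def mark_as_malware(self, window_pid: int) -> Optional[str]:
        """User action: blame the window, kill every copy of the culprit and
        deny it from ever loading again. Its files are left on disk."""
        culprit = self.blame(window_pid)
        if culprit is None:
            return None
        self.denied.add(culprit)
        for p in self.list_processes():
            if p.exe == culprit:
                p.alive = False
        return culprit


def demo() -> dict:
    """Scenario from the post: trojan launches IE to show an ad, then exits."""
    os_ = ToyOS()
    shell = os_.spawn(EXPLORER)
    trojan = os_.spawn(TROJAN, parent_pid=shell)
    ad_window = os_.spawn(IEXPLORE, parent_pid=trojan)
    os_.exit(trojan)                         # launcher is gone before the user clicks
    culprit = os_.mark_as_malware(ad_window)  # blame lands on the trojan, not IE
    try:
        os_.spawn(TROJAN, parent_pid=shell)
        relaunched = True
    except PermissionError:
        relaunched = False
    user_ie = os_.spawn(IEXPLORE, parent_pid=shell)   # IE itself still loads
    return {"culprit": culprit, "relaunched": relaunched,
            "user_ie_blame": os_.blame(user_ie)}


if __name__ == "__main__":
    print(demo())
```

The model also shows where the idea stays hard in practice: blame is only as good as the proxy and never-blame lists, and a real OS would need to track window ownership across mechanisms the process tree does not capture (COM activation, scheduled tasks, services), which is exactly the “who to blame” problem the paragraph above raises.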
Just please, whatever you do, don’t add yet another dialog checking that the user wants to run the file – they have no idea that it’s a trojan so you’ll achieve nothing. You only discover it’s a trojan after you run it.