And you can't even say "Any 'good' application is only going to do certain sorts of actions. We'll scan those and if the application does something else, stop it". UAC in Windows 7 and Vista went a long way toward making this better; at least if you're opening yourself to malware you usually have to click "I know this is doing something which could be dangerous", and 7 went a step further by making it far more unobtrusive so that users are less likely to auto-click it.
It's still a losing battle, though. Run http://technet.microsoft.com/en-us/sysinternals/bb896645.asp... for a few minutes and look at how many actions are being taken just when your computer is supposedly idle. Trying to whitelist each and every one of those would be massive overhead.
What I've found (personally, this isn't for everyone) is to run with as minimal AV as possible (right now, SSE), and if I notice anything out of the ordinary, run an offline virus scan. I usually do this with Bart-PE, although I've been working on another method for it. Expecting an infected OS to report that it is infected isn't the best idea; it is too easy to fake the results. Doing a scan of the system while the OS is not running tends to be more reliable and removes any problems a lot more easily. I'm currently working on a system which will PXE boot once a month, do a virus scan or two (with different, fully updated scanners), defrag, checkdisk and do a general cleanup.
If you define them that way, yes. If instead you define them as:
Delete files in the application's working directory, read files from the application's working directory or public areas, contact websites, read keyboard when this application is the focus, send email.
It isn't nearly as dangerous. Sure, you've still got the computer contacting websites and sending email, but that isn't a terribly large risk. There is still a need for blacklisting that sort of activity. As far as reading sensitive information, however, as long as working directories are categorized well and used by any applications dealing with anything sensitive, it isn't a problem.
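As an added illustration (not part of the thread, and not code from any real sandbox), here is what the capability set listed above looks like as an actual policy check. The Policy class, the action names and the sample directories are all made up for the example. The part worth seeing is the file rule: "inside the working directory" has to survive "../" traversal and absolute-path injection, otherwise a well-categorized working directory buys you nothing. Paths are handled as POSIX strings so the example runs the same on any platform.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical capability policy for one application. The working directory
# and public areas below are constructed sample values, not real paths.
@dataclass(frozen=True)
class Policy:
    working_dir: str
    public_dirs: tuple = ()


def _resolve(policy: Policy, target: str) -> str:
    """Turn a target into one normalised absolute path.

    Relative targets are interpreted against the working directory, and
    normpath() collapses '..' segments so 'cache/../../secrets' cannot
    pretend to be inside the working directory.
    """
    if not posixpath.isabs(target):
        target = posixpath.join(policy.working_dir, target)
    return posixpath.normpath(target)


def _contained(root: str, full: str) -> bool:
    """True if the normalised absolute path `full` lies under `root`.

    The trailing '/' matters: '/app/work2/x' must not match root '/app/work'.
    Symlinks are not resolved here; an enforcement point sitting on the real
    filesystem has to canonicalise with os.path.realpath() at open time.
    """
    root = posixpath.normpath(root)
    if root == "/":
        return True
    return full == root or full.startswith(root + "/")


def is_allowed(policy: Policy, action: str, target: str = "", focused: bool = False) -> bool:
    """Decide one action against the capability set from the comment above.

    delete   -> only inside the working directory
    read     -> working directory or any public area
    keyboard -> only while this application has focus
    network / email -> permitted (still worth logging or blacklisting)
    anything else   -> default deny
    """
    if action == "delete":
        return _contained(policy.working_dir, _resolve(policy, target))
    if action == "read":
        full = _resolve(policy, target)
        roots = (policy.working_dir, *policy.public_dirs)
        return any(_contained(root, full) for root in roots)
    if action == "keyboard":
        return focused
    if action in ("network", "email"):
        return True
    return False


def demo() -> dict:
    """Run a handful of constructed requests through the policy."""
    policy = Policy("/home/alice/app/work", ("/usr/share/public",))
    return {
        "delete own cache": is_allowed(policy, "delete", "cache/tmp.bin"),
        "delete via ..": is_allowed(policy, "delete", "../secrets.txt"),
        "delete absolute": is_allowed(policy, "delete", "/etc/passwd"),
        "read public": is_allowed(policy, "read", "/usr/share/public/readme.txt"),
        "read public via ..": is_allowed(policy, "read", "/usr/share/public/../../../etc/shadow"),
        "read sibling dir": is_allowed(policy, "read", "/usr/share/public_extra/x"),
        "keyboard unfocused": is_allowed(policy, "keyboard", focused=False),
        "keyboard focused": is_allowed(policy, "keyboard", focused=True),
        "network": is_allowed(policy, "network", "example.com"),
        "unknown action": is_allowed(policy, "registry_write", "HKLM\\Run"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {'ALLOW' if decision else 'DENY'}")
```

The deny-by-default branch is what makes this a whitelist rather than the blacklist the comment says is still needed for network and email; the two approaches are complementary, not alternatives. Note also that a check like this is only as good as the moment it runs: on a real filesystem, a path that was inside the working directory when checked can be swapped for a symlink before the open, so the decision belongs at the open call itself, not in a pre-check.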