Application Control

Updated: 22 May 2010 | 6 comments
Blenky

Looking to convert to SEP from another tool that was providing app/device control.  When it comes to application control, they already have a large database of over 300 applications (without even considering versions of applications) that they block in their environment.  In SEP the options seem to be by process (executable name) or via the file fingerprint (MD5 checksum of executable).  With doing this by process, it is easy enough for the user to change the executable from notepad.exe to notepad2.exe and bypass that capability.  With file fingerprint, you are required to explicitly provide each MD5 hash - this isn't really feasible considering that would require installing all 300+ applications and getting the MD5 checksum of the file.  Not to mention when you consider each version/release of a particular software would have a new checksum - thus 300 turn into thousands.

Anyone have a good way with dealing with this?  Other platforms have repositories to pull from versus creating everything from scratch (i.e. I believe Altiris actually has a central repository/database of applications or categories to block).

Thanks in advance.
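As an added example that is not part of the original post or of SEP itself, the script below models the two rule types the post contrasts, process-name rules and file-fingerprint (MD5) rules, and shows the two bypasses described: renaming the binary defeats a name rule but not a fingerprint rule, while a new release of the same program (different bytes) defeats the fingerprint rule. The "executables" are constructed byte strings standing in for real PE files, and the class names and matching logic are assumptions that only mirror how such rules are evaluated, not SEP's own implementation.

```python
"""Added example: name-based vs. MD5-fingerprint application control.

Assumptions (not from the thread): sample binaries are constructed byte
strings; AppControlPolicy is a stand-in for the matching logic, not SEP code.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AppControlPolicy:
    blocked_names: set = field(default_factory=set)  # process-name rules (lower-cased)
    blocked_md5: set = field(default_factory=set)    # file-fingerprint rules (hex digests)

    def block_by_name(self, exe_name: str) -> None:
        """Add a process-name rule; this is what 'notepad.exe' -> 'notepad2.exe' bypasses."""
        self.blocked_names.add(exe_name.lower())

    def block_by_fingerprint(self, image: bytes) -> str:
        """Fingerprint an on-disk image (MD5 of the file bytes) and add it to the rule set."""
        digest = hashlib.md5(image).hexdigest()
        self.blocked_md5.add(digest)
        return digest

    def decide(self, exe_name: str, image: bytes) -> str:
        """Evaluate a launch attempt: 'block:name', 'block:md5' or 'allow'."""
        if exe_name.lower() in self.blocked_names:
            return "block:name"
        # Hash once per launch; the lookup against the rule set is a set membership test.
        if hashlib.md5(image).hexdigest() in self.blocked_md5:
            return "block:md5"
        return "allow"


def build_fingerprint_list(inventory: dict) -> dict:
    """Turn an installed-software inventory (name -> file bytes) into name -> MD5.

    This is the per-version work the post calls infeasible for 300+ applications:
    every release produces a different digest and needs its own entry.
    """
    return {name: hashlib.md5(data).hexdigest() for name, data in inventory.items()}


# Constructed sample binaries (stand-ins for real executables, not real files).
NOTEPAD_V1 = b"MZ\x90\x00notepad-build-1"
NOTEPAD_V2 = b"MZ\x90\x00notepad-build-2"  # a new release: different bytes, different MD5


def demo() -> dict:
    """Run the four cases discussed in the thread and return the decisions."""
    name_only = AppControlPolicy(blocked_names={"notepad.exe"})

    both = AppControlPolicy()
    both.block_by_name("notepad.exe")
    both.block_by_fingerprint(NOTEPAD_V1)

    return {
        # Name rule works as long as the user keeps the original file name.
        "name_rule_hit": both.decide("notepad.exe", NOTEPAD_V1),
        # Renaming the same bytes bypasses a name-only policy.
        "renamed_bypasses_name_rule": name_only.decide("notepad2.exe", NOTEPAD_V1),
        # ... but the fingerprint rule still catches the renamed file.
        "renamed_caught_by_md5": both.decide("notepad2.exe", NOTEPAD_V1),
        # A new build has a new digest, so the fingerprint rule no longer matches.
        "new_version_bypasses_md5": both.decide("notepad2.exe", NOTEPAD_V2),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print(build_fingerprint_list({"notepad_v1.exe": NOTEPAD_V1, "notepad_v2.exe": NOTEPAD_V2}))
```

The last line of the demo is the scaling problem from the post in miniature: two builds of one program already need two fingerprint entries, and nothing in the hash ties them to the same product.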

Comments

Thomas K, 08 Jun 2009

Read the post by Citlali,  "There is an easier way" on this thread.

https://www-secure.symantec.com/connect/forums/how...

Thomas

Blenky, 08 Jun 2009

Unfortunately this option means you have to open up your network to applications being executed until they are explicitly added to the blocked list.  That's a lot of exposure for a corporate network.   I know about that option, but was hoping there was something better out there.

Grant_Hall, 08 Jun 2009

Hi Blenkey

I really like the idea of having a database of the MD5s for our users to look through. I think this could be helpful to quite a few of our users. I think you should suggest this in the ideas part of this site. I can also suggest it for you, but seeing as it was your thought I figured you might want to do it so you can completely explain what you wanted. Cheers

Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Blenky, 08 Jun 2009

Apparently it is an Altiris feature...

I've been told that there is something like this on the Altiris side.  Not sure that it is based on an MD5 hash, but at least a database or collection of some sort that is used as a reference to block applications.

I'll definitely suggest it because realistically, anyone coming over from another product as a competitive takeout would have this issue. 

dimitri limanovski, 08 Jun 2009

MD5 or signature blocking equals always being behind. Developers will always update their code, rendering your checksum only as relevant as the latest fingerprint you use. Also, consider performance impact: let's say you're blocking 50 applications with 10 MD5 checksums for each version it ever had. Every time an EXE launches on your system, it needs to be checked against 500 MD5 signatures just to be passed on to the "on-access scanner" for regular signature-based detection. The result is the poor performance we all love so much.
Behavior detection is the route to go. Like with the Ultrasurf thread last week, all Symantec has to do is classify applications properly based on their behaviour and group known processes in that class. For example, you could have a class called "Unwanted Proxy Applications", where bad things like Tor and Ultrasurf would reside, and, more importantly, new programs that have the same behavior would automatically be added to this class. The same would be done for "IP Scanners", where SuperScan, Angry IP Scanner, netcat and others would live.
Unfortunately, Symantec's behavior detection is pretty useless with TruScan, and this would have to be a superior behavioral engine to that of TruScan. Maybe in a future something like this would become available?

SForbes, 01 Nov 2009

Do you guys ever feel guilty about being such narcs?  It seems like we'd save ourselves a lot of hassle if we just educated our end users about risks rather than trying to continually compensate for the ways they find to sneak out of the playpens we build for them. 

Because it's not like we play by the exclusionary rules we set up for users.