Top Bad Behaviors and Whitelisting
Posted by Mario Vuksan on Mon, Aug 04, 2008
With the advent of Application Whitelisting, behavioral approaches to security gain new prominence. It is much easier to identify a bad behavior once you have removed all the known good suspects from the line-up. The ISS Mid-Year report states that the top bad behavior is, to no surprise, dropping a file into the Windows/System folder.
Why is this important? The Windows/System folder is reserved for known good elements: your system device drivers. Every file there should have been placed by the Operating System or one of its trusted derivatives. Even more so under Vista, and in an ideal world, all of those components should be signed in order to run.
So it is absolutely correct to conclude that if an unknown device driver is ever placed in the Windows/System folder, it should be treated as unwanted, if not malicious. Modern behavioral approaches utilizing Application Whitelisting, or a complete lockdown of a system where no unauthorized software is allowed to run, are the proper solutions.
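As an added example, not part of the original post and not any vendor's product code, the following PowerShell script applies the post's reasoning to the driver directory: every file there is hashed, compared against a local allowlist of known-good hashes, and, if not on the list, judged by its Authenticode signature. The allowlist file name and its CSV layout are assumptions for illustration; the reader would build it from a clean baseline image.

```powershell
# Added example (not from the original post): audit the Windows driver directory
# and flag files that are neither on a known-good allowlist nor validly signed.
# Assumptions: known-good-drivers.csv is a hypothetical, reader-built CSV with a
# 'Sha256' column; the driver directory path is the usual default.
param(
    [string]$DriverDir     = "$env:SystemRoot\System32\drivers",
    [string]$AllowListPath = ".\known-good-drivers.csv"
)

# Load the allowlist of known-good SHA256 hashes (from a clean baseline, not from this host).
$allowed = @{}
if (Test-Path $AllowListPath) {
    Import-Csv -Path $AllowListPath | ForEach-Object {
        $allowed[$_.Sha256.ToUpperInvariant()] = $true
    }
}

$findings = foreach ($file in Get-ChildItem -Path $DriverDir -File -Filter *.sys -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Hash allowlist is the primary check. Signature status is the fallback:
    # note that inbox drivers are often catalog-signed, and catalog signatures are only
    # reported as Valid on Windows versions where Get-AuthenticodeSignature checks catalogs.
    $verdict = if ($allowed.ContainsKey($hash))   { 'allowlisted' }
               elseif ($sig.Status -eq 'Valid')   { 'signed' }
               else                               { 'UNKNOWN' }

    [pscustomobject]@{
        File      = $file.Name
        Created   = $file.CreationTime
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = $hash
        Verdict   = $verdict
    }
}

# Summary by verdict, then the unknown drivers newest first: a recently created,
# unsigned, non-allowlisted file here is exactly the behavior the report ranks first.
$findings | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
$findings | Where-Object Verdict -eq 'UNKNOWN' |
    Sort-Object Created -Descending |
    Format-Table File, Created, Signature, Sha256 -AutoSize
```

Run it from an elevated prompt so every driver file is readable. Treating the hash allowlist as the primary check and the signature as a fallback matches the post's point: a whitelist removes the known-good suspects, so whatever remains is worth a look regardless of whether it carries a signature.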