A security server distributes security policies to client computers.
Each security policy includes an identifier identifying the process to
which the policy pertains, and security rules for use with that process.
The identifier includes a version hash and a code hash. The version hash
of a process is likely to remain unchanged if the process is modified by
a legitimate agent, such as by a software update. The code hash of a
process is likely to change if the process is modified by a malicious
agent. When a process executing on the client computer requests access to
a resource, the client computer generates a version hash of the process
and uses it to identify the security policy pertaining to the process. If
the version hash matches a version hash in a security policy, but the
code hash does not match, the client computer declares the process
potentially malicious.
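
The lookup described above, sketched as an added example that is not code from the original document. The hash inputs (publisher and product name for the version hash, executable bytes for the code hash), the `no_policy` outcome, the rule strings and all names are assumptions.

```python
import hashlib
from dataclasses import dataclass

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def version_hash(publisher: str, product: str) -> str:
    # Assumption: derived from metadata that a legitimate update leaves unchanged.
    return _sha256(f"{publisher}\x00{product}".encode())

def code_hash(image: bytes) -> str:
    # Assumption: derived from the executable bytes, so tampering changes it.
    return _sha256(image)

@dataclass(frozen=True)
class Policy:
    version_hash: str   # identifies which process the policy pertains to
    code_hash: str      # expected code hash for that process
    rules: tuple        # security rules to enforce (constructed strings here)

@dataclass(frozen=True)
class Process:
    publisher: str
    product: str
    image: bytes

def evaluate(proc: Process, policies: list) -> tuple:
    """Called when a process requests access to a resource."""
    vh = version_hash(proc.publisher, proc.product)
    candidates = [p for p in policies if p.version_hash == vh]
    if not candidates:
        return ("no_policy", ())            # outcome not specified on the page
    ch = code_hash(proc.image)
    for policy in candidates:
        if policy.code_hash == ch:
            return ("policy_applied", policy.rules)
    # Version hash matched a policy but the code hash did not.
    return ("potentially_malicious", ())

# Constructed sample data.
GOOD_IMAGE = b"constructed editor image, build 1"
POLICIES = [Policy(version_hash("ExampleSoft", "Editor"), code_hash(GOOD_IMAGE),
                   ("allow_read:documents", "deny:network"))]

if __name__ == "__main__":
    for image in (GOOD_IMAGE, GOOD_IMAGE + b"\x90patched"):
        print(evaluate(Process("ExampleSoft", "Editor", image), POLICIES))
    print(evaluate(Process("Other", "Tool", b"x"), POLICIES))
```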