The Trusted Vendor list adds much more flexibility to the safelist, although each vendor may actually release different applications of different span and purpose, even at a later time.
Indeed, it could be possible to allow further reconfigurability of the Trusted Vendor list by making each entry act as a Group and letting the user further define whether to safelist all applications of a specific vendor (using wildcards like * or ?) or specific products only.
Since only digitally signed applications whose vendors were added to the Trusted Vendor list are eligible for safelisting, it would also be possible to parse some additional executable properties (like Original File Name, Product Name, ProductShortName).
Indeed, this would allow safelisting all applications digitally signed by Google Inc. (using an *) or only applications digitally signed by Google Inc. and whose Product Name is “Google Chrome”.
Using some tools to rename these values will not be able to circumvent the digital signature seal, and thus it will be possible to restrict which applications will be effectively safelisted without any way to circumvent these restrictions.
This feature could be a likely complement to Parental Control with alert suppression enabled.
Additionally, a Blocked Vendor list could provide further features similar to AppLocker on Windows 7.
With the new approach, each Trusted Vendor Group contains an All applications (*) specifier, thus mimicking the current Trusted Vendor behavior.
It would still be possible to achieve the same effect with the current Trusted Vendor design by manually safelisting specific applications and removing their vendor from the Trusted Vendor list to prevent safelisting of other applications from the same brand.
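The grouped Trusted Vendor rules proposed in this post, sketched as an added example (not part of the original post and not any product's code). The policy layout, the `decide` function and its result strings are hypothetical, signature verification is assumed to happen elsewhere, and giving Blocked Vendor entries precedence over trust entries is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class SignedFile:
    signer: str            # vendor name taken from the code-signing certificate
    signature_valid: bool  # result of signature verification performed elsewhere
    product_name: str      # Product Name read from the file's version resource


# Hypothetical policy layout: vendor -> product specifiers ("*" and "?" allowed).
TRUSTED_VENDOR_GROUPS = {
    "Google Inc": ["Google Chrome"],  # only this product is safelisted
    "Example Vendor Ltd": ["*"],      # constructed vendor; "*" = all applications
}
BLOCKED_VENDORS = {"Blocked Vendor LLC"}  # constructed entry


def _norm(value):
    """Compare names case-insensitively and ignore surrounding whitespace."""
    return value.strip().casefold()


def decide(f, trusted=TRUSTED_VENDOR_GROUPS, blocked=BLOCKED_VENDORS):
    """Return 'blocked', 'safelisted' or 'unrecognized' for one file."""
    # Properties are only trusted when the signature verifies: editing the
    # Product Name changes the signed file content and breaks the signature.
    if not f.signature_valid:
        return "unrecognized"
    signer = _norm(f.signer)
    if signer in {_norm(v) for v in blocked}:
        return "blocked"  # assumption: block entries win over trust entries
    for vendor, products in trusted.items():
        if _norm(vendor) != signer:
            continue
        name = _norm(f.product_name)
        # fnmatch also treats [...] as a character class, so a real policy
        # editor would need to escape brackets in literal product names.
        if any(fnmatchcase(name, _norm(p)) for p in products):
            return "safelisted"
    return "unrecognized"


if __name__ == "__main__":
    for sample in (SignedFile("Google Inc", True, "Google Chrome"),
                   SignedFile("Google Inc", True, "Google Earth"),
                   SignedFile("Google Inc", False, "Google Chrome")):
        print(sample.product_name, sample.signature_valid, "->", decide(sample))
```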