Which setting prevents malware from acting on behalf of a trusted process?

Which setting in Defense+, if any, prevents malware from performing potentially dangerous actions on behalf of a trusted process? For example, services.exe is a Windows system application that, by default, is permitted to install drivers. But what is to stop malware from using services.exe to load a malicious driver? All installers, after all, can access services.exe and use it to install the needed drivers for the program to function properly. But this can also include installers that do not have your best interests in mind.

Is there a better way to stop the malicious driver from being loaded by services.exe other than by forbidding services.exe from loading any driver other than explicitly allowed ones? This would be a hassle indeed. The potentially dangerous actions a malicious installer or application could perform are not limited just to loading drivers, but can include others too, such as the editing of sensitive areas of the registry, direct access to the screen/keyboard/physical memory, and so on.

Defense + will protect you because it will always alert you when a program tries to start another program. The only exception is for the situation where the user gave a program the Windows System Application policy. The latter allows programs to start other programs without alert.

What if the program has already been started? (e.g. explorer.exe is always started). Which setting prevents the malicious program from invoking a program that's already running?

When in Paranoid Mode you will get alerts for all the things described under Monitor Settings under Defense + settings. Suppose a program wants to access explorer.exe in memory: you will get alerted, etc. When you allow it with remember, you can retrieve that under Access rights of the custom policy under Modify.

Suppose you want stronger protection; then you can enable Protection Settings; they can be found in the custom policy.

Thanks.