How does Application Control determine if a software file has changed?

Get ready for the Trend Micro Deep Security Certification with our comprehensive test. Study with detailed questions, hints, and explanations to ace your exam!

Application Control primarily determines if a software file has changed by analyzing disk write activity and comparing hashes. When a file is executed or modified, Application Control monitors the changes at the disk level and examines the file's integrity through hash values, fixed-length digests computed from the file's contents. If these hashes do not match the values stored in the database, Application Control recognizes that the file has been altered.

This method of comparing hashes is particularly effective because even a minor change to a file results in a different hash value, alerting the system to any unauthorized modification. The real advantage of this approach is its ability to detect even subtle alterations that could compromise the software's integrity.

The other options are less effective for this purpose. Checking the file name against a whitelist would only confirm that a file has a known-good name; it would not detect modifications to the contents of that file. Monitoring user access to a file does not directly indicate whether the file itself has changed, and assessing software performance metrics provides no information about file integrity or alterations. Hash comparisons triggered by disk write activity are therefore the most reliable of the listed methods for identifying changes to software files.
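To make the difference between the hash approach and the filename approach concrete, here is an added example (not Deep Security's own code, and not a model of its kernel-level disk write monitoring). It builds a SHA-256 baseline over a constructed set of files, simulates a one-byte write to one of them plus a newly dropped file, and then runs both a hash comparison and a name-only whitelist check. The function and file names (`build_baseline`, `check_against_baseline`, `app.bin`, `helper.sh`) are illustrative assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (relative to root) to its content hash; this is the
    equivalent of the stored 'known good' values the explanation refers to."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Hash-based check: report files whose digest differs from the baseline,
    files not present in the baseline, and baseline files that are gone."""
    current = build_baseline(root)
    findings = {}
    for rel, digest in current.items():
        if rel not in baseline:
            findings[rel] = "new"
        elif baseline[rel] != digest:
            findings[rel] = "modified"
    for rel in baseline:
        if rel not in current:
            findings[rel] = "missing"
    return findings


def name_whitelist_check(root: Path, allowed_names: set) -> dict:
    """The weaker alternative from the question: True if the name is on the
    whitelist, regardless of what the file now contains."""
    return {
        str(p.relative_to(root)): str(p.relative_to(root)) in allowed_names
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def demo() -> dict:
    """Run both checks against a constructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for installed software.
        (root / "app.bin").write_bytes(b"\x7fELF original program bytes")
        (root / "helper.sh").write_bytes(b"#!/bin/sh\necho hello\n")

        baseline = build_baseline(root)

        # Simulate a disk write that flips a single bit in app.bin ...
        data = bytearray((root / "app.bin").read_bytes())
        data[-1] ^= 0x01
        (root / "app.bin").write_bytes(bytes(data))
        # ... and a file that was never part of the baseline.
        (root / "dropped.bin").write_bytes(b"unexpected payload-free content")

        return {
            "hash": check_against_baseline(root, baseline),
            "names": name_whitelist_check(root, set(baseline)),
        }


if __name__ == "__main__":
    result = demo()
    print("hash comparison :", result["hash"])
    print("name whitelist  :", result["names"])
```

The hash comparison flags `app.bin` as modified even though only one bit changed, and flags `dropped.bin` as new; the name whitelist still reports `app.bin` as allowed because its name did not change, which is exactly why the explanation rejects that option.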
