Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense
942 stars 123 forks

Raccine could also verify the process integrity level when comparing a suspect process with the allowlist #6

Closed 247arjun closed 3 years ago

247arjun commented 3 years ago

wininit.exe and winlogon.exe run at SYSTEM IL (not the Medium/Low IL that the current user runs at), so it will also be a good idea to check if the suspect process, if named like any of the allowed processes, is running with the expected IL of these known allowed processes.

olliencc commented 3 years ago

Good call, patch submitted. Explorer is a trickier one and could be in the process tree. Without going to the extent of checking the Authenticode signature I've used a combination of path and integrity level for the two logic branches.
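The matching logic both comments describe, as an added example that is not Raccine's own code: a parent process is treated as trusted only when its image name, its image path and its token integrity level all agree with an allowlist entry, so a binary merely named wininit.exe, or the genuine System32 binary started at Medium IL, is not trusted. The allowlist, the sample processes, and the names `ProcessInfo`, `AllowEntry` and `isTrustedProcess` are constructed for this example; the integrity-level RIDs are the Windows SDK values, and on a real system the IL field would be filled from `GetTokenInformation(hToken, TokenIntegrityLevel, ...)` rather than from a struct literal.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Mandatory integrity level RIDs as defined in the Windows SDK (winnt.h).
// On Windows they are read from the process token with
// GetTokenInformation(hToken, TokenIntegrityLevel, ...) and taken from the
// last sub-authority of the returned SID. They are reproduced here so the
// matching logic compiles and runs stand-alone (example code, not Raccine's).
constexpr uint32_t IL_LOW    = 0x1000;  // SECURITY_MANDATORY_LOW_RID
constexpr uint32_t IL_MEDIUM = 0x2000;  // SECURITY_MANDATORY_MEDIUM_RID
constexpr uint32_t IL_HIGH   = 0x3000;  // SECURITY_MANDATORY_HIGH_RID
constexpr uint32_t IL_SYSTEM = 0x4000;  // SECURITY_MANDATORY_SYSTEM_RID

// Hypothetical record describing a suspect (parent) process.
struct ProcessInfo {
    std::string name;   // image file name, e.g. "wininit.exe"
    std::string path;   // full image path as reported by the OS
    uint32_t    il;     // integrity level RID of the process token
};

// Hypothetical allowlist entry: where the genuine binary lives and the
// lowest IL it is ever expected to run at.
struct AllowEntry {
    std::string name;
    std::string expectedPath;
    uint32_t    minIl;
};

// Windows paths and image names are case-insensitive, so compare lowercased.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// A suspect is trusted only if some same-named allowlist entry matches on
// BOTH image path AND integrity level. A name match alone is never enough.
bool isTrustedProcess(const ProcessInfo& p, const std::vector<AllowEntry>& allow) {
    for (const AllowEntry& e : allow) {
        if (lower(p.name) != lower(e.name)) continue;
        bool pathOk = lower(p.path) == lower(e.expectedPath);
        bool ilOk   = p.il >= e.minIl;   // genuine process may run higher, never lower
        if (pathOk && ilOk) return true;
    }
    return false;
}

// Constructed allowlist modelled on the processes named in the issue.
const std::vector<AllowEntry> kAllowlist = {
    {"wininit.exe",  "C:\\Windows\\System32\\wininit.exe",  IL_SYSTEM},
    {"winlogon.exe", "C:\\Windows\\System32\\winlogon.exe", IL_SYSTEM},
    {"explorer.exe", "C:\\Windows\\explorer.exe",           IL_MEDIUM},
};

// Constructed sample parents for a stand-alone run.
const ProcessInfo kGenuineWininit   = {"wininit.exe",  "C:\\Windows\\System32\\wininit.exe",  IL_SYSTEM};
const ProcessInfo kSpoofedWininit   = {"wininit.exe",  "C:\\Users\\Public\\wininit.exe",      IL_MEDIUM};
const ProcessInfo kRightPathWrongIl = {"winlogon.exe", "C:\\Windows\\System32\\winlogon.exe", IL_MEDIUM};
const ProcessInfo kGenuineExplorer  = {"EXPLORER.EXE", "C:\\Windows\\explorer.exe",           IL_MEDIUM};

int main() {
    const ProcessInfo samples[] = {kGenuineWininit, kSpoofedWininit,
                                   kRightPathWrongIl, kGenuineExplorer};
    for (const ProcessInfo& p : samples) {
        std::cout << p.name << " @ " << p.path << " IL=0x" << std::hex << p.il
                  << (isTrustedProcess(p, kAllowlist) ? " -> trusted\n" : " -> NOT trusted\n");
    }
    return 0;
}
```

The `minIl` field uses "at least" semantics on purpose: a genuine explorer.exe started elevated still passes, while the two cases the comments worry about, a same-named binary in a user-writable path and the real System32 image launched at Medium, both fail. Adding an Authenticode signature check would be a third, independent branch on top of this.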