vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)

Home Page: http://verisframework.org

Update "integrity.Software installation" to include both in memory and on disk

gdbassett opened this issue · comments

commented

"Software installation" is currently defined as "Software installation or code modification"; however, it somewhat implies on-disk installation. Unfortunately, that leaves no impact for in-memory malware. A short-term fix is to clarify the definition of "Software installation" to include in-memory or on-disk malware. A mid-point would be to add an integrity variety specific to in-memory malware (potentially as a child of software installation along with an on-disk child). Finally, there are more wide-impacting changes around defining a new attribute associated with volatile memory manipulation (or no impact at all).

commented

Update definition to specify on disk and for folks to use 'in-memory' if malware only exists in memory.