Why don't you reverse the policy and make it such that the user can only run programs on the list you define? Then only those programs will run, rather than trying to guess at the myriad combinations of names hacktools either have or can be named.
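As an added illustration of the allow-list versus deny-list point made above (example code, not from the thread; the file names, sample bytes and approved-hash set are constructed):

```python
"""Compare a name-based deny list with a content-hash allow list to show why
renaming a tool defeats the former but not the latter. All sample executables
are constructed in-memory byte strings, not real binaries."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    name: str       # file name as it appears on disk
    content: bytes  # constructed stand-in for the binary's bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical deny list: blocks by file name only
DENY_NAMES = {"hacktool.exe", "dumper.exe"}


def denylist_allows(exe: Executable) -> bool:
    """Deny-list policy: anything whose name is not listed may run."""
    return exe.name.lower() not in DENY_NAMES


def allowlist_allows(exe: Executable, allowed_hashes: set) -> bool:
    """Allow-list policy: only content whose hash was pre-approved may run,
    regardless of what the file is called."""
    return sha256(exe.content) in allowed_hashes


# Constructed samples: a legitimate program, a tool, and the same tool renamed
NOTEPAD = Executable("notepad.exe", b"MZ-constructed-notepad-sample")
TOOL = Executable("hacktool.exe", b"MZ-constructed-hacktool-sample")
RENAMED_TOOL = Executable("svchost.exe", TOOL.content)  # same bytes, new name

# The administrator-defined list: approve notepad's hash only
ALLOWED_HASHES = {sha256(NOTEPAD.content)}


def decisions(exe: Executable) -> dict:
    """Return both policies' verdicts for one executable."""
    return {
        "denylist": denylist_allows(exe),
        "allowlist": allowlist_allows(exe, ALLOWED_HASHES),
    }


if __name__ == "__main__":
    for exe in (NOTEPAD, TOOL, RENAMED_TOOL):
        print(exe.name, decisions(exe))
```

Pinning by hash means every legitimate update needs a policy update; publisher- or path-based allow rules trade some of that rigor for maintainability.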