In order to detect malicious software on a computing device such as a computer or mobile telephone, an antivirus service provider uses a variety of techniques such as traditional file scanning using virus signatures, heuristics and white lists. The antivirus software may be present on the user's computing device or a remote server may be used to provide an antivirus service.
Current technology focuses on constructing large databases of white lists which contain signatures of normal files; if the signature of a suspect file matches a signature in the white list then the file is considered benign. Thus, once a file is considered suspect, instead of determining that the file is malware (and possibly producing a false positive), the signature of the file is compared to the white list. A match indicates a benign file and a false positive is avoided. Unfortunately, though, these white list databases can become extremely large and must be updated each time a file is modified, increasing complexity and decreasing performance. In addition, the larger the database, the more a white list query costs in performance.
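The white list mechanism described above, as an added example that is not part of the original text: a signature here is assumed to be the SHA-256 digest of the file contents, the "known good" files are constructed byte strings standing in for real binaries, and the final function shows the maintenance problem the paragraph raises, namely that any modification to a listed file changes its signature and leaves it unmatched until the white list is updated.

```python
import hashlib

# Constructed sample "benign" files; in practice these would be the bytes of
# real, vetted binaries. Names and contents are placeholders.
KNOWN_GOOD = {
    "editor.bin": b"MZ\x90\x00constructed-benign-editor-v1",
    "viewer.bin": b"MZ\x90\x00constructed-benign-viewer-v1",
}


def file_signature(data: bytes) -> str:
    """Signature of a file: assumed here to be its SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()


def build_white_list(known_files: dict) -> set:
    """One signature per known benign file; this is the database that grows
    with every file and every version that must be recognised."""
    return {file_signature(content) for content in known_files.values()}


def classify(data: bytes, white_list: set) -> str:
    """A suspect file whose signature is in the white list is treated as
    benign (a false positive is avoided); anything else stays suspect."""
    return "benign" if file_signature(data) in white_list else "suspect"


def modified_copy_is_still_listed(name: str, white_list: set) -> bool:
    """Simulate a legitimate update to a listed file (one byte appended).
    Returns True only if the white list still recognises it, which it does
    not until the list itself is refreshed with the new signature."""
    updated = KNOWN_GOOD[name] + b"\x01"  # constructed one-byte modification
    return classify(updated, white_list) == "benign"


def refresh_white_list(white_list: set, new_content: bytes) -> set:
    """The maintenance step the paragraph describes: every modification
    requires adding a fresh signature, so the database only ever grows."""
    return white_list | {file_signature(new_content)}


WHITE_LIST = build_white_list(KNOWN_GOOD)

if __name__ == "__main__":
    print(classify(KNOWN_GOOD["editor.bin"], WHITE_LIST))      # benign
    print(classify(b"not-in-the-list", WHITE_LIST))             # suspect
    print(modified_copy_is_still_listed("editor.bin", WHITE_LIST))  # False
```

The lookup itself is cheap for a set this small; the cost the text refers to comes from the list having to hold a signature for every version of every benign file, so each legitimate update enlarges the database and leaves a window in which the updated file is reported as suspect.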
Accordingly, new techniques are desired to reduce the number of false positives in the course of malware detection that do not rely upon white lists.