Traditional malware prevention and removal relies mainly on feature-library approaches. A feature library consists of the feature codes of malware samples collected by a manufacturer; a feature code is a segment of program code, similar to a "search keyword", that an analysis engineer extracts from the place where a malware is found to differ from goodware. During detection and removal, an engine reads a file and matches it against all of the feature codes ("keywords") in the feature library; if a segment of the file's program code is hit, the file's program may be determined to be malware.
Later, a heuristic way of performing antivirus locally was derived. It is a dynamic debugger or decompiler implemented in a particular way, in which the virus's hidden real motive is gradually understood and determined by decompiling a related sequence of instructions. The differences between malware and goodware may show up in many aspects. For example, for an application program, the initial instructions usually examine whether there is a parameter entry in the command-line input, clear the screen, or store the original screen display, etc., whereas for malware the initial instruction is usually a direct disk write operation, a decoding instruction, or a sequence of related operation instructions such as searching for an executable program under a certain path. To a skilled programmer, these significant differences are completely clear at a glance in a debugging state. The heuristic code scanning technique is a specific program implementation that transplants such experience and knowledge into software for detecting and removing viruses.
However, all of the above-mentioned methods for detecting and removing malware are based on a malicious behavior and/or a malicious feature: they first determine whether a program is malware, and only then decide whether to kill or clean it up. This inevitably results in the following disadvantages.
According to statistics, the number of malwares around the world is now increasing exponentially. At such an explosive growth rate, the generation and updating of a feature library often lags behind, and the addition of malware feature codes to the feature library cannot keep up with the endlessly emerging unknown malware.
In addition, in recent years, with the application of anti-antivirus techniques by malware producers, means for packing malware or modifying its feature codes have appeared more and more, and many Trojan programs employ increasingly frequent and quick automatic variation. All of this makes it more and more difficult to determine malware by a malicious behavior and/or a malicious feature, thereby leading to difficulty in detecting and removing or cleaning up malware.
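The following Python example is added here to illustrate the feature-library matching engine described above and the weakness just discussed: a feature code is a byte "keyword" (with single-byte wildcards, as many engines allow), and a sample whose feature code has been altered by even one byte is no longer hit. The example is not from the original text; the library, the detection names and all sample bytes are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed feature library: detection name -> hex pattern, "??" = one-byte wildcard.
# These byte strings are invented for illustration and are not real malware signatures.
FEATURE_LIBRARY: Dict[str, str] = {
    "Example.Dropper.A": "4D 5A 90 00 ?? ?? DE AD BE EF",
    "Example.Worm.B": "E8 00 00 00 00 5B 81 EB",
}


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a bytes regex.

    DOTALL makes '.' match any byte, so a wildcard position accepts anything.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in FEATURE_LIBRARY.items()}


def scan_bytes(data: bytes) -> List[str]:
    """Return the name of every feature code ("keyword") that hits somewhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def scan_file(path: str) -> List[str]:
    """Read a file and match it against the whole feature library, as the engine does."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample that carries the first feature code surrounded by padding.
SAMPLE = b"\x00" * 16 + bytes.fromhex("4D5A9000AABBDEADBEEF") + b"\x00" * 16
# The same sample with one signature byte changed: the library entry no longer matches,
# which is why signature libraries lag behind modified or repacked variants.
VARIANT = SAMPLE.replace(b"\xDE\xAD\xBE\xEF", b"\xDE\xAD\xBE\xEE")

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))   # ['Example.Dropper.A']
    print(scan_bytes(VARIANT))  # []
```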