Personal computers and similar information technology devices, such as mobile phones, tablets, and the like, have become ubiquitous throughout the world. Unfortunately, with the increasingly widespread usage of such technology, there is a corresponding increase in the number, and quality, of computer threats, such as malware. Computer threats in the present context refer generally to objects able to cause any harm to the information and programs on a computer system, such as network worms, spyware, computer viruses, and the like.
Various antivirus technologies are deployed to protect users and their personal computers from possible computer threats. Antivirus software can include various computer threat detection components; signature-based detection engines and heuristic detection engines are particular cases of such components. Because the number of malicious programs has grown significantly, the effectiveness of the above-mentioned protective technologies depends on the number of signatures and heuristic rules that are available for their use. At present, new heuristic rules and signatures are created by experts and by automated signature creation systems designed for such purposes. The extensive work of experts and automated systems results in the creation of a large number of heuristic rules and signatures for detection of computer threats. The large number of created heuristic rules and signatures (hereinafter referred to simply as “detection rules”) often increases the number of false activations during the operation of threat detection systems.
Some existing systems test detection rules by checking the specified rules against a collection of known-safe files. When such systems are used, a detection rule is checked against the collection of safe files and is made available to the user's antivirus software only after an update of the antivirus databases.
However, a representative collection of safe files available to antivirus software manufacturers cannot cover the entire variety of files encountered by users in the field; therefore, feedback on a detection rule is quite often gathered while the rule is already running on the user side. An antivirus application using a detection rule can send notices to the developers specifying which files activated the rule, and the developers analyze this information on their side. However, this scenario places a burden on the developers and suffers from associated inefficiencies and the potential for human error.
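The two-stage process described above (pre-release vetting of a rule against a safe-file collection, then collecting field feedback on files that activated the rule) can be illustrated with a small harness. The following is an added example and is not code from the original document or from any antivirus vendor; the rule format (a set of byte patterns that must all be present), the sample files and their contents, and the helper names are all constructed for illustration.

```python
"""
Added example (not from the original document): vetting candidate detection
rules against a collection of known-safe files before release, then folding in
field feedback from deployed installations. Rule format, file names and file
contents below are constructed for illustration only.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Rule:
    """A toy signature: every byte pattern must occur in the file for a hit."""
    rule_id: str
    patterns: tuple


def matches(rule: Rule, data: bytes) -> bool:
    """True when all of the rule's patterns are present in the file contents."""
    return all(p in data for p in rule.patterns)


def false_activations(rule: Rule, safe_files: dict) -> list:
    """Names of known-safe files that would (wrongly) trigger this rule."""
    return sorted(name for name, data in safe_files.items() if matches(rule, data))


def vet_rules(rules, safe_files):
    """Pre-release check: split candidate rules into releasable ones and
    rejected ones, recording which safe files each rejected rule hit."""
    approved, rejected = [], {}
    for rule in rules:
        hits = false_activations(rule, safe_files)
        if hits:
            rejected[rule.rule_id] = hits
        else:
            approved.append(rule.rule_id)
    return approved, rejected


@dataclass
class FieldFeedback:
    """Notices sent back by deployed antivirus: rule id -> hashes of files
    that activated it. Only a digest travels, not the file itself."""
    reports: dict = field(default_factory=dict)

    def record(self, rule_id: str, data: bytes) -> None:
        digest = hashlib.sha256(data).hexdigest()
        self.reports.setdefault(rule_id, set()).add(digest)

    def suspect_rules(self, safe_hashes: set) -> list:
        """Rules that activated on a file later confirmed to be safe."""
        return sorted(r for r, hs in self.reports.items() if hs & safe_hashes)


# Constructed sample corpus of known-safe files (contents are fake).
SAFE_FILES = {
    "calc.exe": b"MZ\x90\x00 harmless calculator GetProcAddress",
    "notes.txt": b"meeting notes, nothing interesting here",
    "installer.exe": b"MZ\x90\x00 CreateRemoteThread WriteProcessMemory setup",
}

# Constructed candidate rules: one too broad, one that collides with a
# legitimate installer, and one specific enough to pass vetting.
CANDIDATE_RULES = [
    Rule("R1-too-broad", (b"MZ", b"GetProcAddress")),
    Rule("R2-injector", (b"CreateRemoteThread", b"WriteProcessMemory")),
    Rule("R3-specific", (b"EVIL_PAYLOAD_MARKER", b"CreateRemoteThread")),
]


def run_vetting():
    """Stage 1: pre-release check against the safe-file collection."""
    return vet_rules(CANDIDATE_RULES, SAFE_FILES)


def run_field_feedback():
    """Stage 2: a deployed client reports that R2 fired on a file the vendor's
    collection did not contain; once that file is confirmed safe, the rule is
    flagged for review."""
    unseen_safe_file = b"MZ\x90\x00 CreateRemoteThread WriteProcessMemory debugger"
    feedback = FieldFeedback()
    feedback.record("R2-injector", unseen_safe_file)
    confirmed_safe = {hashlib.sha256(unseen_safe_file).hexdigest()}
    return feedback.suspect_rules(confirmed_safe)


if __name__ == "__main__":
    print("vetting:", run_vetting())
    print("rules flagged by field feedback:", run_field_feedback())
```

The vetting stage catches only collisions with files the vendor already holds; the feedback stage is what covers files first seen on the user side, and it hands the developer a list of rules to re-examine rather than raw activation notices.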
A solution is needed that facilitates automated deployment of highly selective detection rules (which, when used, will not cause false activations).