A computer virus, in the broad sense that the term is used in the present specification and claims, is any malicious computer program or code that has the potential to infect normal computer files or damage computer systems in any way. Computer viruses typically reside in executable computer code and are activated when the computer code is executed. For example, a computer virus may be buried in an .EXE or .COM file, a JavaScript file embedded in an email in HTML format, or a WORD macro template. Some computer viruses replicate themselves to use up computer resources in computer hard drives or memories and thus cause the computer system to collapse. Some computer viruses reformat computer hard drives to destroy computer files. Some computer viruses, e.g., Trojan horse type viruses, do not copy themselves to other computer code, but they allow a hacker at a remote computer to take control of an infected computer.
Nowadays computer viruses spread rapidly throughout computer networks. New viruses can contaminate hundreds of thousands of computers worldwide in a few hours or days and cause enormous damage. During a virus outbreak, enterprise computer networks are especially vulnerable to computer virus attack because most of them are constantly connected to a wide area network (WAN) to communicate with outside computers or networks. This gives computer viruses fertile ground from which to invade the enterprise computer networks from any location within the WAN.
Current anti-virus technologies fall short of providing optimal protection for enterprise computer networks against computer virus attacks. Many individuals and organizations use reactive technologies, e.g., anti-virus scanning software, to scan computer files in their servers and/or client computers to detect computer viruses that are known and have been analyzed. The reactive anti-virus software often fails to catch or prevent new and unknown infections. Another anti-virus technology, behavior blocking anti-virus software, has the capability to detect new varieties of computer viruses by monitoring whether computer code acts in a virus-like manner, such as changing a file attribute from “read-only” to “write” before infecting the file. The drawback of such behavior blocking anti-virus software is its high rate of false virus alerts, because it has difficulty distinguishing a computer virus from normal software, which sometimes acts in a virus-like way. For example, standard installation and upgrade routines may patch existing files in a manner similar to a computer virus. To reduce the false alerts, a network administrator may have to lower the sensitivity of the behavior-blocking software, which entails a higher risk of virus infection during a computer virus outbreak.
While some approaches provide temporary solutions that address the short-term effects of virus outbreaks, these solutions may be inadequate for routine protection against infection. For example, a number of systems may be infected before an administrator detects a virus outbreak. While methods exist for constantly checking for viruses, these methods are cumbersome and can continue to apply unnecessary scrutiny to files that may no longer be suspicious. What is needed is a method for screening computer code that targets computer code during the period when it is most likely to be infected.