The constant progress of communication systems that connect computers, particularly the explosion of the Internet and intranet networks, has resulted in the development of a new information era. With a single personal computer, a user may obtain a connection to the Internet and have direct access to a wide range of resources, including electronic business applications that provide a wide range of information and services. Solutions have been developed for rendering and accessing a huge number of resources. However, as more computers have become interconnected through various networks such as the Internet, abuse by malicious computer users has also increased. As a result, computer systems that identify potentially unwanted software have been developed to protect computers from the growing abuse that is occurring on modern networks.
It is estimated that four out of five users have unwanted software on their personal computers. Those skilled in the art and others will recognize that unwanted software may become resident on a computer using a number of techniques. For example, a computer connected to the Internet may be attacked so that a vulnerability on the computer is exploited and the unwanted software is delivered over the network as an information stream. These types of attacks come in many different forms including, but certainly not limited to, computer worms, denial of service attacks and the like, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. Also, unwanted software may become resident on a computer using social engineering techniques. For example, a user may access a resource such as a Web site and download a program from the Web site to a local computer. While the program may be described on the Web site as providing a service desirable to the user, in actuality the program may perform actions that are malicious or simply undesirable to the user. While those skilled in the art will recognize that unwanted software may take many different forms, for purposes of the present invention and for simplicity in description, all unwanted software will be generally referred to hereinafter as computer malware or, more simply, malware. As described herein, computer malware includes, but is certainly not limited to, spyware, adware, viruses, Trojans, worms, rootkits, or any other computer program that performs actions that are malicious or not desirable to the user.
When malware becomes resident on a computer, the adverse results may be readily noticeable to the user, such as system devices being disabled; applications, file data, or firmware being erased or corrupted; or the computer system crashing or being unable to perform normal operations. However, some malware performs actions that are covert and not readily noticeable to the user. For example, spyware typically monitors a user's computer habits, such as Internet browsing tendencies, and transmits potentially sensitive data to another location on the network. The potentially sensitive data may be used in a number of ways, such as identifying a commercial product that matches the observed tendencies of the user. Then the spyware may be used to display an advertisement to the user that promotes the identified commercial product. Since the advertisement interrupts the normal operation of the computer, the actions performed by the spyware may not be desirable to the user.
Many vendors have developed programs to identify and/or remove malware from a computer. Typically, a collection of signatures is developed that represents each piece of malware and then a computer is searched for objects (e.g., files, databases, etc.) that match these signatures. However, vendors who develop programs that identify and/or remove malware from a computer have been known to incorrectly identify a program as malware. In some instances, a program may be considered malware by one user and a beneficial program that performs desirable functions by another user. Moreover, under the present signature-based system, computers may be susceptible to malware in certain circumstances. For example, even when a user regularly installs software updates on a computer that provide the most recent malware signatures, there is a vulnerability window that exists between when a new computer malware is released on the network and when the new signature may be developed and installed to protect the computer from the malware. As the name suggests, it is during this vulnerability window that a computer system is vulnerable or exposed to the new computer malware.