A new executable file being created on a system represents a potentially critical moment for the security of the system. The executable file may be a new software program being installed, an existing application being updated, or a form of malware. Attempts have been made to restrict the ability of users and processes to create new executable files by requiring administrator privileges to do so, but these attempts so significantly limit the flexibility and usability of computing systems that they may be viewed as annoyances to be bypassed.
Instead of trying to restrict the ability to create new executable files, computing security organizations have focused on identifying the provenance of executable files and analyzing their contents. Security mechanisms such as code signing certificates and reputation systems have been used to attest to the trustworthiness of executable code files. A variety of malware protection systems analyze the contents of executable files as they are created to ensure that the files are benign.
Despite these measures, malware often manages to infect computing systems, sometimes even by commandeering the software distribution systems that deliver software programs and updates. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for threat detection associated with software updates.