1. Field of the Invention
The present invention relates to techniques for controlling access to suspicious files, and more particularly to a computer program product, method and data processing apparatus for reviewing files for potential malware. As will be appreciated by those skilled in the art, “malware” may include, amongst other things, viruses, worms, Trojans, and/or computer files, words, content, etc. that are considered to be banned.
2. Description of the Prior Art
It is often desirable to perform malware scanning of files, for example to seek to prevent the distribution of such malware within a computer network. Accordingly, appropriate scanning software has been written for installation within the computer network so as to enable files to be scanned at appropriate times, for example when they are written to a device within the computer network, read from such a device, etc. An example of such scanning software would be anti-virus (AV) software installed within the computer network to perform scanning of the files in order to determine whether they contain computer viruses.
Typically, the anti-virus scanner can be configured to determine when scanning is performed (e.g. when files are read, when files are written, both, etc.), what type of files are scanned (all files, only executable files, files of a type in which a macro program may be embedded, compressed files, etc.), and what type of scanning is performed. Currently, there are two general types of scanning that are performed. The first type of scanning involves the use of anti-virus algorithms that compare a suspect file to a dictionary of known virus characteristics, whilst the second type of scanning involves the use of heuristic algorithms that seek to detect virus-like activity associated with a file being scanned.
Regarding the first type of scanning, this is basically a “find/fix” technique. When a new virus is released into the public domain, anti-virus vendors have to obtain a sample of the virus code to be able to add detection routines into their anti-virus software, and then release a signature file that has to be loaded into the dictionary of known virus characteristics by each of the anti-virus vendor's customers. This means that anti-virus software of the first type is always “one step behind” the virus writers, and if a new virus is received by a user on a computer network, the virus can very rapidly spread out of control until the new signature file is developed by the anti-virus vendor.
Whilst the second type of scanning involving heuristic detection can provide some assistance in detecting new viruses, it would be desirable to provide an improved technique for detecting the presence of new viruses, or other types of malware, within a computer network.
Accordingly, it is an object of the present invention to provide an improved technique for detecting potential malware within a computer network.