Computer systems today run the risk of being infected by malware that disrupts the system, destroys data, or causes other unwelcome behavior. Malware includes computer viruses, worms, rootkits and similar programs that disrupt operation and cause damage.
Traditional malware prevention technologies either use pattern matching (including virus signatures) to detect a malware file and block specific files from running, or use behavior-based rules and policies to detect specific activities and then block the processes and files causing those activities. A drawback of such approaches is the requirement to update virus patterns, rules and policies continuously. Another disadvantage, which is the biggest concern of users, is the high consumption of computer system resources and the resulting decrease in computer system performance.
It is realized that most malware today uses some kind of self-defense mechanism, and these techniques can be classified in a variety of ways. Some of these techniques are used to bypass virus signature scanning, while others are meant simply to hinder any analysis of the malicious code in a malware file. One malicious program may attempt to conceal itself in the computer system, while another will instead search for and counter specific types of antivirus protection. In general, malware self-defense techniques range from passive to active, and from targeted to general. These techniques include: blocking files as a countermeasure against file scanning; modifying the “hosts” file in order to block access to antivirus update sites; hindering signature-based detection of a virus; preventing analysis of the virus code by an engineer; hindering detection of a malicious program in the computer system; and searching for and hindering the functionality of security software such as firewalls.
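One of the self-defense techniques listed above, tampering with the “hosts” file to cut a machine off from antivirus update sites, leaves a simple artifact that a defender can check for. The following script is an added example written for this page, not code from the original text: it parses hosts-file content, then flags any entry that maps a watched security-update domain to a loopback or unspecified address. The hosts content and the domain names are constructed placeholders; a real deployment would substitute its own vendors' update hosts and read the live file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`).

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the page). The
# example-* domains are placeholders standing in for real vendor update hosts.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.example-av.com
127.0.0.1   liveupdate.example-security.net www.example-security.net   # sinkholed
10.0.0.5    intranet.corp.example
"""

# Assumed list of security-update domains that should never appear in a
# hosts file at all; replace with the vendors actually deployed.
WATCHED_DOMAINS = {
    "update.example-av.com",
    "definitions.example-av.com",
    "liveupdate.example-security.net",
    "www.example-security.net",
}


def parse_hosts(text):
    """Return (line_number, address, hostname) tuples for every valid mapping.

    Comments (anything after '#'), blank lines, and lines whose first field is
    not an IP address are skipped, mirroring how resolvers treat the file.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for host in fields[1:]:
            entries.append((lineno, str(address), host.lower().rstrip(".")))
    return entries


def find_blocked_update_hosts(text, watched=WATCHED_DOMAINS):
    """Flag watched domains present in the hosts file.

    Any mapping for a watched domain is suspicious, since these hosts are
    normally resolved via DNS. Mappings to loopback or the unspecified address
    (0.0.0.0 / ::) are additionally marked as sinkholed, the pattern used to
    block update traffic outright.
    """
    findings = []
    for lineno, address, host in parse_hosts(text):
        if host not in watched:
            continue
        ip = ipaddress.ip_address(address)
        findings.append({
            "line": lineno,
            "host": host,
            "address": address,
            "sinkholed": ip.is_loopback or ip.is_unspecified,
        })
    return findings


if __name__ == "__main__":
    for f in find_blocked_update_hosts(SAMPLE_HOSTS):
        status = "SINKHOLED" if f["sinkholed"] else "redirected"
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({status})")
```

The check deliberately ignores the legitimate `localhost` entries and the unrelated intranet mapping, and it only reports domains on the watch list, so a clean hosts file produces no output. Running it over the constructed sample reports the three sinkholed vendor hosts on lines 4 and 5.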
Given the importance of detecting malware and preventing it from operating within a computer system, and the drawbacks of traditional technologies such as pattern matching and behavior matching, further techniques for disabling malware are desired.