Dealing with malicious code such as viruses and Trojan horses is a constant concern for software developers. Hackers generally take advantage of a vulnerability within an application or file format as soon as the vulnerability becomes known. Malicious code that takes advantage of a known vulnerability on the same day that the vulnerability becomes generally known is referred to as a zero day exploit. To date, there are very few solutions that effectively deal with zero day exploits.
Because of the speed with which the malicious code can be circulated in a zero day exploit, developers do not have enough time to implement a patch or other solution to deal with the vulnerability. Frequently, the only solution available is to reduce the potential for opening malicious code by encouraging users to follow security best practices such as turning off unneeded services, keeping patch levels up to date, and avoiding opening attachments that are from unknown sources or are unexpected. Once a vulnerability becomes known, a user can avoid opening files that are affected by the vulnerability. However, this does not provide an adequate solution in cases where a user must access the file.
Moreover, currently available software applications (e.g., anti-virus software) used to search for and eliminate malicious code must have some previous knowledge of the malicious code or vulnerability being exploited. For example, some applications search documents for code that has been previously identified as malicious. Other applications require knowledge about the vulnerability, such as a particular field in a structure that should be searched for unusual code. Each of these methods requires prior knowledge (of the code or the vulnerability). In a zero day exploit, the vulnerability will not be known, and hackers generally create new code that will not be identified as malicious. This makes currently available software applications ineffective against zero day exploits.
It is with respect to these and other considerations that embodiments of the present invention have been made. Also, although relatively specific problems have been discussed, it should be understood that embodiments of the present invention should not be limited to solving the specific problems identified in the background.