Malicious software (i.e., “malware”) presents a serious hazard to computer systems and devices. Once present on a computing system or device, malware can, amongst other effects, appropriate personal, financial or otherwise sensitive information, and hinder or wholly prevent proper system performance. Despite efforts to block or remove malware from systems, such as the use of antivirus software programs, it is estimated that millions of computing systems are infected with some form of malware. The widespread presence of malware is due in part to the extent and diversity of malware variants. Indeed, malware can take the form of viruses, worms, bots, Trojan horses, rootkits, keyloggers, spyware, adware, and ransomware, amongst others, and new types of each are being created constantly.
Typical methods for protecting computing devices from malware utilize code signatures from known malware variants. For example, techniques such as deep packet inspection can be used to examine all data or files entering a network and compare them to known malware signatures. If some or all of the incoming code matches a known signature, the data or file is denied access. These methods, however, rely on first discovering and identifying malware signatures. Because so many new malware variants are constantly being created, a computing system remains vulnerable to any new variant whose signature has not yet been identified. Malware capable of mutating its own code can also avoid detection by these techniques by changing its code so that it no longer matches the identified signature.
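The following is an added illustration of the signature-matching approach described above and of its two limitations; it is not part of the original text. The signature names, byte patterns and sample files are all constructed for the example. It also shows a caveat that matters for deep packet inspection specifically: a signature that straddles a packet boundary is missed unless the stream is reassembled before matching.

```python
import re

# Constructed signature database: name -> byte pattern extracted from a
# (hypothetical) known sample. Real signature databases are far larger.
SIGNATURES = {
    "Example.Dropper.A": rb"EVIL_MARKER_01",
    "Example.Worm.B": rb"WORM_B_CONFIG=",
}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the sorted names of every signature found in `data`."""
    return sorted(name for name, pattern in signatures.items()
                  if re.search(pattern, data))


def scan_stream_naive(packets, signatures=SIGNATURES) -> list:
    """Inspect each packet in isolation (misses patterns split across packets)."""
    hits = set()
    for packet in packets:
        hits.update(scan(packet, signatures))
    return sorted(hits)


def scan_stream_reassembled(packets, signatures=SIGNATURES) -> list:
    """Reassemble the stream first, then inspect it as one buffer."""
    return scan(b"".join(packets), signatures)


# Constructed sample files (not real malware): a known sample, a variant of
# it with one byte changed inside the signature region, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EVIL_MARKER_01" + b"\x00payload-data"
MUTATED_SAMPLE = b"MZ\x90\x00" + b"EVIL_MARKER_02" + b"\x00payload-data"
BENIGN_FILE = b"MZ\x90\x00" + b"hello world"

# The known sample split into two packets at offset 10, which falls in the
# middle of the signature bytes.
PACKETS = [KNOWN_SAMPLE[:10], KNOWN_SAMPLE[10:]]


def demo() -> dict:
    """Run every case and report what the scanner decides."""
    return {
        "known": scan(KNOWN_SAMPLE),            # matched by signature
        "mutated": scan(MUTATED_SAMPLE),        # one-byte change evades it
        "benign": scan(BENIGN_FILE),            # no match
        "packets_naive": scan_stream_naive(PACKETS),          # missed
        "packets_reassembled": scan_stream_reassembled(PACKETS),  # found
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result or 'no match'}")
```

The mutated variant is identical to the known sample except for the signature bytes, which is exactly the case the paragraph describes: until someone extracts and distributes a new signature, the scanner has nothing to match. The packet example is the reason production inspection engines buffer and reassemble flows rather than matching packet by packet.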
Various heuristic analysis techniques can be used to attempt to detect the presence of currently unknown types of malware by evaluating the traits of individual files. For example, some heuristic techniques scan the code of files for flagged characteristics that are indicative of malware, or execute the files in a protected environment, such as a sandbox, and analyze the actions the file attempts. However, these heuristic techniques often result in false positives and the subsequent quarantine of benign files, and the intensive analysis they require can consume an undesirable amount of system resources.
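As an added example (not from the original text), the following trait-scoring heuristic of the first kind mentioned above shows how a false positive arises. The flagged strings, the packer marker, the entropy threshold and the score threshold are all constructed for the illustration; a legitimate packed installer trips the same two traits as a genuinely suspicious file and is quarantined along with it.

```python
import math
from collections import Counter

# Constructed heuristic rules. Each trait contributes one point.
FLAGGED_STRINGS = [b"keylog", b"encrypt_all_files", b"disable_antivirus"]
PACKER_MARKER = b"UPX!"        # assumed marker left by a packer
ENTROPY_THRESHOLD = 7.0        # bits per byte; packed/encrypted data sits near 8
SCORE_THRESHOLD = 2            # traits needed before a file is flagged


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def file_traits(data: bytes) -> list:
    """Collect the flagged characteristics present in `data`."""
    traits = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        traits.append("high_entropy")
    if data.startswith(b"MZ") and PACKER_MARKER in data:
        traits.append("packer_marker")
    for s in FLAGGED_STRINGS:
        if s in data:
            traits.append("string:" + s.decode())
    return traits


def classify(data: bytes) -> tuple:
    """Return ('suspicious' | 'clean', traits) using the score threshold."""
    traits = file_traits(data)
    verdict = "suspicious" if len(traits) >= SCORE_THRESHOLD else "clean"
    return verdict, traits


# Constructed samples. A perfectly uniform byte distribution stands in for a
# packed or compressed section (entropy exactly 8.0 bits per byte).
UNIFORM_SECTION = bytes(range(256)) * 16
PLAIN_TEXT = b"Hello world " * 100                              # low entropy
BENIGN_PACKED_INSTALLER = b"MZ" + PACKER_MARKER + UNIFORM_SECTION
SUSPECT = b"MZ" + PACKER_MARKER + b"keylog" + UNIFORM_SECTION


def demo() -> dict:
    return {
        "plain_text": classify(PLAIN_TEXT),                  # clean
        "benign_packed": classify(BENIGN_PACKED_INSTALLER),  # false positive
        "suspect": classify(SUSPECT),                        # true positive
    }


if __name__ == "__main__":
    for name, (verdict, traits) in demo().items():
        print(f"{name:14s} {verdict:10s} {traits}")
```

Raising SCORE_THRESHOLD to 3 would clear the packed installer but also let through any sample that happens to show only two traits, which is the trade-off the paragraph alludes to: the traits are correlated with malware, not proof of it, and every threshold choice trades false positives against misses.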
Even when these forms of analysis are combined, the ever-expanding range of malware variants can yield malware that escapes these detection methods and may not be promptly recognized, if at all, as being present on a computing device or network. Therefore, it would be desirable to provide additional detection techniques that can promptly indicate the presence of malware, even a currently unidentified variant, without falsely identifying truly acceptable files or consuming an undesirable amount of system resources in the process.
Additionally, as part of a network security strategy, information technology (“IT”) professionals and similar employees often ask users to utilize only previously approved software rather than installing additional programs that could potentially compromise the security of the user's computing device or the network as a whole. Despite this, users may still install additional programs on their own computing devices. As such actions can unwittingly compromise the security of their own computing device or the network, it would also be desirable to provide techniques for indicating the presence of unauthorized software on a user's computing device.