This disclosure relates generally to the field of computer security. More particularly, but not by way of limitation, it relates to the provision of cleaning code to remove malware and its effects from a device in close temporal proximity to the detection of the malware on the device.
Malware is a broad term used to describe malicious software that infects computer systems and can have varying degrees of effects. For example, the effects of malware can range from irritating and unwanted adware and spyware to computer viruses, worms, and Trojan horses that can render a computer system virtually useless. With the vast number of devices connected to networks such as the Internet and the expansion of high speed connections to these networks, malware threats can spread from system to system extremely rapidly. It is therefore common practice to employ some type of antivirus application (the term antivirus here referring to software that addresses a wide variety of malware) on these devices to detect malware on the device and, if necessary, perform desired cleaning functions to remove the malware and repair its effects.
Because malware creators continuously introduce new and unique forms of malware, antivirus applications must be updated regularly to include techniques capable of detecting and repairing the most recently introduced malware threats. Accordingly, antivirus software providers routinely distribute definition files as updates to their antivirus applications. These definition files typically consist of signature files representative of known malware, to which system files can be compared for the detection of malware, and cleaning code to remove the known malware and repair its effects if it is detected. Even with these updates, however, it is possible for malware threats to infect large numbers of computer systems before new definition files are made available as part of an update.
Antivirus software providers have therefore employed cloud technology to detect malware. Cloud technology allows for the provisioning of services and data from a remote location via a network connection to a local device. In the case of malware detection using antivirus software, for example, information about a suspicious system file which cannot be identified as malware based on the definition files installed on the device may be packaged and transmitted utilizing cloud technology to a network device associated with the antivirus software provider via an Internet connection for further inspection. The network device can evaluate the provided information and respond with an indication that the file is or is not malware. It is therefore possible to detect malware using cloud technology even where updated definition files containing a signature of the malware have not been provided as part of a software update. However, in response to a detection of malware using cloud technology, only the most generic remedial measures to address the malware are available. For example, a default remedial measure to address detected malware for which there is no specific cleaning code may be to simply delete a suspect file. Such measures often fail to fully address the threat, and, therefore, a user of the antivirus software is left to wait for the next software update containing the proper cleaning code to address the detected malware.
An antivirus application may not have the appropriate cleaning code even where malware is detected using the antivirus application installed on the local device. For example, an antivirus application may include heuristic detection techniques according to which the software may detect malware not by comparing a system file to a signature of known malware but rather by evaluating a system file to detect properties that resemble malware. Using this type of detection, antivirus software is capable of detecting malware without the use of a signature representing the particular malware. Because this technique detects malware not by recognizing a file as a specific known malware but rather by recognizing the file as consistent with general properties of malware, it is possible that no specific cleaning code will be available as part of the definition files to address the detected malware. Here again, a user may be left to wait for the next software update containing the proper cleaning code to address the detected malware.
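The prior-art detection and remediation flow described above, as an added illustration that is not part of this disclosure: a local signature match yields specific cleaning code, while a cloud verdict or a heuristic hit yields only the generic default action. The definition table, cloud verdict table, heuristic marker and cleaning step names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for an installed definition file:
# signature (SHA-256 of file content) -> name and the cleaning code shipped with it.
DEFINITIONS = {
    hashlib.sha256(b"constructed-known-sample").hexdigest(): {
        "name": "Example.Known",
        "cleaning": ["delete_file", "remove_run_key"],  # specific cleaning code
    },
}

# Constructed stand-in for the provider's cloud service: fingerprint -> verdict.
CLOUD_VERDICTS = {
    hashlib.sha256(b"constructed-new-threat").hexdigest(): "malware",
    hashlib.sha256(b"constructed-benign").hexdigest(): "clean",
}

# The only remedial measure available when no specific cleaning code exists.
GENERIC_REMEDIATION = ["delete_file"]


@dataclass
class Verdict:
    source: str      # "local-signature", "cloud", "heuristic" or "none"
    name: str
    cleaning: list   # cleaning steps the client can actually perform


def heuristic_suspicious(content: bytes) -> bool:
    # Simplified property-based check standing in for real heuristics;
    # the marker is a constructed value, not a real indicator.
    return b"MARKER" in content


def scan(content: bytes, cloud_lookup=CLOUD_VERDICTS.get) -> Verdict:
    digest = hashlib.sha256(content).hexdigest()
    if digest in DEFINITIONS:
        entry = DEFINITIONS[digest]
        return Verdict("local-signature", entry["name"], list(entry["cleaning"]))
    # Not in local definitions: ask the cloud using only a fingerprint.
    if cloud_lookup(digest) == "malware":
        return Verdict("cloud", "Cloud.Unknown", list(GENERIC_REMEDIATION))
    # Last resort: heuristic detection, again without specific cleaning code.
    if heuristic_suspicious(content):
        return Verdict("heuristic", "Heur.Generic", list(GENERIC_REMEDIATION))
    return Verdict("none", "", [])
```

Running `scan` over the three constructed inputs shows that only the locally signed sample receives the full cleaning sequence; the cloud and heuristic detections fall back to deleting the file.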
There is thus a need to address these and other issues associated with the prior art.