As is known in the art today, computer viruses, or more generally malware, are identified either by virus signature matching or by a behavior-based heuristic technique. Virus signature matching requires analysis of known malware, development of malware signatures, and then deployment of the resulting virus pattern file to customer sites. Behavior-based heuristic detection likewise requires a constant effort to identify the behavior of known and unknown malware, to codify that behavior into rules, and then to deploy those rules to customer sites. In general, both approaches require constant effort to maintain protection.
The cost and effort of developing either signature-based or behavior-based patterns is increasing. This trend is especially apparent when large amounts of new malware are created by automation or by polymorphism, or when attacks use so-called zero-day malware. Zero-day malware is difficult to detect on the day it is first introduced, because no pattern file has yet been developed for it and it may exhibit behavior that is new. Detection of this type of virus would therefore be beneficial. Even known viruses can cause problems if they are not detected right away, or if antivirus software is installed and made operational only after the virus has already infected a computer. These known viruses (and zero-day malware as well) cause problems because, if not removed right away, they are often capable of creating other malicious files, known as dropped files. Dropped files are problematic because, while the original virus may eventually be removed once its signature is present in a virus pattern file, there may be no virus signature for the dropped files. Further, there may be no heuristic rule capable of detecting them. The dropped files may then remain on the user's computer and cause damage.
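The following is an added illustration of the detection gap described above; it is not code from the patent and implements neither its method nor any real scanner. It models a conventional scanner with a signature pattern file (a file hash plus a family byte pattern) and a behavior rule set, then runs three constructed samples through it: the analysed virus, a polymorphic variant of it, and a file that virus drops. The sample bytes, action traces, hashes, patterns, and rule names are all constructed for the example.

```python
"""Added example: why a dropped file can evade both signature matching and
behavior-based heuristics.  All samples, signatures and rules below are
constructed for illustration (not real malware, not real pattern files)."""
import fnmatch
import hashlib

# --- Constructed "virus pattern file" ------------------------------------
KNOWN_VIRUS = b"MZ\x90\x00EVIL_LOADER_v1 ... writes payload.exe and runs it"
PATTERN_FILE = {
    # exact-file signature: hash of a previously analysed sample
    "hashes": {hashlib.sha256(KNOWN_VIRUS).hexdigest()},
    # family signature: a byte sequence extracted from analysed samples
    "byte_patterns": [b"EVIL_LOADER_v1"],
}

# --- Constructed behavior-rule set ---------------------------------------
# Each rule is an ordered list of action globs; a sample matches a rule if
# its recorded actions contain these in order (not necessarily adjacent).
BEHAVIOR_RULES = {
    "drop-and-execute": ["write_file:*.exe", "create_process:*.exe"],
}


def signature_match(data, pattern_file=PATTERN_FILE):
    """Return the kind of signature hit ('hash' or 'pattern'), or None."""
    if hashlib.sha256(data).hexdigest() in pattern_file["hashes"]:
        return "hash"
    if any(p in data for p in pattern_file["byte_patterns"]):
        return "pattern"
    return None


def behavior_match(actions, rules=BEHAVIOR_RULES):
    """Return the name of the first rule the action trace satisfies, or None."""
    for name, sequence in rules.items():
        pos = 0  # position in the rule's ordered sequence
        for action in actions:
            if fnmatch.fnmatch(action, sequence[pos]):
                pos += 1
                if pos == len(sequence):
                    return name
    return None


def classify(sample):
    """Combine both detectors the way a conventional scanner would."""
    sig = signature_match(sample["bytes"])
    if sig:
        return f"signature:{sig}"
    beh = behavior_match(sample["actions"])
    if beh:
        return f"behavior:{beh}"
    return "undetected"


# --- Constructed samples (hypothetical content and action traces) ---------
DROPPER_ACTIONS = [
    "write_file:C:\\Temp\\payload.exe",
    "create_process:C:\\Temp\\payload.exe",
]
SAMPLES = {
    # the analysed virus itself: its hash is in the pattern file
    "known_virus": {"bytes": KNOWN_VIRUS, "actions": DROPPER_ACTIONS},
    # a polymorphic variant: bytes rewritten (XOR-masked), behavior unchanged,
    # so only the behavior rule catches it
    "polymorphic_variant": {
        "bytes": b"MZ\x90\x00" + bytes(b ^ 0x5A for b in b"EVIL_LOADER_v1"),
        "actions": DROPPER_ACTIONS,
    },
    # the dropped file: new bytes, and behavior no deployed rule describes
    "dropped_file": {
        "bytes": b"MZ\x90\x00PAYLOAD: read browser db, post to remote host",
        "actions": [
            "read_file:C:\\Users\\u\\AppData\\browser.db",
            "net_connect:203.0.113.5:443",
        ],
    },
}


def scan_all(samples=SAMPLES):
    """Run every sample through the combined scanner; returns name -> verdict."""
    return {name: classify(s) for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:20s} -> {verdict}")
```

Running the block shows the three outcomes the text describes: the known virus is caught by its hash, the polymorphic variant only by the behavior rule, and the dropped file by neither, since its bytes appear in no pattern file and its actions match no deployed rule.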
Accordingly, an improved technique is desired that would be able to detect malware in general without the cost and effort of pattern creation, and that would specifically detect and remove the files dropped by known and unknown computer viruses without relying on a virus pattern file.