An increasing amount of malware (e.g., viruses, worms, Trojan horses and the like) is returning to the model of hiding in a host file, rather than existing in an file of its own and spreading itself across computer systems. This type of malware injects itself into an existing executable image (or other type of file), modifying it in such a way that the original application (generally) works as expected, but at the same time quietly hosts the malware. Unlike simple file based malware, removing such infections requires undoing the modifications made to the original executable, rather than simply destroying the malicious files. The modifications made to the host file may be polymorphic, and thus unique to each infection.
Moving towards a white listing model makes the detection of such modified binaries easier than with the currently widespread black list technology. Under such a model, rather than searching for the signature of known (blacklisted) malicious code, binaries are checked against a list of signatures for known benevolent programs (a whitelist). Thus, for various known files, signatures are maintained for the various known versions, revisions, release sets, etc. If a binary being checked by security software does not match one of the known good signatures for a binary of its name, description, version information, etc., it is assumed to be malicious.
Although the above described whitelisting methodologies can be used to detected infection of a host file, it would be desirable to be able to be able to remove such detected infections.