Malicious computer executable instructions, commonly referred to as “malware”, can take many forms, including, for example, viruses, Trojan horses, and software exploits. At bottom, however, all share one basic characteristic: they seek to cause the execution of the malicious computer executable instructions on a computing device. Some malware is capable of causing a target computing device to execute its instructions by exploiting the ignorance or unpreparedness of the users of that computing device. Thus, for example, a malicious executable file can be presented as an image or other benign file to entice a user of a computing device to open such a file and, consequently, cause the execution of the malicious computer executable instructions present in the file. Other malware is capable of causing a target computing device to execute its instructions by exploiting aspects of the design of the computing device or other executable instructions executing on the computing device. For example, early forms of malware were able to commandeer specific interrupts in early operating systems, and thereby copy themselves or cause execution of their malicious instructions.
Often, the malicious computer executable instructions that comprise a piece of malware were embedded in or attached to other, benign files. Traditionally, such files were executable files having their own, benign, computer executable instructions. When such files were “infected” with the malware, the execution of the benign computer executable instructions of the file would also result in the execution of malicious computer executable instructions. More recently, however, malware has taken the form of non-executable files that, traditionally, would not have had computer executable instructions within them. For example, structured document files can, themselves, be malware because such files can be created such that, when they are parsed by an appropriate program in order to be displayed and edited, the design of the parser can be exploited to cause the execution of malicious computer executable instructions embedded within the document file.
Efforts to prevent the execution of malicious computer executable instructions have traditionally focused on detecting the malware and preventing the execution of what were deemed to be “suspicious” instructions. Malware detection has traditionally focused on finding unique combinations of data that are only present in the malware. Such unique combinations, known as malware “signatures”, can enable malware-detecting mechanisms to identify malware from among other, legitimate, non-malicious computer executable instructions. However, in order to detect malware by searching for its signatures, those signatures must first be identified and distributed. Such identification and distribution of signatures requires time, thereby providing a window of time during which the malware can execute on a computing device without detection. To prevent malware from executing without waiting for such signatures to be identified and distributed, behavior blockers were developed that monitored the execution of computer executable instructions and stopped any instructions that appeared to be suspicious. Unfortunately, the behavior of malware was often similar to the behavior of legitimate software applications, such as installation applications or operating system utilities. Consequently, behavior blockers would often alert the user to suspicious activity when the user was performing legitimate actions. As a result, behavior blockers were often not trusted by the users of computing devices.