Message security has been an important factor in computer systems for years. Initially, anti-virus programs ran on individual computers, protecting against individual files that were loaded into memory. Because each computer needed its own copy of the anti-virus program, computers without anti-virus programs could be compromised even in the face of corporate policy to the contrary.
Over time, server anti-virus programs became available. Such programs could theoretically protect an entire company's network against viruses by scanning all the files on all network-attached computers. But server anti-virus programs had a weakness: they could only scan files on computers on the network. This meant that if a computer was disconnected from the network, that computer could be infected with a virus.
As e-mail became a more prominent tool, other threats arose. A file could enter the network as an attachment to an e-mail message. If that file had a virus, the virus could infect the network. So anti-virus tools began to scan e-mail messages and attachments to e-mail messages.
Over time, new threats have emerged: websites that could execute code in a browser and thereby infect a computer, phishing websites and messages (which attempted to persuade a person to part voluntarily with sensitive information), and so on. Anti-virus programs have kept up with the threats by becoming more sophisticated.
But anti-virus programs have traditionally relied on detecting malicious content via signatures. This technology has two weaknesses. First, anti-virus programs have to store increasing numbers of virus signatures, all of which must be considered (because once a virus has been created, it could potentially be used at any later time, even years or decades after its creation). Second, because anti-virus programs use signatures to detect malicious content, until a signature has been created for a particular threat, the anti-virus program cannot detect that threat.
One way anti-virus programs address threats for which signatures have not yet been created is by using heuristics. The anti-virus programs look for content that looks like a threat, even if no threat is actually known that matches the heuristic. But while heuristics can protect against content that might be an unknown threat, heuristics can also end up flagging content as suspicious when it is, in fact, benign.
A need remains for a way to manage the risk associated with potentially malicious content.