It is known in the art that each day, many tens of thousands of new malicious software programs are discovered. These programs can compromise the security of general computing devices. Possible security violations include, but are not limited to, the theft of data from the system, the usurping of the system for other nefarious purpose (like sending spam email), and, in general, the remote control of the system for other malicious actions.
One popular technique in the art for detecting malicious software comprises the following steps:                a. Establishing through some independent means that the application is malicious (e.g., by manually analyzing it).        b. Computing a hash or fingerprint of this software. A hash is a mathematical transformation that takes the underlying binary contents of a software application and produces a relatively short string, with the idea being that two different applications will, with overwhelmingly high probability, have distinct fingerprint values. Common functions for performing this fingerprinting or hashing step include SHA-256, SHA-1, MD5, and others. Besides hash and fingerprint, another term used in the art to describe this transformation is a signature. For the purposes of this invention, the terms hash, fingerprint, and signature will be used interchangeably.        c. Publishing this hash so that it is accessible to end-users operating a general purpose computing device.        d. Having the device compare this fingerprint with the fingerprint of any new software applications that have arrived on the system.        e. Applying a set of steps based on a given policy if the fingerprints match (e.g., blocking the installation of the application).        
The above technique suffers from the drawback that it only works when an application is determined to be malicious ahead of time. Put differently, it is a reactive approach. It is understood in the art that oftentimes superficial changes to a malicious application will cause it to have a different fingerprint even though the underlying actions of the application continue to be malicious. If the fingerprint changes, then it will no longer match the one that was initially established for the application, and consequently the application can potentially evade detection by anti-malware technology. Indeed, the explosion in malware instances appears to be a result of malware authors making frequent, but innocuous, changes to a smaller number of applications rather than creating entirely new applications.
There is, accordingly, a need in the art to develop methods, components, and systems for detecting malicious software in a proactive form that addresses the above limitations.