As used herein a “threat” comprises malicious software, also known as “malware” or “pestware”, which comprises software that is included or inserted in a part of a processing system for a harmful purpose. The term threat should be read to comprise possible, potential and actual threats. Types of malware can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
There are currently a number of techniques to restrict threats, such as malware, from compromising a processing system.
One technique uses database-driven detection, which detects known malware. In this technique, a database is used which generally comprises a signature indicative of a particular type of malware. The signatures are then compared to the downloaded entity, such as an executable file, to determine if the entity is malicious.
However, this technique suffers from a number of disadvantages. This technique can only detect known malware. If there is no signature in the database for a new variant of malware, the malicious entity could go undetected, and thus compromise the processing system.
Another technique used is code-signing. Code-signing attempts to assure users that downloaded software, such as an executable file downloaded from a web-site, has been supplied by a trusted software vendor that is participating in an infrastructure of trusted entities. Such a trusted infrastructure is available using Microsoft™ Authenticode. This mechanism generally involves the use of digital signatures and certificates in order to verify the software vendor.
However, code-signing also suffers from disadvantages. Firstly, code-signing does not analyse whether the downloaded software is malicious. It only guarantees that the software vendor is part of the trusted infrastructure. Additionally, it is still possible that an author of malware may join the infrastructure of trusted entities, if they meet particular criteria such as an acceptable Dun & Bradstreet Rating, prior to publishing malicious software for download by the public.
Therefore there is a need for a method, system, computer program product and/or computer readable medium of instructions which addresses or at least ameliorates one or more problems inherent in the prior art.
An emulator is a module which emulates the functionality of another module or system. Generally, emulation software is software designed to enable a processing system to emulate a specified software system that is not its own.
An Application Programming Interface (API) is an interface through which an application accesses services, including operating system services.
A proxy server is a server which sits between a client processing system and a network, such as the Internet. A proxy server may be a processing system, or a software application which executes on a processing system.
Hyper Text Transfer Protocol (HTTP) is a protocol used to request and transfer files, especially web-pages and web-page components, over the Internet or other computer networks.
File Transfer Protocol (FTP) is a communications protocol for the transfer of files over a computer network.
A system registry is a database used by modern operating systems, for example Windows™ platforms. The system registry comprises information needed to configure the operating system. The operating system refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.
A hash function (i.e. a message digest, e.g. MD5) can be used for many purposes, for example to establish whether a file transmitted over a network has been tampered with or contains transmission errors. A hash function uses a mathematical rule which, when applied to a file, generates a hash value, i.e. a number, usually between 128 and 512 bits in length. This number is then transmitted with the file to a recipient who can reapply the mathematical rule to the file and compare the resulting number with the original number.
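The following added example (not part of this specification) illustrates both the database-driven signature check described earlier and the hash-based integrity check just described, using the same digest routine for each. The sample byte strings standing in for downloaded executables are constructed for the example and are not real malware; the database holds a hash of the known sample, so the slightly altered variant is missed, which is the limitation the text attributes to signature-based detection.

```python
import hashlib
import hmac

# Constructed sample "downloaded entities" (not real malware): byte strings
# standing in for executable files.
KNOWN_BAD = b"MZ\x90\x00constructed-sample-of-known-malware"
NEW_VARIANT = KNOWN_BAD + b"\x00"  # same family, one byte appended
BENIGN = b"MZ\x90\x00constructed-benign-installer"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Apply the hash rule to a file's bytes; returns the hex hash value."""
    return hashlib.new(algorithm, data).hexdigest()


# Signature database: hashes of samples that have already been analysed
# (constructed here; a real database would hold many more signatures).
SIGNATURE_DB = {digest(KNOWN_BAD)}


def is_known_malware(entity: bytes) -> bool:
    """Database-driven check: exact match of the entity's hash against stored signatures."""
    return digest(entity) in SIGNATURE_DB


def verify_transfer(received: bytes, transmitted_hash: str) -> bool:
    """Recipient side of the integrity check: reapply the rule and compare.
    compare_digest compares in constant time, so timing does not reveal where the values differ."""
    return hmac.compare_digest(digest(received), transmitted_hash)


def demo() -> dict:
    """Run both checks over the constructed samples and report the outcomes."""
    sent_hash = digest(BENIGN)         # hash transmitted together with the file
    corrupted = BENIGN[:-1] + b"?"     # one byte altered in transit
    return {
        "known_bad_detected": is_known_malware(KNOWN_BAD),        # True
        "variant_detected": is_known_malware(NEW_VARIANT),        # False: no signature yet
        "benign_flagged": is_known_malware(BENIGN),               # False
        "intact_file_verifies": verify_transfer(BENIGN, sent_hash),     # True
        "corrupted_file_verifies": verify_transfer(corrupted, sent_hash),  # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```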
In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (PC), mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device. The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may comprise or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive.
An information source can comprise a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (i.e. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.
The reference in this specification to any prior publication (or information derived from the prior publication), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that the prior publication (or information derived from the prior publication) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.