Over the next decade, computer security programs may continue to transition from primarily blacklist-based anti-malware solutions to whitelist-based solutions. Whitelist-based solutions may allow whitelisted software applications to run while blocking all other applications. However, whitelist-based solutions may not block all malicious code from executing. For example, a publisher may provide legitimate software for a period of time in order to gain trust and have the software whitelisted. The publisher may then introduce malicious code into the whitelisted software. As another example, a malicious developer in a trusted software company may introduce malware in a whitelisted program.
Traditional behavior-monitoring systems may provide some protection against malware in whitelisted software. Behavior-monitoring systems may monitor a software application and may ask a user whether to allow the software application to access a potentially sensitive file. However, most traditional behavior-monitoring systems do not provide users with enough context to allow the users to make an informed decision. The information that traditional behavior-monitoring systems provide may be cryptic and unintelligible to a typical user. For example, JAVA, .NET, and other managed applications may provide users with a directory path for the potentially sensitive file, but the directory path may not help the user make a decision about whether to allow the software application to access the directory.