Executing an executable file or a Portable Executable (PE) file, each of which can include a dynamic library or a Dynamic Link Library (DLL), can be hazardous for computer system users. Malicious code is primarily spread using such executable files (for example, as viruses and Trojan programs). Therefore, prior to executing or running an executable file, an antivirus determination (or check) of such files is recommended. Traditional antivirus checks can be based on either simple or complex check methods. For example, a simple check can be a signature scan, which allows the detection of known malicious programs from among all programs. However, a signature scan can be a time-consuming procedure, as the antivirus database that is utilized for the check is often very large. In another example, a complex check can include an analysis of the behavior of the executable files. Such systems can use a code emulator with an analytical module designed for deep analysis of files. The aforementioned checks ensure the security of both computer system resources and personal (including confidential) user data. Varying amounts and types of computer resources (which are typically limited) are needed for the aforementioned checks, depending on the type of check utilized.
In addition, the number of executable files on today's computer systems is constantly growing, which affects the time required for the antivirus checks of all executable files and the resources that need to be spent in order to perform the relevant checks. As a result, approaches that decrease the computer system resources required for an antivirus check are important.
Some of the approaches that optimize antivirus checks typically include the use of so-called whitelists or blacklists, or are based on the tracking of file modification (for example, by time stamps) after which a check will be performed. These approaches can also be conducted based on a particular type of executable file, such as: object code, PE-format executable files, macros, or scripts, and so on.
For example, U.S. Pat. No. 7,490,352 describes an approach that checks whether an executable file is trusted at the moment the execution of the executable file begins. That approach includes determining whether the file being checked belongs to a malicious file type and verifying the integrity of the file and the reliability of the source which sends or runs the file. However, these approaches have one very substantial drawback; particularly, the need to pre-build the aforementioned lists. Therefore, the executable files included in the above-mentioned lists have been, at least once, subjected to a deeper antivirus check, which usually involves a determination using all available antivirus technologies, including the aforementioned ones. Accordingly, hardware resources and time resources have also been allocated for the deeper check and in order to build the lists. However, computing systems often require that an antivirus check of new executable files be performed as fast as possible and using the least computer resources possible. “New executable files” means files that the above-mentioned lists do not include, and about which the lists contain no information.
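To make the optimizations described above concrete (hash-keyed whitelist and blacklist lookups, re-scanning only after a file modification, and deferring the expensive deep analysis to files the lists do not cover), here is an added Python example. It is not code from the patent or from any antivirus product; the file contents, the list entries derived from them, the marker string and the `deep_scan` stand-in for an emulator or behavioral engine are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used as the key for list lookups and the scan cache."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample lists. Entries are keyed by content hash rather than by
# path, so renaming or moving a file cannot change its verdict.
WHITELIST = {sha256_hex(b"trusted-app v1.0")}
BLACKLIST = {sha256_hex(b"known-bad sample")}

# Constructed marker that the stand-in deep analysis treats as suspicious.
SUSPICIOUS_MARKER = b"EVIL-MARKER"


@dataclass(frozen=True)
class FileSnapshot:
    """What the checker sees at execution time: path, bytes and mtime."""
    path: str
    content: bytes
    mtime: float


def deep_scan(content: bytes) -> str:
    """Assumption: a real emulator/behavioral engine would go here. This
    stand-in only looks for the constructed marker and returns a verdict."""
    return "malicious" if SUSPICIOUS_MARKER in content else "clean"


class ScanCache:
    """Decides, at execution start, whether a deeper check is needed at all."""

    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str],
                 analyzer: Callable[[bytes], str]) -> None:
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.analyzer = analyzer
        # path -> (content hash, mtime seen, verdict)
        self._cache: Dict[str, Tuple[str, float, str]] = {}
        self.deep_scans = 0  # how many times the expensive path ran

    def check(self, f: FileSnapshot) -> str:
        cached = self._cache.get(f.path)
        # Unchanged mtime: reuse the verdict without even hashing the file.
        if cached is not None and cached[1] == f.mtime:
            return cached[2]
        digest = sha256_hex(f.content)
        if cached is not None and cached[0] == digest:
            # mtime changed but the bytes did not (e.g. a touch): keep verdict.
            verdict = cached[2]
        elif digest in self.blacklist:
            verdict = "malicious"
        elif digest in self.whitelist:
            verdict = "trusted"
        else:
            # Genuinely new content: only now pay for the deep analysis.
            self.deep_scans += 1
            verdict = self.analyzer(f.content)
        self._cache[f.path] = (digest, f.mtime, verdict)
        return verdict


def run_demo() -> Tuple[List[str], int]:
    """Constructed sequence of execution attempts; returns verdicts and the
    number of deep scans actually performed."""
    cache = ScanCache(WHITELIST, BLACKLIST, deep_scan)
    events = [
        FileSnapshot("/opt/app/app.exe", b"trusted-app v1.0", 100.0),  # listed
        FileSnapshot("/tmp/drop.exe", b"known-bad sample", 100.0),      # listed
        FileSnapshot("/home/u/new.exe", b"hello world", 100.0),   # new: deep scan
        FileSnapshot("/home/u/new.exe", b"hello world", 100.0),   # same mtime
        FileSnapshot("/home/u/new.exe", b"hello world", 101.0),   # touched only
        FileSnapshot("/home/u/new.exe", b"hello EVIL-MARKER", 102.0),  # modified
    ]
    verdicts = [cache.check(e) for e in events]
    return verdicts, cache.deep_scans


if __name__ == "__main__":
    print(run_demo())
```

Of six execution attempts only two reach the deep analysis: the first sight of the new file and its later modification. The mtime shortcut is the cheapest step but also the least trustworthy, since timestamps can be set arbitrarily, which is why a changed mtime falls through to a hash comparison rather than an automatic re-scan and why the lists themselves are keyed by hash.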
Therefore, systems and methods that reduce the duration of antivirus determinations are needed, particularly for those checks that include executable files encountered for the first time (“new executable files”). Accordingly, there is a need for systems and methods that optimize antivirus checks, including systems and methods that allow, prior to an antivirus check of executable files, for the detection, and exclusion from further antivirus checks, of those executable files which can be determined to be safe.