It is known in the art that each day, many tens of thousands of new malicious or otherwise undesirable software programs are discovered. These programs can compromise the security of general computing devices. Possible security violations include, but are not limited to, the theft of data from the system, the usurping of the system for other nefarious purpose (like sending spam email), and, in general, the remote control of the system for other malicious actions.
One popular technique in the art for detecting malicious software comprises the following steps:                a. Establishing through some independent means that the application is malicious (e.g., by manually analyzing it). This step is typically carried out by a vendor of anti-malware technology.        b. Extracting a signature from this piece of software. A signature is a transformation applied to the software to extract a short string of data. Examples of signature can include a cryptographic hash or fingerprint. A hash is a mathematical transformation that takes the underlying binary contents of a software application and produces a relatively short string, with the idea being that two different applications will, with overwhelmingly high probability, have distinct fingerprint values. Common functions for performing this fingerprinting or hashing step include SHA-256, SHA-1, MD5, and others.        c. Publishing this signature so that it is accessible to end-users operating a general purpose computing device        d. Having the device determine if this signature matches one associated with any software applications that have arrived on the system.        e. Applying a set of steps or a given policy if the fingerprints match (e.g., blocking the installation of the application).        f. The above technique is geared towards situations when the signature was known ahead of time (i.e., before an actual piece of malicious or unwanted software arrived on an actual end-user system). Suppose that a piece of malware has already infiltrated end user systems prior to its discovery by an anti-malware vendor and prior to the creation of a signature for it. In this case, an end user system will have to cross reference every file it has against all new signatures. Given that a typical end user system can have many tens of thousands of files and given that many tens of thousands of signatures are created each day, this process of cross referencing can be prohibitively expensive to execute on an end user system. As a result, existing anti-malware vendors do not provide any form of efficient retroactive protection.        
Aside from that, if an anti-malware vendor initially deems a software application to be malicious, but later learns that this determination was made in error (i.e., the particular application is actually benign), then there is no easy way for the vendor to retroactively undo its mistakes on end user systems without forcing users to scan their entire system for threats or clean files each time new intelligence on threats or clean files is discovered. Such an approach is prohibitively expensive, especially considering the large number of files on a given end-user system as well as the rate at which commercial anti-malware vendors gather new intelligence on the latest threats.
There is, accordingly, a need in the art to develop methods, components, and systems for retroactively handling two situations: First, retroactively detecting malicious software on an end user system in a way that does not incur a high computational cost directly for the end user; Second, retroactively undoing the effects of situations in which a file was erroneously labeled as malicious, but subsequently found to be benign.