As more and more computers are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all of these attacks will be generally referred to hereafter as computer malware, or more simply, malware.
When a computer system is attacked or “infected” by a computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computers.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which a computer malware is commonly distributed. As shown in FIG. 1, the typical exemplary networked environment 100 includes a plurality of computers 102-108, all interconnected via a communication network 110, such as an intranet, or via a larger communication network, including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computer connected to the network 110, such as computer 102, develops a computer malware 112 and releases it on the network. The released computer malware 112 is received by and infects one or more computers, such as computer 104, as indicated by arrow 114. As is typical with many computer malware, once infected, computer 104 is used to infect other computers, such as computer 106, as indicated by arrow 116, which, in turn, infects yet other computers, such as computer 108, as indicated by arrow 118. Clearly, due to the speed and reach of the modern computer networks, a computer malware 112 can “grow” at an exponential rate and quickly become a local epidemic that quickly escalates into a global computer pandemic.
A traditional defense against computer malware and, particularly computer viruses and worms, is antivirus software. Generally, antivirus software scans incoming data arriving over a network, looking for identifiable patterns associated with known computer malware. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the malware. One of the core deficiencies in this malware detection model is that an unknown computer malware may propagate unchecked in a network until a computer's antivirus software is updated to identify and respond to the new computer malware.
As antivirus software has become more sophisticated and efficient at recognizing thousands of known computer malware, so too have the computer malware become more sophisticated. For example, many recent computer malware are polymorphic. These polymorphic malware are frequently difficult to identify by antivirus software because they modify themselves before propagating to another computer system. Thus under the present system, there is a period of time, referred to hereafter as a vulnerability window, that exists between when a new computer malware is released on the network 110 and when a computer system is updated to protect it from the computer malware. As the name suggests, it is during this vulnerability window that a computer system is vulnerable or exposed to the new computer malware. FIG. 2 is a block diagram of an exemplary timeline illustrating this vulnerability window. In regard to the following discussion, significant times will be identified and referred to as events. FIG. 2 illustrates a vulnerability window 200 with regard to a timeline 202 under which a malware is released that exploits a previously unknown vulnerability. Thus, as shown on timeline 202, at event 204, a malicious party releases a new computer malware. As this is a computer malware that exploits a previously unknown vulnerability, antivirus software may not be able to protect vulnerable computer systems from the attack. Correspondingly, the vulnerability window 200 is opened.
At some point after the new computer malware is circulating on the network 110, an antivirus software provider or similar entity detects the new computer malware, as indicated by event 206. As those skilled in the art will appreciate, typically the presence of the new computer malware is detected within a matter of hours by antivirus software providers. Once the computer malware is detected, the antivirus software provider may begin the process of identifying a pattern or signature by which the antivirus software may recognize the computer malware. As a result of these efforts, at event 208, the antivirus software provider releases an antivirus update, which addresses the computer malware. Subsequently, at event 210, the update is installed on a user's computer system, thereby protecting the computer system and bringing the vulnerability window 200 to a close.
As may be seen from the example provided above, which is only one representative scenario in which computer malware poses a security threat to a computer system, a vulnerability window exists between the time that a computer malware 112 is released on a network 110 and when an antivirus update is installed on a user's computer system to detect the new malware and close the vulnerability window. As a result, antivirus software providers typically produce malware “cleaners,” e.g., computer software designed to identify and remove malware that is infecting a computer. One known method of “cleaning” a computer that is infected with malware includes searching each file stored on the computer for data characteristic of malware. When the data characteristic of malware is identified, the software cleaner performs certain steps designed to remove or quarantine the malware. However, searching each file stored on a computer for data characteristic of malware is a resource-intensive and time-consuming process. A computer may function at a degraded performance level for a significant period of time while the cleaner is searching file data. Frequently, computer users will be deterred from using a malware cleaner or will not receive the full benefit of a malware cleaner because of the time and resources required to search files.
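The signature-matching and file-by-file cleaning model described above, as an added example that is not part of the patent text: a scanner walks every file, compares its bytes against a signature set, and quarantines matches; the "new" sample is only detected once the signature set is updated, which is the vulnerability window in code. The signature names and byte patterns are constructed placeholders, not real malware patterns.

```python
"""Minimal signature-based file scanner (added example, not from the patent)."""
import os
import shutil
import tempfile

# Constructed, hypothetical signatures: name -> byte pattern (not real malware).
SIGNATURES = {"Example.A": b"\x4d\x5a\x90\x00EXAMPLE_A"}


def scan_file(path, signatures):
    """Return the name of the first signature found in the file, or None."""
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def scan_tree(root, signatures):
    """Walk every file under root (the 'search each file' step) and return
    a list of (path, signature_name) detections."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            name = scan_file(p, signatures)
            if name:
                hits.append((p, name))
    return hits


def quarantine(path, qdir):
    """Move a detected file into the quarantine directory; return its new path."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return dest


def demo():
    """Constructed files: one matching a known signature and one 'new' sample
    that no signature covers until the signature set is updated (event 208)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "known.bin"), "wb") as f:
        f.write(b"header" + SIGNATURES["Example.A"] + b"tail")
    with open(os.path.join(root, "new.bin"), "wb") as f:
        f.write(b"\x4d\x5a\x90\x00EXAMPLE_B")
    before = scan_tree(root, SIGNATURES)                # only known.bin is found
    updated = dict(SIGNATURES, **{"Example.B": b"EXAMPLE_B"})
    after = scan_tree(root, updated)                    # both files are found
    moved = [quarantine(p, os.path.join(root, "quarantine")) for p, _ in after]
    return len(before), len(after), len(moved)
```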