Field
Embodiments of the present invention generally relate to the field of computer virus and malware detection and prevention within computer systems, and to methods for detecting and protecting against malicious and undesired computer files. In particular, various embodiments relate to detecting malicious and undesired computer files sent over the Internet by tracking, examining, and comparing the digital certificates that accompany the sent files.
Description of the Related Art
Digital certificates attempt to address problems associated with whether or not to trust computer software, such as software that arrives from the Internet and is sometimes run or executed immediately. A digital certificate can be obtained by a software distributor from a certificate authority and attached to a file or program by the software distributor. The software distributor only needs to provide proof of identity to the certificate authority when obtaining the certificate. No attempt is made by the certificate authority to determine whether the distributor is trustworthy, or whether the files that will be distributed with the certificate can be used safely.
A program with an attached certificate is known as signed code. When signed code arrives on a computer, the user is typically presented with certificate information, by way of a dialog box, including the name of the distributor associated with the certificate. The user is given a choice. The signed code can be trusted and allowed to execute, or it can be rejected. However, the user has no good way to make this decision, except in rare cases where the distributor's name and reputation are familiar. Consequently, the use of code signing does little to protect computer users from undesirable and often harmful software. Worse yet, the presence of a certificate suggests to users that a program can be trusted, so that they may decide to execute and run a program that they would have rejected if it were not signed.
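The mechanism described above, as an added example that is not part of the original document: a publisher obtains a certificate that binds a name to a signing key, signs a file, and the receiving system verifies the signature. The example separates the two questions the dialog box asks the user to answer at once: whether the signature is valid (cryptography settles this) and whether the named publisher should be allowed to run code (a policy question the certificate authority never answered). The publisher name, file content and trust list are constructed for the example, and the certificate is self-signed as a stand-in for one issued by a certificate authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of examining a signed file before it is allowed to execute.
type Verdict int

const (
	VerdictInvalid Verdict = iota // signature does not match the file (tampered or forged)
	VerdictUnknown                // signature valid, but the publisher is not on the trust list
	VerdictTrusted                // signature valid and the publisher is explicitly trusted
)

func (v Verdict) String() string {
	return [...]string{"invalid signature", "unknown publisher", "trusted publisher"}[v]
}

// SignedFile is a file delivered together with the signer's certificate and a signature.
type SignedFile struct {
	Content   []byte
	CertDER   []byte // DER-encoded X.509 certificate of the signer
	Signature []byte // Ed25519 signature over SHA-256(Content)
}

// Publisher holds a signing key and the certificate naming its owner. The certificate is
// self-signed here (constructed stand-in for a CA-issued one): it binds a name to a key and
// says nothing about whether the name's owner is trustworthy.
type Publisher struct {
	Name    string
	priv    ed25519.PrivateKey
	CertDER []byte
}

// NewPublisher generates a key pair and a certificate carrying the publisher's name.
func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, priv: priv, CertDER: der}, nil
}

// Sign attaches the publisher's certificate and a signature over the file's hash.
func (p *Publisher) Sign(content []byte) SignedFile {
	digest := sha256.Sum256(content)
	return SignedFile{Content: content, CertDER: p.CertDER, Signature: ed25519.Sign(p.priv, digest[:])}
}

// VerifySignature checks the signature against the key in the attached certificate and
// returns the publisher name the certificate asserts. A valid result proves only that the
// holder of that key signed this exact content.
func VerifySignature(sf SignedFile) (string, error) {
	cert, err := x509.ParseCertificate(sf.CertDER)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type")
	}
	digest := sha256.Sum256(sf.Content)
	if !ed25519.Verify(pub, digest[:], sf.Signature) {
		return "", errors.New("signature does not match file")
	}
	return cert.Subject.CommonName, nil
}

// Evaluate applies a local trust policy on top of signature verification, so the decision
// does not rest on the user recognising the distributor's name in a dialog box.
func Evaluate(sf SignedFile, trusted map[string]bool) Verdict {
	name, err := VerifySignature(sf)
	if err != nil {
		return VerdictInvalid
	}
	if trusted[name] {
		return VerdictTrusted
	}
	return VerdictUnknown
}

func main() {
	pub, err := NewPublisher("Example Publisher LLC") // constructed name
	if err != nil {
		panic(err)
	}
	file := pub.Sign([]byte("installer payload")) // constructed content
	policy := map[string]bool{"Example Publisher LLC": true}
	fmt.Println(Evaluate(file, policy))              // trusted publisher
	fmt.Println(Evaluate(file, map[string]bool{}))   // unknown publisher
	file.Content = append(file.Content, '!')         // tamper after signing
	fmt.Println(Evaluate(file, policy))              // invalid signature
}
```

The unknown-publisher verdict is the case the text calls out: the signature checks out, yet nothing about the certificate justifies running the code, so the policy treats it no better than an unsigned file.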