Anti-virus and anti-spyware solutions generally employ traditional scan-based technologies to identify viruses, worms, Trojan horses, spyware, and other malware on an endpoint device. Typical anti-virus and anti-spyware solutions may detect these threats by checking files for characteristics (e.g., anti-malware signatures) of known threats. Once an anti-malware system detects a threat, the anti-malware system may remediate the threat, typically by deleting or quarantining the threat.
Some malware may open and write to files (e.g., to propagate itself and/or other malware). Accordingly, some anti-malware systems may scan files once the files are closed (e.g., to check for recently introduced malware). In this manner, anti-malware systems may check files that may have been altered by malware and/or altered to include malware.
Unfortunately, some malware authors have designed their malware to evade such traditional scan-on-close anti-malware systems. For example, some malware may create a hard link to a file (e.g., an alternate file name for a file), resulting in at least two file names referring to the same file. By opening and infecting the file under one file name (e.g., the alternate file name) and then immediately deleting that file name (e.g., deleting the file name under which the file was opened) after closing the file, the malware may prevent some traditional anti-malware systems from scanning the file. For example, a traditional anti-malware system may attempt to open the file using the file name under which the malware opened and closed the file; because that file name has already been deleted, the attempt fails, leaving the file intact (under the other file name, which was not used for opening, modifying, and closing the file) and unscanned. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for detecting malware.
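The following is an added test harness, not code from the disclosure, that reproduces the scan-on-close gap described above in a temporary directory and contrasts two scanner designs: a name-based scanner that reopens the path it was told about, and a handle-based scanner that inspects the file object through the descriptor that is still open at close time and records the inode's link count. The "signature" (`MARKER`), file names, and function names are constructed for the example; a real product would substitute its signature engine and filesystem hook.

```python
import os
import shutil
import tempfile

# Constructed stand-in for an anti-malware signature: a harmless marker string.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def scan_bytes(data: bytes) -> bool:
    """Minimal signature check: True when the constructed marker is present."""
    return MARKER in data


def scan_on_close_by_name(path: str):
    """Name-based scan-on-close: reopen the file by the name just closed.

    Returns the verdict, or None when that name no longer exists, which is
    exactly the situation the text describes (alias deleted after close).
    """
    try:
        with open(path, "rb") as f:
            return scan_bytes(f.read())
    except FileNotFoundError:
        return None


def scan_on_close_by_handle(fd: int) -> dict:
    """Handle-based scan-on-close: scan through the still-open descriptor.

    The verdict is bound to the file object (inode), not to a name, and the
    link count reveals that other names for the same content exist.
    """
    st = os.fstat(fd)
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    return {"infected": scan_bytes(b"".join(chunks)),
            "inode": st.st_ino, "nlink": st.st_nlink}


def find_names_for_inode(directory: str, inode: int) -> list:
    """Locate every remaining name in `directory` that refers to `inode`,
    so a detection on the handle can be remediated under all of its names."""
    return sorted(name for name in os.listdir(directory)
                  if os.stat(os.path.join(directory, name)).st_ino == inode)


def simulate() -> dict:
    """Replay the scenario from the text and return what each scanner saw."""
    tmp = tempfile.mkdtemp(prefix="hardlink-scan-")
    try:
        original = os.path.join(tmp, "original.bin")
        alias = os.path.join(tmp, "alias.bin")
        with open(original, "wb") as f:
            f.write(b"clean content\n")
        os.link(original, alias)  # second name for the same file object

        # Content is modified under the alias; the close hook runs while the
        # descriptor is still open, so the handle-based scanner sees it.
        fd = os.open(alias, os.O_RDWR)
        os.write(fd, MARKER)
        handle_result = scan_on_close_by_handle(fd)
        other_names = find_names_for_inode(tmp, handle_result["inode"])
        os.close(fd)
        os.unlink(alias)  # alias dropped immediately after close

        return {
            "handle_scan": handle_result,
            "names_at_close": other_names,
            "name_scan_after_unlink": scan_on_close_by_name(alias),
            "scan_under_other_name": scan_on_close_by_name(original),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The handle-based result shows the detection and a link count of 2 at close time, and the name lookup lists both names, so remediation can reach the surviving name; the name-based scanner returns None because the only name it knew has already been unlinked, while the same content remains readable under the other name.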