Methods of detecting malware, such as viruses, worms, and spyware, may utilize a file signature, a file origin, or other file attributes to determine whether a file is harmful. Malware, however, may be designed to interfere with such determinations once a machine is infected. For example, malware may affect an infected machine's network stack, such as a network proxy, and may redirect network requests in a manner that is more difficult to detect. Thus, a network request on an infected machine may appear to be directed towards an innocuous network site while the malware utilizes an infected network proxy to redirect the request to a harmful network site.
Other actions may be taken by malware to mask, spoof, or otherwise hide the nature of a file on an infected computer, to hide a request to download malware, or to hide other malware activities and/or malware attributes. As another example, malware may change network information such as Uniform Resource Locators (URLs) contained on an infected machine. That is, malware may alter browser cache files to list only safe or valid websites in the browser cache file. Malware may also affect file system drivers or network drivers to hide the presence or the identity of a file. Thus, a malware detection or prevention system that attempts to scan a system or a file being downloaded may be provided with improper file attributes. For example, if a malware detection system attempts to determine the reputation of a file being downloaded using a fake URL provided by an infected machine, the malware detection system may incorrectly identify the file being downloaded as safe.
In view of the foregoing, it may be understood that there are significant problems and shortcomings associated with current reputation-based analysis technologies.