1. Field of the Invention
The present invention relates to computer system security. More particularly, the present invention relates to a system and method of reducing false positives of a behavior blocking system of a computer system.
2. Description of the Related Art
A behavior blocking system heuristically monitors processes and blocks suspicious behavior that the behavior blocking system considers as malicious. Although behavior may be suspicious, in certain instances, the behavior is legitimate, i.e., is not associated with malicious code. Accordingly, blocking the legitimate behavior is undesirable and sometimes is referred to as a false positive.
Assessing the trust level of a process is therefore very important in behavior blocking. More particularly, for a trusted process, legitimate behavior, which otherwise would be blocked, is allowed.
There are a number of ways to assess the trust level of a process. One of the best is a digital signature on the process file itself. Unfortunately, many files are not signed.
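The following is an added illustration, not code from the patent, of the trust assessment and allow/block rule described above: a process file is treated as trusted only when it carries a signature that verifies under a publisher key held in a trust store; suspicious behaviour is then blocked unless the process is trusted. The signature format (Ed25519 over the SHA-256 digest of the file contents), the trust store, and the sample files are constructed assumptions for the demo; the text does not specify a signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustLevel is the outcome of assessing a process file.
type TrustLevel int

const (
	Untrusted TrustLevel = iota // unsigned, unknown signer, or signature fails to verify
	Trusted                     // valid signature from a publisher in the trust store
)

// Decision is the behavior blocker's verdict on an observed behaviour.
type Decision string

const (
	Allow Decision = "allow"
	Block Decision = "block"
)

// SignedFile models a process image with an optional detached signature.
// Assumption (constructed for this example): the signature covers the
// SHA-256 digest of Content and the signer is identified by its public key.
type SignedFile struct {
	Name      string
	Content   []byte
	Signer    ed25519.PublicKey // nil when the file is unsigned
	Signature []byte            // nil when the file is unsigned
}

// TrustStore holds the publisher keys the blocker accepts.
type TrustStore struct{ keys map[string]ed25519.PublicKey }

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{keys: map[string]ed25519.PublicKey{}}
	for _, k := range keys {
		ts.keys[string(k)] = k
	}
	return ts
}

// AssessTrust returns Trusted only if the file is signed, the signer is in
// the store, and the signature verifies over the current file contents.
func (ts *TrustStore) AssessTrust(f SignedFile) TrustLevel {
	if f.Signer == nil || f.Signature == nil {
		return Untrusted // unsigned file: no basis for trust
	}
	if _, known := ts.keys[string(f.Signer)]; !known {
		return Untrusted // signed, but not by a publisher we trust
	}
	digest := sha256.Sum256(f.Content)
	if !ed25519.Verify(f.Signer, digest[:], f.Signature) {
		return Untrusted // contents changed after signing, or forged signature
	}
	return Trusted
}

// Decide applies the rule from the text: suspicious behaviour is blocked
// unless the originating process is trusted; benign behaviour always passes.
func Decide(trust TrustLevel, suspicious bool) Decision {
	if !suspicious || trust == Trusted {
		return Allow
	}
	return Block
}

// SignFile simulates a publisher signing its release (helper for the demo).
func SignFile(name string, content []byte, priv ed25519.PrivateKey) SignedFile {
	digest := sha256.Sum256(content)
	return SignedFile{Name: name, Content: content,
		Signer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, digest[:])}
}

// RunScenarios builds constructed sample files and returns the blocker's
// decision for a suspicious behaviour observed from each of them.
func RunScenarios() map[string]Decision {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	store := NewTrustStore(trustedPub)

	signed := SignFile("updater.exe", []byte("legit updater image"), trustedPriv)
	tampered := SignFile("updater.exe", []byte("legit updater image"), trustedPriv)
	tampered.Content = []byte("legit updater image + injected code") // breaks the signature
	unknown := SignFile("tool.exe", []byte("tool image"), otherPriv)
	unsigned := SignedFile{Name: "legacy.exe", Content: []byte("unsigned legacy image")}

	return map[string]Decision{
		"signed-trusted":  Decide(store.AssessTrust(signed), true),
		"tampered":        Decide(store.AssessTrust(tampered), true),
		"unknown-signer":  Decide(store.AssessTrust(unknown), true),
		"unsigned":        Decide(store.AssessTrust(unsigned), true), // the false-positive case if the behaviour is legitimate
		"unsigned-benign": Decide(store.AssessTrust(unsigned), false),
	}
}

func main() {
	for name, d := range RunScenarios() {
		fmt.Printf("%-16s -> %s\n", name, d)
	}
}
```

The "unsigned" scenario is exactly the situation the text calls out: a suspicious but legitimate behaviour from an unsigned file is blocked because the signature-based check has no evidence to raise its trust level, which is why a blocker needs additional trust sources for unsigned files.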