In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious file. Unfortunately, because many existing antivirus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by only distributing new (i.e., unique) or repacked versions of malicious files.
In light of this, at least one security-software vendor has begun investigating and implementing reputation-based security systems. In a reputation-based security system, a security-software vendor may attempt to determine whether a file represents malware by collecting, aggregating, and analyzing data from potentially millions of user devices within a community, such as the security-software vendor's user base. For example, by determining a file's source, age, and prevalence within the community, among other details, a security-software vendor may gain a fairly accurate understanding as to whether the file represents malware.
In a typical reputation-based security system, a file that has a low prevalence, and/or a file for which little is known about its source of origin or age, may be classified as malware since these characteristics are common among malware. Because of this, however, typical reputation-based security systems may be unable to accurately distinguish between malware and legitimate files that have a low prevalence and/or for which little is known about their source of origin, which may in turn result in such systems mistakenly classifying legitimate files as malware. These mistakes, known as “false positives,” may be extremely disruptive and costly for an enterprise since they can result in the deletion or removal of legitimate, and potentially essential, files and software from computing devices within the enterprise. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for preventing false-positive malware classifications.
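The following is an added example, not part of the disclosure and not any vendor's actual reputation engine, that makes the false-positive problem described above concrete. It scores a file on the three community signals named in the text (prevalence, age, and whether the source of origin is known) using constructed thresholds and weights, shows how a rare, newly built internal tool is classified as malware by the prevalence-only logic, and then shows one assumed mitigation: consulting enterprise-local context (here, a set of code-signing publishers the enterprise trusts) before the community verdict is allowed to stand. All names, weights, thresholds, and the sample telemetry records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed telemetry record for a single file, as a reputation service
# might aggregate it from community devices (assumed field set).
@dataclass
class FileTelemetry:
    sha256: str               # placeholder hash, not a real sample
    prevalence: int           # number of community devices that reported the file
    first_seen: date          # earliest report date across the community
    source_known: bool        # True if the download origin / publisher is known
    signer: Optional[str]     # code-signing publisher name, if the file is signed

# Assumed thresholds and weights: low prevalence and unknown source dominate,
# which is exactly what makes rare legitimate files look like malware.
LOW_PREVALENCE = 5
YOUNG_FILE_DAYS = 7
MALWARE_THRESHOLD = 0.6

def naive_reputation_score(t: FileTelemetry, today: date) -> float:
    """Community-only score: higher means 'more like malware'."""
    score = 0.0
    if t.prevalence < LOW_PREVALENCE:
        score += 0.5                       # rare in the community
    if (today - t.first_seen).days < YOUNG_FILE_DAYS:
        score += 0.3                       # very recently first seen
    if not t.source_known:
        score += 0.3                       # origin unknown
    return score

def naive_classify(t: FileTelemetry, today: date) -> str:
    """The prone-to-false-positives classifier described in the text."""
    return "malware" if naive_reputation_score(t, today) >= MALWARE_THRESHOLD else "clean"

def classify_with_enterprise_context(t: FileTelemetry, today: date,
                                     trusted_signers: set) -> str:
    """Assumed mitigation: enterprise-local trust is checked before the
    community verdict is applied, so in-house signed software is not removed
    merely for being rare and new. Unsigned or untrusted files still get the
    community verdict."""
    if t.signer is not None and t.signer in trusted_signers:
        return "clean"
    return naive_classify(t, today)

# Constructed sample records (hashes are placeholders).
TODAY = date(2024, 1, 15)
INTERNAL_TOOL = FileTelemetry(
    sha256="<placeholder-hash-internal-tool>",
    prevalence=3,                          # only a few machines in one enterprise
    first_seen=TODAY - timedelta(days=2),  # built two days ago
    source_known=False,                    # never seen on any public download site
    signer="Example Corp Internal CA",     # but signed by the enterprise's own CA
)
WIDELY_USED_APP = FileTelemetry(
    sha256="<placeholder-hash-popular-app>",
    prevalence=250000,
    first_seen=TODAY - timedelta(days=400),
    source_known=True,
    signer="Well-Known Publisher",
)
UNKNOWN_UNSIGNED = FileTelemetry(
    sha256="<placeholder-hash-unknown>",
    prevalence=2,
    first_seen=TODAY - timedelta(days=1),
    source_known=False,
    signer=None,
)
ENTERPRISE_TRUSTED_SIGNERS = {"Example Corp Internal CA"}

if __name__ == "__main__":
    for rec in (INTERNAL_TOOL, WIDELY_USED_APP, UNKNOWN_UNSIGNED):
        print(rec.sha256,
              "naive:", naive_classify(rec, TODAY),
              "with-context:", classify_with_enterprise_context(
                  rec, TODAY, ENTERPRISE_TRUSTED_SIGNERS))
```

Run as a script, the internal tool is reported as malware by the community-only logic and as clean once enterprise context is consulted, while the widely used application stays clean and the rare unsigned file of unknown origin is flagged under both policies. The point of the override is not that signing proves benignity; it is that a verdict driven purely by community prevalence has no way to tell an enterprise's own rare software from a freshly minted malware variant, so some per-deployment context has to be admitted into the decision.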