As the Internet continues to expand in terms of both connectivity and number of users, the amount of malicious software (“malware”) existing across the Internet continues to increase at a significant rate. Malware, in the form of, for example, viruses, spyware, and worms, is essentially software code written to infiltrate and/or damage a computer system. In some worst-case scenarios, malware can destroy important data, render a computer system virtually useless, and/or bring down a network of hundreds or thousands of computer systems. Recovering a computer system or network from a successful malware attack often requires considerable resources. Further, malware, while typically attacking computer systems connected to the Internet, can also spread from one computer system to another by, for example, a non-Internet-based file transfer between computer systems.
In an effort to protect computer systems against malware, various companies design and offer anti-malware programs (e.g., Norton Antivirus™ by Symantec Corporation). Generally, anti-malware programs use “signatures” and “heuristics” to detect malware. A signature of a particular type of malware is a characteristic (e.g., a bit pattern) unique to that type of malware. Anti-malware programs rely on signatures to detect and identify specific malware. Stored signatures must be kept up-to-date in order for anti-malware programs to remain effective as malware evolves over time.
Heuristic detection, by contrast, involves detecting behaviors that indicate the presence of malware. Such behavior may be detected by monitoring running software for suspicious actions that indicate malicious activity. Suspicious actions include, for example, particular software installing itself in an obscure or hidden location, copying itself to another computer, downloading and installing additional software without the knowledge of the user, modifying registry settings, and modifying executable files.
Typically, anti-malware programs work in one or both of two modes. In one mode, a user may initiate a “scan mode,” in which the anti-malware program examines the user's computer system for matching malware signatures. In another mode, real-time monitoring may occur, whereby the anti-malware program continuously runs during use of the computer system. When malware is detected in either of these modes, (i) the user can be alerted to the found malware and asked what action to take, or (ii) the found malware can be automatically quarantined and/or removed.
The operation of an anti-malware program generally involves scanning all the files and/or memory of a computer system. Those skilled in the art will note that scanning is computationally expensive. Further, the scanning of certain types of files may not be well received by a program having a domain of which the files are part. The “domain” of a software program is defined as the set of files and/or memory of a computer system that the program has designated or otherwise uses for its operation.
Further, an anti-malware program may be designed to allow a user to select certain files to exclude from scanning by the anti-malware program. However, those skilled in the art will note that the domain of certain software programs may dynamically change during the course of operation, so that an exclusion list compiled at one point in time may no longer cover the domain at a later point in time. Further, those skilled in the art will note that manually excluding files of a program's domain from scanning by an anti-malware program is susceptible to a relatively high level of error and requires a high level of sophistication at the user level.
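The following added example (not code from the patent or any product it names) illustrates the signature matching described above together with a manually maintained, path-based exclusion list, and shows the problem of a dynamically changing domain: a file the program adds to its domain after the exclusion list was compiled is scanned anyway. All file names, the `app_domain` directory, and the byte patterns used as signatures are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed byte patterns standing in for malware signatures (not real ones).
SIGNATURES = {
    "demo-family-A": b"\xde\xad\xbe\xef\x42",
    "demo-family-B": b"DEMO-PATTERN-B",
}

def signature_matches(data: bytes) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def scan_tree(root, excluded_paths):
    """Scan every file under root except the user-excluded paths.
    Returns (detections, scanned, skipped); detections maps path -> hits."""
    excluded = {Path(p).resolve() for p in excluded_paths}
    detections, scanned, skipped = {}, [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name).resolve()
            if path in excluded:
                skipped.append(path)
                continue
            scanned.append(path)
            hits = signature_matches(path.read_bytes())
            if hits:
                detections[path] = hits
    return detections, scanned, skipped

def demo() -> dict:
    """Constructed scenario: a program's domain grows after exclusions were set."""
    with tempfile.TemporaryDirectory() as tmp:
        domain = Path(tmp, "app_domain")          # hypothetical program's domain
        domain.mkdir()
        (domain / "config.dat").write_bytes(b"settings=1")
        (Path(tmp) / "download.bin").write_bytes(b"--" + SIGNATURES["demo-family-A"] + b"--")
        excluded = [domain / "config.dat"]        # manual exclusion of the domain as it is now
        # The program later adds a clean file to its domain; the exclusion list is stale.
        (domain / "cache.dat").write_bytes(b"cache contents")
        detections, scanned, skipped = scan_tree(tmp, excluded)
        return {
            "detected": sorted(p.name for p in detections),
            "scanned": sorted(p.name for p in scanned),
            "skipped": sorted(p.name for p in skipped),
        }
```

In the scenario, `download.bin` is flagged by signature, `config.dat` is skipped as excluded, and the later-added `cache.dat` is scanned despite belonging to the program's domain.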