Computer systems, especially those connected to a network, are often subject to malicious attacks. For instance, an attacker may introduce unwanted software, generally referred to as “malware,” into a target system and attempt to cause the target system to execute the malware. Such malware is typically designed to carry out some unauthorized and/or undesirable activity, for example, stealing sensitive data from the target system, controlling the target system to participate in a distributed attack on another system, or even disabling the target system. These attacks can lead to extended service interruptions and/or compromise of critical data, which in turn can result in economic losses for businesses, damage to information technology infrastructure and inconvenience to users.
Malware comes in a variety of forms, including viruses, worms, Trojan horses, adware, spyware and the like. To defend against such malware, a variety of tools have been devised and deployed to detect malware and to prevent it from being executed on a computer. For example, firewalls and proxies may be configured to screen network traffic for malware, and security settings may be added to vulnerable applications to prevent malware from being executed. An anti-malware program may also be installed on a computer to scan the computer's hard disk for any files that may contain malware. During such a scan, the anti-malware program may look for specific patterns, or “signatures,” that are known to be associated with certain types of malware. If one or more signatures are found in a file, the anti-malware program may declare the file to be potentially malicious and may, in some instances, proceed to clean the file by removing suspicious portions or even to remove the entire file.
To maintain effectiveness against newly released malware, the list of signatures used by an anti-malware program may be updated periodically, for example, by communicating with an anti-malware service provider or vendor that analyzes recent malware attacks and publishes corresponding signatures. Additionally, the anti-malware program may use one or more malware detection heuristics in combination with the signature-based analysis. These heuristics may be effective in protecting the computer from a “zero-day attack” (e.g., a malware attack for which a signature is not yet available) or a polymorphic attack that mutates itself to elude signature detection (e.g., by making cosmetic, non-functional changes to the malicious code).
For reasons such as poor signature generation, imperfect heuristics or simply a bug in the anti-malware program, a file may sometimes incorrectly be identified as being potentially malicious. This type of error is generally referred to as a false positive error, or a false positive. On the other hand, an anti-malware program may fail to identify a file that does contain malware. This latter type of error is generally referred to as a false negative error, or a false negative.
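The following added example (not part of the original text) illustrates the three mechanisms just described on a constructed corpus: a signature-only scanner, the same scanner with two heuristics layered on top (one that normalizes cosmetic padding so a mutated copy still matches its signature, one that flags an executable that embeds a network endpoint), and a scoring function that counts false positives and false negatives against labelled ground truth. The signature name, file contents and heuristic names are all assumptions made up for the example; no real malware is involved.

```python
import re

# Constructed sample corpus for the example, not real malware:
# (file name, contents, ground truth: True if the file really is malicious).
SAMPLES = [
    ("dropper.bin", b"MZ\x00\x00EVIL_PAYLOAD_V1 beacon 10.0.0.1", True),
    # Polymorphic variant: same code, but cosmetic NOP (0x90) bytes split the signature.
    ("dropper_poly.bin", b"MZ\x00\x00EVIL\x90PAYLOAD\x90V1 beacon 10.0.0.1", True),
    # Benign advisory text that merely quotes the signature string (false-positive bait).
    ("advisory.txt", b"Signature EVIL_PAYLOAD_V1 identifies the dropper family", False),
    # New family with no published signature yet (a "zero-day" for this scanner).
    ("stealer.bin", b"MZ\x00\x00 send keys to 10.0.0.2", True),
    ("notes.txt", b"grocery list: milk, eggs, bread", False),
]
# Hypothetical signature database: name -> byte pattern, as a vendor might publish it.
SIGNATURES = {"Trojan.Evil.v1": b"EVIL_PAYLOAD_V1"}
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def signature_scan(data):
    """Signature-only detection: flag the file if any known pattern appears verbatim."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def heuristic_scan(data):
    """Two simple heuristics layered on the signature database."""
    hits = []
    # 1. Normalize cosmetic padding (0x90) so a mutated copy matches its signature.
    normalized = data.replace(b"\x90", b"_")
    hits += ["Mutated:" + n for n in signature_scan(normalized) if n not in signature_scan(data)]
    # 2. Executable header plus a hard-coded IPv4 endpoint is suspicious on its own.
    if data.startswith(b"MZ") and IPV4.search(data):
        hits.append("Heur.ExeWithEndpoint")
    return hits

def combined_scan(data):
    return signature_scan(data) + heuristic_scan(data)

def evaluate(scan):
    """Compare a scanner's verdicts with ground truth; return counts by error type."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, data, malicious in SAMPLES:
        flagged = bool(scan(data))
        key = ("tp" if malicious else "fp") if flagged else ("fn" if malicious else "tn")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for label, scan in (("signature only", signature_scan), ("signature + heuristics", combined_scan)):
        print(f"{label:22}: {evaluate(scan)}")
```

On this corpus the heuristics remove both false negatives (the mutated dropper and the unsigned stealer) but leave the false positive untouched, since the advisory text genuinely contains the signature bytes.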