An executable file run on a user's computer may contain a virus or a Trojan horse. An executable file is also called a binary image and includes, for example, any executable object such as portable executables (PEs), macros, scripts like Visual Basic script (VBS), etc. A virus is a program or piece of code that modifies a binary image on disk, typically against the user's wishes and without the user's knowledge. Viruses can also replicate themselves. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such simple viruses are dangerous because they may quickly use all available memory and bring a system to a halt. Other dangerous types of viruses are capable of transmitting themselves across networks and bypassing security systems. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive, often masquerading themselves as benign applications. For instance, a Trojan horse may be independently launched by an unsuspecting user. An insidious type of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. Thus, executable files can be risky to run on a computer.
One approach to identify executable code that has been corrupted, for example, with a virus or a Trojan horse, involves the use of trusted cryptographic hashes when installing or downloading an executable onto a computing device. A cryptographic hash, or simply a “hash”, compiles an executable into a summarized form, or digest. A trusted hash is known to be good, or represent uncorrupted code, at the time of the hashes' creation. To generate trusted hashes for a an executable file (i.e., a binary image, executable code, scripts, macros, etc.), a message digest or checksum calculation is performed on the executable, including associated resources such as data, to obtain a first result before transferring the executable from one location to another. The same calculation is made on the transferred executable to obtain a second result. The first result is compared to the second result to determine if the received executable is the same data that was originally sent. For instance, if the before and after calculation results match, then the received data is likely accurate. Otherwise, the received executable has been corrupted. In this manner, use of a full binary image hash effectively reduces the risk of downloading or installing a corrupted binary image.