Malicious programmers often disseminate malware that injects malicious code into legitimate files on a user's computer. Such malicious code may be difficult to detect and remove. While it may sometimes be possible to remove an infection from a file, traditional anti-virus software generally cannot remove infections in a manner that returns an infected file to its original (i.e., same size and file hash) state.
As an alternative to attempting to clean a file, some anti-virus solutions may attempt to replace an infected file with a clean instance of the same file. Such anti-virus solutions may attempt to locate a hash of the file that was created prior to infection. The anti-virus solution may then use the hash to identify a clean instance of the file and may replace the infected file with the identified clean file.
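The hash-keyed replacement described above, as an added example (not code from any anti-virus product): the store layout `<store>/<sha256 hex>` and all function names are assumptions, and the sample file contents are constructed. The candidate is size-checked and re-hashed against the pre-infection baseline before it replaces anything.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(path: Path) -> dict:
    """Record size and hash while the file is still known to be clean."""
    return {"size": path.stat().st_size, "sha256": sha256_of(path)}


def restore_from_store(target: Path, baseline: dict, store: Path) -> str:
    """Return 'unchanged', 'restored', 'no-candidate' or 'candidate-mismatch'."""
    if sha256_of(target) == baseline["sha256"]:
        return "unchanged"
    candidate = store / baseline["sha256"]  # assumed layout: <store>/<sha256 hex>
    if not candidate.is_file():
        return "no-candidate"
    # Re-hash the candidate: a mislabelled store entry must not be put in place.
    if (candidate.stat().st_size != baseline["size"]
            or sha256_of(candidate) != baseline["sha256"]):
        return "candidate-mismatch"
    # Copy beside the target, then rename atomically (permissions not restored).
    fd, tmp = tempfile.mkstemp(dir=target.parent)
    os.close(fd)
    shutil.copyfile(candidate, tmp)
    os.replace(tmp, target)
    return "restored"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        target, store = Path(d, "app.dll"), Path(d, "store")
        store.mkdir()
        target.write_bytes(b"constructed clean contents v1.0")
        baseline = record_baseline(target)
        shutil.copyfile(target, store / baseline["sha256"])
        target.write_bytes(target.read_bytes() + b"<appended bytes>")
        print(restore_from_store(target, baseline, store), sha256_of(target) == baseline["sha256"])
```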
Unfortunately, the process for replacing infected files with clean files may result in the wrong version of a file (or even the wrong file) being used to replace an infected file. As a result, a software program and/or computer system that uses the replacement file may not function properly or may not function at all. Another problem with attempting to replace infected files with clean files is that some software publishers may not allow individual files to be downloaded to a user's system solely based on a hash of the individual file because the publishers cannot ensure that the user is legally entitled to use the file. What is needed, therefore, is a more effective mechanism for identifying files for use in file restoration.