Software, binaries, executables, advertising, web pages, documents, macros, executable objects, and other data provided to users (collectively “applications”) may include security flaws and privacy leaks that are subject to exploitation by malware. As used throughout this specification, malicious software (“malware”) is expressly defined as a virus, Trojan, zombie, rootkit, backdoor, worm, spyware, adware, ransomware, dialer, payload, malicious browser helper object, cookie, logger, or similar application or part of an application designed to take a potentially-unwanted action, including by way of non-limiting example data destruction, covert data collection, covert communication, browser hijacking, network proxy hijacking or redirection, covert tracking, data logging, keylogging, excessive or deliberate barriers to removal, contact harvesting, unwanted use of premium services, and unauthorized self-propagation. In some cases, malware may also include legitimate software that includes inadvertent security flaws that cause or enable malware behavior. Also included in the class of security or privacy threats is “grayware,” which is a less-serious form of malware, such as a semi-legitimate application, including legitimate functionality, but also including behavior that is annoying, somewhat-harmful, or undesirable (including for example collecting private data or covert use of premium services), but that is nevertheless not as severe as pure malware. Often, grayware fails to disclose to the user the full extent of its collection activities or surreptitiously goes beyond its stated functionality. In this specification, it is intended for the term “malware” to encompass both pure malware and grayware. “Malware behavior” is defined as any behavior that qualifies an application as malware or grayware. Some prior art systems are configured to identify and block malware, for example by maintaining databases of known malware.