In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious file. For example, a malware author may create a unique version of a malicious file for each intended target by repacking (i.e., compressing, encrypting, and/or otherwise obfuscating) the file on a server before distributing it. Unfortunately, because many existing antivirus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by distributing only new (i.e., unique), repacked versions of malicious files.
In light of this, at least one security-software vendor has begun investigating and implementing reputation-based security systems. In a reputation-based security system, a security-software vendor may attempt to determine the trustworthiness and/or legitimacy of a file by collecting, aggregating, and analyzing data from potentially millions of user devices within a community, such as the security-software vendor's user base. For example, by determining a file's origin, age, and prevalence within the community (such as whether the file is predominantly found on at-risk or “unhealthy” machines within the community), among other details, a security-software vendor may gain a fairly accurate understanding as to the trustworthiness of the file.
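The aggregation described above can be sketched as follows. This is an added example, not code from the original text or from any vendor's system; it covers age, prevalence, and concentration on unhealthy machines (origin is omitted), and the telemetry rows, digest labels, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed telemetry rows: (device, file digest label, first seen, device unhealthy?)
TELEMETRY = (
    [(f"dev-0{i}", "digest-common", date(2009, 1, 5), i == 5) for i in range(1, 6)]
    + [("dev-06", "digest-unique", date(2010, 5, 30), True)]
    + [("dev-02", "digest-skewed", date(2010, 1, 10), False)]
    + [(d, "digest-skewed", date(2010, 1, 12), True) for d in ("dev-05", "dev-06", "dev-07")]
)

def aggregate(telemetry):
    """Fold per-device reports into per-file community statistics."""
    stats = defaultdict(lambda: {"devices": set(), "unhealthy": set(), "first_seen": None})
    for device, digest, seen, unhealthy in telemetry:
        entry = stats[digest]
        entry["devices"].add(device)
        if unhealthy:
            entry["unhealthy"].add(device)
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
    return dict(stats)

def reputation(stats, digest, today, min_prevalence=3, min_age_days=30,
               max_unhealthy_ratio=0.5):
    """Return (verdict, reasons). All thresholds are illustrative assumptions."""
    entry = stats.get(digest)
    if entry is None:
        return "unknown", ["never reported by the community"]
    prevalence = len(entry["devices"])
    age_days = (today - entry["first_seen"]).days
    unhealthy_ratio = len(entry["unhealthy"]) / prevalence
    reasons = []
    if prevalence < min_prevalence:
        reasons.append(f"low prevalence ({prevalence} device(s))")
    if age_days < min_age_days:
        reasons.append(f"new to the community ({age_days} day(s) old)")
    if unhealthy_ratio > max_unhealthy_ratio:
        reasons.append(f"{unhealthy_ratio:.0%} of hosts are unhealthy")
    return ("suspect" if reasons else "trusted"), reasons

if __name__ == "__main__":
    community = aggregate(TELEMETRY)
    for label in ("digest-common", "digest-unique", "digest-skewed", "digest-missing"):
        print(label, reputation(community, label, today=date(2010, 6, 1)))
```

A per-target repacked file behaves like `digest-unique` here: it matches no known signature, yet its low prevalence and age are themselves the signal.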
Current reputation-based security systems typically rely on the ability to connect to remote servers (e.g., central authorities, distributed systems, and/or upstream caches) in order to obtain reputation information for each encountered file. This characteristic, however, may prevent reputation-based security systems from being utilized in scenarios where network access is restricted (e.g., “dark” networks), prohibited (e.g., during air travel), and/or unavailable (e.g., due to network limitations and/or failures). As such, the instant disclosure identifies a need for systems and methods for utilizing reputation information in disconnected environments.