US Patent 9838418 Detecting malware in mixed content files

Computer systems and methods in various embodiments are configured to determine whether a file is likely to be malware-free or include malware. In an embodiment, a computer system configured to improve security of client computers, and comprising: a memory; one or more processors coupled to the memory; a malware detection logic coupled to the memory and the one or more processors, and configured to: receive a first file from a viewer program that is executing on the client computer, wherein the first file is a mixed content file comprising a combination of both executable instructions and data in one or more formats, and/or one or more data sets stored in one or more other formats; determine that the first file is formatted according to a first specification and that the first specification is associated with one or more first malware tests of a plurality of malware tests, wherein each test in the plurality of malware tests is associated with a score; execute each test in the first one or more malware tests, and add, to a first total score, the score associated with the test if the first file satisfies the test; determine the first total score satisfies a first threshold, and in response, send data to the viewer program indicating that the first file is likely to include malware.