A system and method for efficiently determining that a received file is
not malware is presented. In operation, when a file is received at a
computing device, an evaluation is made as to whether the file includes
user-modifiable, or superficial, data areas, i.e., areas of the file that
by their nature do not typically carry or embed malware. If the file
includes superficial data areas, those superficial data areas are
filtered out and a file signature is generated based on the remaining
portions of the received file. The file can then be compared to a list of
know malware to determine if the file is malware. Alternatively, the file
can be compared to a list of known, trusted files to determine whether
the file is trustworthy.