A method for combating
malware monitors all attempts by any
software executing on a computer to write data to the computer's
digital storage medium and records details of the attempts in a
system database having a causal
tree structure. The method also intercepts unauthorized attempts by executing objects to modify the memory allocated to other executing objects or to modify a selected set of protected objects stored on the
digital storage medium, and may also intercept write attempts by executing objects that have a
buffer overflow or that are executing in a
data segment of memory. The method may include a procedure for switching the computer into a quasi-safe mode that disables all non-essential processes. Preferably, the
database is automatically organized into
software packages classified by
malware threat level. Entire or packages or portions thereof may be easily selected and neutralized by a local or remote user.