Dynamic throughput ingestion of backup sources
US-10298680-B1 · May 21, 2019 · US
US2018167403A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018167403-A1 |
| Application number | US-201715837942-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 11, 2017 |
| Priority date | Dec 12, 2016 |
| Publication date | Jun 14, 2018 |
| Grant date | — |
Abstract
A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots. The system and method propagates the image of the suspected malware intrusion across multiple networks before it distinguishes malicious code, device state, and files from benign code, device state, and files. Some systems and methods include a malware recovery system that executes machine learning instructions and heuristics to revert a client and/or a remote server to one or more baseline snapshots.
Claims

What is claimed is:

1. A method comprising: receiving baseline snapshots of a remote client and/or a remote server from a remote image capture utility; receiving from the remote client and/or the remote server a notification of a suspected malware intrusion on the remote client and/or the remote server; constructing an image of the suspected malware intrusion at the remote client and/or the remote server; linking by the remote image capture utility the image of the suspected malware intrusion to the baseline snapshots at the remote client and/or the remote server before the malware intrusion is confirmed; propagating the image of the suspected malware intrusion across a first network and a second network; and distinguishing malicious code, device state, and files from benign code, device state, and files.
2. The method of claim 1 wherein the image of the suspected malware intrusion is linked to the baseline snapshots via attachment.
3. The method of claim 1 wherein the image of the suspected malware intrusion is linked to the baseline snapshots via a pointer.
4. The method of claim 1 wherein the act of receiving baseline snapshots of the remote client and/or the remote server occurs in response to an asynchronous event.
5. The method of claim 1 wherein receiving baseline snapshots of the remote client and/or the remote server occurs in response to a synchronous schedule.
6. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a remote intrusion detection system.
7. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a distributed intrusion detection system.
8. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.
9. The method of claim 1 further comprising evaluating the notification of the suspected malware intrusion based on state information from other remote clients and/or other remote servers.
10. A non-transitory machine-readable medium encoded with machine-executable instructions, wherein execution of the machine-executable instructions is for: receiving baseline snapshots of a remote client and/or a remote server from a remote image capture utility; receiving from the remote client and/or the remote server a notification of a suspected malware intrusion on the remote client and/or the remote server; constructing an image of the suspected malware intrusion at the remote client and/or the remote server; linking by the remote image capture utility the image of the suspected malware intrusion to the baseline snapshots at the remote client and/or the remote server before the malware intrusion is confirmed; propagating the image of the suspected malware intrusion across a first network and a second network; and distinguishing malicious code and files from benign code and files.
11. The non-transitory machine-readable medium of claim 10 wherein the image of the suspected malware intrusion is linked to the baseline snapshots via attachment.
12. The non-transitory machine-readable medium of claim 10 wherein the image of the suspected malware intrusion is linked to the baseline snapshots via a pointer.
13. The non-transitory machine-readable medium of claim 10 wherein the act of receiving baseline snapshots of the remote client and/or the remote server occurs in response to an asynchronous event.
14. The non-transitory machine-readable medium of claim 10 wherein receiving baseline snapshots of the remote client and/or the remote server occurs in response to a synchronous schedule.
15. The non-transitory machine-readable medium of claim 10 wherein the notification of the suspected malware intrusion is generated by a remote intrusion detection system.
16. The non-transitory machine-readable medium of claim 10 wherein the notification of the suspected malware intrusion is generated by a distributed intrusion detection system.
17. The non-transitory machine-readable medium of claim 10 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.
18. The non-transitory machine-readable medium of claim 10 further comprising evaluating the notification of the suspected malware intrusion on the remote client and/or the remote server based on state information from other remote clients and/or the remote servers.
19. A system comprising: an application program interface configured to receive baseline snapshots of a remote client and/or a remote server; an intrusion detection system configured to transmit a notification of a suspected malware intrusion on the remote client and/or the remote server; a remote image capture utility configured to construct an image of the suspected malware intrusion at the remote client and/or the remote server; and a malware impact engine configured to receive the image of the suspected malware attack from a first network and a second network; where the malware impact engine is configured to distinguish malicious code and files from benign code and files; and where the remote image capture utility is further configured to link the image of the suspected malware intrusion to the baseline snapshots of the remote client and/or the remote server.
20. The system of claim 19 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.
21. The system of claim 19 further comprising a malware recovery system that executes machine learning and heuristic that reverts the remote client and/or a remote server to the baseline image.
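The claims above describe a pipeline: a capture utility records baseline snapshots, an intrusion detection system raises a notification, an image of the suspected intrusion is constructed and linked (claim 3: via a pointer) to the most recent baseline before anything is confirmed, an impact engine distinguishes malicious from benign content, optionally using state from other hosts (claims 9 and 18), and a recovery system reverts to the baseline (claim 21). The following Python model is an added illustration written for this page; it is not code from the patent or its assignee. Class names are borrowed from the claim language, but their behaviour is an assumption: snapshots are modelled as path-to-content maps compared by SHA-256, cross-host evidence is modelled as "bytes already present in a peer's baseline are treated as benign", and the propagation across two networks is not modelled. All file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def digest(content: bytes) -> str:
    """Content hash used to compare snapshot entries."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Snapshot:
    """A baseline snapshot: host name, sequence number, and path -> bytes."""
    host: str
    seq: int
    files: Dict[str, bytes]

    def hashes(self) -> Dict[str, str]:
        return {path: digest(content) for path, content in self.files.items()}


@dataclass
class IntrusionImage:
    """Image of a suspected intrusion, linked to a baseline by a pointer (seq)."""
    host: str
    alert: str
    files: Dict[str, bytes]
    baseline_ref: Optional[int] = None


class ImageCaptureUtility:
    """Hypothetical capture utility: stores baselines, builds intrusion images."""

    def __init__(self) -> None:
        self.baselines: Dict[str, List[Snapshot]] = {}

    def capture_baseline(self, host: str, files: Dict[str, bytes]) -> Snapshot:
        # Called on a schedule (claim 5) or on an asynchronous event (claim 4).
        seq = len(self.baselines.get(host, []))
        snap = Snapshot(host, seq, dict(files))
        self.baselines.setdefault(host, []).append(snap)
        return snap

    def construct_image(self, host: str, alert: str, files: Dict[str, bytes]) -> IntrusionImage:
        # The image is linked to the latest baseline before the intrusion is confirmed.
        image = IntrusionImage(host, alert, dict(files))
        if self.baselines.get(host):
            image.baseline_ref = self.baselines[host][-1].seq
        return image


class MalwareImpactEngine:
    """Hypothetical impact engine: labels each path in the image benign or malicious."""

    def __init__(self, capture: ImageCaptureUtility) -> None:
        self.capture = capture

    def distinguish(self, image: IntrusionImage) -> Dict[str, str]:
        baseline = self.capture.baselines[image.host][image.baseline_ref]
        base_hashes = baseline.hashes()
        # State from other hosts (claims 9/18): hashes present in a peer's baseline.
        peer_known_good = set()
        for host, snaps in self.capture.baselines.items():
            if host != image.host:
                peer_known_good.update(snaps[-1].hashes().values())
        verdict: Dict[str, str] = {}
        for path, content in image.files.items():
            h = digest(content)
            if base_hashes.get(path) == h:
                verdict[path] = "benign"            # unchanged since baseline
            elif h in peer_known_good:
                verdict[path] = "benign"            # same bytes seen on a peer (e.g. a rollout)
            else:
                verdict[path] = "malicious"         # new or altered, seen nowhere else
        for path in base_hashes:
            if path not in image.files:
                verdict[path] = "malicious"         # baseline file removed
        return verdict


class MalwareRecoverySystem:
    """Hypothetical recovery: revert malicious paths to the linked baseline (claim 21)."""

    def revert(self, image: IntrusionImage, verdict: Dict[str, str],
               capture: ImageCaptureUtility) -> Dict[str, bytes]:
        baseline = capture.baselines[image.host][image.baseline_ref]
        restored = dict(image.files)
        for path, label in verdict.items():
            if label == "malicious":
                if path in baseline.files:
                    restored[path] = baseline.files[path]
                else:
                    restored.pop(path, None)
        return restored


def demo() -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Constructed scenario: two hosts, one IDS alert, one classification and revert."""
    capture = ImageCaptureUtility()
    capture.capture_baseline("client-a", {"/bin/svc": b"svc v1", "/etc/cfg": b"port=443"})
    capture.capture_baseline("client-b", {"/bin/svc": b"svc v2", "/etc/cfg": b"port=443"})
    # Post-alert state of client-a (constructed): svc updated to v2, plus an unknown file.
    observed = {"/bin/svc": b"svc v2", "/etc/cfg": b"port=443", "/tmp/.x": b"unknown-binary"}
    image = capture.construct_image("client-a", "ids: suspicious outbound", observed)
    verdict = MalwareImpactEngine(capture).distinguish(image)
    restored = MalwareRecoverySystem().revert(image, verdict, capture)
    return verdict, restored


if __name__ == "__main__":
    print(demo())
```

In the constructed run, `/bin/svc` changed on client-a but its new bytes already exist in client-b's baseline, so the peer evidence keeps it benign; `/tmp/.x` matches no baseline anywhere and is reverted (removed), while the benign update is left in place.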
Traffic logging, e.g. anomaly detection · CPC title
Physics · mapped topic
Event detection, e.g. attack signature detection · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Machine learning · CPC title