With the advent of general access computer networks, such as the Internet, people may now easily exchange application programs and application data between computer systems. Unfortunately, some people have taken advantage of such easy data exchange by developing computer “viruses” designed to spread among and sometimes attack interconnected devices, such as networked computers. A virus is application code that executes on one's computer without one's knowledge, and against one's interests. Viruses tend to replicate themselves within all interconnected devices, allowing an exponential “infection” of other devices.
In response to the security threat intrinsic to viruses, anti-virus programs were developed to identify and remove viruses. Anti-virus programs periodically check a computer system for known viruses, or for application code that appears to perform undesired activities, such as reformatting a hard disk. Typically, virus scanners install themselves as part of an operating system, and then scan files, according to user preferences, as the files are created and accessed. Some virus scanners attach themselves to communication input and/or output pathways to inspect data that might not be easily identifiable to an operating system's file-based scanning. For example, an E-mail scanner may be attached to a communication port, such as an E-mail transfer port, so as to allow scanning of incoming and outgoing E-mails and their attachments.
E-mail is a common way for a virus to enter a system otherwise protected by an operating-system-based scanner, as the E-mail program may receive and store an infected E-mail message without giving the operating system scanner an opportunity to scan the E-mail. For example, an infected E-mail may be received and stored in a database such that there is no individual data, or recognizable data, available for scanning. Thus, an E-mail scanner is used to scan E-mails, and their attachments, as they are received (or sent) by a system.
However, one complication is that an attachment can be any data, and frequently, to reduce data transfer requirements, attachments are compressed and stored as archives. The term archive as used herein includes traditional archive data formats, i.e., compressed collections of data files such as ZIP, ZOO, LHA, ARC, JAR, LZW, etc., in addition to other data formats that may embed other files, e.g., Microsoft Word (e.g., “.DOC”) documents, Rich Text Format (RTF) files, Object Linking and Embedding (OLE) containers, etc. Scanning archives takes additional time and resources.
Unfortunately, virus developers have recently begun to manufacture “malicious” archives (see FIG. 4) designed to overwhelm virus scanners, such as those used to scan E-mail. The goal is to overwhelm the scanner, and either cause it to crash and leave a system undefended against subsequent attacks, or cause it to “crash” and block further processing of data. That is, in this latter example, if E-mail or file processing is routed through a scanner, and the scanner has crashed, then a “denial of service” for E-mail or file activity occurs until the scanner is restarted.
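One way a scanner can avoid being overwhelmed by such an attachment, shown as an added example that is not part of the original text or the method it goes on to describe: expand the archive under a fixed budget and turn any overrun into a quarantine verdict instead of a crash. The limits, the function names and the assumption that the archive exhausts the scanner through expanded size, entry count or nesting depth are illustrative, and only ZIP is handled.

```python
import io
import zipfile

# Assumed limits (illustrative; tune per deployment).
MAX_DEPTH = 3               # archives nested inside archives
MAX_ENTRIES = 1000          # members across all nesting levels
MAX_TOTAL_BYTES = 1 << 20   # 1 MiB of expanded data per attachment
CHUNK = 64 * 1024

class ArchiveRejected(Exception): """Attachment exceeded the scan budget."""

def walk_archive(data, budget, depth=0):
    """Expand a ZIP in bounded chunks, charging every byte to one shared
    budget; leaf payloads would be handed to the signature scanner."""
    if depth > MAX_DEPTH:
        raise ArchiveRejected("nesting depth exceeded")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            budget["entries"] += 1
            if budget["entries"] > MAX_ENTRIES:
                raise ArchiveRejected("too many entries")
            buf = io.BytesIO()
            with zf.open(info) as member:
                # Do not trust info.file_size: count bytes actually produced.
                while chunk := member.read(CHUNK):
                    budget["bytes"] += len(chunk)
                    if budget["bytes"] > MAX_TOTAL_BYTES:
                        raise ArchiveRejected("expanded size exceeded")
                    buf.write(chunk)
            payload = buf.getvalue()
            if zipfile.is_zipfile(io.BytesIO(payload)):
                walk_archive(payload, budget, depth + 1)

def check_attachment(data):
    """Return ('scan', stats) or ('quarantine', reason) for one attachment."""
    budget = {"entries": 0, "bytes": 0}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("scan", budget)          # not an archive: scan as-is
    try:
        walk_archive(data, budget)
    except (ArchiveRejected, zipfile.BadZipFile, RuntimeError) as exc:
        return ("quarantine", str(exc))  # fail closed, scanner stays up
    return ("scan", budget)

def make_zip(name, payload):
    """Build a constructed sample archive in memory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return out.getvalue()
```

Because the budget is shared across nesting levels, many small nested archives are charged the same way as one large member.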