Conventional Anti-Virus (AV) applications attempt to prevent harmful or malicious transmissions such as viruses and worms from infiltrating a computer system. Typically, such applications operate on a network gateway or host and monitor incoming traffic. Host-based applications monitor traffic into a particular computer system, or node, while server-based applications monitor a physical or logical gateway point such as a firewall or mail server. Server-based applications may provide broader protection by consolidating incoming traffic sooner, but may encounter difficulty with end-to-end encrypted transmissions to a host. Host-based applications may have access to encrypted and/or obfuscated parts of a message, yet may be limited by the resources that can be devoted to the AV application, such as the ability to provide a large database (DB) of known harmful transmissions.
Conventional AV applications, whether server-based or host-based, typically rely on a so-called fingerprint matching implementation. Such a fingerprint matching mechanism aggregates a set of unique indicators, or signatures, exhibited by known malicious transmissions. The unique indicators typically represent portions of files which a particular AV vendor has previously identified as malicious, such as a signature extracted from a particular byte range in the file, or a hash computed over a predetermined portion of a file. The result is a signature value substantially shorter than the entity (file) it represents, yet which has a high likelihood of matching a signature computed from another similar instance of the file. A set of signatures of known malicious transmissions is readily comparable to an incoming transmission to determine malicious content in the incoming transmission. Typically, the AV application vendors regularly update and propagate such signature lists to subscribers to maintain the AV application against newly developed viruses and worms.
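The hash-over-a-predetermined-portion matching described above can be sketched as follows. This is an added example, not code from the original text; the signature name, the offsets and all sample bytes are constructed, and SHA-256 is an assumed choice of hash.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    name: str    # label for the known-malicious file (constructed here)
    offset: int  # start of the predetermined portion
    length: int  # number of bytes the hash covers
    digest: str  # SHA-256 hex digest of that portion


def fingerprint(data: bytes, offset: int, length: int) -> Optional[str]:
    """Hash the predetermined portion; None if the data is too short to contain it."""
    portion = data[offset:offset + length]
    if len(portion) < length:
        return None
    return hashlib.sha256(portion).hexdigest()


def make_signature(name: str, sample: bytes, offset: int, length: int) -> Signature:
    """Vendor side: derive a short signature from a sample already judged malicious."""
    digest = fingerprint(sample, offset, length)
    if digest is None:
        raise ValueError("sample does not contain the requested byte range")
    return Signature(name, offset, length, digest)


def scan(data: bytes, signatures: List[Signature]) -> List[str]:
    """Subscriber side: names of all signatures the incoming data matches."""
    return [s.name for s in signatures
            if fingerprint(data, s.offset, s.length) == s.digest]


# Constructed sample data: a 16-byte header, a 28-byte body, then trailing bytes.
HEADER = b"HDR0" + b"\x00" * 12
BODY = b"constructed-marker-body-0001"
KNOWN_SAMPLE = HEADER + BODY + b"padding-A"
VARIANT = HEADER + BODY + b"different trailing data"   # similar instance
BENIGN = HEADER + b"ordinary document contents.." + b"padding-A"
TRUNCATED = b"HDR0"                                     # shorter than the range

SIGNATURE_DB = [make_signature("Constructed.Sample.A", KNOWN_SAMPLE,
                               len(HEADER), len(BODY))]

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                        ("benign", BENIGN), ("truncated", TRUNCATED)]:
        print(label, scan(blob, SIGNATURE_DB))
```

The variant differs from the known sample only outside the hashed range, so it produces the same fingerprint, which is the "similar instance" property the paragraph describes.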