Small, mobile, limited-resource computers, such as personal desktop assistants, including hand-held and palm-type computers, are becoming increasingly popular for use by business people and others who must travel and thus cannot readily access information stored on their desktop computer or office network workstation. Although laptop computers are capable of running virtually all of the application programs that execute on desktop computers, laptop computers are often too large and/or too heavy to carry around. There is thus an increased demand for small, limited resource computers that are able to run business applications that are less complex than those designed to run on a desktop computer and that enable a user to quickly access all types of personal and business-related data, such as addresses, telephone numbers, scheduled appointment times, etc.
Increasingly, limited resource computers are configured to access data on various networks, such as the Internet. As a consequence, limited resource computers have become susceptible to invasions or attacks delivered over the network. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, and even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
When a limited resource computer is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer; or causing the computer to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer may be used to infect other computers that are communicatively connected by a network connection.
On a general purpose computer, such as a desktop or laptop computer, a traditional defense against computer malware and, particularly, against computer viruses and worms, is commercially available antivirus software. Most antivirus software that is designed for a general purpose computer implements a scan engine that identifies malware by matching patterns within data to what is referred to as a “signature” of the malware. More specifically, one known method for identifying malware with a scan engine includes obtaining a copy of the malware “in the wild.” The program code or a characteristic subset of the program code that implements the malware is processed with a hash function that converts the program code into a signature. Then, in response to an event, the scan engine searches data associated with the event for a match to a malware signature.
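The signature-matching method described above, as an added example that is not part of the original text: constructed, harmless byte strings stand in for the characteristic code subsets, SHA-256 is an assumed choice of hash function, and all names are hypothetical. It also shows that a newly identified sample goes undetected until its signature is added to the database.

```python
import hashlib

# Constructed, harmless byte strings standing in for the "characteristic
# subset" of code taken from samples found in the wild (names hypothetical).
SAMPLES = {
    "Example.Worm.A": b"CONSTRUCTED-SAMPLE-PAYLOAD-A::0001",
    "Example.Virus.B": b"constructed sample payload b / 42",
}

def make_signature(code: bytes) -> tuple[int, str]:
    """Hash a characteristic code subset into a (length, digest) signature."""
    return len(code), hashlib.sha256(code).hexdigest()

def build_database(samples: dict[str, bytes]) -> dict[int, dict[str, str]]:
    """Group signatures by window length: {length: {digest: malware name}}."""
    db: dict[int, dict[str, str]] = {}
    for name, code in samples.items():
        length, digest = make_signature(code)
        db.setdefault(length, {})[digest] = name
    return db

def scan(data: bytes, db: dict[int, dict[str, str]]) -> list[tuple[str, int]]:
    """Hash every window of each signature length in the data associated with
    an event and return (name, offset) for each window matching a signature."""
    hits = []
    for length, digests in db.items():
        # Data shorter than the window yields an empty range, so no hits.
        for off in range(len(data) - length + 1):
            window = hashlib.sha256(data[off:off + length]).hexdigest()
            if window in digests:
                hits.append((digests[window], off))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    db = build_database(SAMPLES)
    # Constructed "file" written during an event: 10 padding bytes + sample A.
    event_data = b"\x00" * 10 + SAMPLES["Example.Worm.A"] + b"tail"
    print("known sample:", scan(event_data, db))

    # A sample identified later is missed until the database is updated.
    new_code = b"constructed sample C, identified later"
    print("before update:", scan(b"xx" + new_code, db))
    db = build_database({**SAMPLES, "Example.Trojan.C": new_code})
    print("after update:", scan(b"xx" + new_code, db))
```

Every signature length in the database adds another full pass of hashing over the scanned data, and every newly identified sample adds an entry that must be delivered and stored.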
The malware detection techniques employed by general purpose computers are not well suited for limited resource computers. For example, in the signature-based malware detection system described above, antivirus software is updated frequently, with a malware signature being transmitted to a general purpose computer whenever a new malware is identified. However, typically, a limited resource computer connects to a network, such as the Internet, through a bandwidth-constrained network connection. In this instance, obtaining and storing the data required to identify new malware, as occurs on some general purpose computers, is not possible given the limited resources (e.g., storage space, bandwidth, processing power, etc.) that are available on limited resource computers.