1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to a method and system for optimization of anti-virus scanning of a file system.
2. Description of the Related Art
Over a past decade malware components and viruses have become more sophisticated. They can access a lot of files of a computer system in a very short time. A file system of a computer system needs to be scanned by an anti-virus (AV) application in order to maintain file system objects intact if malicious programs attempt to change them. A separate task is a periodic scanning of the entire file system, when the AV typically scans hundreds of thousands of files. This is a lengthy and costly process.
Most of AV scanning methods are based on detection of file modifications. The log containing information related to file modifications is kept. AV references the modification log during AV scan of a computer system. This method is described in U.S. Patent Publication No. 2006/0294589, U.S. Patent Publication No. 2007/289019 and in U.S. Pat. No. 7,114,184.
Typically, the AV maintains a database of all the files checked by the AV.
Considering a number of files in a typical computer system, this database can be very large, especially in the case of file servers. Prior to scanning, the AV application has to query the database in order to know which files have already been checked and do not need to be checked again at this point. After scanning the files, the AV has to update the database.
Querying the database containing millions of records takes a long time and produces a significant computational overhead, due to database synchronization. Scanning some extra files causes additional load on the file system and slows down a computer system, especially on huge servers. It is also desirable to know which files (out of previously checked files) have been modified since the last AV scan.
Existing systems do not provide this information, and the AV performs a lot of unnecessary scanning of thousands of files. When the AV checks a file, it compares it against a database of known viruses. This database is also quite large and continuously grows larger. Thus, the comparison process takes extra time and imposes additional costs.
Accordingly, it is desirable to reduce a number of files that need to be checked using the AV signature database and to reduce overhead associated with AV processes.