1. Field of Art
The disclosure generally relates to computer security, and more specifically to detecting malware.
2. Description of the Related Art
Malware such as computer viruses, worms, Trojan horses, and spyware pose a constant threat to modern computer systems. In order to combat malicious files, computer systems typically run antivirus software that attempts to detect, identify, and remove the malicious files. Conventional antivirus software stores a database of definitions with each definition corresponding to known malware. The antivirus software periodically scans files on the client machine to detect malware matching the stored definitions. The detected malware can then be neutralized or eliminated.
While anti-virus programs are able to detect and remove malware, new malware designed to work around existing programs is constantly being produced. Thus, it is important to frequently update these antivirus definitions so that newly released malware can be detected. These updates are typically provided by vendors of the antivirus programs.
In recent years, the number of new known malware has increased dramatically, making the distribution of updates an increasingly challenging problem. The frequent updates can create data overload problems for client machines that must constantly receive and store new definitions while continuing to store and maintain all of the older definitions. This is particularly problematic for client machines with limited physical memory such as, for example, Automated Teller Machines (ATMs), or for machines with limited network bandwidth. Furthermore, distributing large numbers of definitions to client machines results in significant costs to the definition distributers.
One approach to this problem is to reduce the number of active definitions used by the antivirus software by eliminating older definitions that are no longer deemed to pose a continuous threat. However, this approach leaves the client vulnerable to attack should these older threats reappear. Another conventional approach is to provide a central antivirus server to store all of the definitions rather than distributing the definitions to local machines. However, while this approach reduces local storage requirements, it significantly increases network traffic between the client and server and does not provide significant improvement in overall performance and cost. Therefore, what is needed is an improved system for distributing malware definitions to client devices.