Computing and communication networks typically include network devices, such as routers, firewalls, switches, or gateways, which transfer or switch data, such as packets, from one or more sources to one or more destinations. Network devices may operate on the packets as the packets traverse the network, such as by forwarding or filtering the packet-based network traffic.
A network device may be particularly vulnerable to harmful traffic (e.g., incorrect protocols, signaling, etc.), nefarious information (e.g., viruses, worms, spyware, malware, etc.), and/or electronic attack (e.g., spoofing, denial of service attacks, etc.) being transmitted via the network device. Network devices implement antivirus software to combat such harmful traffic, nefarious information, and/or electronic attack.
Some antivirus software in network devices puts heavy demands on internal buffer resources of the network devices. For example, some antivirus scanning methods, such as a store-and-forward method, buffer all data provided in a data transaction (e.g., data content of a packet) until a virus scanning of the data transaction is complete. The store-and-forward method will forward the data transaction on to a destination (or endpoint) when a virus is not detected. If the virus scanning detects a virus in the data transaction (i.e., the data transaction is infected), the store-and-forward method may ensure that none of the infected content reaches a destination since all data associated with the data transaction is buffered. The store-and-forward method is a highly secure mechanism for blocking traffic with known viruses. However, the store-and-forward method requires large amounts of information to be stored in a limited amount of data buffer memory provided in a network device. The store-and-forward method may cause the data buffer memory to reach its capacity, which may create congestion in the network device and may cause the network device to drop connections utilizing the antivirus scanning and/or connections handling non-antivirus traffic.
Another antivirus scanning method, a simple inline method, buffers a portion of a data transaction (e.g., provided in a packet) until virus scanning of the portion of the data transaction is complete. The simple inline method will forward the portion of the data transaction on to a destination when a virus is not detected. If the virus scanning detects a virus in the portion of the data transaction (i.e., the portion of the data transaction is infected), the simple inline method will drop a connection, associated with the portion of the data transaction, in order to prevent the data transaction from reaching a destination.
However, the simple inline method is less effective than the store-and-forward method in preventing known viruses from reaching a destination. The simple inline method may also increase the risk of data rendering. For example, if a web browser executes a download of a script file, the simple inline method may not prevent an infected portion of the downloaded script file from causing harm to a destination. The simple inline method may not prevent a destination from receiving and using a partial file that is infected since a partial file (e.g., an executable file, such as a script file) may still be executed on the destination. Furthermore, the simple inline method may enable a protocol layer caching scheme to permit a partial virus signature to be received by a destination during a retry of a download.
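The trade-off between the two methods described above, as an added example that is not part of the original text: a small Python model that runs the same transaction through both and reports peak buffer use and what reached the destination. `SIGNATURE` is a constructed, harmless marker; the 16-byte portion size, the function names, and the assumption that the inline scanner checks each portion independently are all illustrative.

```python
# Added illustration; names and sizes are assumptions, not from the source text.
SIGNATURE = b"TEST-SIGNATURE"   # constructed, harmless stand-in for a known virus signature
PORTION = 16                    # assumed size of one scanned portion, in bytes

def split(data, size=PORTION):
    """Split a data transaction into fixed-size portions (e.g. packet payloads)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def store_and_forward(portions):
    """Buffer every portion, scan the whole transaction, forward only if clean."""
    buffered = b"".join(portions)
    infected = SIGNATURE in buffered
    return {"forwarded": b"" if infected else buffered,
            "peak_buffer": len(buffered), "blocked": infected}

def simple_inline(portions):
    """Scan and forward one portion at a time; drop the connection on detection."""
    forwarded, peak = bytearray(), 0
    for portion in portions:
        peak = max(peak, len(portion))
        if SIGNATURE in portion:          # infected portion: drop the connection
            return {"forwarded": bytes(forwarded), "peak_buffer": peak, "blocked": True}
        forwarded += portion              # clean portion has already left the device
    return {"forwarded": bytes(forwarded), "peak_buffer": peak, "blocked": False}

# Constructed sample: a 64-byte script whose last 16-byte portion carries the marker.
INFECTED = b"print('ok')\n" * 4 + SIGNATURE + b"\n\n"
CLEAN = b"print('ok')\n" * 4

if __name__ == "__main__":
    for name, method in (("store-and-forward", store_and_forward),
                         ("simple inline", simple_inline)):
        r = method(split(INFECTED))
        print(f"{name}: blocked={r['blocked']} peak_buffer={r['peak_buffer']}B "
              f"delivered_before_block={len(r['forwarded'])}B")
```

Both methods block the infected transaction, but the inline run has already delivered the first 48 bytes as a partial script while buffering only 16 bytes, whereas store-and-forward delivers nothing and holds all 64 bytes.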