In recent years, there has been a marked increase in the number of harmful programs, such as viruses, worms, Trojans and other types of malware. Malware causes significant damage and financial losses to businesses and individual computer users. One of the most effective methods of countering these threats is using antivirus software. Antivirus software detects and removes malicious programs from computers and protects computers and networks from the spread of malware. To detect malicious programs, antivirus software performs individual file scans or comprehensive scans of the files on a computer or network drive.
One of the common methods of malware detection is signature scanning. In antivirus software, signature scanning of files is typically carried out using the complete list of signatures (templates) of harmful code contained in the antivirus database of the antivirus software. The antivirus database constantly increases in size as signatures of new types of malware are added to it, which leads to an increase in the time it takes to perform signature scanning. In order to optimize the signature scanning method (e.g., to increase the speed of file analysis), it has now become common to perform a preliminary file analysis.
The preliminary analysis enables the main antivirus check to be optimized subsequently, and may consist, for example, of the filtering of the files according to specified criteria; the prioritization of files before checking; the detection of the file parameters necessary for subsequent antivirus checking; and the conversion of files into a specified form. During preliminary analysis, antivirus software uses various evaluation criteria, such as the file type, the hash sum of the file, the file size, the date of creation of the file, the file name, and the like. On the basis of the chosen criterion or combination of criteria, the antivirus application detects the files and then performs a preliminary analysis of the detected files according to the specified settings. Thus, for example, if the preliminary analysis consists of the prioritization of files, a file checking sequence is created according to the detected criteria. In another example, if the preliminary analysis consists of file filtering, the files will be filtered (passed for further checking or eliminated) according to the detected criteria.
Cases in which the preliminary analysis involves file filtering are examined below. With this approach, antivirus file analysis can be accelerated by eliminating from the analysis those files that do not match the filter criteria. For example, filtering can be based on the identification of file types and the elimination of safe file types from further checking, because these file types do not require checking. A safe type is a file type among whose files no harmful file and no file containing harmful code has been previously discovered. In other words, the file type in question is a legitimate (or “clean”) type.
A further consideration is that antivirus software used on mobile devices is subject to a number of limitations due to the more limited resources of these devices. As a rule, these limitations are due to the operating speed, memory capacity, and period of use of mobile devices, in view of the need to charge their batteries periodically. The aim of the antivirus software is therefore to use the available resources of mobile devices in an efficient manner. For example, the number of technologies used by antivirus software can be reduced by using different methods of preliminary analysis or filtering of files during their antivirus analysis.
Additionally, when preliminary analysis involves filtering by previously chosen file parameters, the speed of the antivirus scan can be increased further by dividing the antivirus database according to the corresponding file parameters. Antivirus databases contain malware signatures, such as harmful code patterns or hash sums of harmful code or parts thereof. If such a database is divided, for example, by file type, it becomes a distributed database enabling the file analysis speed to be optimized (increased), since checking will only take place in the relevant part of the database, rather than across the whole database.
However, it should be taken into account that, given the very large and constantly increasing number of new file types and new patterns (signatures) of harmful code, antivirus databases are also constantly expanding, leading to an increase in antivirus analysis time. Consequently, in order to make efficient use of the advantages of preliminary analysis (filtering) by file type, for example, and the benefits of a distributed antivirus database, the set of file types used for the preliminary antivirus analysis must be adaptively modified for the computer system on which the antivirus software performs the antivirus analysis of computer files.
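The following is an added illustration of the scheme described above (file-type filtering with a safe-type set, prioritization of the remaining files, a signature database partitioned by file type, and adaptive removal of a type from the safe set once harmful code is found in it); it is not code from the patent and does not describe any particular product's implementation. The magic-number prefixes are real, but the `Scanner` class, the `EVILPATTERN`/`BADCODE` signatures, the sample files and the initial safe-type set are all constructed for the demonstration and correspond to no real malware.

```python
"""Added example: file-type filtering, prioritization and a per-type
signature database with an adaptively maintained set of safe file types.
All signatures, file contents and the initial safe-type set are constructed."""
from dataclasses import dataclass, field

# Magic-number prefixes for a handful of common file types (real values).
MAGIC = {
    b"MZ": "pe",            # Windows PE executable
    b"\x7fELF": "elf",      # ELF executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # ZIP container (also APK, DOCX, JAR)
    b"\x89PNG": "png",
    b"GIF8": "gif",
}


def file_type(data: bytes) -> str:
    """Identify the file type from its leading bytes; 'unknown' if no prefix matches."""
    for prefix, ftype in MAGIC.items():
        if data.startswith(prefix):
            return ftype
    return "unknown"


def prioritize(files: dict, safe_types: set) -> list:
    """Checking order: files of non-safe types first, smaller files first within a group."""
    return sorted(files, key=lambda n: (file_type(files[n]) in safe_types, len(files[n])))


@dataclass
class Scanner:
    # Signature database partitioned by file type: type -> list of harmful byte patterns.
    db: dict
    # File types in which no harmful file has been seen so far (hypothetical initial set).
    safe_types: set = field(default_factory=set)
    # Work counters: 'comparisons' is the number of signatures actually consulted.
    stats: dict = field(default_factory=lambda: {"skipped": 0, "scanned": 0, "comparisons": 0})

    def scan(self, data: bytes):
        """Return (file type, verdict) with verdict in {'skipped', 'clean', 'malicious'}."""
        ftype = file_type(data)
        if ftype in self.safe_types:          # preliminary filtering: safe type, no check
            self.stats["skipped"] += 1
            return ftype, "skipped"
        self.stats["scanned"] += 1
        partition = self.db.get(ftype, [])    # only the relevant part of the database
        self.stats["comparisons"] += len(partition)
        verdict = "malicious" if any(p in data for p in partition) else "clean"
        return ftype, verdict

    def add_signature(self, ftype: str, pattern: bytes) -> None:
        """A new signature for a type means harmful code exists in that type,
        so the type can no longer be treated as safe (adaptive safe-type set)."""
        self.db.setdefault(ftype, []).append(pattern)
        self.safe_types.discard(ftype)


# Constructed sample file contents (not real files).
SAMPLE_FILES = {
    "setup.exe": b"MZ" + b"\x90" * 16 + b"EVILPATTERN01" + b"\x00" * 8,
    "report.pdf": b"%PDF-1.7\n%constructed\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "logo.gif": b"GIF89a" + b"\x00" * 10 + b"EVILPATTERN02",
}


def build_scanner() -> Scanner:
    """Constructed per-type signature database; png and gif start out as safe types."""
    db = {
        "pe": [b"EVILPATTERN01", b"BADCODE77"],
        "elf": [b"BADCODE42"],
        "pdf": [b"/JS (BADPATTERN)"],
    }
    return Scanner(db=db, safe_types={"png", "gif"})


def demo():
    """Two passes over the sample files: before and after a GIF signature is learned."""
    s = build_scanner()
    first = {n: s.scan(d) for n, d in SAMPLE_FILES.items()}
    # Harmful code is later discovered in a GIF; its signature is added to the
    # gif partition and gif drops out of the safe-type set.
    s.add_signature("gif", b"EVILPATTERN02")
    second = {n: s.scan(d) for n, d in SAMPLE_FILES.items()}
    return first, second, s


if __name__ == "__main__":
    first, second, s = demo()
    print("order:", prioritize(SAMPLE_FILES, {"png", "gif"}))
    print("pass 1:", first)
    print("pass 2:", second)
    print("stats:", s.stats, "safe types now:", s.safe_types)
```

On the first pass the two image files are skipped without consulting the database at all, and the executable is checked only against the two PE signatures rather than the whole database; once a GIF signature is added, the GIF that was previously passed over as a safe type is checked and flagged on the second pass, while PNG remains filtered out.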