This invention relates to a system and method for protecting computer files and/or objects against computer viruses, including malware. In the context of computers and machines, a virus is a self-replicating, self-reproducing program that spreads by inserting copies of itself into other executable code or documents. Though the term “virus” may be defined as a type of malware (malicious software), it is common to use “virus” to refer to any kind of malware, including worms, Trojan horses, spyware, adware, etc.
Computer antivirus (AV) programs are commonly used to detect, clean, and remove computer viruses from infected objects such as data files. Such antivirus programs are ubiquitous and are run on nearly every personal computer and server, ranging from large corporations to home computers. One form of detection typically used is scanning of objects resident on a hosting computer system's storage device(s). Objects are scanned for the presence of an embedded virus, and the scanning may be signature-based or heuristic (such as watching for suspicious behavior). Signature-based virus scanning typically relies on signatures obtained from previously-identified viruses.
Generally speaking, antivirus applications provide two primary forms of protection. One form is On Access Scanning (OAS), which scans for malware whenever a file or data object is accessed. This provides real-time protection using the most current, up-to-date malware signatures. Another form of protection is system scanning (SS), which scans disks and other data repositories for malware. Unlike OAS, which scans every time a file or data object is accessed, SS scans files and data objects while they are “at rest.”
OAS and SS are typically used in combination. OAS protects the computer from threats as they occur. SS protects the computer from files which were infected before an AV signature was created for that particular malware. In other words, as new malware is created, there is a time lag between when the malware first appears and when the AV vendor responds with an appropriate signature and countermeasure. During such time, the malware may infect systems while the AV system is unaware of the infection. System scanning is used to perform an AV scan of previously created files and data objects.
System scanning, however, is typically resource-intensive and has a large impact on the performance of the host system for significant periods of time. In many cases, the performance impact is so large as to render the host system practically unusable while performing the scan. As a result, many users choose to disable the SS functionality. Others may choose to stop using their computers while the SS is running, thereby losing productivity. Because of this, enterprise IT (Information Technology) and security managers have difficulty enforcing their AV policies and thus, the enterprise may be placed at risk.
There is a need, therefore, for an improved method, article of manufacture, and apparatus for protecting information against viruses on a computer system.