1. Field of the Invention
This invention pertains in general to software for detecting viruses and other malicious software and in particular to techniques for scanning a computer file for the presence of the malicious software.
2. Description of the Related Art
Caching is a well-known technology for optimizing access to data stored by a computer. Typically, a computer uses a relatively large yet slow memory device for long-term storage of data. Examples of slow memories include hard drives, CD-ROMs, and DVDs. Additionally, the computer uses a relatively small yet fast memory for short-term storage of data. An example of such a fast memory is the computer's random access memory (RAM). Caching accelerates the operation of the computer by anticipating which data in the slow memory will be used by the computer, and moving those data to the fast memory before they are needed.
Modern file systems include a cache manager that performs file caching for processes executing on the computer. The cache manager identifies the files and/or parts of the files that are likely to be accessed by a process, and loads those files or portions into a fast memory in anticipation of the process's request for access. The NTFS and WinFS file systems from MICROSOFT CORP. of Redmond, Wash. are examples of file systems having cache managers.
To facilitate selection of the correct caching strategy, file systems allow a process to specify a “cache hint” when requesting access to a file. The cache hint indicates the manner in which the process expects to access the data. For example, a process can use a cache hint to specify whether it is reading a file sequentially. The cache manager receives the hint and uses it to select a caching mode that is optimized for the expected data accesses.
Antivirus and other types of security scanners scan files on a computer's storage device to detect the presence of viruses and/or other malicious software. In most instances, a security scanner scans all files of certain types accessed by other processes executing on the computer. This scanning allows the security scanner to proactively detect malicious software and quarantine or remove it before the software has a chance to perform malicious actions.
One way that a security scanner implements its scanning is by intercepting file access requests from other processes. Under this technique, however, the caching mode for the file is based on the cache hint in the original file access request, and is not necessarily the mode that is optimal for security scanning. The use of a suboptimal caching mode can make the scanning process inefficient, which is undesirable because security scanning is performed frequently and even minor inefficiencies can have an impact on the overall performance of the computer. Therefore, there is a need in the art to use the optimal caching mode when a security scanner is scanning a file for the presence of malicious software.
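As an added illustration (not part of the patent text, and not the patent's own method), the C sketch below shows a scanner supplying its own sequential-access cache hint before reading a file whose requester had asked for random access. It uses the POSIX call posix_fadvise as a stand-in for the file-system hint mechanism described above; scan_fd, CHUNK and the TESTSIG marker are hypothetical names and constructed sample data.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define CHUNK 4096
/* Hypothetical scanner routine (not from the patent): search an open file
 * for a byte signature. Returns 1 if found, 0 if clean, -1 on error. */
int scan_fd(int fd, const unsigned char *sig, size_t siglen)
{
    unsigned char buf[2 * CHUNK];
    size_t keep = 0;               /* tail bytes carried between reads */
    ssize_t n;
    if (siglen == 0 || siglen > CHUNK)
        return -1;
    /* Replace whatever hint the requester gave with the scanner's own
     * pattern: one front-to-back pass. Advisory, so failure is ignored. */
    (void)posix_fadvise(fd, 0, 0, POSIX_FADV_SEQUENTIAL);
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    while ((n = read(fd, buf + keep, CHUNK)) > 0) {
        size_t have = keep + (size_t)n;
        for (size_t i = 0; i + siglen <= have; i++)
            if (memcmp(buf + i, sig, siglen) == 0)
                return 1;
        /* Keep siglen-1 bytes so a match straddling two reads is seen. */
        keep = have < siglen - 1 ? have : siglen - 1;
        memmove(buf, buf + have - keep, keep);
    }
    return n < 0 ? -1 : 0;
}

int main(void)
{
    char path[] = "/tmp/scanhintXXXXXX";    /* constructed sample file */
    unsigned char data[2 * CHUNK];
    int fd = mkstemp(path), found;
    if (fd < 0) return 2;
    unlink(path);
    memset(data, 'A', sizeof data);
    memcpy(data + CHUNK - 3, "TESTSIG", 7); /* straddles the read boundary */
    if (write(fd, data, sizeof data) != (ssize_t)sizeof data) return 2;
    (void)posix_fadvise(fd, 0, 0, POSIX_FADV_RANDOM); /* requester's hint */
    found = scan_fd(fd, (const unsigned char *)"TESTSIG", 7);
    close(fd);
    return found == 1 ? 0 : 1;
}
```

On Linux the hint attaches to the open file description, so a scanner that opens its own descriptor leaves the requesting process's hint in place.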