1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the field of malware scanning, such as computer virus scanning or e-mail content scanning, as applied in network environments.
2. Description of the Prior Art
Networked computer systems are becoming increasingly common and complex. A large organisation will typically have a considerable investment in terms of time and effort in its network topology design and configuration. A large network may typically contain one or more gateways, routers and bridges operating in conjunction with one or more network segments. Once the topology of such a network has been established, changes in the topology, such as segment division and address changes, are time consuming and expensive to implement.
As computer systems and computer networks become increasingly important to their users, the threat posed by malware, such as computer viruses, Trojans, worms, banned computer programs or abusive e-mails, becomes increasingly significant. Malware scanners are an important form of defence against such problems.
FIG. 1 of the accompanying drawings schematically illustrates a simple network in the form of a server 2, a plurality of client computers 4, 6, 8 and a gateway 10 all connected upon a single network segment using the IP addresses 192.168.1.x. The gateway computer 10 separates this segment from the outside world and performs any necessary IP address translation as required.
FIG. 2 of the accompanying drawings illustrates how the system of FIG. 1 may be modified to include a malware scanner 12. The malware scanner 12 is physically interposed between the gateway computer 10 and the rest of the network. This divides the original single segment into two portions requiring a change in the network topology downstream of the gateway computer 10. The malware scanner 12 requires programming with appropriate IP addresses at each of its interfaces and the gateway computer 10 requires programming with a new IP address to reflect its new segment. Further changes may also be required in the client computers 4, 6, 8. Whilst the malware scanner 12 may provide effective malware defence, it brings with it a disadvantageous need to reconfigure the network which it is protecting. Often specialist knowledge is required to make such reconfiguration changes and in a more sophisticated and complex network environment the difficulties can be considerable.
Another way in which a malware scanner may be added (although this is not illustrated) may be such that it is not physically interposed in the path of the network traffic, but instead forms a node on the segment which it protects. Whilst this may avoid the need for changes in the segment topology, there will typically be required significant other changes elsewhere in the system in order to ensure that network traffic is routed via the malware scanner that has been introduced. Thus, such alternative arrangements also carry with them similar significant disadvantages as those discussed in relation to FIG. 2.
It is known to provide network analysis tools that may be attached to a network to monitor the network traffic thereupon. Such network analysis tools are often used to help in diagnosing network problems. Typical functions provided by such network analysis tools are to record all the traffic on a network, identify the network addresses exchanging data packets and statistically analyse the data flow. If required, a detailed analysis of the particular messages being exchanged by one or more nodes within the network may also be monitored.
The components that are often used to provide network infrastructure include gateways, routers, switches and bridges. Network bridges can be used to effectively isolate different portions of a network segment to reduce the occurrence of data collisions upon the network segments. As network bandwidths have increased and the use of switches has become more common, the need for network bridges has reduced.