1. Field of the Invention
This invention pertains in general to computer security and in particular to the scheduling of updates of malicious software definitions.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Many computer security systems and software products for counteracting malware operate by seeking to identify malware using malware signatures. Malware signatures, also called malware “definitions”, contain data describing characteristics of known malware and can be used to determine whether an entity such as a computer file or a software application contains malware. Typically, malware signatures are generated by a provider of security software and provided to security software on a client computer. The malware signatures are then used by the security software to scan the client computer for malware.
As new malware threats are continuously being developed by attackers and deployed to computing environments, providers of the security software generate new malware signatures on a continuous basis. Providers of the security software generate hundreds of new malware signatures as often as every five minutes. The newly generated malware signatures are stored on a server maintained by the provider of the security software, and the security software on the clients can then access that server to update its set of malware signatures with the newly generated signatures. The security software uses the updated sets of malware signatures to scan the clients for new malware threats.
Updating the sets of malware signatures on the client requires the expense of computational resources from both the client and the server. The clients incur the expense of resources used in updating the set of malware signatures and re-scanning the clients with the updated set of malware signatures. The server incurs the expense of the computational resources associated with the network traffic caused by hundreds or thousands of clients simultaneously accessing the server to retrieve the set of malware signatures.
Often, this expense of computational resources can be avoided. While clients that are exposed to a large number of threats should update their signature set as often as possible, many clients have minimal exposure to threats and can afford to update their signature set less frequently without an increased risk of undetected malware attacks. However, it is difficult to assess how frequently a client requires malware signature set updates in order to prevent undetected malware attacks.
Accordingly, better methods of determining a client's likelihood of exposure to malware threats are required in order to better schedule updates of malware signature sets.