Antivirus and antispyware solutions generally employ traditional scan-based technologies to identify viruses, worms, Trojan horses, spyware, and other malware on an endpoint device. Typical antivirus and antispyware solutions may detect these threats by searching a system for files that match characteristics (e.g., malware signatures) of a known threat. Once a solution detects a threat, the solution may remediate the threat, typically by deleting or quarantining it.
As the number of malware threats increases, the sizes of the signature databases that identify these threats also increase. Large malware signature databases may be undesirable for a variety of reasons. For example, adding malware signatures to a signature database on a client device may result in increased disk footprint and additional consumption of CPU cycles and memory during malware scans. Similarly, server-side lookups may take longer and consume more resources as server-side signature databases grow. Furthermore, the larger the database, the higher the likelihood of triggering false positive detections. What is needed, therefore, is a more efficient and effective mechanism for managing malware databases.