Generally, antivirus databases contain the information necessary for the operation of antivirus software, which detects and removes viruses, worms, Trojans, spyware and other types of malware from computers and computer networks. The information stored in antivirus databases may include virus definitions, interpretable pseudocode, and executable code for analyzing data objects using virus definitions and for removing or disabling detected malware. Due to the proliferation of new kinds of malware, antivirus databases must be regularly updated with new virus definitions and other information to counter newly emerging threats.
Since antivirus databases are generally quite large (e.g., tens of megabytes), a full update that downloads the entire new version of the database to the user's computer may be impractical. Incremental updating of databases is preferred. In this method, the antivirus application downloads only update files and combines them with the previously downloaded content. Each update file usually contains different types of information associated with a new type of malware. This update format is convenient for modifying the database, but typically cannot be used directly by the antivirus application and may require conversion.
More specifically, during an antivirus database update, new files are added or one or more old files are replaced by the new content. During a malware scan of the computer system, the antivirus application generally loads the antivirus database into the computer's RAM, reads the database files into system memory in succession, and converts the data structure into an internal format that is convenient for program operation. This format conversion typically takes place in the computer's RAM during antivirus program execution. This method is typically used because it makes the database simple to maintain: individual database files may be easily modified independently during execution of the antivirus application.
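The update-then-load cycle described above, as an added example that is not part of the original text. The JSON file layout, the record fields and all function names are assumptions made for illustration; the samples are constructed. It applies an incremental update by adding or replacing individual files, then rebuilds the in-memory lookup table, which is the conversion step that repeats on every engine start.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def apply_update(db_dir: Path, update: dict) -> None:
    """Incremental update: add or replace only the files named in the update."""
    for filename, records in update.items():
        tmp = db_dir / (filename + ".tmp")
        tmp.write_text(json.dumps(records))
        # Atomic rename, so a loader running concurrently never reads a partial file.
        tmp.replace(db_dir / filename)


def load_database(db_dir: Path) -> dict:
    """Read the files in succession and convert them to the internal format.

    Internal format (assumed): raw SHA-256 digest -> detection name.
    This whole function runs again on every engine start and in every process.
    """
    index = {}
    for path in sorted(db_dir.glob("*.json")):
        for rec in json.loads(path.read_text()):
            index[bytes.fromhex(rec["sha256"])] = rec["name"]
    return index


def scan(index: dict, data: bytes):
    """Return the detection name for a data object, or None if it is unknown."""
    return index.get(hashlib.sha256(data).digest())


def demo():
    sample_a, sample_b = b"constructed sample A", b"constructed sample B"
    rec = lambda name, data: {"name": name, "sha256": hashlib.sha256(data).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp)
        apply_update(db, {"base001.json": [rec("Test.Sample.A", sample_a)]})
        before = load_database(db)
        # Only the new file is delivered; base001.json is left as it was.
        apply_update(db, {"daily002.json": [rec("Test.Sample.B", sample_b)]})
        after = load_database(db)  # full re-read and re-conversion
        return scan(before, sample_b), scan(after, sample_b), scan(after, sample_a), len(after)


if __name__ == "__main__":
    print(demo())
```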
However, the existing database update techniques have several drawbacks. For example, each time the antivirus engine is started, the antivirus database is loaded into the computer's RAM and the data format conversion is performed. This process consumes significant system resources while the antivirus application loads and may slow down booting of the operating system (OS), because the antivirus application is typically started as a system service during OS startup. Another drawback is the inefficient use of memory when an antivirus database is used by several malware scanning processes. In this instance, a copy of the database files is typically loaded into RAM for each process. The more processes there are and the larger the database files, the more system memory is used. Accordingly, there is a need for an improved technique for updating malware databases and for scanning computer systems for malware with an antivirus application.