The number of malicious programs is constantly increasing. Internet worms, Trojan horses, computer viruses and other malicious programs (commonly known as malware) are causing great harm to users and companies. One of the most effective ways of counteracting malware is using antivirus software, which detects and removes malicious programs from a computer. For the detection of malicious programs, the antivirus software may perform a complete or selective checking of the files present on the hard drives and network drives.
For detection of malware, the antivirus software may perform synchronous and asynchronous scanning of files on the computer. In the synchronous mode, when a file access attempt occurs, all actions by other programs on the file being scanned are blocked at the driver level by the antivirus software until the scan is complete. Blocking the file also prevents the execution of malicious code from the file and enables timely isolation of a malicious program. Asynchronous file scanning is typically used in those cases where the threat of execution of malicious code during access to a file is minimal and there is no need for blocking of files. In the asynchronous mode, there is no blocking upon access to the file, and the file itself is scanned in parallel with other actions on the file.
The differences between synchronous and asynchronous file scanning modes are shown in greater detail in FIG. 1A and FIG. 1B. FIG. 1A shows the order of interaction with a file by processes requesting access to the file, and by the antivirus program during a synchronous scan. At time 101, the antivirus program receives a command to scan a particular file. This command may be triggered, for example, by an attempt of the user to open the indicated file. In the case of the synchronous mode of scanning, any processes for access to the file are stopped for the period of time 102, during which the antivirus program is scanning the file for malicious content. An example of an access process is the process of the text editor Microsoft Word, which waits until completion of the antivirus scanning of the document file before proceeding to open it. The process requesting access may only obtain access to the file during step 104, after the antivirus program completes the scan of the file at time 103.
FIG. 1B shows the order of interaction with a file by access processes and an antivirus program during an asynchronous scan. At time 101, the antivirus program receives a command to scan a particular file. In the case of the asynchronous mode, any given access processes continue working with the file in step 104. The antivirus program begins to scan the file at time 102 in parallel, independently of the actions of other applications on the file.
Situations periodically arise in which repeated scans of files are required, for example, when a previously unknown malicious application infects a user's computer. During the first scan, which the antivirus program always performs in synchronous mode for unknown applications, the harmfulness might not be verified. In this case, the malicious application will be given permission to start running. After a certain time, the antivirus libraries are updated to contain information about this malicious application. In order to detect such a case, which has been encountered more and more frequently in recent times, all recently detected files should be scanned each time the antivirus libraries are updated.
After the update of the antivirus libraries, the applications scanned may be considered to be unknown. In this case, however, performing the repeat scan in the synchronous mode is not justified, as it may decrease the speed or performance of the device. Therefore, it makes sense to perform an asynchronous scan. Different solutions exist for configuring synchronous and asynchronous antivirus scans and assessing their effect on system performance. However, one common drawback of known solutions is the inability to determine the size and the content of the antivirus libraries, which will be used in the antivirus scan.
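The rescan flow described above can be modeled in a few lines. The following Python sketch is an added illustration, not code from the original document: the class `OnAccessScanner`, the in-memory `files` dictionary standing in for the disk, and the signature strings are all constructed for the example. First access to an unknown file is scanned synchronously (the caller waits for the verdict), while a library update triggers an asynchronous rescan of previously scanned files in a worker thread.

```python
import threading

class OnAccessScanner:
    """Toy model: synchronous first scan, asynchronous rescan after an update."""

    def __init__(self, files, signatures):
        self.files = files                  # path -> bytes, stand-in for the disk
        self.signatures = set(signatures)   # constructed byte patterns
        self.db_version = 1
        self.verdicts = {}                  # path -> (db_version, malicious)
        self.quarantine = set()
        self.lock = threading.Lock()

    def _scan(self, path):
        # Snapshot the library so a concurrent update cannot change it mid-scan.
        with self.lock:
            sigs, version = frozenset(self.signatures), self.db_version
        malicious = any(sig in self.files[path] for sig in sigs)
        with self.lock:
            self.verdicts[path] = (version, malicious)
            if malicious:
                self.quarantine.add(path)
        return malicious

    def open_file(self, path):
        """Synchronous mode: an unknown file is scanned before access is granted."""
        with self.lock:
            if path in self.quarantine:
                return False
            known = path in self.verdicts
        if known:
            return True                     # already scanned clean, no blocking
        return not self._scan(path)         # caller waits for the verdict

    def update_library(self, new_signatures):
        """Asynchronous mode: rescan previously scanned files in the background."""
        with self.lock:
            self.signatures |= set(new_signatures)
            self.db_version += 1
            targets = [p for p in self.verdicts if p not in self.quarantine]
        worker = threading.Thread(target=lambda: [self._scan(p) for p in targets])
        worker.start()
        return worker                       # file access is not blocked meanwhile
```

In this model a file that passed the first synchronous scan is quarantined only once the background rescan reaches it, which is the window the asynchronous mode accepts in exchange for not blocking access.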