1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to optimization of anti-malware processing.
2. Description of the Related Art
Detection of viruses and malware has been a concern throughout the era of the personal computer. With the growth of communication networks such as the Internet and increasing interchange of data, including the rapid growth in the use of e-mail for communications, the infection of computers through communications or file exchanges is an increasingly significant consideration. Infections take various forms, but are typically related to computer viruses, Trojan programs, or other forms of malicious code (i.e., malware).
One conventional approach to detecting viruses is signature scanning. Signature scanning systems use sample code patterns extracted from known malware code and scan for the occurrence of these patterns in other program code. A primary limitation of the signature scanning method is that only known malicious code is detected, that is, only code that matches the stored sample signatures of known malicious code is identified as being infected. All viruses or malicious code not previously identified, and all viruses or malicious code created after the last update to the signature database, will not be detected.
Another virus detection strategy is integrity checking. Integrity checking systems extract a code sample from known, benign application program code. The code sample is stored, together with information from the program file, such as the executable program header and the file length, as well as the date and the time stamp of the sample. The program file is checked at regular intervals against this database to ensure that the program file has not been modified.
A main disadvantage of an integrity check-based virus detection system is that a great many warnings of virus activity issue whenever any modification of an application program is performed. It is difficult for a user to determine when a warning represents a legitimate attack on the computer system.
An effective conventional approach uses so-called white lists—the lists of known “clean” software components, links, libraries and other clean objects. In order to compare a suspect object against the white list, hash values can be used. In order to be effective, the white lists have to be constantly updated. When white lists are used, some false-positive determinations are inevitably made.
It is important to detect false positives, as they can cause perhaps almost as much harm as malware itself. For example, a legitimate component can be “recognized” by the AV software as malware, causing severe damage to the reputation of the AV software vendor, and annoyance and wasted time for many users. Another scenario is when malware is mistakenly considered to be a “clean” component and harms a system. However, conventional systems do not provide an effective and robust update of the white lists based on detected false positives.
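The three conventional mechanisms described above (signature scanning, integrity checking, and hash-based white lists) are illustrated below in one added Python example; this is not code from the patent or from any particular AV product. The signature patterns, the sampled-code layout (4 header bytes, then a 16-byte code sample), and the sample files are all constructed for the example. The integrity record stores exactly the fields the description lists: a sample of the code, the executable header, the file length, and the time stamp of the sample.

```python
import hashlib
from dataclasses import dataclass

# --- Signature scanning: look for known byte patterns in program code ---
# Constructed signatures for the example; they are not real malware patterns.
SIGNATURES = {
    "Constructed.Sig.A": bytes.fromhex("deadbeef0102"),
    "Constructed.Sig.B": b"CONSTRUCTED-MARKER",
}


def scan_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signature patterns found in data (sorted)."""
    return sorted(name for name, pat in signatures.items() if pat in data)


# --- Integrity checking: baseline record of a known-benign program file ---
HEADER_LEN = 4   # assumption: first 4 bytes are treated as the executable header
SAMPLE_LEN = 16  # assumption: 16 bytes after the header are the stored code sample


@dataclass(frozen=True)
class IntegrityRecord:
    header: bytes       # executable program header
    length: int         # file length
    sample_hash: str    # SHA-256 of the extracted code sample
    timestamp: float    # when the sample was taken


def make_record(data: bytes, timestamp: float) -> IntegrityRecord:
    sample = data[HEADER_LEN:HEADER_LEN + SAMPLE_LEN]
    return IntegrityRecord(header=data[:HEADER_LEN], length=len(data),
                           sample_hash=hashlib.sha256(sample).hexdigest(),
                           timestamp=timestamp)


def check_integrity(data: bytes, record: IntegrityRecord) -> list:
    """Return the names of the stored fields that no longer match; [] means unchanged.
    Note the inherent limitation: a change outside the sampled bytes that keeps the
    length and header intact is not caught by this scheme."""
    current = make_record(data, record.timestamp)
    return [f for f in ("header", "length", "sample_hash")
            if getattr(current, f) != getattr(record, f)]


# --- White list: known-clean objects identified by hash ---
def object_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class WhiteList:
    def __init__(self, clean_objects):
        self._hashes = {object_hash(d) for d in clean_objects}

    def is_known_clean(self, data: bytes) -> bool:
        return object_hash(data) in self._hashes

    def add(self, data: bytes) -> None:
        # e.g. after a confirmed false positive on a legitimate component
        self._hashes.add(object_hash(data))

    def remove(self, data: bytes) -> None:
        # e.g. after a white-listed object turns out to be malicious
        self._hashes.discard(object_hash(data))


# Constructed sample "files" (44 bytes each unless noted)
CLEAN_APP = b"MZ\x90\x00" + b"clean application code".ljust(40, b"\x00")
PATCHED_APP = CLEAN_APP[:10] + b"X" + CLEAN_APP[11:]   # one byte inside the sampled region changed
APPENDED_APP = CLEAN_APP + b"\x00" * 8                  # same header and sample, longer file
INFECTED = b"MZ\x90\x00" + b"stuff" + bytes.fromhex("deadbeef0102") + b"tail"


def demo() -> dict:
    record = make_record(CLEAN_APP, timestamp=1_700_000_000.0)
    wl = WhiteList([CLEAN_APP])
    return {
        "sig_clean": scan_signatures(CLEAN_APP),            # []
        "sig_infected": scan_signatures(INFECTED),          # ['Constructed.Sig.A']
        "integrity_same": check_integrity(CLEAN_APP, record),        # []
        "integrity_patched": check_integrity(PATCHED_APP, record),   # ['sample_hash']
        "integrity_appended": check_integrity(APPENDED_APP, record), # ['length']
        "wl_clean": wl.is_known_clean(CLEAN_APP),           # True
        "wl_patched": wl.is_known_clean(PATCHED_APP),       # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The integrity check reports which stored field changed, which is what an operator needs when deciding whether a warning reflects a legitimate update or an attack; the white-list class exposes add/remove so that a confirmed false positive can be corrected by updating the list rather than by weakening the scanner.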
Another conventional approach is collection and analysis of heuristic data of executable files or processes. U.S. Pat. No. 7,530,106 discloses a system for analyzing the behavior of executed files based on a set of rules. The malware is detected using ratings of computer processes calculated according to the rules. The rules are generated based on analyses of known malware processes. Each rule has the following structure: a rule identifier, an API function monitored by the rule, rule parameters and a danger level. The rule is invoked if the process calls the API function with the rule parameters. Then the rating of the process is increased according to the rule value.
The rules are stored in updatable databases. As new viruses appear, the rule databases are updated. Creation of new rules or modification of old ones is a laborious and expensive task, so it is important that the rules are tested for correctness of application. New rules can have errors in their code (i.e., bugs), or they can generate errors when applied by an AV module during malware scanning. Thus, some rules can have zero effectiveness: they are stored in the rule database but never fire in the AV process. Rules with zero effectiveness may not work due to a number of factors. For example, a rule can have excessively strict (i.e., narrow) parameters, the rule can contain errors, or the behavior detected by the rule is no longer found in modern malware objects or applications.
The AV system uses the entire set of rules from the database for checking suspect objects. Thus, zero-effectiveness rules do not affect the overall rating, but they reduce the efficiency of the AV system. Also, these rules occupy space in the database, which makes frequent updates more difficult. Therefore, new rules need to be tested prior to being applied in the AV system. Conventional systems, however, do not offer automatic testing of new rules.
Any AV system has some probability of errors arising during its operation. The errors are of two types. An error of the first type occurs if the AV system detects a malware object when the object is actually harmless; in other words, the system produces a false-positive determination. An error of the second type occurs when the AV system does not detect a real malware object. In order to make the AV system more efficient, it is necessary to reduce the probability of both types of errors.
Accordingly, there is a need in the art for an optimized system and method that addresses the need for testing and automatic correction of the rules used in AV processing.