1. Field of the Invention
The present invention is related to optimization of anti-virus (AV)/file security check/file trust check processing of disk files, and more particularly, to caching a list of trusted files in order to reduce AV scanning time.
2. Description of the Related Art
Advances in computer science produce a large number of applications employed by users. However, this also produces a number of malware applications that hinder functionality of other useful applications. Modern malware includes a variety of viruses, Trojans, worms, spyware, etc. The malware applications infect user computers, which results in malfunctions or malicious use of these computers. Additionally, the malware, such as network worms, migrates to other computers, infecting them as well.
Means of anti-virus (AV) protection are developed and perfected constantly in order to combat advances of the malware. User files located on disk need to be scanned for malware presence. Typically, such scanning is done by user request, i.e., on-demand scanning. The AV application checks the files against databases of signatures, heuristics, etc. However, the main shortcoming of these methods is disk overuse during the AV scan due to increases in volumes of the AV databases.
File AV processing can be optimized using, for example, white lists and black lists based on file modification time stamps. US Patent Publication No. 2009/083852 A1 describes an on-demand scanning method in which a system sends data (e.g., a list of file hashes) to a white/black list server, indicating the time of the last successful connection to the server. The server responds to the request and returns information about the data found during the AV scan. Based on the information provided by the server, the system decides whether the file in question is a trusted file or malware. The main shortcoming of this method is the necessity to send repeated requests to the server regarding which files are changed and/or are trustworthy.
Another method for optimization of AV scanning is provided in U.S. Pat. No. 7,591,019 B1. The system checks files, records their checksums and stores them in a special table. One feature of this system is preliminary collection/calculation of checksums, since, with a long time between checks, the number of files that potentially need to be scanned becomes very large. When the file is next checked, the current checksum is compared against the checksum stored in the table. If the checksum has changed, the file has been modified and needs to be scanned for malware. In order for this system to be effective, the files need to be checked frequently. Otherwise, many files can be modified and scanning will take a long time. At the same time, frequent file scans overload the disk.
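The checksum-table approach described above, sketched as an added example (not code from the cited patent or from this document). SHA-256 stands in for the unspecified checksum, and the `scanner` callable, function names and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile


def file_checksum(path, chunk_size=65536):
    """SHA-256 of the file contents, read in chunks to bound memory use."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_pass(paths, table, scanner):
    """Scan only files that are new or whose checksum differs from the table.

    `scanner` is a hypothetical callable returning True when a file is clean.
    Returns the paths that were actually handed to the scanner.
    """
    scanned = []
    for path in paths:
        current = file_checksum(path)      # still reads the whole file
        if table.get(path) == current:
            continue                       # unchanged since last clean scan
        scanned.append(path)
        if scanner(path):
            table[path] = current          # trusted until content changes
        else:
            table.pop(path, None)          # never cache a file that failed
    return scanned


def demo():
    """Constructed sample: three files, one modified between two passes."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, n) for n in ("a.bin", "b.bin", "c.bin")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(os.path.basename(p).encode() * 100)
        table = {}
        first = run_pass(paths, table, lambda p: True)
        with open(paths[1], "ab") as fh:
            fh.write(b"appended")          # modify b.bin after the first pass
        second = run_pass(paths, table, lambda p: True)
        return [[os.path.basename(p) for p in r] for r in (first, second)]
```

Every pass still reads each file in full to compute its checksum, which is the disk load the text attributes to frequent checks.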
Conventional scanning methods normally rely on checking every file on a disk, which takes a long time. A method for optimization of the AV/security check scanning of disk files is desired. Accordingly, a system and method for reducing the time of the AV/security check scanning of the disk files by creating a cache of trusted file control sums or identifiers is provided.