1. Technical Field
This application relates generally to antivirus products, and particularly to improving antivirus product performance using in-kernel cache of file states.
2. Description of the Related Art
Many anti-virus products include a kernel-level component that intercepts an attempt to access a file and passes information about that attempt as an event to a user-space component that makes a decision whether the file has to be scanned for viruses. Processing an event is an expensive operation that involves multiple context switches. For example, a substantial latency exists between the time file access is identified and the time the operation is allowed to proceed.
In the traditional approach, events for a file will be generated even when that file has been previously scanned and it is known to be safe to let the operation proceed. The latency experienced when processing an event may be multiplied owing to the fact that a single file may have linked libraries that may also generate events when the single file is processed. For example, even for a simple program that works with one file, there may be multiple hidden events generated for each of the libraries with which the executable is linked.