1. Technical Field
The present invention relates generally to computer systems and more specifically to protecting computer systems from malicious software. Still more particularly, the present invention relates to a method and system for efficiently scanning computer systems for malicious software.
2. Description of the Related Art
Many types of malicious software (e.g., viruses, worms, spyware) exist in today's computing environment. Such “malicious” or “hostile” software contains code designed or modified to intentionally corrupt or steal data or programs from the computer system or network on which it runs. Protecting against hostile code is a challenging problem, since there is no way to programmatically distinguish positive from negative program actions, other than knowing whether they are ultimately good for the user or not. For example, a program may delete a file because the user has explicitly asked it to, but a malicious program could also delete a file against the user's will. In other words, there is no proper technical definition of “malicious” or “hostile” code—these being defined according to the behavior expected from a computer by its legitimate user.
Although it is possible to authenticate authorized users with passwords, trusted users themselves may endanger the security of the system and network by unknowingly running programs that contain malicious instructions such as “viruses,” “Trojan horses,” “malicious macros,” “malicious scripts,” “worms,” “spying programs” and “backdoors.” A computer virus is a program that replicates by attaching itself to other programs. A Trojan horse is a program that in a general way claims to do what the user expects it to do, but instead performs malicious actions such as data destruction, data dissemination and system corruption.
All of the above programs, and others not mentioned, can compromise computer systems and a company's confidentiality by corrupting data, propagating from one file to another, or sending confidential data to unauthorized persons, against the user's will. To combat these attacks, various protection techniques (both hardware and software) have been put in place to protect computer systems. For example, one hardware technique involves using the virtual memory support provided by most operating systems. This approach may involve mapping the entire database in a protected mode, and selectively un-protecting and re-protecting pages as they are updated. However, this mapping can be very expensive, for example, on standard UNIX systems.
Software techniques provide an alternative to the above hardware approach. Traditionally, the protection mechanisms focused solely on scanning the system for the presence of the malicious software. These scans were carried out after the malicious software had entered the base system and, in some instances, after the corruption of the base system files had begun. Along that line of software protection, several different software products have been developed to combat certain types of malicious software.
Virus signature scanners, for example, detect viruses by using a pre-defined list of “known viruses.” They scan each file for each virus signature listed in their known-virus database. Each time a new virus is found within the global computing community, the virus is added to that database. However, more and more new viruses are created every day, and these newer viruses are designed with more intelligent capabilities/functions to defeat conventional virus scan techniques.
Periodic antivirus scans (e.g., daily or weekly) of the entire filesystem typically take a long time to perform. Even with simple filesystems, these antivirus scans may take anywhere from 30-90 minutes to complete. Various methods to reduce the amount of time required to complete antivirus scanning have been proposed. For example, U.S. Pat. No. 6,763,466 describes virus scanning where antivirus state information is stored within an associated data structure that is created or maintained by the filesystem of the computer. U.S. Pat. No. 5,502,815 describes a method for increasing the speed of detecting computer viruses by storing the initial state information of a file that has been examined for viruses, and then comparing the file's current state information to the initial state information to determine the level of scanning required. These methods assume that certain viruses change the state information of the file and that the change is detectable. When the state information remains the same, only the small subset of viruses that do not change the state information are checked against the file. Otherwise, the virus scan completes a scan of the entire system for all viruses. U.S. Pat. No. 5,473,769 describes a similar method by which the length (or another characteristic) of the file is checked to determine when a change has occurred within the file. This method assumes that a virus changes the pre-existing length of the file.
Various other methods have been proposed to speed up antivirus scanning. However, as shown in the examples below, none of these methods overcome the problems encountered with viruses developed with smarter anti-detection functionality. As an example, current optimizations involve storing a checksum of directories/files to know whether a file has been touched since the last scan. However, these methods have the drawback that the checksum files can be compromised by a virus which is intelligent enough to know the data directory of the antivirus software. With antivirus systems that rely on a checksum, “smart” viruses have been developed that can infect/change the files and then reset the checksum to its correct value. Other types of current optimizations (for speeding up the virus scan) involve the user specifying a set of “safe” files not to be scanned. However, this method is inherently risky because the viral activity may be clever enough to disguise itself as a safe file.
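As an added illustration (not code from this patent or from the patents it cites), the following Python sketch implements the state-based reduced scan described above in a per-file form: a file whose recorded state is unchanged is checked only against the subset of signatures assumed not to alter that state, while a new or changed file is checked against the full set. The signature bytes, file contents and in-memory state store are all constructed for the example.

```python
import hashlib

# Constructed signature sets for the example (not real malware patterns).
FULL_SIGNATURES = {"sig-A": b"SAMPLE-PATTERN-A", "sig-B": b"SAMPLE-PATTERN-B"}
# Assumed subset whose carriers leave file length and checksum unchanged;
# only these are checked when a file's recorded state still matches.
STATE_PRESERVING_SIGNATURES = {"sig-B": b"SAMPLE-PATTERN-B"}


def file_state(data: bytes) -> tuple:
    """State information recorded per file: length plus a content checksum."""
    return (len(data), hashlib.sha256(data).hexdigest())


def scan_bytes(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def incremental_scan(files: dict, state_db: dict) -> dict:
    """Scan an in-memory filesystem (path -> bytes) using a per-file state store.

    state_db (path -> state) is updated in place for files found clean.
    Returns path -> (scan level, detections). Note that the state store is
    itself a target: if it can be rewritten after a file is modified, that
    file receives only the reduced scan, which is the drawback noted above.
    """
    report = {}
    for path, data in files.items():
        current = file_state(data)
        if state_db.get(path) == current:
            level, signatures = "reduced", STATE_PRESERVING_SIGNATURES
        else:
            level, signatures = "full", FULL_SIGNATURES
        hits = scan_bytes(data, signatures)
        report[path] = (level, hits)
        if hits:
            state_db.pop(path, None)  # never record state for an infected file
        else:
            state_db[path] = current
    return report


if __name__ == "__main__":
    fs = {"a.txt": b"hello", "b.bin": b"xx SAMPLE-PATTERN-A yy"}  # constructed
    store = {}
    print(incremental_scan(fs, store))  # first run: every file scanned in full
    print(incremental_scan(fs, store))  # a.txt unchanged: reduced scan only
```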
The present invention thus recognizes that it would be desirable to reduce the length of time required to perform virus scans (or other similar file/system protection functions) while providing full protection of the computer system from malicious software.