1. Field of the Invention
This invention pertains in general to detecting computer viruses and in particular to techniques for enabling faster antivirus scanning.
2. Background Art
Modern computer systems are under constant threat of attack from computer viruses and other malicious code. Viruses often spread through the traditional route: a computer user inserts a disk or other medium infected with a virus into a computer system. The virus infects the computer system when data on the disk are accessed.
Viruses also spread through new routes. A greater number of computer systems are connected to the Internet and other communications networks than ever before. These networks allow a computer to access a wide range of programs and data, but also provide a multitude of new avenues by which a computer virus can infect the computer. Some viruses exploit the broad reach of the networks and can spread rapidly to thousands or millions of computer systems.
In order to prevent the spread of viruses, it is common practice for end-users to install antivirus software on their computer systems. The software monitors the files stored on the computer system and detects files that are infected with a virus. This task has become more difficult in recent times because the number of files on a typical computer system has increased dramatically. A few years ago, an average computer system might have stored 10,000 files. Now, such a computer system might store more than 100,000 files. Thus, there is a much larger pool of potentially infected files that the antivirus software must scan.
Moreover, scanning an individual file for the presence of a virus takes longer now than in the past. When viruses first became a problem, antivirus software could use relatively quick techniques such as string scanning to determine whether a file was infected. Now, viruses use very sophisticated techniques, such as polymorphism, to hide their presence. As a result, antivirus software must use more advanced and time-consuming technologies, such as software emulation, to detect the presence of viruses. The increased pool of potentially infected files and the need to perform time-consuming virus detection techniques have resulted in a major increase in the amount of time required to scan a computer system for a virus.
This time increase becomes especially apparent when a network-based virus outbreak occurs. In the event of an outbreak, the antivirus vendor usually distributes to the end-user computer systems a virus definition that describes how to detect and, in some cases, remove the virus. The end-user must perform a full system scan of the computer system to determine if any files are infected. This scan can tie up the computer system for hours or, in extreme cases, days. Since virus outbreaks occur frequently, the lost productivity associated with antivirus scanning is significant. Therefore, there is a need in the art for a technique that can more quickly determine whether a computer system is infected with a virus.