Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Any client device, such as a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, can be at risk from malware.
When a device is infected by malware the user will often notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems, taking inappropriate remedial action, when the actual cause is a malware infection of which they are unaware.
Detecting malware is challenging as the malware authors design their software to be difficult to detect, often employing technology that deliberately hides the presence of malware on a system, i.e. the malware application may not show up on the operating system tables that list currently running processes.
Client devices make use of anti-virus applications to detect and possibly remove malware. This anti-virus application can make use of various methods to detect malware including scanning, integrity checking and heuristic analysis. Of these methods, malware scanning involves the anti-virus application examining files for a virus fingerprint or “signature” that is characteristic of an individual malware program. Typically, this requires that the anti-virus application has a database containing the signatures. When the provider of the anti-virus application identifies a new malware threat, the threat is analysed and its signature is extracted. The malware is then “known” and its signature can be supplied as updates to the anti-virus application database. However, scanning files for malware can consume significant processing resources potentially resulting in a reduction in the performance of a computing device. As the number more malware applications are identified, the size of the database grows. This leads to slower scanning times, increased memory consumption and makes boot up times for client devices longer.
Various anti-virus applications are available on the market today. These tend to work by maintaining a database of signatures or fingerprints for known viruses. With a “real time” scanning application, when a user tries to perform an operation on a file, e.g. open, save, or copy, the request is redirected to the anti-virus application. If the application has no existing record of the file, the file is scanned for known virus signatures. If a virus is identified in a file, the anti-virus application reports this to the user, for example by displaying a message in a pop-up window. The anti-virus application may then add the identity of the infected file to a register of infected files. Access to the file is denied. When a subsequent operation on the file is requested, the anti-virus application first checks the register to see if the file is infected. If it is infected, the access is denied. If the file is not infected, access is permitted (the anti-virus application may re-check the file if it detects that the file has changed since the previous check was performed).
One way to avoid the problems of storing a large malware database at the client device is to implement remote anti-virus scanning. An anti-virus application is run at the client device, and if suspected files are identified a request is made to a remote server. The request may include any number of different signatures calculated from the file and other metadata such as the location of the file. The remote server has access to a set of signatures and their categorization, and can respond to the application with a relevant category for the file (for example, “clean” or “infected”).
A problem with remote anti-virus scanning is that the number of requests made to the server will typically be very large. Each request has an in-built latency because communications are exchanged between the server and the client device, which increases scanning times. Furthermore, the server must have a great deal of redundancy built into its bandwidth and processing capabilities in order to handle large numbers of requests at peak times.
Similar problems are encountered by other security applications, such as “safe surf” applications that allow web browsers to access certain websites.