Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Any client device, such as a desktop personal computer (PC), laptop, tablet or mobile phone, can be at risk from malware.
When a device is infected by a malware program, the user will often notice unwanted behaviour and degradation of system performance, as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems and take inappropriate remedial action, when the actual cause is a malware infection of which they are unaware. Furthermore, even if a malware infection does not cause a perceptible change in the performance of a device, it may be performing other malicious functions such as monitoring and stealing potentially valuable commercial, personal and/or financial information, or hijacking a device so that it may be exploited for some illegitimate purpose.
Many end users make use of anti-virus software to detect and possibly remove malware. In order to detect a malware file, the anti-virus software must have some way of identifying it amongst all the other files present on a device. Typically, this requires that the anti-virus software has access to a locally-stored database containing the “signatures” or “fingerprints” that are characteristic of individual malware program files. When the supplier of the anti-virus software identifies a new malware threat, the threat is analysed and its signature is generated. The malware is then “known” and its signature can be distributed to end users as updates to their local anti-virus software databases.
One example of a known method of updating locally-stored anti-virus software is shown in FIG. 1. As can be seen, software installed on a device periodically transmits requests for an update over a network connection to a server. If an update is available on the server, it is immediately downloaded to the device and used by the device. This model of operation is able to keep all subscribing machines up to date with anti-virus updates.
This method of updating the anti-virus software necessarily uses a network connection. As the size of anti-virus databases has grown substantially over the years, a number of mechanisms have been employed to reduce the bandwidth needed for such updates in order to minimize costs. This reduction in update size has been achieved by sending diffs (a file showing the difference between the updated file and the original file) rather than an entire copy of an updated file, and by applying compression to the updates themselves.
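The diff-plus-compression update described above can be illustrated with the following added example, which is not taken from the original text or from any vendor's product. It assumes signatures are SHA-256 file hashes and uses a hypothetical JSON delta format; the database contents are constructed sample data.

```python
import hashlib, json, zlib

def make_db(names):
    """Constructed signature set: SHA-256 hex digests of sample strings (assumption)."""
    return sorted(hashlib.sha256(n.encode()).hexdigest() for n in names)

def db_digest(db):
    """Digest identifying one exact version of the database."""
    return hashlib.sha256("\n".join(db).encode()).hexdigest()

def build_update(old_db, new_db):
    """Server side: diff between two database versions, then compressed."""
    old, new = set(old_db), set(new_db)
    delta = {
        "base": db_digest(old_db),    # version this diff applies to
        "target": db_digest(new_db),  # expected digest after applying it
        "add": sorted(new - old),
        "remove": sorted(old - new),
    }
    return zlib.compress(json.dumps(delta).encode(), 9)

def apply_update(local_db, blob):
    """Client side: apply the diff only if it fits the local version."""
    delta = json.loads(zlib.decompress(blob))
    if delta["base"] != db_digest(local_db):
        raise ValueError("diff does not match local version; full copy needed")
    updated = sorted((set(local_db) - set(delta["remove"])) | set(delta["add"]))
    if db_digest(updated) != delta["target"]:  # consistency check, not authentication
        raise ValueError("updated database failed consistency check")
    return updated

def full_copy_size(db):
    return len("\n".join(db).encode())

# Constructed data: 5000 old signatures; the update retires 20 and adds 50.
OLD_DB = make_db(f"sample-{i}" for i in range(5000))
NEW_DB = make_db([f"sample-{i}" for i in range(20, 5000)] + [f"new-{i}" for i in range(50)])
UPDATE = build_update(OLD_DB, NEW_DB)

if __name__ == "__main__":
    print("full copy bytes:      ", full_copy_size(NEW_DB))
    print("compressed full copy: ", len(zlib.compress("\n".join(NEW_DB).encode(), 9)))
    print("compressed diff bytes:", len(UPDATE))
```

The digests only confirm that the diff was built against the client's current version and produced the intended result; an update channel would additionally need to authenticate the update itself.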
The bandwidth of network connections to fixed points, such as a PC, has increased in recent years. However, anti-virus software solutions are also used on devices that may only utilize mobile broadband, which is still quite heavily limited. Mobile broadband is typically much slower than fixed broadband, and customers may have a small cap on monthly data usage. This means that the method of updating anti-virus software is still an important consideration.