There are many proven AV scanners in use today, and these scanners have gained considerable market acceptance for use in desktop, file server and gateway applications. Customers are able to rely on independent information and advice to select a scanner vendor, and then trust that vendor's product to reliably detect malware.
However, while the performance of these scanners is acceptable for desktop, server and gateway usage, it is not sufficient for use in high speed network infrastructures such as the core of the internet. The production of a new, high performance scanner presents not only technical difficulties but also issues of market acceptance (users are understandably unwilling to rely on untried products for their security). As such, it is advantageous to develop a solution incorporating existing scanners in such a manner that the overall performance of the solution is sufficient for deployment in these high speed network infrastructures.
It is known to use existing third party scanners within network applications. For example, organisations known as Managed Security Service Providers (MSSPs) offer services such as scanning all e-mail that passes through a subscriber's internet connection for viruses. Typically, this is done by diverting customer traffic through the MSSP's site. The traffic is then scanned by conventional software running on conventional personal computers (PCs). However, to scale the scanner performance to the required levels of both high throughput and low latency, it is often necessary to deploy of a large number of PCs operating scanners. Where this number of PCs grows large, the amount of external infrastructure such as switches and load balancers required to coordinate the system also increases. This results in both expense and unreliability.
Typically, in such an installation the large number of PCs all operate the same set of tasks. These tasks include:                receiving and transmitting data into and out of the PC;        decoding and operating the protocols that carry this data;        copying this decoded data to the computer's main memory or disk;        invoking one or more AV scanners;        sending the data to one or more AV scanners;        undertaking the scanning tasks such as decompression, content decode, signature matching, heuristics analysis;        processing the results from the scanners;        transmitting the data (if not infected), or an alternative to it (if infected), onto the intended destination; and,        finally collecting and storing any statistics or other logging information on the tasks undertaken.        
As such, the scanner on each PC receives data regardless of the type or level of threat from the content. However, the threat level depends on the application being used (e.g. web browsing, e-mail, peer to peer (P2P)) and the program being used to operate the application (for example, the Internet Explorer web browser). These factors are discussed further below:                the application for which the content is intended: there are numerous types of malware in existence today ranging from mass-mailers to Trojans. However some of these threats are specific to certain applications, such that they can only be propagated and become active through a single application but no other; for example a mass mailing virus cannot be picked up and propagated through web browsing;        the program by which the content is used: in addition to traditional forms of files based malware such as viruses, Trojans, worms etc., there exist a number of vulnerabilities in the programs (such as web browsers) that operate applications, and these vulnerabilities may be exploited by specially crafted pieces of content. These vulnerabilities are specific to each program. As such, a vulnerability in one program used as a web browser will not exist in a second program used as an e-mail client.In addition to the above, the type of content being supplied will have a bearing on the threat level. In this context, content will broadly fall into two categories, executable and non-executable. Executable content poses a significantly higher threat. Executable content is able, once executed, to gain control of a computer and subsequently can then execute any payload it chooses (for example, it could delete the contents of a hard drive). Moreover, executable content can come in many forms and can use complex techniques to disguise itself (such as encryption and metamorphism). In contrast, non-executable content can only pose a threat by exploiting vulnerabilities in the programs which use the content. As a result, the content cannot take variable forms since it exploits static vulnerabilities; consequently threats due to non-executable content are often easier to detect than those due to executable content.        