The time required to scan files on a volume for malicious code is a significant performance issue for anti-malicious code software. As volumes become increasingly large, scan times become slower. Decreasing the amount of time required for such scanning would be highly desirable.
The only time that a volume actually needs to be scanned is upon the receipt of new or updated malicious code signatures. Thus scheduled scans (e.g., weekly scans) are not optimal, as they can be executed unnecessarily, when no new malicious code signatures have arrived, and/or fail to be executed when new signatures are received. This shortcoming can be addressed by scanning the volume whenever a new malicious code signature is received. However, scanning the entire volume every time signatures are received is slow. The only files which are likely to be malicious are recently modified or arrived files, since infection of a file by malicious code necessitates modifying the file, or if a worm arrives, then it must be created on the volume. Therefore, only the more recently modified files need to be scanned when new malicious code signatures arrive.
Using the file system modification date to determine which files to scan or the order in which to scan files is not reliable, because this data is not secure. Malicious code can and often does set this date back, so as to attempt to hide the infection or arrival of the file. Thus, scanning only files that appear to be recently modified according to the file system could result in overlooking infected files. The volume change log (where one exists) is also insecure, and thus cannot be relied on for the same reasons.
What is needed are computer implemented methods, computer readable media and computer systems for scanning files on a volume at a priority corresponding to the actual most recent modification time, upon receipt of new malicious code signatures.