This invention relates to a system and method for scanning computer files and/or objects for computer viruses or other malware. In the context of computers and machines, malware is a broad term that encompasses viruses and includes but is not limited to self-replicating/self-reproducing-automation programs that perform actions that are generally unwanted by the computer's user and may spread by inserting copies of themselves into the computer directly or into other executable code or documents on the same or other computers. The terms “virus” and “malware” may be used interchangeably herein.
Computer antivirus programs are commonly used to detect, clean, and remove computer viruses from infected objects such as data files. One form of detection typically used is scanning of files resident on a hosting computer system's storage device(s). Files are scanned for the presence of an embedded virus, and the scanning may be either signature-based or heuristic (such as watching for suspicious behavior). However, virus scanning consumes significant processing cycles on the hosting computer and increases the load on the storage device being scanned.
Current antivirus products support on-demand, on-access, and on-schedule scan operations. Scheduled scan operations scan a selected set of targets that may include all files residing on all storage devices (such as hard drives) attached to the computer platform being scanned. Filtering techniques for target selection are typically very limited, however. The user can manually enter a list of named files or select full hard drives for the scheduled scan. Manually entering a long list of named files is time-consuming, and may require frequent manual updates by the user as the contents of the storage devices change. Further, a scheduled scan of all hard drive contents degrades the performance of the computer platform for a long period of time. All resources involved in a scan will be affected during the scan. For example, if the scan is being performed over a network, scanning all storage devices increases network utilization, with a consequent possible decrease in network performance.
Because antivirus scan operations degrade the host computer platform performance during the period of time that the scan operation is executing, it is desirable to shorten the scan operation period. If the scan operation period is shortened, the computer will be subject to less performance degradation—either lower load while scanning, or scanning for a shorter period of time. It is also desirable to shorten the scan operation period without weakening protection of the host computer platform.
There is a need, therefore, for an improved method, article of manufacture, and apparatus for efficiently detecting viruses on a computer system.