Security systems often employ security risk-assessment tools, i.e. “scanners,” to protect computer systems against attack. Such scanners can probe for weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Further, scanners are used for content filtering to enforce an organization's operational policies (e.g. detecting harassing or pornographic content, junk e-mails, misinformation such as virus hoaxes, etc.).
Prior art FIG. 1 illustrates an anti-virus multiprocessor system 100 including a scanning co-processor 102 attached to a first processor 104 for monitoring the performance thereof, and intervening if predefined behavior is detected. The multiprocessor system 100 further includes memory 106 and various input/output devices 108.
Prior art FIG. 2 illustrates the method 200 by which the anti-virus multiprocessor system 100 of FIG. 1 operates. The scanning co-processor 102 includes logic for carrying out the various steps of method 200. In use, the co-processor 102 continuously supervises the operation of the first processor 104 to detect virus-related activities therein. Note operation 202. In particular, the instructions actually performed in the first processor 104 are compared with instruction sequences corresponding to known viruses or to predefined suspect behavior. Note operation 204.
In operation 206, the co-processor 102 stops the logic running on the first processor 104 after a virus detection. Specifically, actions are taken in real time when a forbidden action takes place, to prevent damage to applications running on the first processor 104. More information regarding such method 200 may be found with reference to a PCT application entitled “ANTIVIRUS SYSTEM AND METHOD” filed Apr. 8, 1998 under PCT application number PCT/IL98/00170.
Unfortunately, the foregoing system 100 does not read the malicious code and does not make any attempt to repair or quarantine the same. Further, the system 100 does not address the fact that virus scanning inherently uses up a large proportion of system resources in the form of cycles in the first processor 104. The system 100 of FIG. 1 merely serves to supervise the operation of the first processor 104, and is not designed to effectively offload the first processor 104 to improve overall system performance.
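The supervision loop of method 200 (operations 202 to 206) can be modelled in software as follows; this is an added example, not code from the PCT application or from this document, with the co-processor represented by a Python class that is fed a trace of instruction mnemonics. The signature names, mnemonics and sample traces are all constructed for illustration.

```python
from collections import deque

# Constructed signatures: mnemonics are illustrative, not real virus patterns.
SIGNATURES = {
    "demo-overwrite-boot": ("OPEN_RAW_DISK", "SEEK_SECTOR_0", "WRITE"),
    "demo-self-copy": ("READ_SELF", "OPEN_EXEC", "WRITE", "CLOSE"),
}


class CoProcessorMonitor:
    """Watches instructions performed by the supervised processor (operation 202)."""

    def __init__(self, signatures):
        self.signatures = signatures
        # Only the most recent instructions matter: keep as many as the longest signature.
        self.window = deque(maxlen=max(len(s) for s in signatures.values()))
        self.halted = False

    def observe(self, instruction):
        """Operation 204: compare the latest instructions with every signature.
        Returns the matching signature name, or None."""
        if self.halted:
            raise RuntimeError("supervised processor already stopped")
        self.window.append(instruction)
        recent = tuple(self.window)
        for name, seq in self.signatures.items():
            if len(recent) >= len(seq) and recent[-len(seq):] == seq:
                self.halted = True  # operation 206: stop; no repair or quarantine
                return name
        return None


def supervise(trace, signatures=SIGNATURES):
    """Feed a trace to the monitor; return (instructions_performed, detection)."""
    monitor = CoProcessorMonitor(signatures)
    for performed, instruction in enumerate(trace, start=1):
        hit = monitor.observe(instruction)
        if hit:
            return performed, hit
    return len(trace), None


# Constructed sample traces.
BENIGN = ["LOAD", "ADD", "OPEN_EXEC", "READ", "CLOSE"]
SUSPECT = ["LOAD", "OPEN_RAW_DISK", "SEEK_SECTOR_0", "WRITE", "STORE", "JMP"]

if __name__ == "__main__":
    print(supervise(BENIGN))
    print(supervise(SUSPECT))
```

In this model a match is reported only once the last instruction of a signature has been performed, and the monitor's sole response is to stop the supervised processor.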