The invention relates to systems and methods for detecting viruses and other malware, and in particular to anti-malware detection systems using server-side scanning.
Known methods of scanning for malicious software (malware) such as viruses, worms, and Trojan horses include behavior-based methods and content-based methods.
Behavior-based methods typically involve allowing a suspected program to execute in an isolated virtual environment, commonly called a sandbox, and observing the program's resulting behavior. Programs that exhibit malicious behavior are identified and removed or contained. Conventional behavior-based methods are usually computationally intensive and may compete for resources with other software, thus reducing a user's productivity.
In content-based methods, the contents of a suspected file are commonly compared to a database of known malware-identifying signatures. If a known virus signature is found in the suspected file, the file is labeled as infected. The malware signature database is stored on the user's local hard drive, and is updated by downloading the signatures of newly discovered malware from a server. The size of such signature databases has been increasing rapidly. Such databases may comprise millions of malware signatures, amounting to several tens of megabytes of data or more. The performance of common content-based methods may depend on the capability to deliver signature updates from an anti-malware software producer's servers to a large number of customers on a regular basis—sometimes several times a day—in order to keep pace with rapidly evolving threats.
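The content-based approach described above, as an added example written for this page rather than taken from the patent: a local signature database holding whole-file hashes and byte patterns, a scan that compares file contents against it, and a server-delivered delta update merged into the local copy. The database layout, signature names, sample file contents and the delta format are all constructed assumptions.

```python
import hashlib

# Constructed local signature database (assumed format): whole-file SHA-256
# hashes and byte patterns, each mapped to a detection name.
LOCAL_DB = {
    "version": 1,
    "hashes": {hashlib.sha256(b"dropper-v1 payload").hexdigest(): "Test.Dropper.A"},
    "patterns": {b"\x4d\x5a\x90\x00SHADY": "Test.Shady.B"},
}

# Constructed delta as an update server would ship it: only the signatures
# added since the client's database version, not the whole database.
UPDATE_DELTA = {
    "base_version": 1,
    "new_version": 2,
    "patterns": {b"EVIL-MACRO-STUB": "Test.Macro.C"},
}


def scan_content(data: bytes, db: dict) -> list:
    """Return the sorted names of every signature matching the file contents."""
    hits = set()
    name = db["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.add(name)
    for pattern, name in db["patterns"].items():
        if pattern in data:  # substring match is the simplest content check
            hits.add(name)
    return sorted(hits)


def apply_update(db: dict, delta: dict) -> dict:
    """Merge a signature delta into the local database, returning a new copy.

    The delta is rejected unless it was built against the client's current
    version, so a stale or out-of-order update cannot silently drop entries.
    """
    if delta["base_version"] != db["version"]:
        raise ValueError("delta does not apply to this database version")
    return {
        "version": delta["new_version"],
        "hashes": {**db["hashes"], **delta.get("hashes", {})},
        "patterns": {**db["patterns"], **delta.get("patterns", {})},
    }


if __name__ == "__main__":
    sample = b"header EVIL-MACRO-STUB trailer"  # constructed file contents
    print("before update:", scan_content(sample, LOCAL_DB))
    print("after update: ", scan_content(sample, apply_update(LOCAL_DB, UPDATE_DELTA)))
```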