The term “malware” is short for malicious software and refers to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Any computer device, such as a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, can be at risk from malware.
When a device is infected by malware the user will often notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems, taking inappropriate remedial action, when the actual cause is a malware infection of which they are unaware.
Computer devices make use of anti-virus software to detect and possibly remove malware. This anti-virus software can make use of various methods to detect malware including scanning data on the computer. Malware scanning generally involves examining files for a virus fingerprint or “signature” that is characteristic of an individual malware program.
The speed at which new malware is created and distributed is increasing. As such, it is desirable that malware scanning software is able to identify an increasing number of different malware, while not making excessive demands on the CPU. Additionally, the increasing number of different malware increases the size of malware databases. For example, on one estimate there were about 40 million unique malware at the end of 2010. If each malware signature has a size of just 50 bytes, the total disc space required to store the resulting malware signature database is 200 MB. Given that the growth in the number of malware is presently approximately exponential, one would expect the size of the database to double every year.
It has been proposed that so-called ‘white-lists’ of files known not to include malware can be created and used to optimise the malware scanning process. While, in some cases, the use of ‘white-lists’ improves performance, their use requires additional data storage thus worsening the data storage problems described above.
Indeed, while various techniques have been proposed to improve malware scanning efficiency, there is a need for a method which can be used to determine which technique can be most effectively used to scan a particular file.