As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems that are communicatively connected by a network connection.
A traditional defense against computer malware and, particularly, against computer viruses and worms, is commercially available antivirus software that is available from numerous software vendors. Most antivirus software identifies malware by matching patterns within data to what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when data is going to be written or read from an input/output (“I/O”) device. As known to those skilled in the art and others, computer users have on-going needs to read and write data to I/O devices, such as hard drives, floppy disks, compact disks (“CDs”), etc. For example, a common operation provided by some software applications is to open a file stored on an I/O device and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software typically performs a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
As known to those skilled in the art and others, scanning a file for malware is a resource intensive process. As a result, modern antivirus software optimizes the process of scanning for malware. For example, some antivirus software implement a scan cache that tracks the state of files on a computing device with regard to whether the files are infected with malware. Tracking the state of files with a scan cache or equivalent mechanism prevents unnecessary scans from being performed. More specifically, when a file is scanned for malware, a variable is associated with the file in the scan cache that is indicative of whether the file is infected with malware. In instances when a file is not infected, a successive scan of the file is not performed unless the file is modified or the antivirus software is updated. Since user applications will frequently make successive I/O requests directed to the same file, implementing a scan cache may result in significant improvement in the speed in which antivirus software executes.
Numerous software vendors market antivirus software applications and maintain an ever-growing database of malware signatures. In fact, one of the most important assets of antivirus software vendors is the knowledge base of signatures collected from known malware. Typically, when a new malware is identified, software vendors provide a software update to antivirus software that contains a signature for the new malware. When the update is installed on a computing device, the antivirus software is able to identify the new malware. However, the antivirus software is not able to quickly determine if previously scanned files that maintain an entry in a scan cache are infected with the new malware. Thus, when a software update is installed that is able to recognize a new malware, entries in the scan cache are reset. As a result, the performance benefit provided by the scan cache is not available until files on the computing device are re-scanned, which is a resource intensive process. Stated differently, by resetting entries in a scan cache, every file on a computing device will be scanned for malware even in instances when the new malware is not able to infect certain types of files.