As computer technology has advanced, so has the risk for contracting computer viruses. This risk is due, in part, to the computer's increased connectedness to various information sources, such as the Internet, local area networks (LANs), and wireless local area networks (WLANs), as well as to new types of computer readable media, such as compact discs (CDs), digital versatile discs (DVDs), and Flash memory devices.
In the art of computer security technology, a “computer virus” is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. In this manner, a computer virus behaves in a way that is similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a computer virus into a program is termed “infection,” and the infected file (or executable code that is not part of a file) is called a “host.”
While some viruses are simply mischievous in nature, other viruses can cause a significant amount of harm to a computer and its user, such as by stealing private data, deleting data, or causing a complete computer failure. A computer virus cannot directly damage hardware, but only software. Some viruses permit a third party to gain control of a user's computer without the knowledge of the user, while others utilize a user's computer to perform malicious activities such as launching attacks against other computers. However, the predominant negative effect of viruses is their uncontrolled self-reproduction that allows them to spread to other computers and files, which wastes resources and can overwhelm computer systems.
A computer virus is one of several types of malware, or malicious software. In common parlance, the term “virus” is often extended to refer to all types of malware, such as computer worms and any other malicious or otherwise surreptitious computer programs that perform undesirable activities on the computer. In the context of the present invention, the term “virus” is meant to encompass this broader definition that includes all types of malware.
Viruses can take many different forms, and can be spread in a wide variety of manners (e.g., as email attachments, macros, scripts, Trojan horses, worms, or logic bombs), all of which are generically referred to herein as “viruses”. Often, a virus will hide in, or infect, an otherwise healthy computer program so that the virus will be activated when the infected computer program is executed. A virus can even have a delayed payload, which is known as a bomb. A time bomb occurs on a particular date or at a particular time (for example, it could display a message on a specific day or wait until it has infected a certain number of hosts), and a logic bomb occurs when the user of a computer takes an action that triggers the bomb.
To address the risks associated with viruses, significant efforts have been directed toward the development of anti-virus computer programs that attempt to detect and remove a virus when the virus attempts to infect a computer. Such efforts have resulted in a virtual competition between the two sides, with virus creators attempting to create increasingly sophisticated viruses and anti-virus developers attempting to protect computers from all of these new viruses.
Conventional anti-virus programs perform virus checking on virus-susceptible computer files only after such files have been received and stored on the computer system (e.g., after downloading an email attachment or an executable file from the Internet). That is, after the computer downloads or executes a file containing a virus, the anti-virus software detects the computer virus based on known virus “signatures” and tries to eliminate the detected virus.
Additionally, conventional virus checking is processor intensive and time consuming, and as a result, conventional anti-virus programs degrade the overall performance of the computer they are protecting.
To avoid affecting the performance of the computer, anti-virus software applications have been developed that scan files that are stored in the computer's cache, which is an area of memory that is much smaller in size than the computer's hard drive. By scanning only the much smaller cache, the scan is performed quickly and does not consume a great deal of the computer system's resources. However, because the cache holds only a small amount of data, or only small portions of code, such cache scanning has disadvantages. In particular, conventional cache scanning programs only scan an area of memory that may not wholly contain the virus at the time it is scanned, so that the presence of a virus is not recognized.