Spreading the Antivirus Load

IP.com Disclosure Number: IPCOM000114551D
Original Publication Date: 2005-Mar-29
Included in the Prior Art Database: 2005-Mar-29
Document File: 3 page(s) / 61K

Publishing Venue

IBM

Abstract

This invention defines a virus checker that will take a checksum of each file (including complete zip/jar files) and pass the file's details (checksum and filename perhaps) to a neighbouring machine. The neighbouring computer will check a self-maintained database of files and their last virus scan dates. If the file exists and has been scanned within a specified period (one week, say), the neighbouring computer can return an 'already scanned' message to the original computer, which can then mark the file as 'scanned' and set its most recent scan date to the one provided by the second computer, improving scanning performance and reducing individual processor loads considerably.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

Spreading the Antivirus Load

Antivirus companies recommend that computer users scan their computers at least once a week to ensure no viruses have found their way on to the system. Scanners work by going through every file on the system and ensuring none of them contains any of the antivirus software's listed viruses.

    Due to the increasing size of storage space available on each system, it can now take hours to process all files on a given system. If done intensively this can render the system virtually unusable for that period as the work is very processor intensive. Also, many systems contain compressed files, which the virus checker must decompress (taking processor time) and check each for viruses.

    This article provides a technique for decreasing the processor load considerably, while still ensuring all files are scanned at least weekly (or whatever time period is required).

    Many computers running on the same operating system or applications (even between versions) have many files that are identical. This proposal uses this key fact to share the load between multiple 'similar' computers.

    The virus checker will take a checksum of each file (including complete zip/jar files) and pass the file's details (checksum and filename perhaps) to a neighbouring machine. The neighbouring computer will check a self-maintained database of files and their last virus scan dates. If the file exists and has been scanned within a specified period (one week, say), the neighbouring computer can return an 'already scanned' message to the original computer, which can then mark the file as 'scanned' and set its most recent scan date to the one provided by the second computer.

    This solution spreads the load much more evenly between processor and network - freeing up the processor for better use and leaving enough bandwidth available to continue using a reasonable network load.

COMPUTER A

file id                   checksum   last scan date
"jdk.windows.ia32.zip"    xxxxxxxx   not scanned
"London Calling.mp3"      yyyyyyyy   08/01/2005
"nnotesws.dll"            zzzzzzzz   02/12/2001
"Application.jar"         uuuuuuuu   07/12/2001
...                       ...        ...

COMPUTER B

file id                   checksum   last scan date
"jdk.windows.ia32.zip"    xxxxxxxx   11/01/2005
"Application.jar"         wwwwwwww   10/01/2005
"nnotesws.dll"            zzzzzzzz   06/01/2005
...                       ...        ...

    Given the virus scanner's databases from the two computers above, we can demonstrate how the system would work.

Assume COMPUTER A (to be known as 'A' in future) has its virus scanner set to run at least every week, and the current date is 14/01/05.

For each file, the scanner goes through the following process:
a. Checks the last date scanned and, if it was more recent than 07/01/05 (1 week previously), then continues to the next file.

b. Calculates a checksum (using Hamming Codes for example) for the file and sends the checksum along with a unique identifier to a neighbouring machine, COMPUTER B. 'B' checks to see if the file identifier is in its database and, if so, confirms the checksum and looks at its last scan date. If the...
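
Steps a and b, run over the COMPUTER A and COMPUTER B sample databases, as an added example that is not part of the original disclosure. The function names, the action labels, and the fall-back to a local scan when B cannot vouch for a file are assumptions; the checksums are the page's placeholder strings.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(weeks=1)   # the page's example re-scan period
TODAY = date(2005, 1, 14)      # the page's example current date

# Sample databases from the page: file id -> (checksum, last scan date).
# Checksums are the page's placeholders; None means "not scanned".
DB_A = {
    "jdk.windows.ia32.zip": ("xxxxxxxx", None),
    "London Calling.mp3":   ("yyyyyyyy", date(2005, 1, 8)),
    "nnotesws.dll":         ("zzzzzzzz", date(2001, 12, 2)),
    "Application.jar":      ("uuuuuuuu", date(2001, 12, 7)),
}
DB_B = {
    "jdk.windows.ia32.zip": ("xxxxxxxx", date(2005, 1, 11)),
    "Application.jar":      ("wwwwwwww", date(2005, 1, 10)),
    "nnotesws.dll":         ("zzzzzzzz", date(2005, 1, 6)),
}

def neighbour_lookup(db, file_id, checksum, cutoff):
    """Neighbour side: return its scan date only if the id is known, the
    checksum matches and its own scan is recent enough; otherwise None."""
    entry = db.get(file_id)
    if entry is None or entry[0] != checksum:
        return None
    scanned = entry[1]
    return scanned if scanned is not None and scanned >= cutoff else None

def run_scan(local_db, neighbour_db, today=TODAY, local_scan=lambda f: None):
    """Requester side: returns {file id: action} and updates local_db."""
    cutoff = today - MAX_AGE
    actions = {}
    for file_id, (checksum, last) in list(local_db.items()):
        if last is not None and last > cutoff:       # step a: recent enough
            actions[file_id] = "skip"
            continue
        remote = neighbour_lookup(neighbour_db, file_id, checksum, cutoff)  # step b
        if remote is not None:
            local_db[file_id] = (checksum, remote)   # adopt neighbour's date
            actions[file_id] = "trusted-neighbour"
        else:
            local_scan(file_id)                      # assumed fall-back
            local_db[file_id] = (checksum, today)
            actions[file_id] = "scan-locally"
    return actions
```

On the sample data, A skips "London Calling.mp3", adopts B's date for "jdk.windows.ia32.zip", and scans the other two itself: B's "nnotesws.dll" entry is a day too old and "Application.jar" has a different checksum. Because a match lets A skip its own scan, the checksum in a real deployment needs to be collision-resistant (for example SHA-256) rather than an error-detecting code.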