Centralized scanner database with optimal definition distribution using network queries
First Claim
1. A computer-implemented method for detecting malware, comprising:
locally storing on a client device, a filter based on a set of known malware definitions, and locally storing on the client device a subset of known malware definitions from the set of known malware definitions, the subset selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
applying the filter to an input file to detect if the input file has characteristics matching those of a malware definition in the set of known malware definitions;
responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally in the subset of known malware definitions;
responsive to the input file having characteristics matching those of the malware definition and the malware definition not being stored locally, obtaining the malware definition from a central server;
scanning the input file using the obtained malware definition;
determining if the input file comprises malware based on the scanning; and
responsive to the input file not comprising the malware based on the scanning, sending a report to the central server identifying the input file; and
receiving from the central server in response to the report, a modified filter to reduce a likelihood of a false positive occurring in a future application of the filter if the input file is determined not to comprise the malware based on the scanning.
Abstract
A system and method detects malware on client devices based on partially distributed malware definitions from a central server. A server stores malware definitions for known malware. The server generates one or more filters based on the malware definitions and distributes the filter(s) to client devices. The server also distributes full definitions to the clients for a subset of the most commonly detected malware. The client device scans files for malware by first applying the filter to a file. If the filter outputs a positive detection, the client scans the file using the full definition to determine if the file comprises malware. If the full definition is not stored locally by the client, the client queries the server for the definition and then continues the scanning process.
20 Claims
1. Independent claim 1 as set out above under First Claim. Dependent claims: 2-8.
9. A computer program product for detecting malware, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code for:
locally storing on a client device, a filter based on a set of known malware definitions, and locally storing on the client device a subset of known malware definitions from the set of known malware definitions, the subset selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
applying the filter to an input file to detect if the input file has characteristics matching those of a malware definition in the set of known malware definitions;
responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally in the subset of known malware definitions;
responsive to the input file having characteristics matching those of the malware definition and the malware definition not being stored locally, obtaining the malware definition from a central server;
scanning the input file using the obtained malware definition;
determining if the input file comprises malware based on the scanning;
responsive to the input file not comprising the malware based on the scanning, sending a report to the central server identifying the input file; and
receiving from the central server in response to the report, a modified filter to reduce a likelihood of a false positive occurring in a future application of the filter if the input file is determined not to comprise the malware based on the scanning.
Dependent claims: 10-16.
17. A method for distributing malware definitions to a client device, comprising:
generating a filter from a set of known malware definitions, wherein the filter detects if an input file has characteristics matching those of the set of known malware definitions;
distributing the filter to the client device;
selecting a subset of malware definitions from the set of known malware definitions used to generate the filter distributed to the client device, wherein the subset of malware comprises fewer than all of the set of known malware definitions, and wherein the subset is selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
distributing by a server, the selected subset of malware definitions to the client device together with the filter;
receiving a query from the client device for a malware definition which is not found in the subset of known malware definitions distributed to the client upon applying the filter to an input file by the client device; and
responsive to the query, transmitting the queried malware definition to the client device to be used in scanning of the input file;
receiving a report from the client device indicating that the queried malware definition is not present in the input file;
responsive to the receiving the report, modifying the filter to reduce a likelihood of a false positive occurring in a future application of the filter; and
transmitting the modified filter to the client device.
Dependent claims: 18-20.
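The client-side flow of claim 1 and the server-side flow of claim 17 together describe one two-stage architecture: a compact filter derived from every definition goes to every client, full definitions only for the most prevalent families, the rest fetched on demand, and a reported false positive comes back as a modified filter. The following is an added illustration of that architecture, not code from the patent or its assignee. It assumes the filter is a Bloom filter over a fixed-length anchor of each signature (the patent does not fix the filter type), and the definitions, prevalence counts and sample files are all constructed here.

```python
"""Two-stage malware scan with partially distributed definitions.
Added illustration of the architecture in the claims, not the patent's own
code. Filter type (Bloom over signature anchors), signatures, prevalence
counts and sample inputs are all assumptions/constructed data."""
import hashlib

ANCHOR = 8  # leading bytes of a signature used as its filter characteristic


class BloomFilter:
    """Minimal Bloom filter. `seed` lets the server issue a re-hashed filter;
    `benign` carries SHA-256 digests of files already confirmed clean."""

    def __init__(self, m: int = 4096, k: int = 3, seed: int = 0):
        self.m, self.k, self.seed = m, k, seed
        self.bits = bytearray(m)
        self.benign: set[bytes] = set()

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(self.seed.to_bytes(4, "big") + bytes([i]) + item).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p] = 1

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p] for p in self._positions(item))


class DefinitionServer:
    """Central server: owns all definitions, builds/distributes the filter."""

    def __init__(self, definitions: dict[str, bytes], prevalence: dict[str, int]):
        self.definitions = definitions      # family name -> full signature
        self.prevalence = prevalence        # family name -> detection count
        self.benign_files: set[bytes] = set()
        self.benign_windows: set[bytes] = set()
        self.seed = 0
        self.filter = self._build_filter()

    def _build_filter(self) -> BloomFilter:
        anchors = {sig[:ANCHOR] for sig in self.definitions.values()}
        # Re-hash until no reported false-positive window is accepted. A window
        # that really is an anchor of some definition cannot be excluded; those
        # files are handled by the allow-list of confirmed-clean digests instead.
        for seed in range(self.seed, self.seed + 256):
            bf = BloomFilter(seed=seed)
            for a in anchors:
                bf.add(a)
            if not any(w in bf for w in self.benign_windows - anchors):
                self.seed = seed
                break
        bf.benign = set(self.benign_files)
        return bf

    def distribute(self, top_n: int):
        """Filter plus full definitions for the top_n most-detected families."""
        top = sorted(self.prevalence, key=self.prevalence.get, reverse=True)[:top_n]
        return self.filter, {n: self.definitions[n] for n in top}

    def lookup(self, window: bytes) -> dict[str, bytes]:
        """Client query: every definition whose anchor equals `window`."""
        return {n: s for n, s in self.definitions.items() if s[:ANCHOR] == window}

    def report_false_positive(self, digest: bytes, windows: set[bytes]) -> BloomFilter:
        """Client found the file clean after a filter hit: return a modified filter."""
        self.benign_files.add(digest)
        self.benign_windows |= windows
        self.filter = self._build_filter()
        return self.filter


class ScanClient:
    """Client: filter + subset of definitions locally, queries the rest."""

    def __init__(self, server: DefinitionServer, top_n: int = 1):
        self.server = server
        self.filter, self.local_defs = server.distribute(top_n)
        self.queries = 0  # how many definitions had to be fetched

    def scan(self, data: bytes) -> list[str]:
        """Names of definitions that fully match `data` (empty if clean)."""
        digest = hashlib.sha256(data).digest()
        if digest in self.filter.benign:
            return []                        # already confirmed clean by the server
        matched, fp_windows = set(), set()
        for i in range(len(data) - ANCHOR + 1):
            window = data[i:i + ANCHOR]
            if window not in self.filter:
                continue                     # cheap stage: filter says clean
            cands = {n: s for n, s in self.local_defs.items() if s[:ANCHOR] == window}
            if not cands:
                self.queries += 1
                cands = self.server.lookup(window)   # fetch the missing definition
                self.local_defs.update(cands)
            hits = [n for n, s in cands.items() if data[i:i + len(s)] == s]
            matched.update(hits) if hits else fp_windows.add(window)
        if fp_windows and not matched:
            # Filter fired but nothing matched: report, receive a modified filter.
            self.filter = self.server.report_false_positive(digest, fp_windows)
        return sorted(matched)


DEFINITIONS = {  # constructed signatures, not real malware
    "Sample.Alpha": b"ALPHA-SIG-0001-payload",
    "Sample.Beta": b"BETA-SIG-00002-dropper",
    "Sample.Gamma": b"GAMMA-SIG-003-loader",
}
PREVALENCE = {"Sample.Alpha": 900, "Sample.Beta": 40, "Sample.Gamma": 3}


def demo():
    server = DefinitionServer(DEFINITIONS, PREVALENCE)
    client = ScanClient(server, top_n=1)            # only Sample.Alpha shipped in full
    r1 = client.scan(b"\x7fELF" + DEFINITIONS["Sample.Alpha"] + b"\x00" * 4)
    r2 = client.scan(b"hdr:" + DEFINITIONS["Sample.Gamma"])  # forces a server query
    r3 = client.scan(b"log: ALPHA-SIGNAL ok")       # shares an anchor, is not malware
    return r1, r2, r3, client.queries, sorted(client.local_defs), len(server.benign_files)


if __name__ == "__main__":
    print(demo())
```

The third scan in `demo` is the false-positive path of the claims: the filter fires on a benign file, the full definition does not match, the client reports the file, and the server answers with a modified filter. Because the offending window here is a genuine signature anchor, re-hashing cannot remove it without losing real detections, so the modification takes the form of an allow-listed file digest; windows that are pure Bloom collisions are cleared by choosing a new seed.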