Heavyweight anti-malware updates on lightweight platforms

Alexander Vukcevic, 2 years ago 2 min read

In the 1990s, Avira’s first Virus Definition File (VDF) comprised just a single container file of known malware signatures. Updates to the VDF took place every few weeks and were shipped to customers on floppy disks sent through the post. Malware as we now know it did not exist, and cybercrime wasn’t the $1.5 trillion business that it is today.

If you’re too young to remember this period, the critically acclaimed American fictional period drama ‘Halt and Catch Fire’ presents an entertaining view of the computer industry at the time, and even shows the 5½ inch floppy disks that were used to both spread viruses and issue AV software.

To stay effective, anti-malware scan engines need regular updates. This ensures they have access to the most up-to-date database of known malware. In the 1990s, when viruses spread (relatively) slowly, updates were issued at a frequency that would be inconceivable today. Avira’s own ‘FUSE’ – Fast Update Service – shipped a new virus definition file fortnightly! Updates were small in file size and comprised signature files to keep systems up to date and protected.

Graph: Growth in malicious threats per quarter

Fast forward to today and tens of millions of files are scanned daily, and hundreds of thousands of new attacks are detected and blocked by Avira’s technology. This occurs both within the endpoint and in the cloud. Signature files alone are no longer sufficient to detect malicious threats. They are joined by smart detection rules to root out both original and variant threats. However, this creates a problem. These modern database updates (still called a VDF) now have a file size that is large enough to impact system performance. Unfortunately, their size can preclude them from being used by platforms with limited processor or memory. Protecting mobile devices and cost-optimized networking technology such as home routers requires a new approach.

Applying machine learning to the scan engine

Here, machine learning offers a solution. It creates highly efficient generic rules, each of which is more effective at identifying malware than the thousands of original signatures it replaces. This results in scan engine databases that are much smaller in size – a reduction of at least 70%. Delivered faster and with greater frequency, smaller scan updates ensure minimal system impact and allow unrelated processes to run better.

Graph: Relative impact on system performance

Deploying anti-malware scanning engines on devices with limited RAM, such as home routers, mail gateways and proxy servers, requires a smaller memory footprint. As Windows is increasingly used on mobile devices, lightweight, fast and highly accurate malware scanning will become an even more important capability.

For more information on Avira’s scan engine SDK, and an overview of our latest ‘lightweight’ VDF for a range of platforms, take a look at the Anti-malware SDK datasheet. To learn more about how an SDK like SAVAPI can be deployed to deliver complete protection, have a look at this blog article from my colleague Daniel Steiner.



Alexander Vukcevic

Alexander joined Avira in 2000 and leads the Protection Labs & QA teams. He is passionate and enthusiastic about always delivering the best protection and highest quality to customers and partners. With more than 19 years of experience in the anti-malware industry, Alex leads, guides and motivates his team to deliver market-leading detection for millions of customers.
