Heavyweight anti-malware updates on lightweight platforms
By Alexander Vukcevic
In the 1990s, Avira’s first Virus Definition File (VDF) comprised just a single container file of known malware signatures. Updates to the VDF took place every few weeks and were shipped to customers on floppy disks sent through the post. Malware as we now know it did not exist, and cybercrime wasn’t the $1.5 trillion business that it is today.
If you’re too young to remember this period, the critically acclaimed American fictional period drama ‘Halt and Catch Fire’ presents an entertaining view of the computer industry at the time, and even shows the 5½ inch floppy disks that were used to both spread viruses and issue AV software.
To stay effective, anti-malware scan engines need regular updates. This ensures they have access to the most up-to-date database of known malware. In the 1990s, when viruses spread (relatively) slowly, updates were issued at a frequency that would be inconceivable today. Avira’s own ‘FUSE’ – Fast Update Service – shipped a new virus definition file fortnightly! Updates were small in file size and comprised signature files to keep systems up to date and protected.
Fast forward to today and tens of millions of files are scanned daily, and hundreds of thousands of new attacks are detected and blocked by Avira’s technology. This occurs both within the endpoint and in the cloud. Signature files alone are no longer sufficient to detect malicious threats. They are joined by smart detection rules to root out both original and variant threats. However, this creates a problem. These modern database updates (still called a VDF) now have a file size large enough to impact system performance. Unfortunately, their size can preclude them from being used on platforms with limited processor power or memory. Protecting mobile devices and cost-optimized networking technology such as home routers requires a new approach.
Applying machine learning to the scan engine
Here, machine learning offers a solution. It creates highly efficient generic rules, each of which is individually more effective at identifying malware than the thousands of original signatures it replaces. This results in scan engine databases that are much smaller in size – a reduction of at least 70%. Delivered faster and with greater frequency, smaller scan updates ensure minimal system impact and allow unrelated processes to run better.
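To make the trade-off concrete, here is a small Python illustration added to this article (it is not Avira’s VDF format, SAVAPI code, or the actual machine-learning method). It builds a constructed malware “family” whose variants differ only in a 4-byte configuration field, stores one exact SHA-256 signature per known variant, and then induces a single generic rule (fixed bytes plus wildcards) from the same samples. The rule is checked against constructed benign files before being accepted, the storage cost of both approaches is compared, and an unseen variant shows why a generic rule also catches what a per-sample signature cannot. The byte-agreement induction used here is a deliberately simple stand-in for a learned rule:

```python
"""Toy comparison: per-sample hash signatures versus one induced generic rule.
All samples, the rule format and the induction heuristic are constructed for
illustration; none of this is Avira's VDF format or detection logic."""
import hashlib

# Constructed family skeleton: fixed "code" bytes around a 4-byte variable field.
SKELETON = (b"MZ\x90\x00" + b"\x00" * 12 + b"PAYLOAD:" + b"CFG=" + b"\x00" * 4
            + b":END" + b"\x90" * 8)
CFG_OFFSET = SKELETON.index(b"CFG=") + 4


def make_variant(cfg: bytes) -> bytes:
    """Constructed variant: same skeleton, different 4-byte config field
    (like a family where only embedded configuration changes per sample)."""
    assert len(cfg) == 4
    return SKELETON[:CFG_OFFSET] + cfg + SKELETON[CFG_OFFSET + 4:]


def pseudo_cfg(i: int) -> bytes:
    """Deterministic pseudo-random config bytes so every config byte varies."""
    return hashlib.sha256(i.to_bytes(4, "big")).digest()[:4]


KNOWN_VARIANTS = [make_variant(pseudo_cfg(i)) for i in range(500)]
UNSEEN_VARIANT = make_variant(b"\xde\xad\xbe\xef")  # never seen by the lab
BENIGN = [  # constructed clean files used to validate the induced rule
    b"MZ\x90\x00" + b"hello world, a benign program" + b"\x00" * 12,
    b"plain text document, nothing to see here",
    b"\x00" * 44,
]


# --- classic approach: one exact signature per known sample -----------------
def build_signature_db(samples) -> set:
    return {hashlib.sha256(s).digest() for s in samples}


def signature_hit(db: set, data: bytes) -> bool:
    return hashlib.sha256(data).digest() in db


def signature_db_size(db: set) -> int:
    return 32 * len(db)  # 32 bytes per SHA-256 entry


# --- generic rule: generalise over the family ------------------------------
def induce_rule(samples) -> tuple:
    """Keep the bytes every sample agrees on, wildcard the rest.
    Returns (pattern, mask); mask byte 1 means the position must match."""
    n = min(len(s) for s in samples)
    pattern, mask = bytearray(n), bytearray(n)
    for pos in range(n):
        b = samples[0][pos]
        if all(s[pos] == b for s in samples):
            pattern[pos], mask[pos] = b, 1
    return bytes(pattern), bytes(mask)


def rule_matches(rule: tuple, data: bytes) -> bool:
    pattern, mask = rule
    if len(data) < len(pattern):
        return False
    return all(m == 0 or data[i] == p
               for i, (p, m) in enumerate(zip(pattern, mask)))


def rule_size(rule: tuple) -> int:
    return len(rule[0]) + len(rule[1])  # pattern bytes + mask bytes


def rule_is_safe(rule: tuple, benign, min_fixed: int = 16) -> bool:
    """Reject over-general rules: require enough fixed bytes and no benign hits."""
    return sum(rule[1]) >= min_fixed and not any(rule_matches(rule, b) for b in benign)


def compare() -> dict:
    db = build_signature_db(KNOWN_VARIANTS)
    rule = induce_rule(KNOWN_VARIANTS)
    return {
        "signature_db_bytes": signature_db_size(db),
        "rule_bytes": rule_size(rule),
        "reduction": 1 - rule_size(rule) / signature_db_size(db),
        "wildcard_bytes": len(rule[1]) - sum(rule[1]),
        "signature_catches_unseen": signature_hit(db, UNSEEN_VARIANT),
        "rule_catches_unseen": rule_matches(rule, UNSEEN_VARIANT),
        "rule_safe_on_benign": rule_is_safe(rule, BENIGN),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows 500 signatures costing 16,000 bytes against an 88-byte rule with four wildcard positions, and the rule also flags the unseen variant that the hash database misses. The `rule_is_safe` check is the part a practitioner should not skip: a rule that generalises too far (few fixed bytes, or a hit on a clean-file corpus) trades a smaller database for false positives.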
Deploying anti-malware scanning engines on devices with limited RAM requires a smaller memory footprint. This includes home routers, mail gateways and proxy servers. As Windows is increasingly used on mobile devices, lightweight, fast and highly accurate malware scanning becomes an even more important capability.
For more information on Avira’s scan engine SDK, and an overview of our latest ‘lightweight’ VDF for a range of platforms, take a look at the Anti-malware SDK datasheet. To learn more about how an SDK like SAVAPI can be deployed to deliver complete protection, have a look at this blog article from my colleague Daniel Steiner.
Alexander joined Avira in 2000 and leads the Protection Labs & QA teams. He is passionate and enthusiastic about always delivering the best protection and highest quality to customers and partners. With more than 19 years of experience in the anti-malware industry, Alex leads, guides and motivates his team to deliver market-leading detection for millions of customers.