Customers always complain that anti-virus soft- wares bog down their computers by consuming much of PC memories and resources. With the popularity and variety of zero- day threats over the Internet, security companies have to keep on inserting new virus signatures into their databases. However, is the increasing size of the signature file the sole reason to drag computers to a crawl during the virus scan? This paper outlines other three reasons for slowing down software-protected computers, which actually are not directly related to the signature file. First, the rising time consumption of de-obfuscating binary payloads by using the emulation technology requires anti-virus softwares take more time to scan a packed file than an unpacked file. Second, New Technology File System causes self-similarity in file index searching and data block accessing. Even if file sizes fit the log-normal distribution, there are still many "spikes" of high virus-scanning latency which cannot be ignored. Last but not least, temporal changes in file size, file type, and storage capacity in modern operation systems are slowing down virus scan. The paper also discusses the cloud-based security infrastructure for deploying a light-weight and fast anti-virus products.
[1]
Murad S. Taqqu,et al.
On the Self-Similar Nature of Ethernet Traffic
,
1993,
SIGCOMM.
[2]
Jacob R. Lorch,et al.
A five-year study of file-system metadata
,
2007,
TOS.
[3]
Walter Willinger,et al.
On the self-similar nature of Ethernet traffic
,
1993,
SIGCOMM '93.
[4]
Rajeev Nagar,et al.
Windows NT File System Internals
,
1997
.
[5]
Christopher Krügel,et al.
Detecting kernel-level rootkits through binary analysis
,
2004,
20th Annual Computer Security Applications Conference.
[6]
William J. Bolosky,et al.
A large-scale study of file-system contents
,
1999,
SIGMETRICS '99.
[7]
Nirwan Ansari,et al.
Revealing Packed Malware
,
2008,
IEEE Security & Privacy.