Research Article Open Access

On Improving Antivirus Scanning Engines: Memory On-Access Scanner

Mohammed I. Al-Saleh and Rasha K. Al-Huthaifi
  • Jordan University of Science and Technology, Jordan

Abstract

Antivirus (AV) products are used by the home-user community to obtain protection. To some extent, the AV meets users' expectations by detecting previously known malware samples. In this study, we question the set of events that should trigger the AV to scan data. Scanning every single piece of data as it moves from one location to another could be a demanding and performance-killing task. The AV faces a design challenge when deciding what kind of data to scan and when to do so. Typically, the on-access scanner component of the AV scans data as it moves to or from hard drives. Other kinds of data movement are of equal importance: for example, data moves between different memory locations or between memory and the network. In this study, we explore what the AV needs to do upon these various data movements. We design and implement a system that is capable of scanning memory when necessary. We identify and intercept the most relevant API calls that involve memory; afterwards, we extract the data involved and scan it if it has not been scanned before. We test our system against 15 real malware samples and find that it detects all of them. Furthermore, we provide a thorough performance study to quantify the overhead of our system.
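As an added illustration of the scan-once idea the abstract describes (this is not the authors' system): an interception layer hands the scanner the buffer touched by a memory-moving call, the buffer's hash is checked against what has already been scanned, and only new data is passed to the signature engine. The API names used as event labels, the signature patterns and the event sequence are constructed assumptions.

```python
import hashlib

# Constructed toy signature database (name -> byte pattern). These are
# demo patterns, not real malware signatures.
SIGNATURES = {
    "demo-pattern-A": b"DEMO-SIGNATURE-A",
    "demo-pattern-B": b"\xde\xad\xbe\xef",
}


class MemoryOnAccessScanner:
    """Scan a buffer each time an intercepted API call moves data in memory,
    remembering content hashes so the same data is never scanned twice."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.seen_hashes = set()   # hashes of buffers already scanned
        self.scan_count = 0        # how many real scans were performed

    def _match(self, data):
        # Plain substring matching stands in for a real signature engine.
        return [name for name, pat in self.signatures.items() if pat in data]

    def on_memory_event(self, api_name, data):
        """Called by the (assumed) API-interception layer with the data the
        call touched. Returns (verdict, matched_signature_names)."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen_hashes:
            return "skipped", []          # already scanned: no second scan
        self.seen_hashes.add(digest)
        self.scan_count += 1
        hits = self._match(data)
        return ("malicious" if hits else "clean"), hits


def simulate():
    """Replay a constructed sequence of memory-moving events and collect
    one (api, verdict, hits) tuple per event plus the number of real scans."""
    payload = b"header" + SIGNATURES["demo-pattern-B"] + b"trailer"
    events = [
        ("recv", b"GET / HTTP/1.1"),       # data arriving from the network
        ("memcpy", b"GET / HTTP/1.1"),     # same bytes copied again: skipped
        ("WriteProcessMemory", payload),   # buffer carrying a known pattern
        ("memcpy", payload),               # copied again: skipped, not rescanned
    ]
    scanner = MemoryOnAccessScanner(SIGNATURES)
    results = [(api, *scanner.on_memory_event(api, data)) for api, data in events]
    return results, scanner.scan_count
```

Four events produce only two real scans; the two repeated copies are answered from the hash cache, which is the performance saving the abstract argues for.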

Journal of Computer Science
Volume 13 No. 8, 2017, 290-300

DOI: https://doi.org/10.3844/jcssp.2017.290.300

Submitted: 2 June 2017; Published: 26 July 2017

How to Cite: Al-Saleh, M. I. & Al-Huthaifi, R. K. (2017). On Improving Antivirus Scanning Engines: Memory On-Access Scanner. Journal of Computer Science, 13(8), 290-300. https://doi.org/10.3844/jcssp.2017.290.300

Keywords

  • Antivirus
  • On-Access Scanner
  • Malware
  • Memory Scanner