Title: Using telemetry to reduce malware definition package size
Abstract: Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on this analysis, the cloud server segments the malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether the file identified in a request contains malware. If the file is malicious, the client remediates the malware using the local malware definition update.
Publication number: US8826431(B2)    Publication date: 2014.09.02
Application number: US201213682288    Filing date: 2012.11.20
Applicant: Symantec Corporation    Inventors: Pereira Shane; Nachenberg Carey S.
Classification: G06F21/00; G06F21/56; H04L29/06    Main classification: G06F21/00
Agent firm: Fenwick & West LLP    Agent: Fenwick & West LLP
Main claim: 1. A computer-implemented method of providing malicious software (malware) definitions to clients, comprising: receiving, at a computer processor, telemetry data from a plurality of clients, the telemetry data describing files created on the clients; analyzing, by the computer processor, the telemetry data to identify malware that is currently spreading among the plurality of clients, the analyzing comprising: determining a size of a malware definition in a set of malware definitions; and considering the size of the malware definition in a determination of whether malware associated with the malware definition is currently spreading; segmenting, by the computer processor, the set of malware definitions into a set of local malware definitions responsive to the analysis of the telemetry data, the set of local malware definitions including malware definitions for malware identified as currently spreading among the plurality of clients; and providing, by the computer processor, the set of local malware definitions to the plurality of clients, wherein the plurality of clients are adapted to store the local malware definitions and use the set of local malware definitions to detect malware at the clients.
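The following is an added illustration of the segmentation described in the abstract and claim 1; it is not the patent's or Symantec's code. The telemetry records, the definition database, the thresholds, and the reading of the "consider the size" step as a local-package byte budget are all constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry: (client_id, day, hash_of_detected_file); days are
# integers so the example runs offline without clock handling.
TELEMETRY = [
    ("c1", 10, "h-aaa"), ("c2", 10, "h-aaa"), ("c3", 11, "h-aaa"), ("c4", 12, "h-aaa"),
    ("c1", 12, "h-bbb"), ("c1", 12, "h-bbb"),                    # one client only
    ("c2", 1, "h-ccc"), ("c3", 2, "h-ccc"), ("c5", 2, "h-ccc"),  # outbreak long over
    ("c2", 12, "h-ddd"), ("c5", 12, "h-ddd"), ("c6", 12, "h-ddd"),
]
# Constructed cloud definition database: hash -> (definition name, size in bytes).
DEFINITIONS = {
    "h-aaa": ("Trojan.A", 1_200),
    "h-bbb": ("Trojan.B", 900),
    "h-ccc": ("Worm.C", 2_000),
    "h-ddd": ("Dropper.D", 40_000),   # bulky definition
}

def spreading_score(telemetry, now, window):
    """Count distinct clients that reported each hash within the last `window` days."""
    clients = defaultdict(set)
    for client, day, digest in telemetry:
        if now - day <= window:
            clients[digest].add(client)
    return {digest: len(c) for digest, c in clients.items()}

def segment_definitions(definitions, telemetry, now, window=7,
                        min_clients=3, local_budget=4_000):
    """Split the definition set into local and cloud sets (claim 1).

    A definition goes local when its malware is currently spreading (seen on
    at least `min_clients` distinct clients in the window) and still fits the
    local budget; the claim's "consider the size" step is modelled here as
    that budget check, with the most widespread malware served first.
    """
    scores = spreading_score(telemetry, now, window)
    local, cloud, used = {}, {}, 0
    ranked = sorted(definitions, key=lambda d: (-scores.get(d, 0), definitions[d][1]))
    for digest in ranked:
        name, size = definitions[digest]
        if scores.get(digest, 0) >= min_clients and used + size <= local_budget:
            local[digest] = name
            used += size
        else:
            cloud[digest] = name
    return local, cloud

def cloud_lookup(cloud, digest):
    """Answer a cloud definition lookup: definition name, or None if not in the cloud set."""
    return cloud.get(digest)
```

With the constructed data, Trojan.A is widespread and small and ships locally, while Dropper.D is spreading but exceeds the remaining budget and stays cloud-only, as do the stale Worm.C and single-client Trojan.B.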
Address: Mountain View CA US