Modern disk drive processors are now capable of general purpose computation, and we can utilize this new power to implement malware detection directly on the disk drive. All data flowing to and from the hard drive must pass through the disk drive processor. This key property makes the disk processor the final line of defense against malware, since it is privy to the low-level behavior of viruses that wish to alter data on the host. Disk-level malware detection uses the disk processor to identify threats based on patterns of I/O requests. Read more about the advantages of disk-level malware detection.

String scanning is the traditional - and primary - method of virus detection. However, polymorphic and metamorphic viruses elude these detectors, and it is easy to hand-craft variants that evade detection. (Polymorphism and metamorphism automatically alter code structure between generations without changing the virus's behavior.) Emulation was designed in response to these complex viruses, but emulation is limited by its high computational cost and imprecision. Virus authors have also subsequently created anti-emulation techniques.

As has been recently highlighted, rootkits are rapidly becoming a large threat. Virtual machine-based rootkits, especially, are nearly impossible to detect using host-level techniques because they run below detectors.

Disk-level malware detection addresses both morphing viruses and layer-below attacks.

This work is supported by the National Science Foundation Cyber Trust Program ("Disk-Level Malware Detection and Response," NSF 0627527).