The instinct in malware defense is to scan everything the instant it touches the system. It feels safest, but it's expensive: scanning every file the moment it's written imposes a constant performance tax, much of it wasted on files that will never be executed. The naive approach trades a great deal of overhead for protection against threats that, in many cases, were never going to fire.

The grant US10997294B2, "Deferred malware scanning" (issued May 4, 2021, assigned to Sophos Limited), questions the timing. Its CPC classifications sit in the malware-detection classes G06F 21/566, G06F 21/52, and G06F 21/554 — a scanning strategy, not a new detection engine, that asks when scanning should happen rather than how.

The mechanism that matters is decoupling presence from execution. A file that exists but is never run poses no immediate threat; the danger arrives when it executes. Deferring the full scan to a more opportune moment — and gating the file's ability to act in the meantime — lets the system avoid the cost of scanning everything up front while still ensuring nothing dangerous runs unscanned.

For defenders, the practical takeaway is that security and performance aren't always in tension if you're smart about timing. Deferred scanning is a way to get strong protection at the points that matter — execution — without paying the full scanning cost at every point that doesn't. On busy systems, that difference is the line between a security tool people keep enabled and one they turn off because it's too slow.

The risk the patent has to manage is the gap: a deferred scan is only safe if the file genuinely can't cause harm before it's scanned. The engineering is in guaranteeing that interim control. It's a reminder that practical security is full of these timing and resourcing trade-offs, and that getting them right is as much a part of defense as the detection logic itself.
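The decoupling described above (files queue on write, the scan runs at the execution gate or during idle time, and a rewrite invalidates an earlier verdict so the interim gap stays closed) as a toy model in Python. This is an added illustration, not code from the patent or from Sophos; the signature check, file paths and contents are constructed placeholders.

```python
# Constructed stand-in for the detection engine: a tiny signature list.
BAD_SIGNATURES = (b"EVIL_MARKER",)

def scan_content(content):
    return not any(sig in content for sig in BAD_SIGNATURES)  # True == clean

class DeferredScanner:
    def __init__(self):
        self.files = {}     # path -> bytes currently on disk
        self.verdicts = {}  # path -> clean?; present only if scanned and unmodified since
        self.pending = []   # paths queued for an opportunistic scan
        self.scans_run = 0

    def on_write(self, path, content):
        """File lands on disk: record it, drop any stale verdict, do NOT scan yet."""
        self.files[path] = content
        self.verdicts.pop(path, None)  # a rewrite invalidates an earlier verdict
        if path not in self.pending:
            self.pending.append(path)

    def _scan(self, path):
        self.scans_run += 1
        self.verdicts[path] = scan_content(self.files[path])
        if path in self.pending:
            self.pending.remove(path)

    def on_execute(self, path):
        """The gate: run only with a current clean verdict; scan synchronously if missing."""
        if path not in self.verdicts:
            self._scan(path)
        return self.verdicts[path]

    def on_idle(self, budget):  # quiet period: work through up to `budget` queued files
        done = 0
        while self.pending and done < budget:
            self._scan(self.pending[0])
            done += 1
        return done

def demo():
    s = DeferredScanner()
    for i in range(5):                           # written, never executed
        s.on_write(f"/tmp/data{i}.bin", b"harmless payload")
    s.on_write("/tmp/tool.exe", b"ok binary")
    s.on_write("/tmp/drop.exe", b"xx EVIL_MARKER xx")
    tool = s.on_execute("/tmp/tool.exe")         # scanned at the gate, allowed
    drop = s.on_execute("/tmp/drop.exe")         # scanned at the gate, blocked
    s.on_write("/tmp/tool.exe", b"EVIL_MARKER")  # rewritten: clean verdict dropped
    rerun = s.on_execute("/tmp/tool.exe")        # re-scanned, now blocked
    idle = s.on_idle(2)                          # two queued data files scanned
    return {"scans": s.scans_run, "tool": tool, "drop": drop,
            "tool_after_rewrite": rerun, "idle": idle, "pending": len(s.pending)}
```

Eight writes cost only five scans here (three at the gate, two in idle time), and the five data files that were never executed are scanned only as idle budget allows.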