9270689

Dynamic and Adaptive Traffic Scanning

Published: February 23, 2016
Assignee: not available in USPTO data we have

Patent Claims
13 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: monitoring data traffic in a data network via an electronic interface with the data network, wherein monitoring comprises monitoring data packets traversing the data network at an appliance that is logically disposed between an end-point device and the Internet; calculating a first conditional probability that content in first given data traffic being monitored is malicious; calculating a second conditional probability that content in second given data traffic being monitored is malicious; ranking the first and second conditional probabilities with respect to each other resulting in ranked conditional probabilities; and performing at least one of anti-virus or anti-malware scanning of the content of the first or second given data traffic depending on whose conditional probability is ranked higher in the ranked conditional probabilities to the exclusion of the other of the first or second given data traffic; selecting a first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning, wherein selecting is based on an efficacy value associated with respective ones of the plurality of scanners for a given type of content that is being carried by the first or second given data traffic whose conditional probability is ranked higher in the ranked conditional probabilities; selecting a second one of the plurality of scanners for a performing a subsequent operation of performing at least one of anti-virus or anti-malware scanning after scanning by the first one of the plurality of scanners, wherein selecting of the second one of the plurality of scanners is based on a conditional probability that the second one of the plurality of scanners can catch malicious content not caught by the first one of the plurality of scanners, wherein a same content of the first or second given data traffic is processed by the first one of a plurality of scanners and the second one of a plurality of scanners, and wherein selecting the first one of a plurality of scanners is based on a data type of the content of the first or second given data traffic.

2. The method of claim 1, wherein monitoring data traffic comprises monitoring data packets at a network security appliance that is logically disposed between an end-point device and a firewall that is in communication with the Internet.

3. The method of claim 1, further comprising: performing at least one of anti-virus or anti-malware scanning of content of third given data traffic; determining, as a result of the anti-virus or anti-malware scanning, whether the content of the third given data traffic is malicious; and when the content of the third given data traffic is determined to be malicious, capturing characteristics of the third given data traffic, wherein the characteristics are employed to calculate conditional probabilities that content of still other given data traffic is malicious.

4. The method of claim 3, wherein capturing characteristics comprises capturing a universal resource locator from which the third given data traffic was received.

5. The method of claim 1, further comprising selecting the first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning based on available throughput of respective ones of the plurality of scanners.

6. An apparatus comprising: a network interface unit configured to communicate over a data network; a memory; and a processor configured to: monitor electronic data traffic in the data network via the interface, by monitoring data packets traversing the data network when the appliance is logically disposed between an end-point device and the Internet; calculate a first conditional probability that content in first given data traffic being monitored is malicious; calculate a second conditional probability that content in second given data traffic being monitored is malicious; rank the first and second conditional probabilities with respect to one another resulting in ranked conditional probabilities; and cause at least one of anti-virus or anti-malware scanning of the content of the first or second given data traffic to be performed depending on whose conditional probability is ranked higher in the ranked conditional probabilities to the exclusion of the other of the first or second given data traffic, wherein the processor is further configured to select a first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning based on an efficacy value associated with respective ones of the plurality of scanners for a given type of content that is being carried by the first or second given electronic data traffic whose conditional probability is ranked higher in the ranked conditional probabilities, wherein the processor is further configured to select a second one of the plurality of scanners for performing a subsequent operation of performing at least one of anti-virus or anti-malware scanning after scanning by the first one of the plurality of scanners, wherein the processor is configured to so select the second one of the plurality of scanners based on a conditional probability that the second one of the plurality of scanners can catch rate malicious content not caught by the first one of the plurality of scanners, wherein a same content of the first or second given data traffic is processed by the first one of a plurality of scanners and the second one of a plurality of scanners, and wherein the first one of a plurality of scanners is selected based on a data type of the content of the first or second given data traffic.

7. The apparatus of claim 6, wherein the processor is further configured to: cause at least one of anti-virus or anti-malware scanning of content of third given data traffic to be performed; determine, as a result of the anti-virus or anti-malware scanning, whether the content of the third given data traffic is malicious; and when the content of the third given electronic data traffic is determined to be malicious, capture characteristics of the third given data traffic, wherein the characteristics are employed to calculate conditional probabilities that content of still other given data traffic is malicious.

8. The apparatus of claim 7, wherein the capture of characteristics comprises capturing a universal resource locator from which the third given data traffic was received.

9. The apparatus of claim 6, wherein the processor is further configured to select the first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning based on available throughput of respective ones of the plurality of scanners.

10. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to: monitor data traffic in a data network via an interface; calculate a first conditional probability that content in first given data traffic being monitored is malicious; calculate a second conditional probability that content in second given data traffic being monitored is malicious; rank the first and second conditional probabilities with respect to one another resulting in ranked conditional probabilities; and cause at least one of anti-virus or anti-malware scanning of the content of the first or second given data traffic to be performed depending on whose conditional probability is ranked higher in the ranked conditional probabilities to the exclusion of the other of the first or second given data traffic, wherein the instructions are further operable to select a first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning based on an efficacy value associated with respective ones of the plurality of scanners for a given type of content that is being carried by the first or second given electronic data traffic whose conditional probability is ranked higher in the ranked conditional probabilities, wherein the instructions are further operable to select a second one of the plurality of scanners for performing a subsequent operation of performing at least one of anti-virus or anti-malware scanning after scanning by the first one of the plurality of scanners, wherein the processor is configured to so select the second one of the plurality of scanners based on a conditional probability that the second one of the plurality of scanners can catch malicious content not caught by the first one of the plurality of scanners, wherein a same content of the first or second given data traffic is processed by the first one of a plurality of scanners and the second one of a plurality of scanners, and wherein the first one of a plurality of scanners is selected based on a data type of the content of the first or second given data traffic.

11. The computer readable storage media of claim 10, wherein the instructions are further operable to: cause at least one of anti-virus or anti-malware scanning of content of third given data traffic to be performed; determine, as a result of the anti-virus or anti-malware scanning, whether the content of the third given data traffic is malicious; and when the content of the third given electronic data traffic is determined to be malicious, capture characteristics of the third given data traffic, wherein the characteristics are employed to calculate conditional probabilities that content of still other given data traffic is malicious.

12. The computer readable storage media of claim 10, wherein the instructions are further operable to capture a universal resource locator from which the third given data traffic was received.

13. The computer readable storage media of claim 10, wherein the instructions are further operable to select the first one of a plurality of scanners for performing the at least one of anti-virus or anti-malware scanning based on available throughput of respective ones of the plurality of scanners.
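
An added illustration of the method in claims 1, 3 and 4, written for this page and not taken from the patent or any product: flows are ranked by a conditional probability of being malicious, only the top-ranked flow is scanned, and the scanner pair is chosen by efficacy and then by complementary catch probability. The use of the source host as the only characteristic, the Laplace smoothing, the `budget` parameter, the scanner names and every numeric value are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample values (not from the patent): per-type efficacy, and
# the probability that the second scanner catches what the first missed.
EFFICACY = {"pdf": {"scanner_a": 0.90, "scanner_b": 0.85, "scanner_c": 0.60}}
CATCH_GIVEN_MISS = {"pdf": {("scanner_a", "scanner_b"): 0.10,
                            ("scanner_a", "scanner_c"): 0.40}}

class AdaptiveScanPlanner:
    def __init__(self, efficacy, catch_given_miss):
        self.efficacy = efficacy
        self.catch_given_miss = catch_given_miss
        self.seen = defaultdict(int)   # scanned flows per source host
        self.bad = defaultdict(int)    # malicious verdicts per source host

    def record_verdict(self, host, malicious):
        # Feedback step (claims 3-4): scan results update per-URL-host counts.
        self.seen[host] += 1
        self.bad[host] += int(malicious)

    def p_malicious(self, host):
        # P(malicious | host), Laplace-smoothed so an unseen host scores 0.5.
        return (self.bad[host] + 1) / (self.seen[host] + 2)

    def scanner_chain(self, content_type):
        eff = self.efficacy[content_type]
        first = max(eff, key=eff.get)  # highest efficacy for this data type
        cond = {b: p for (a, b), p in self.catch_given_miss[content_type].items()
                if a == first}
        second = max(cond, key=cond.get)  # best at catching what `first` misses
        return first, second

    def plan(self, flows, budget=1):
        # Rank by conditional probability; flows past the budget are not scanned.
        ranked = sorted(flows, key=lambda f: self.p_malicious(f["host"]),
                        reverse=True)
        return [(f["id"], self.scanner_chain(f["type"])) for f in ranked[:budget]]

def demo():
    planner = AdaptiveScanPlanner(EFFICACY, CATCH_GIVEN_MISS)
    for _ in range(10):
        planner.record_verdict("cdn.example", False)
    for verdict in (True, True, True, False):
        planner.record_verdict("files.example", verdict)
    flows = [{"id": "flow-1", "host": "cdn.example", "type": "pdf"},
             {"id": "flow-2", "host": "files.example", "type": "pdf"}]
    return planner.plan(flows)

if __name__ == "__main__":
    print(demo())
```

With these values the second scanner is `scanner_c`, not the second-most-effective `scanner_b`, because the selection criterion is what it catches that `scanner_a` misses.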

Patent Metadata

Filing Date: Unknown
Publication Date: February 23, 2016
Inventors: Jisheng Wang, Daniel Quinlan, Lee Jones

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “DYNAMIC AND ADAPTIVE TRAFFIC SCANNING” (9270689). https://patentable.app/patents/9270689
