Heuristic detection of malicious computer code by page tracking
Abstract
To detect a computer virus in a host file (100), an emulating module (414) emulates the host file (100) in a virtual machine (422) having a virtual memory (426). While emulating the host file (100), the system (400) tracks the host file's access of the virtual memory (426). Responsive to an access in a non-normal address range of the virtual memory (426) by the host file (100), a flag recording module (522) sets a flag. A virus reporting module (526) declares a potential virus based on whether the flag is set.
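An added example, not code from the patent or its assignee: a minimal Python sketch of the three modules in the abstract, with the emulator replaced by a replay of a constructed memory-access trace. The page size, the "normal" address ranges and every name here are assumptions; the text above does not define which ranges count as non-normal.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages in the virtual memory


@dataclass
class PageTracker:
    """Flag recording: remembers touched pages, sets a flag on non-normal access."""
    normal_ranges: list                           # [(start, end)), chosen by the caller
    touched: dict = field(default_factory=dict)   # page number -> set of access kinds
    hits: list = field(default_factory=list)      # accesses that set the flag
    flag: bool = False

    def record(self, addr, size, kind):
        last = addr + size - 1
        for page in range(addr // PAGE_SIZE, last // PAGE_SIZE + 1):
            self.touched.setdefault(page, set()).add(kind)
        # The whole access must sit inside one normal range; an access that
        # starts inside a range and runs past its end is still non-normal.
        if not any(lo <= addr and last < hi for lo, hi in self.normal_ranges):
            self.flag = True
            self.hits.append((addr, size, kind))


def emulate(trace, tracker, max_steps=10_000):
    """Stand-in for the emulating module: replays (addr, size, kind) accesses."""
    for addr, size, kind in trace[:max_steps]:
        tracker.record(addr, size, kind)
    return tracker


def report(tracker):
    """Reporting: declare potential malicious code based only on the flag."""
    return {"potential_malicious": tracker.flag,
            "flagged_accesses": [hex(a) for a, _, _ in tracker.hits]}


def scan(trace, normal_ranges):
    return report(emulate(trace, PageTracker(list(normal_ranges))))


# Constructed layout and traces (assumptions, not taken from the patent).
NORMAL = [(0x400000, 0x405000), (0x7FF000, 0x800000)]   # image, stack
CLEAN = [(0x401000, 4, "x"), (0x403010, 4, "r"), (0x7FFFF0, 8, "w")]
STRADDLE = CLEAN + [(0x404FFE, 4, "r")]     # runs 2 bytes past the image
OUTSIDE = CLEAN + [(0x70001234, 4, "r")]    # page 0x70001 is in no normal range

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN), ("straddle", STRADDLE), ("outside", OUTSIDE)):
        print(name, scan(trace, NORMAL))
```

In a real scanner the trace would come from the emulator's memory-access hooks, and the normal ranges from the host file's own layout.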
28 Claims
1. A computer-implemented method for detecting malicious code in a host file, the method comprising the steps of:
- emulating the host file in a virtual machine having a virtual memory;
- tracking access of the virtual memory by the host file; and
- detecting potential malicious code responsive to an access of the virtual memory within a non-normal address range.
9. A computer program product comprising a computer-readable medium containing computer program code for detecting malicious code in a host file, the computer program code comprising instructions for performing the steps of:
- emulating the host file in a virtual machine having a virtual memory;
- tracking access of the virtual memory by the host file; and
- detecting potential malicious code responsive to an access of the virtual memory within a non-normal address range.
17. A computer program product comprising a computer-readable medium containing computer program code for detecting malicious code in a host file, the computer program code comprising:
- an emulating module for emulating the host file in a virtual machine having a virtual memory;
- a flag recording module adapted to set a flag responsive to an access of a non-normal address range of the virtual memory by the host file; and
- a virus reporting module adapted to declare potential malicious code based on whether the flag is set.
23. A virus detection system for detecting malicious code in a host file, the system comprising:
- an emulating module for emulating the host file in a virtual machine having a virtual memory;
- a flag recording module coupled to the emulating module, the flag recording module adapted to set a flag responsive to an access of a non-normal address range of the virtual memory by the host file; and
- a virus reporting module coupled to the flag recording module, the virus reporting module adapted to declare potential malicious code based on whether the flag is set.
Specification