Selective detection of malicious computer code
Abstract
System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.
20 Claims
1. A method for detecting infection of a computer file by an attacking agent, the method comprising the steps of:
- generating a new hash of a critical viral target region of the file;
- comparing the new hash of the critical viral target region to a previously generated hash of the critical viral target region;
- determining whether the file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
- determining that the file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the file has been scanned with the most recent version of the detection module.

10. A system for detecting infection of a computer file by an attacking agent, the system comprising:
- a detection module configured to check the computer file for infection by the attacking agent, the detection module including an identifier of a most recent version of a scanning engine to include an update to the detection module;
- a database, in communication with the detection module, and storing entries, each entry associated with a file and containing a previously generated hash of a critical viral target region and an identifier indicating a most recent version of the scanning engine to scan the file for the presence of malicious code;
- a hash generator, in communication with the database, and configured to generate a new hash of the critical viral target region;
- a selection module, in communication with the database and the hash generator, and configured to:
  - compare the new hash of the critical viral target region to the previously generated hash of the critical viral target region;
  - compare the identifier of the most recent version of the scanning engine to scan the file to the identifier of the most recent version of the scanning engine to include an update of the detection module; and
  - determine that the file has not been infected by an attacking agent when the new hash and the previously generated hash are identical, and the most recent version of the scanning engine to scan the file is not an earlier version than the most recent version of the scanning engine to include an update of the detection module.

15. A computer-readable medium containing computer code instructions for detecting infection of a file by an attacking agent, the computer code comprising instructions for:
- generating a new hash of a critical viral target region of the file;
- comparing the new hash of the critical viral target region to a previously generated hash of the critical viral target region;
- determining whether the file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
- determining that the file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the file has been scanned with the most recent version of the detection module.

20. A method for detecting infection of a file by a plurality of attacking agents, the method comprising:
- comparing, for each attacking agent, a new hash of a critical viral target region to a previously generated hash of the critical viral target region;
- determining, for each attacking agent, whether the file has been scanned for infection by the attacking agent with a most recent version of a detection module associated with the attacking agent;
- determining, for each attacking agent, that the file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the file has been scanned with the most recent version of the detection module;
- determining that the file does not contain malicious code when the file has not been infected by any attacking agents.

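The per-agent skip decision of claims 10 and 20, as an added Python sketch that is not code from the patent. Assumptions: SHA-256 as the hash, critical viral target regions modeled as byte ranges, a byte-marker `scan` standing in for real detection logic, and all names (`DetectionModule`, `Entry`, `check_file`) hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class DetectionModule:
    agent: str
    region: slice           # assumed: critical target region as a byte range
    updated_in_engine: int  # latest engine version that updated this module
    signature: bytes        # constructed marker standing in for detection logic

    def scan(self, data: bytes) -> bool:
        return self.signature in data

@dataclass
class Entry:
    region_hash: str
    scanned_by_engine: int  # latest engine version that scanned for this agent

def region_hash(data: bytes, region: slice) -> str:
    return hashlib.sha256(data[region]).hexdigest()

def check_file(file_id, data, modules, cache, engine_version):
    """Return (infected_agents, rescanned_agents) for one file."""
    infected, rescanned = [], []
    for m in modules:
        new_hash = region_hash(data, m.region)
        entry = cache.get((file_id, m.agent))
        if (entry is not None and entry.region_hash == new_hash
                and entry.scanned_by_engine >= m.updated_in_engine):
            continue  # region unchanged and scan is current: clean for this agent
        rescanned.append(m.agent)
        if m.scan(data):
            infected.append(m.agent)
            cache.pop((file_id, m.agent), None)  # never cache an infected verdict
        else:
            cache[(file_id, m.agent)] = Entry(new_hash, engine_version)
    return infected, rescanned

def demo():
    a = DetectionModule("A", slice(0, 16), 1, b"\xde\xad")
    b = DetectionModule("B", slice(16, 32), 1, b"\xbe\xef")
    clean, cache, runs = bytes(64), {}, []                 # constructed sample file
    runs.append(check_file("f", clean, [a, b], cache, 1))  # first scan: both run
    runs.append(check_file("f", clean, [a, b], cache, 1))  # unchanged: both skipped
    b.updated_in_engine = 2                                # module B updated in engine 2
    runs.append(check_file("f", clean, [a, b], cache, 2))  # only B rescans
    tampered = b"\xde\xad" + clean[2:]                     # region A modified
    runs.append(check_file("f", tampered, [a, b], cache, 2))
    return runs
```

A change outside an agent's hashed region does not trigger a rescan for that agent, so the skip decision is only as sound as the choice of region and the integrity of the stored entries.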
Specification