Method and apparatus for detection of computer viruses

US 5,398,196 A
Filed: 07/29/1993
Issued: 03/14/1995
Est. Priority Date: 07/29/1993
Status: Expired due to Term

First Claim

Patent Images

1. A computer system configured to monitor the execution of a target program intended to run on a target computer, said target computer having an instruction set, said computer system comprising:

a processing unit;

instruction emulation means for operating said processing unit to emulate instructions in said target program corresponding to said instruction set as if said instructions were running on said target computer;

monitor means, coupled to said instruction emulation means, for emulating execution of said target program as if said target program were running on said target computer and for monitoring said emulated target program execution to detect a predetermined behavior by said target program; and

means, coupled to said monitor means, for logging said predetermined behavior when detected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A behavior analyzing antivirus program detects viral infection of a target program by emulating the execution of the target program and analyzing the emulated execution to detect viral behavior. The antivirus monitor program contains both variables corresponding to the CPU'"'"'s registers and emulation procedures corresponding to the CPU'"'"'s instructions. The target program is loaded into memory and its execution is emulated by the antivirus monitor program. Intelligent procedures contained in the monitor program are given control between every instruction emulated so as to detect aberrant or dangerous behavior in the target program in which case the danger of a viral presence is flagged and emulation is terminated.

223 Citations

27 Claims

1. A computer system configured to monitor the execution of a target program intended to run on a target computer, said target computer having an instruction set, said computer system comprising:
- a processing unit;
  
  instruction emulation means for operating said processing unit to emulate instructions in said target program corresponding to said instruction set as if said instructions were running on said target computer;
  
  monitor means, coupled to said instruction emulation means, for emulating execution of said target program as if said target program were running on said target computer and for monitoring said emulated target program execution to detect a predetermined behavior by said target program; and
  
  means, coupled to said monitor means, for logging said predetermined behavior when detected.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer system of claim 1, wherein said computer system is configured to detect viral activity associated with said target program, wherein said predetermined behavior is chosen to be indicative of effects of said viral activity.
  - 3. The computer system of claim 1 wherein said instruction emulation means comprises:
    - a register emulator for emulating registers of said target computer; and
      
      a procedure controller for substituting emulation procedures for procedures accessed by said target program during emulation.
  - 4. The computer system of claim 1 wherein said instruction emulation means comprises:
    - a memory access controller for controlling access by said instructions to memory.
  - 5. The computer system of claim 1 wherein said target computer is said computer system.

6. In a computer system, a method for monitoring execution of a target program intended to run on a target computer comprising the steps of:
- emulating the target program as if it were running on said target computer; and
  
  monitoring emulation of the target program to detect a predetermined behavior indicating presence of a computer virus.
- View Dependent Claims (7)
- - 7. The method of claim 6 wherein said target computer is said computer system.

8. In a computer system including a processing unit and a viral behavior monitor, a method for monitoring execution of a target program intended to run on a target computer comprising the steps of:
- using said processing unit to emulate execution of an instruction as if said instruction were running on said target computer;
  
  using said viral behavior monitor to control access by said instruction to memory;
  
  using said viral behavior monitor to control access by said instruction to procedures; and
  
  repeating said step of using said processing unit for successive instructions of the target program.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. The method of claim 8 wherein said step of using said viral behavior monitor to control access by the instruction to memory comprises the substeps of:
    - substituting an alternative memory address for a memory address to which the instruction intends access and which has been preselected for controlled access; and
      
      logging an attempted access to the memory address to which the instruction intends access.
  - 10. The method of claim 8 wherein said target computer is said computer system.
  - 11. The method of claim 8 wherein said step of using said vital behavior monitor to control access by the instruction to procedures comprises the substep of:
    - upon a determination that the instruction is located at a controlled procedure entry point, logging an access attempt to the controlled procedure entry point.
  - 12. The method of claim 11 wherein said step of using said viral behavior monitor to control access by the instruction to procedures further comprises the substeps of:
    - upon a determination that the controlled procedure entry point belongs to a special case list, performing a special case emulation of the instruction; and
      
      upon a determination that the controlled procedure entry point does not belong to a special case list, performing a standard emulation of the instruction.
  - 13. The method of claim 12 wherein said step of performing a special case emulation of the instruction comprises substituting an alternate procedure for the procedure which begins at the controlled procedure entry point.
  - 14. The method of claim 8 further comprising the step of:
    - using said viral behavior monitor to control access by the instruction to operating system access points.
  - 15. The method of claim 14 wherein said step of using said vital behavior monitor to control access by the instruction to operating system access points comprises the substep of:
    - upon a determination that an operating system entry point has changed, logging an operating system entry point change.
  - 16. The method of claim 15 wherein said step of using said viral behavior monitor to control access by the instruction to operating system access points further comprises the substeps of:
    - opening a guinea pig file;
      
      closing the guinea pig file;
      
      examining the guinea pig file to check if contents of the guinea pig file have changed; and
      
      upon a determination that contents of the guinea pig file have changed, logging unauthorized access to the guinea pig file.
  - 17. The method of claim 15 wherein said step of using said viral behavior monitor to control access by the instruction to operating system access points comprises the substeps of:
    - executing a guinea pig file;
      
      examining the guinea pig file to check if contents of the guinea pig file have changed; and
      
      upon a determination that contents of the guinea pig file have changed, logging unauthorized access to the guinea pig file.
  - 18. The method of claim 16 wherein said step of using said viral behavior monitor to control access to operating system entry points further comprises the substeps of:
    - upon a determination that contents of the guinea pig file have changed, loading the guinea pig file for emulation as a new target program and proceeding through said steps of emulating execution and controlling access to operating system entry points, thereby creating a second guinea pig file; and
      
      upon a determination that the new target program has written to the second guinea pig file, logging a virus.
  - 19. The method of claim 17 wherein said step of using said viral behavior monitor to control access to operating system entry points further comprises the substeps of:
    - upon a determination that contents of the guinea pig file have changed, loading the guinea pig file for emulation as a new target program and proceeding through said steps of emulating execution and controlling access to operating system entry points, thereby creating a second guinea pig file; and
      
      upon a determination that the new target program has written to the second guinea pig file, logging a replicative virus.

20. A computer system configured to monitor the execution of a target program intended to run on a target computer, said target computer having an instruction set, said computer system comprising:
- a processing unit;
  
  an instruction emulator for operating said processing unit to emulate instructions corresponding to the instruction set as if said instructions were executed by said target computer;
  
  an entry point access controller for controlling access to operating system entry points; and
  
  a logger for logging improper access by said instructions to operating system entry points.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The computer system of claim 20 further comprising a procedure access controller for controlling access to procedures during instruction emulation, wherein said logger logs improper access by said instructions to procedures.
  - 22. The computer system of claim 20 further comprising a memory access controller for controlling access by said instructions to memory during instruction emulation wherein said logger logs improper access by said instructions to memory.
  - 23. The computer system of claim 20 wherein said target computer is said computer system.
  - 24. The computer system of claim 20 wherein said entry point access controller checks if a viral interrupt has been installed.
  - 25. The computer system of claim 24 wherein said entry point access controller opens and closes a guinea pig file and tests for modification of the guinea pig file to determine if a viral interrupt has been installed.
  - 26. The computer system of claim 24 wherein said entry point access controller executes a guinea pig file and tests for modification of the guinea pig file to determine if a viral interrupt has been installed.
  - 27. The computer system of claim 26 wherein said entry point access controller executes the guinea pig file as a new target program, thereby creating a second guinea pig file, and tests for modification of the second guinea pig file to determine if a replicative viral interrupt has been installed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
David A Chambers
Inventors
Chambers, David A.
Primary Examiner(s)
Cosimano, Edward R.

Application Number

US08/099,368
Time in Patent Office

593 Days
Field of Search

364/550, 364/578, 364/579, 364/580, 364/286.4, 371/16.2, 371/19, 395/500
US Class Current

714/28
CPC Class Codes

G06F 11/261 by simulating additional ha...

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for detection of computer viruses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

223 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detection of computer viruses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

223 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links