Method and apparatus for detection of computer viruses
First Claim
1. A computer system configured to monitor the execution of a target program intended to run on a target computer, said target computer having an instruction set, said computer system comprising:
- a processing unit;
- instruction emulation means for operating said processing unit to emulate instructions in said target program corresponding to said instruction set as if said instructions were running on said target computer;
- monitor means, coupled to said instruction emulation means, for emulating execution of said target program as if said target program were running on said target computer and for monitoring said emulated target program execution to detect a predetermined behavior by said target program; and
- means, coupled to said monitor means, for logging said predetermined behavior when detected.
Abstract
A behavior-analyzing antivirus program detects viral infection of a target program by emulating the execution of the target program and analyzing the emulated execution to detect viral behavior. The antivirus monitor program contains both variables corresponding to the CPU's registers and emulation procedures corresponding to the CPU's instructions. The target program is loaded into memory and its execution is emulated by the antivirus monitor program. Intelligent procedures contained in the monitor program are given control between every instruction emulated so as to detect aberrant or dangerous behavior in the target program, in which case the danger of a viral presence is flagged and emulation is terminated.
27 Claims
6. In a computer system, a method for monitoring execution of a target program intended to run on a target computer comprising the steps of:
- emulating the target program as if it were running on said target computer; and
- monitoring emulation of the target program to detect a predetermined behavior indicating presence of a computer virus.
Dependent claims: 7.

8. In a computer system including a processing unit and a viral behavior monitor, a method for monitoring execution of a target program intended to run on a target computer comprising the steps of:
- using said processing unit to emulate execution of an instruction as if said instruction were running on said target computer;
- using said viral behavior monitor to control access by said instruction to memory;
- using said viral behavior monitor to control access by said instruction to procedures; and
- repeating said step of using said processing unit for successive instructions of the target program.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19.

20. A computer system configured to monitor the execution of a target program intended to run on a target computer, said target computer having an instruction set, said computer system comprising:
- a processing unit;
- an instruction emulator for operating said processing unit to emulate instructions corresponding to the instruction set as if said instructions were executed by said target computer;
- an entry point access controller for controlling access to operating system entry points; and
- a logger for logging improper access by said instructions to operating system entry points.
Dependent claims: 21, 22, 23, 24, 25, 26, 27.
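The emulate-then-monitor loop that the abstract and claims 8 and 20 describe, as an added example in Python that is not the patent's own code: register variables, one emulation procedure per instruction, and a monitor that takes control before every instruction to control memory and entry-point access, log the behavior, and terminate emulation. The four-instruction toy instruction set, the memory map, the call allow-list and the sample programs are all constructed for illustration.

```python
# Constructed memory map and policy (not from the patent): addresses below
# 0x100 hold operating-system entry points and must never be written by the
# target, and only the file_open entry point may be called directly.
OS_ENTRY_POINTS = {0x10: "disk_write", 0x20: "file_open"}
PROTECTED = range(0x00, 0x100)
ALLOWED_ENTRY = {0x20}


def run(program, max_steps=1000):
    """Emulate `program`, a list of (opcode, operand) tuples, and return
    (log, steps): logged predetermined behaviors and instructions completed."""
    regs = {"A": 0, "PC": 0}    # variables standing in for the CPU's registers
    memory = bytearray(0x400)   # the target program's emulated memory
    log = []                    # predetermined behavior is logged when detected

    def monitor(opcode, operand):
        """Given control before every instruction; False ends emulation."""
        pc = regs["PC"]
        if opcode == "STORE" and operand in PROTECTED:
            log.append(f"PC={pc:#x}: write to protected address {operand:#x}")
        elif opcode == "CALL" and operand not in ALLOWED_ENTRY:
            name = OS_ENTRY_POINTS.get(operand, f"{operand:#x}")
            log.append(f"PC={pc:#x}: improper call to {name}")
        return not log

    def emulate(opcode, operand):
        """Emulation procedures, one per instruction of the toy instruction set."""
        if opcode == "MOV":
            regs["A"] = operand & 0xFF
        elif opcode == "STORE":
            memory[operand] = regs["A"]
        elif opcode == "CALL":
            pass                # a fuller emulator would model the OS service
        elif opcode == "HALT":
            return False
        return True

    steps = 0
    while regs["PC"] < len(program) and steps < max_steps:
        opcode, operand = program[regs["PC"]]
        if not monitor(opcode, operand) or not emulate(opcode, operand):
            break               # danger flagged, or HALT reached
        regs["PC"] += 1
        steps += 1
    return log, steps


# Constructed sample programs: one benign, one that overwrites the OS region.
BENIGN = [("MOV", 0x41), ("STORE", 0x200), ("CALL", 0x20), ("HALT", None)]
SUSPECT = [("MOV", 0x90), ("STORE", 0x300), ("STORE", 0x10), ("CALL", 0x10), ("HALT", None)]
```

Because the monitor inspects each instruction before it is emulated, the write into the protected region is logged and emulation stops without the emulated memory ever being modified.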