Method and apparatus for detecting computer viruses through the use of a scan information cache

US 5,649,095 A
Filed: 10/04/1993
Issued: 07/15/1997
Est. Priority Date: 03/30/1992
Status: Expired due to Term

First Claim

Patent Images

1. A method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus, said method comprising the steps of:

creating a scan information cache on a non-volatile storage medium;

gathering identifying information, which includes at least one length of some portion of a file, about an initial state of said file;

storing said identifying information in said scan information cache;

gathering current state information, which includes at least one length of some portion of said file, about a current state of said file;

determining how said identifying information stored in said scan information cache differs from said current state information thereby indicating a presence or absence of one or more subsets of computer viruses, said one or more subsets each including one or more viruses which affect state information of said file in certain characteristic manners;

scanning said file for one or more of said subsets of computer viruses of a type of computer viruses that are determined to be present.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is provided for scanning files for computer viruses which use the length of at least one portion (such as a fork) of a file. This length information is stored in a cache. During a scan, the then current size of the file portion is compared to the length stored in the cache and if there is a size difference, the file is then scanned for viruses which can change that portion of the file'"'"'s size.

142 Citations

12 Claims

1. A method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus, said method comprising the steps of:
- creating a scan information cache on a non-volatile storage medium;
  
  gathering identifying information, which includes at least one length of some portion of a file, about an initial state of said file;
  
  storing said identifying information in said scan information cache;
  
  gathering current state information, which includes at least one length of some portion of said file, about a current state of said file;
  
  determining how said identifying information stored in said scan information cache differs from said current state information thereby indicating a presence or absence of one or more subsets of computer viruses, said one or more subsets each including one or more viruses which affect state information of said file in certain characteristic manners;
  
  scanning said file for one or more of said subsets of computer viruses of a type of computer viruses that are determined to be present.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus of claim 1 further comprising the step of scanning files for which said identifying information is not found in said scan information cache for a subset of those viruses which infect said computer, said subset including viruses that can infect said files.
  - 3. The method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus of claim 1 further comprising the step of updating said scan information cache by placing a specific indicative value in some part of each location in said scan information cache which corresponds to a file in which a virus is found.
  - 4. The method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus of claim 1 further comprising the step of updating said scan information cache with new information concerning a state of a file for each file in which no virus is found.
  - 5. The method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus of claim 1 further comprising the step of updating said scan information cache with new information concerning a state of a file for each file in which a virus is found.
  - 6. The method for increasing the speed at which a computer, which has files including more than one fork, scans for the presence of a computer virus of claim 1 further comprising the step of comparing the difference between said at least one length in said scan information cache for the initial state of said file and said at least one length of said current state of said file to a tolerance.

7. An apparatus that can rapidly scan for the presence of a computer virus on a computer, which has files including more than one fork, said apparatus comprising:
- a scan information cache on a non-volatile storage medium;
  
  means for gathering identifying information, which includes at least one length of some portion of a file, about an initial state of said file;
  
  means for storing said identifying information in said scan information cache;
  
  means for gathering state information, which includes at least one length of some portion of said file, about a current state of said file;
  
  means for determining how said identifying information stored in the scan information cache differs from said current state information for said file thereby indicating a presence or absence of one or more subsets of computer viruses, said one or more subsets each including one or more viruses which affect state information of said file in certain characteristic manners;
  
  means for scanning said file for one or more of said subsets of computer viruses of a type of computer viruses that are determined to be present.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus that can rapidly scan for the presence of a computer virus of claim 7 further comprising means for scanning files for which said identifying information is not found in said scan information cache for a subset of those viruses which infect said computer, said subset including viruses that can infect said files.
  - 9. The apparatus that can rapidly scan for the presence of a computer virus of claim 7 further comprising means for updating said scan information cache by placing a specific indicative value in some part of each location in said scan information cache which corresponds to a file in which a virus is found.
  - 10. The apparatus that can rapidly scan for the presence of a computer virus of claim 7 further comprising means for updating said scan information cache with new information concerning a state of a file for each file in which no virus is found.
  - 11. The apparatus that can rapidly scan for the presence of a computer virus of claim 7 further comprising means for updating said scan information cache with new information concerning a state of a file for each file in which a virus is found.
  - 12. The apparatus that can rapidly scan for the presence of a computer virus of claim 7 further comprising means for comparing the difference between said at least one length in said scan information cache for the initial state of said file and said at least one length of said current state of said file to a tolerance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Paul D. Cozza
Inventors
Cozza, Paul D.
Primary Examiner(s)
Nguyen, Hoa T.

Application Number

US08/131,333
Time in Patent Office

1,380 Days
Field of Search

395/183.15, 395/440, 395/184.01, 395/185.02, 395/185.03, 395/185.07, 380/4, 364/550, 371/67.1
US Class Current

714/39
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

H04L 51/212   using filtering or selectiv...

Method and apparatus for detecting computer viruses through the use of a scan information cache

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting computer viruses through the use of a scan information cache

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links