Processor emulator module having a variable pre-fetch queue size for program execution
Abstract
An emulation module (110) includes a pre-fetch queue (116) having an adjustable size (126) to eliminate any dependence of virus decryption routines on the size of the pre-fetch queue (116) when emulating executable files to test for the presence of virus infections. An executable file is tested by setting (210, 258) the size of the emulator's pre-fetch queue (116) and emulating (220) the file under the guidance of an emulation control module (130). Emulated instructions are monitored and a flag is set (230) when any instructions are modified (224) after being copied to the pre-fetch queue and subsequently executed (228). Emulation continues until the emulation control module (130) indicates (230) that the file should be scanned for virus signatures. If no virus signatures are detected (234) and the flag is set (244), the size of the pre-fetch queue is reduced (258) and the process is repeated. An executable file is declared virus-free (250) if the file is emulated (220) without setting the flag (230) and no virus signatures are detected (234). The executable file is declared virus-infected (240) when virus signatures are detected (234), independent of whether the flag is set (230). For Intel processors, pre-fetch queue sizes of 32, 16, 8, and zero bytes may be emulated.
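
The emulate, scan and reduce loop described in the abstract, as an added Python example that is not code from the patent. The three-opcode toy instruction set, the sliding-window queue model, `emulate`, `scan_file` and the constructed `SAMPLE` are assumptions made for illustration; only the queue sizes 32, 16, 8 and 0 come from the abstract.

```python
SIZES = (32, 16, 8, 0)               # queue sizes named in the abstract
HALT, STORE, NOP = 0x00, 0x01, 0x90  # toy ISA (assumption): STORE addr, value

def emulate(image, pfq_size):
    """Run the toy program; return (final memory, self-modification flag)."""
    mem = bytearray(image.ljust(256, bytes([HALT])))
    queue, dirty, pc, flag = {}, set(), 0, False

    def fetch(addr):
        nonlocal flag
        if addr not in queue:
            return mem[addr]              # not pre-fetched: read live memory
        flag |= addr in dirty             # stale queued byte is being executed
        dirty.discard(addr)
        return queue.pop(addr)

    while pc <= 253:                      # pc only moves forward, so this ends
        for a in range(pc, min(pc + pfq_size, 256)):
            queue.setdefault(a, mem[a])   # keep the queue filled ahead of pc
        op = fetch(pc)
        if op == STORE:
            addr, val = fetch(pc + 1), fetch(pc + 2)
            mem[addr] = val
            if addr in queue:             # target already copied to the queue
                dirty.add(addr)
            pc += 3
        elif op == NOP:
            pc += 1
        else:                             # HALT or unknown opcode stops the run
            break
    return bytes(mem), flag

def scan_file(image, signature):
    """Return (verdict, queue size of the pass that decided it)."""
    for size in SIZES:
        mem, flag = emulate(image, size)
        if signature in mem:
            return "infected", size       # signature wins regardless of flag
        if not flag:
            return "clean", size          # no queue-dependent behaviour seen
    return "clean", SIZES[-1]

# Constructed sample: overwrites the HALT at address 10 with NOP; the marker
# bytes are only written if the modified byte, not the queued one, executes.
SIG = b"SIG"
SAMPLE = bytes([STORE, 10, NOP] + [NOP] * 7 + [HALT,
                STORE, 0x40, 0x53, STORE, 0x41, 0x49, STORE, 0x42, 0x47, HALT])
```

`scan_file(SAMPLE, SIG)` returns `("infected", 8)`: the 32- and 16-byte passes execute the stale HALT and set the flag, and the 8-byte pass is the first in which the modified byte runs and the marker appears in memory.
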
11 Claims
1. A computer-implemented method for emulating a computer file in a processor emulator having a selectable pre-fetch queue size, to detect a computer virus, the method comprising the steps of:
- selecting a pre-fetch queue size for the emulator;
- emulating instructions of the computer file;
- setting a first flag when an emulated instruction modifies another instruction within the selected pre-fetch queue size and the modified instruction is executed;
- scanning the emulated computer file for a virus signature;
- reducing the pre-fetch queue size and repeating the emulating, setting, and scanning steps when the first flag is set and no virus signature is found; and
- indicating a virus is not present when the first flag is not set and no virus signature is found.
6. A computer-implemented method for detecting a virus in a computer file using a processor emulator having a pre-fetch queue characterized by a queue size, the method comprising the steps of:
- emulating instructions of the computer file;
- setting a first flag when an emulated instruction modifies another instruction in the pre-fetch queue and the modified instruction is subsequently emulated;
- scanning the emulated computer file for a virus signature;
- indicating a virus is detected if the virus signature is found;
- indicating no virus is detected if no virus signature is found and the flag is not set; and
- decrementing the pre-fetch queue size and repeating the emulating, setting, and scanning steps when the first flag is set and no virus signature is found.
10. A processor emulation module for emulating executable computer files running on versions of a processor having different size pre-fetch queues, the emulation module comprising:
- a pre-fetch queue module for receiving a plurality of instructions from the executable computer file, the pre-fetch queue module having an adjustable size;
- a decoder module coupled to the pre-fetch queue module for identifying an instruction received from the pre-fetch queue module;
- an execution module coupled to the decoder module and including a plurality of instruction routines corresponding to instructions supported by the processor versions, the instruction routines being activated when the corresponding instruction is identified by the decoder module; and
- a plurality of register modules coupled to the plurality of instruction routines for tracking a state of the emulated processor version according to instructions emulated by the execution module.
11. A computer-readable storage medium on which is stored data for simulating versions of a processor as a processor emulator having different pre-fetch queue sizes, the data being suitable for implementation by a processor to perform the steps of:
- selecting a pre-fetch queue size for the emulator;
- emulating instructions of the computer file;
- setting a first flag when an emulated instruction modifies another instruction within the selected pre-fetch queue size and the modified instruction is executed;
- scanning the emulated computer file for a virus signature;
- reducing the pre-fetch queue size and repeating the emulating, setting, and scanning steps when the first flag is set and no virus signature is found; and
- indicating a virus is not present when the first flag is not set and no virus signature is found.
Specification