State-based cache for antivirus software
Abstract
A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (304) a state record, temporarily storing (305) the state record in memory, comparing (306) the constructed state record to state records stored in a state cache (158), and indicating (308) that the file is virus free when the constructed state record matches one of the stored state records.
5 Claims
1. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
- suspending the simulated execution;
- constructing a current state record of the CPU emulator;
- comparing the current state record to state records previously stored in a state-based cache;
- indicating that no virus is detected when the current state record matches one of the previously stored state records;
- wherein each state record includes a total number of data writes to a virtual memory performed during the simulated execution of the computer file by the CPU emulator; and
- wherein each state record includes a cyclic redundancy check value calculated from the data writes to the virtual memory.
2. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for detecting computer viruses in a computer file, comprising:
- computer-readable program code devices configured to simulate execution of the computer file on a CPU emulator for a first predetermined number of instructions wherein the first predetermined number of instructions is less than 20;
- computer-readable program code devices configured to suspend the simulated execution;
- computer-readable program code devices configured to construct a current state record of the CPU emulator;
- computer-readable program code devices configured to compare the current state record to state records previously stored in a state-based cache; and
- computer-readable program code devices configured to indicate that no virus is detected when the current state record matches one of the previously stored state records.
3. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions, wherein the first predetermined number of instructions is less than 20;
- suspending the simulated execution;
- constructing a current state record of the CPU emulator;
- comparing the current state record to state records previously stored in a state-based cache; and
- indicating that no virus is detected when the current state record matches one of the previously stored state records.
4. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
- suspending the simulated execution;
- constructing a current state record of the CPU emulator;
- comparing the current state record to state records previously stored in a state-based cache;
- indicating that no virus is detected when the current state record matches one of the previously stored state records;
- wherein each state record includes a value of a virtual instruction pointer within the CPU emulator; and
- wherein each state record includes a byte from a virtual memory address nearby an address corresponding to the value of the virtual instruction pointer.
5. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
- suspending the simulated execution;
- constructing a current state record of the CPU emulator;
- comparing the current state record to state records previously stored in a state-based cache;
- indicating that no virus is detected when the current state record matches one of the previously stored state records; and
- wherein each state record includes a byte from a virtual memory address nearby an address corresponding to a value of a virtual stack pointer.
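A sketch of the claimed flow, added here as an illustration and not taken from the patent: a constructed toy instruction set stands in for the CPU emulator, the record holds the fields named in claims 1, 4 and 5, and `scan` consults the cache before calling a hypothetical `full_scan` routine. Storing a record only after a full scan finds nothing, and reading the byte exactly at the instruction pointer and stack pointer addresses, are assumptions.

```python
import zlib
from dataclasses import dataclass

# Constructed toy instruction set (not a real CPU): opcode -> operand bytes.
NOP, PUSH, STORE, JMP, HALT = 0x00, 0x01, 0x02, 0x03, 0xFF
OPERANDS = {NOP: 0, PUSH: 1, STORE: 2}

@dataclass(frozen=True)          # frozen -> hashable, so records fit in a set
class StateRecord:
    write_count: int             # total data writes to virtual memory (claim 1)
    write_crc: int               # CRC over those writes (claim 1)
    ip: int                      # virtual instruction pointer (claim 4)
    byte_at_ip: int              # byte at the IP address (claim 4)
    byte_at_sp: int              # byte at the stack pointer address (claim 5)

def emulate(code: bytes, max_instructions: int) -> StateRecord:
    """Simulate up to max_instructions, suspend, and build the state record."""
    mem = bytearray(256)         # virtual memory; file image loaded at 0
    mem[:len(code)] = code[:256]
    ip = sp = writes = crc = 0

    def write(addr: int, value: int) -> None:
        nonlocal writes, crc
        mem[addr] = value
        writes += 1
        crc = zlib.crc32(bytes([addr, value]), crc)

    for _ in range(max_instructions):
        op, a, b = (mem[(ip + i) % 256] for i in range(3))
        if op == PUSH:
            sp = (sp - 1) % 256
            write(sp, a)
        elif op == STORE:
            write(a, b)
        elif op == JMP:
            ip = a
            continue
        elif op != NOP:          # HALT or unknown opcode ends the run early
            break
        ip = (ip + 1 + OPERANDS[op]) % 256
    return StateRecord(writes, crc, ip, mem[ip], mem[sp])

def scan(code: bytes, cache: set, full_scan, n: int = 16) -> str:
    """full_scan is a hypothetical callable returning True when a virus is found."""
    record = emulate(code, n)
    if record in cache:          # state matches a stored record: skip the scan
        return "clean (cache hit)"
    if full_scan(code):
        return "virus"
    cache.add(record)            # assumption: store records of files found clean
    return "clean (full scan)"
```

The default of 16 instructions is an arbitrary value chosen to sit under the "less than 20" limit in claims 2 and 3.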
Specification