State-based cache for antivirus software

US 5,854,916 A
Filed: 11/27/1996
Issued: 12/29/1998
Est. Priority Date: 09/28/1995
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:

simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;

suspending the simulated execution;

constructing a current state record of the CPU emulator;

comparing the current state record to state records previously stored in a state-based cache;

indicating that no virus is detected when the current state record matches one of the previously stored state records;

wherein each state record includes a total number of data writes to a virtual memory performed during the simulated execution of the computer file by the CPU emulator; and

wherein each state record includes a cyclic redundancy check value calculated from the data writes to the virtual memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (304) a state record, temporarily storing (305) the state record in memory, comparing (306) the constructed state record to state records stored in a state cache (158), and indicating (308) that the file is virus free when the constructed state record matches one of the stored state records.

Citations

5 Claims

1. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
  
  suspending the simulated execution;
  
  constructing a current state record of the CPU emulator;
  
  comparing the current state record to state records previously stored in a state-based cache;
  
  indicating that no virus is detected when the current state record matches one of the previously stored state records;
  
  wherein each state record includes a total number of data writes to a virtual memory performed during the simulated execution of the computer file by the CPU emulator; and
  
  wherein each state record includes a cyclic redundancy check value calculated from the data writes to the virtual memory.

2. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for detecting computer viruses in a computer file, comprising:
- computer-readable program code devices configured to simulate execution of the computer file on a CPU emulator for a first predetermined number of instructions wherein the first predetermined number of instructions is less than 20;
  
  computer-readable program code devices configured to suspend the simulated execution;
  
  computer-readable program code devices configured to construct a current state record of the CPU emulator;
  
  computer-readable program code devices configured to compare the current state record to state records previously stored in a state-based cache; and
  
  computer-readable program code devices configured to indicate that no virus is detected when the current state record matches one of the previously stored state records.

3. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions, wherein the first predetermined number of instructions is less than 20suspending the simulated execution;
  
  constructing a current state record of the CPU emulator;
  
  comparing the current state record to state records previously stored in a state-based cache; and
  
  indicating that no virus is detected when the current state record matches one of the previously stored state records.

4. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
  
  suspending the simulated execution;
  
  constructing a current state record of the CPU emulator;
  
  comparing the current state record to state records previously stored in a state-based cache;
  
  indicating that no virus is detected when the current state record matches one of the previously stored state records;
  
  wherein each state record includes a value of a virtual instruction pointer within the CPU emulator; and
  
  wherein each state record includes a byte from a virtual memory address nearby an address corresponding to the value of the virtual instruction pointer.

5. A computer-implemented method for detecting computer viruses in a computer file, the method comprising:
- simulating execution of the computer file by a CPU emulator in a computer memory for a first predetermined number of instructions;
  
  suspending the simulated execution;
  
  constructing a current state record of the CPU emulator;
  
  comparing the current state record to state records previously stored in a state-based cache;
  
  indicating that no virus is detected when the current state record matches one of the previously stored state records; and
  
  wherein each state record includes a byte from a virtual memory address nearby an address corresponding to a value of a virtual stack pointer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Teska, Kevin J.
Assistant Examiner(s)
Fiul, Dan

Application Number

US08/757,935
Time in Patent Office

762 Days
Field of Search

395/500, 395/183.14, 395/181, 364/578, 364/580, 364/550, 364/579, 380/4
US Class Current

703/21
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

State-based cache for antivirus software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

State-based cache for antivirus software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links