System, apparatus and method for the detection and removal of viruses in macros
Abstract
The detection and removal of viruses from macros is disclosed. A macro virus detection module includes a macro locating and decoding module, a macro virus scanning module, a macro treating module, a file treating module, and a virus information module. The macro locating and decoding module determines whether a targeted file includes a macro, and, where a macro is found, locates and decodes it to produce a decoded macro. The macro virus scanning module accesses the decoded macro and scans it to determine whether it includes any viruses. Unknown macro viruses are detected by the macro virus scanning module by obtaining comparison data that includes sets of instruction identifiers from the virus information module and determining whether the decoded macro includes a combination of suspect instructions which correspond to instruction identifiers. The macro treating module locates suspect instructions in the decoded macro using the comparison data and removes the suspect instructions to produce a treated macro. The file correcting module accesses a targeted file with an infected macro and replaces the infected macro with the treated macro produced by the macro treating module.
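The pair-matching scan and the treatment step the abstract describes, as an added Python example that is not code from the patent; it uses the five identifier pairs recited in claims 18 and 23. The function names, the constructed sample buffers and the byte-excision treatment are assumptions, and locating and decoding the macro inside a file is out of scope.

```python
# Added example (not from the patent): pair-based scan of a decoded macro.
# The five identifier pairs are the hex strings recited in claims 18 and 23.
PAIRS_HEX = [
    ("73 CB 00 0C 6C 01 00", "67 C2 80"),
    ("73 CB 00 0C 6C 01 00", "64 6F 02 67 DE 00 73 87 01 12 73 7F"),
    ("73 CB 00 0C 6C 01 00", "6D 61 63 72 6F 73 76 08"),
    ("12 6C 01 00", "64 67 C2 80 6A 0F 47"),
    ("79 7C 66 6F 72 6D 61 74 20 63 6A", "80 05 6A 07 43 4F 4D"),
]
COMPARISON_DATA = [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in PAIRS_HEX]


def scan_macro(decoded, comparison_data=COMPARISON_DATA):
    """Return (set_number, first_offset, second_offset) for each set whose
    first AND second identifiers both occur; one identifier alone is no hit."""
    hits = []
    for number, (first, second) in enumerate(comparison_data, start=1):
        i = decoded.find(first)
        if i < 0:
            continue  # the second identifier only matters once the first is found
        j = decoded.find(second)
        if j >= 0:
            hits.append((number, i, j))
    return hits


def treat_macro(decoded, hits, comparison_data=COMPARISON_DATA):
    """Excise the identifiers of every matched set (assumption: the page says
    only that suspect instructions are removed, not how)."""
    idents = {ident for number, _, _ in hits for ident in comparison_data[number - 1]}
    for ident in sorted(idents, key=len, reverse=True):  # longest first
        decoded = decoded.replace(ident, b"")
    return decoded


# Constructed sample buffers, not real macro bodies.
FIRST_1, SECOND_1 = COMPARISON_DATA[0]
FIRST_4, SECOND_4 = COMPARISON_DATA[3]
INFECTED = b"\x01\x02" + FIRST_1 + b"\x10\x20" + SECOND_1 + b"\x99"
ONLY_FIRST = b"\x01" + FIRST_1 + b"\x02"  # first identifier of set 1 only
SET_4 = b"\xAA" + FIRST_4 + b"\xBB" + SECOND_4  # 67 C2 80 occurs inside set 4's string

if __name__ == "__main__":
    for name, buf in [("INFECTED", INFECTED), ("ONLY_FIRST", ONLY_FIRST), ("SET_4", SET_4)]:
        hits = scan_macro(buf)
        treated = treat_macro(buf, hits)
        print(name, hits, treated.hex(" "), scan_macro(treated))
```

The `SET_4` buffer contains `67 C2 80`, the second identifier of set 1, yet only set 4 is reported because set 1's first identifier is absent.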
25 Claims
1. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
obtaining comparison data including information for detecting a virus;
retrieving a macro;
decoding the macro to produce a decoded macro; and
scanning the decoded macro for a virus by comparing the decoded macro to the comparison data;
wherein the comparison data includes a first suspect instruction identifier and a second suspect instruction identifier;
wherein the scanning the decoded macro comprises;
determining whether the decoded macro includes a first portion which corresponds to the first suspect instruction identifier;
determining whether the decoded macro includes a second portion which corresponds to the second suspect instruction identifier;
determining that the decoded macro includes the virus if the decoded macro includes the first and second portions; and
wherein the first suspect instruction identifier identifies a macro virus enablement instruction.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
obtaining comparison data including information for detecting a virus;
retrieving a macro;
decoding the macro to produce a decoded macro;
scanning the decoded macro for a virus by comparing the decoded macro to the comparison data; and
removing the virus from the macro to produce a treated macro if the step of scanning the decoded macro indicates that the macro is infected with the virus;
verifying the integrity of the treated macro; and
replacing the infected macro in a targeted file with the treated macro dependent upon the integrity verification of the treated macro.

10. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
obtaining comparison data including information for detecting a virus;
retrieving a macro;
decoding the macro to produce a decoded macro;
scanning the decoded macro for a virus by comparing the decoded macro to the comparison data;
wherein the comparison data includes a first suspect instruction identifier and a second suspect instruction identifier; and
wherein a first set of respective first and second suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80.
Dependent claims: 11

12. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
retrieving a macro;
obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier; and
determining that the macro is infected with the virus if the macro includes the first and second portions;
wherein the first suspect instruction identifier includes the string 73 CB 00 0C 6C 01 00 and the second suspect instruction identifier includes the string 67 C2 80.
Dependent claims: 13, 14, 15, 16, 17

18. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
retrieving a macro;
obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
determining that the macro is infected with the virus if the macro includes the first and second portions, wherein the comparison data includes a plurality of sets of respective first and second suspect instruction identifiers; and
wherein a first set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set of suspect instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F 47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

19. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
retrieving a macro;
obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
determining that the macro is infected with the virus if the macro includes the first and second portions; and
treating the macro to produce a treated macro if it is determined that the macro includes the first and second portions, further comprising;
accessing a targeted file;
locating a macro within the targeted file;
removing the macro from the targeted file; and
adding the treated macro to the targeted file to produce a corrected file.

20. An apparatus for detecting viruses in macros, the apparatus comprising:
a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier;
a macro locating and decoding module, in communication with the macro virus scanning module, for accessing a targeted file, determining whether the targeted file is a template file, determining whether the targeted file includes an embedded macro, and decoding the macro to produce a decoded macro;
a macro treating module, in communication with the virus information module, for accessing the decoded macro and removing a first macro instruction which corresponds to the first suspect instruction identifier and a second macro instruction which corresponds to the second suspect instruction identifier to produce a treated macro; and
a file correcting module, in communication with the macro treating module, for accessing the targeted file, locating the macro within the targeted file, removing the macro from the targeted file and adding the treated macro to the targeted file to produce a corrected file.
Dependent claims: 21

22. An apparatus for detecting viruses in macros, the apparatus comprising:
a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier; and
a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier,
wherein the first instruction identifier includes the string 73 CB 00 0C 6C 01 00 and the second suspect instruction identifier includes the string 67 C2 80.

23. An apparatus for detecting viruses in macros, the apparatus comprising:
a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier; and
a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier;
wherein the comparison data includes a plurality of sets of respective first and second suspect instruction identifiers; and
wherein a first set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set of suspect instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F 47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

24. An apparatus for detecting viruses in macros, the apparatus comprising:
means for obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
means for scanning the macro to determine whether a macro includes a first portion which corresponds to the first suspect instruction identifier;
means for scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
means for determining that the macro is infected with the virus if the macro includes the first and second portions;
means for accessing a targeted file and determining whether the targeted file includes a macro; and
means for correcting a file, the means for correcting a file including means for accessing the targeted file, means for removing the macro from the targeted file and means for adding the treated macro to the targeted file to produce a corrected file.
Dependent claims: 25

Specification