Detection and elimination of macro viruses

US 5,978,917 A
Filed: 08/14/1997
Issued: 11/02/1999
Est. Priority Date: 08/14/1997
Status: Expired due to Term

First Claim

Patent Images

1. Apparatus for detecting publicly identified and publicly unidentified macro viruses, said apparatus comprising:

a digital computer having at least one storage device;

an application program associated with said computer;

a global environment associated with said application program;

at least one local document generated by said application program and located within said storage device;

an emulator coupled to said global environment and to said local document(s), said emulator adapted to execute macros contained within said global environment and said local document(s) in a simulated manner; and

coupled to said emulator, a detection module adapted to detect the presence of publicly identified and publicly unidentified macro viruses based upon a preselected decision criterion and based upon information provided by said emulator to said detection module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and method for detecting the presence of macro viruses within a digital computer (1). An application program (5) is associated with the digital computer (1). A global environment (13) is associated with the application program (5). The application program (5) generates at least one local document (11). Macros contained within the global environment (13) and the local document(s) (11) are executed in a simulated manner by an emulator (15). At least one preselected decision criterion is used by a detection module (17) to declare when a macro virus is deemed to be present. Such a criterion is typically the presence of a bidirectional macro, i.e., a macro that copies from a local document (11) to the global environment (13) and vice-versa. Macros deemed to be viruses are preferably deleted by a repair module (19). Additional deletion criteria may include the presence of macros that have the same source name or the same destination name as a bidirectional macro. In the preferred emulation steps, emulator (15) tests all of the macros associated with computer (1) in two steps. The first step assumes that the macros reside within the global environment (13), regardless of whether they reside within the global environment (13) or within a local document (11). The second step assumes that the macros reside within a local document (11), regardless of whether they reside within a local document (11) or within the global environment (13).

Citations

12 Claims

1. Apparatus for detecting publicly identified and publicly unidentified macro viruses, said apparatus comprising:
- a digital computer having at least one storage device;
  
  an application program associated with said computer;
  
  a global environment associated with said application program;
  
  at least one local document generated by said application program and located within said storage device;
  
  an emulator coupled to said global environment and to said local document(s), said emulator adapted to execute macros contained within said global environment and said local document(s) in a simulated manner; and
  
  coupled to said emulator, a detection module adapted to detect the presence of publicly identified and publicly unidentified macro viruses based upon a preselected decision criterion and based upon information provided by said emulator to said detection module.
- View Dependent Claims (2)
- - 2. The apparatus of claim 1 further comprising:
    - coupled to said detection module, a repair module for eliminating macro viruses detected by said detection module.

3. A method for detecting the presence of publicly identified and publicly unidentified macro viruses within a digital computer, said method comprising the steps of:
- associating an application program with said digital computer;
  
  associating a global environment with said application program;
  
  causing said application program to generate at least one local document;
  
  emulating the execution of macros contained within said global environment and said local document(s); and
  
  applying at least one preselected decision criterion to results of said emulating step to declare when a publicly identified macro virus is deemed to be present and to declare when a publicly unidentified macro virus is deemed to be present.
- View Dependent Claims (4, 5, 6, 9, 10, 11, 12)
- - 4. The method of claim 3 further comprising the step of deleting a macro virus when said macro virus is deemed to be present.
  - 5. The method of claim 3 wherein a preselected decision criterion is the presence of a bidirectional macro that propagates, during the emulating step, from a local document to the global environment and from the global environment to a local document.
  - 6. The method of claim 5 further comprising the step of deleting each said bidirectional macro.
  - 9. The method of claim 5 wherein a first macro causes the bidirectional macro to propagate from a local document to the global environment, and a second macro distinct from the first macro causes the bidirectional macro to propagate from the global environment to a local document.
  - 10. The method of claim 9 wherein the first macro is the bidirectional macro.
  - 11. The method of claim 9 wherein the second macro is the bidirectional macro.
  - 12. The method of claim 3 wherein the emulating step comprises the substeps of:
    - performing a first emulation upon at least one test macro assuming that said test macro resides within said global environment, regardless of whether said test macro resides within said global environment or within a local document, while telling said test macro that there are no macros within said local document(s), regardless of whether there are any macros within said local document(s); and
      
      performing a second emulation upon at least one test macro assuming that said test macro resides within a local document, regardless of whether said test macro resides within a local document or said global environment, while telling said test macro that there are no macros within said global environment, regardless of whether there are any macros within said global environment.

7. A method for detecting the presence of macro viruses within a digital computer, said method comprising the steps of:
- associating an application program with said digital computer;
  
  associating a global environment with said application program;
  
  causing said application program to generate at least one local document;
  
  emulating the execution of macros contained within said global environment and said local document(s); and
  
  applying at least one preselected decision criterion to results of said emulating step to declare when a macro virus is deemed to be present;
  
  wherein a preselected decision criterion is the presence of a bidirectional macro that propagates, during the emulating step, from a local document to the global environment and from the global environment to a local document; and
  
  a preselected decision criterion is the presence of a macro having a same source name as any said bidirectional macro.

8. A method for detecting the presence of macro viruses within a digital computer, said method comprising the steps of:
- associating an application program with said digital computer;
  
  associating a global environment with said application program;
  
  causing said application program to generate at least one local document;
  
  emulating the execution of macros contained within said global environment and said local document(s); and
  
  applying at least one preselected decision criterion to results of said emulating step to declare when a macro virus is deemed to be present;
  
  wherein a preselected decision criterion is the presence of a bidirectional macro that propagates, during the emulating step, from a local document to the global environment and from the global environment to a local document; and
  
  a preselected decision criterion is the presence of a macro having a same destination name as any said bidirectional macro.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chi, Darren
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
HAMDAN, WASSEEM H

Application Number

US08/911,298
Time in Patent Office

810 Days
Field of Search

395/187.01, 395/186, 380/3, 380/4, 713/201, 713/200
US Class Current

726/22
CPC Class Codes

A63B 21/028 made of material having hig...

A63B 23/16 for hands or fingers for te...

Detection and elimination of macro viruses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and elimination of macro viruses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links