Antivirus accelerator

US 6,021,510 A
Filed: 11/24/1997
Issued: 02/01/2000
Est. Priority Date: 11/24/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer-based method for examining a file associated with a digital computer, said file containing a plurality of file sectors, to determine whether a computer virus is present within said file, the method comprising the steps of:

when the file is being examined an initial time;

scanning selected file sectors of the file by an antivirus module, the selected file sectors being fewer than all of the file sectors and defining a critical fixed set of sectors; and

storing into a first storage area the number of each file sector that is scanned and a hash value of each sector that is scanned; and

when the file is being examined a subsequent time;

computing a hash value only for each file sector in the critical fixed set of sectors;

comparing each computed hash value with the hash value stored within said first storage area for the corresponding sector; and

rescanning the file by the antivirus module when any computed hash value fails to match a corresponding stored hash value for any sector in the a critical fixed set of sectors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for examining a file (1) associated with a digital computer (2) to determine whether a computer virus is present within the file (1). The file (1) contains at least one numbered sector. When the file (1) is examined for an initial time, the file (1) is scanned by an antivirus module (3, 5). At that time, the numbers of the sectors being scanned and a hash value for each scanned sector are stored into a critical sector file (4). The hash values can be calculated by an antivirus accelerator module (5). When the file (1) is examined a subsequent time, all of the file (1) sectors that were scanned the initial time are examined by the antivirus accelerator module (5). Each of these sectors again has its hash value calculated and compared with the hash value of the corresponding sector as stored within the critical sector file (4). When any calculated hash value fails to match a corresponding stored hash value for any sector, the antivirus scan module (3) is commanded to rescan the entire file (1)

Citations

11 Claims

1. A computer-based method for examining a file associated with a digital computer, said file containing a plurality of file sectors, to determine whether a computer virus is present within said file, the method comprising the steps of:
- when the file is being examined an initial time;
  
  scanning selected file sectors of the file by an antivirus module, the selected file sectors being fewer than all of the file sectors and defining a critical fixed set of sectors; and
  
  storing into a first storage area the number of each file sector that is scanned and a hash value of each sector that is scanned; and
  
  when the file is being examined a subsequent time;
  
  computing a hash value only for each file sector in the critical fixed set of sectors;
  
  comparing each computed hash value with the hash value stored within said first storage area for the corresponding sector; and
  
  rescanning the file by the antivirus module when any computed hash value fails to match a corresponding stored hash value for any sector in the a critical fixed set of sectors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 comprising the additional step of setting the entire contents of the first storage area to zero before the file is examined for the initial time.
  - 3. The method of claim 1 wherein, during the initial examination of the file, the sector numbers are automatically read into the first storage area by means of hooks associated with engines of the antivirus module.
  - 4. The method of claim 1 wherein, during the initial examination of the file, the antivirus module determines the size of the file and stores said size within the first storage area.
  - 5. The method of claim 4 wherein, during subsequent examinations of the file, the size of the file is computed, and when the computed file size differs from the file size stored in the first storage area, the entire file is scanned for viruses by the antivirus module.
  - 6. The method of claim 1, wherein the steps associated with a subsequent examination of the file are performed whenever the size of the file has not changed since the initial examination of the file.
  - 7. The method of claim 1, wherein, when the computed hash values respectively match all of the corresponding stored hash values, the antivirus module declares that the file is unchanged in a way that could allow for a viral infection.
  - 8. The method of claim 1, wherein, when the antivirus module fails to detect a virus in the file during the initial examination of the file, the contents of the first storage area are moved to a second storage area more permanent than the first storage area.
  - 9. The method of claim 8, wherein, during a subsequent examination of the file, hash values that are computed by the antivirus module are compared with contents of said second storage area.
  - 10. The method of claim 8, wherein, when the antivirus module is changed, the contents of the second storage area are deemed to be invalid and the file is reexamined for viruses.

11. Apparatus for speeding detection of computer viruses, the apparatus comprising:
- a first file associated with a digital computer and containing a plurality of numbered sectors;
  
  coupled to the first file, an antivirus scan module adapted to detect the presence of computer viruses only within selected file sectors of the first file, the selected files sectors being fewer than all of the file sectors and defining a critical fixed set of sectors;
  
  coupled to the antivirus scan module, an antivirus accelerator module;
  
  coupled to the antivirus accelerator module, a register means indicating whether the first file has already been scanned by the antivirus scan module; and
  
  a critical sectors file coupled to a module from the group of modules consisting of the antvirus accelerator module and the antivirus scan module, said critical sectors file containing the size of the first file, the number of the sectors from the first file scanned by the antivirus scan module, and a hash value only for each sector in the critical fixed set of sectors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Power Management Enterprises LLC (IPNav)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Hamdan, Wasseem H.

Application Number

US08/977,408
Time in Patent Office

799 Days
Field of Search

714/38, 714/48, 714/45, 714/46, 714/33, 714/2, 714/25, 395/704, 380/4, 713/200
US Class Current

714/38.14
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/6209   to a single file or object,...

G06F 21/645   using a third party

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2139   Recurrent verification

Antivirus accelerator

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Antivirus accelerator

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links