Data driven detection of viruses
Abstract
A virus detection system (VDS) (400) operates under the control of P-code to detect the presence of a virus in a file (100) having multiple entry points. P-code is an intermediate instruction format that uses primitives to perform certain functions related to the file (100). The VDS (400) executes the P-code, which provides Turing-equivalent capability to the VDS. The VDS (400) has a P-code data file (410) for holding the P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating entry points of the file. When executed, the P-code examines the file (100), posts (514) regions that may be infected by a virus for scanning, and posts (518) entry points that may be infected by a virus for emulating. The P-code can also detect (520) certain viruses algorithmically. Then, the posted regions and entry points of the file (100) are scanned (526) and emulated (534) to determine if the file is infected with a virus. This technique allows the VDS (400) to perform sophisticated analysis of files having multiple entry points in a relatively brief amount of time. In addition, the functionality of the VDS (400) can be changed by changing the P-code, reducing the need for burdensome engine updates.
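The architecture the abstract describes, as an added worked example in Python (this is not the patent's code, and the page does not give the real P-code or its primitives): an engine whose behaviour is driven entirely by a P-code program, which examines each entry point, posts entry points for emulation and regions of virtual memory for scanning, and can flag a file algorithmically; an emulating module that runs a posted entry point in a copy of the file; and a scanning module that looks for VDF signatures in the posted regions afterwards. The TF file format, the P-code primitive set (MATCH, READ_U16, POST_EMULATE, POST_SCAN, ALGO_IF_VAR), the toy CPU and the XOR-encrypted sample virus are all constructed for this illustration.

```python
"""Toy data-driven virus detection system (VDS) modelled on the abstract above.
Added illustration, not the patent's own code: the file format, the P-code
primitives, the virtual-CPU instruction set and the sample virus are all
constructed here."""
from dataclasses import dataclass, field

# Constructed file format: b"TF", entry count, 16-bit little-endian entry offsets, body.
def entry_points(data: bytes) -> list[int]:
    if data[:2] != b"TF":
        raise ValueError("not a TF image")
    return [int.from_bytes(data[3 + 2 * i:5 + 2 * i], "little") for i in range(data[2])]

# Emulating module: toy CPU (four 16-bit registers) run over a private copy of the file.
# 00 HALT | 01 r lo hi LOADI | 02 ra rb XORM mem[R[ra]] ^= R[rb] | 03 r INC | 04 r DEC
# 05 r lo hi JNZ. A self-decrypting body becomes visible in the returned virtual memory.
def emulate(data: bytes, ep: int, max_steps: int = 10_000) -> bytearray:
    mem, reg, pc = bytearray(data), [0] * 4, ep
    for _ in range(max_steps):                       # step budget: emulation must terminate
        if pc >= len(mem) or mem[pc] == 0x00 or pc + 4 > len(mem):
            break                                    # HALT, off the image, or truncated opcode
        op, a, lo, hi = mem[pc], mem[pc + 1] & 3, mem[pc + 2], mem[pc + 3]
        if op == 0x01:
            reg[a], pc = lo | (hi << 8), pc + 4
        elif op == 0x02:
            if reg[a] < len(mem):
                mem[reg[a]] ^= reg[lo & 3] & 0xFF
            pc += 3
        elif op == 0x03:
            reg[a], pc = (reg[a] + 1) & 0xFFFF, pc + 2
        elif op == 0x04:
            reg[a], pc = (reg[a] - 1) & 0xFFFF, pc + 2
        elif op == 0x05:
            pc = lo | (hi << 8) if reg[a] else pc + 4
        else:
            break                                    # unknown opcode: keep what was decrypted so far
    return mem

# Scanning module: match VDF signatures inside one region of (virtual) memory.
def scan(mem: bytes, lo: int, hi: int, vdf: dict[str, bytes]) -> list[str]:
    window = bytes(mem[lo:hi])
    return [name for name, sig in vdf.items() if sig in window]

@dataclass
class Engine:
    data: bytes
    vdf: dict[str, bytes]
    posted_emulate: list[int] = field(default_factory=list)
    posted_scan: list[tuple[int, int, int]] = field(default_factory=list)   # (ep, lo, hi)
    algorithmic: list[tuple[str, int]] = field(default_factory=list)

    def interpret(self, pcode: list[tuple], ep: int) -> None:
        """P-code interpreter: primitives examine one entry point and post work;
        only ALGO_IF_VAR detects directly (the 'algorithmic' path of the abstract)."""
        var, flag = {}, True
        for prim, *args in pcode:
            if prim == "MATCH":                      # (offset, pattern); None = wildcard byte
                off, pat = args
                chunk = self.data[ep + off:ep + off + len(pat)]
                flag = len(chunk) == len(pat) and all(p is None or p == b for p, b in zip(pat, chunk))
            elif not flag:
                continue                             # everything after a failed MATCH is skipped
            elif prim == "READ_U16":                 # (offset, name): lift an operand into a variable
                var[args[1]] = int.from_bytes(self.data[ep + args[0]:ep + args[0] + 2], "little")
            elif prim == "POST_EMULATE":
                self.posted_emulate.append(ep)
            elif prim == "POST_SCAN":                # (start_var, length): region of virtual memory
                self.posted_scan.append((ep, var[args[0]], var[args[0]] + args[1]))
            elif prim == "ALGO_IF_VAR":              # (name, var, value): detect without a signature
                if var.get(args[1]) == args[2]:
                    self.algorithmic.append((args[0], ep))

    def run(self, pcode: list[tuple]) -> list[tuple[str, int]]:
        for ep in entry_points(self.data):           # phase 1: P-code examines every entry point
            self.interpret(pcode, ep)
        found = list(self.algorithmic)               # phase 2: emulate, then scan posted regions
        vmem = {ep: emulate(self.data, ep) for ep in self.posted_emulate}
        for ep, lo, hi in self.posted_scan:
            found += [(n, ep) for n in scan(vmem.get(ep, self.data), lo, hi, self.vdf)]
        return found

# Data side. Both are replaceable without touching the engine: the P-code recognises a
# three-LOADI-then-XORM decryptor, reads its operands, and posts the target for emulation/scan.
PCODE = [
    ("MATCH", 0, [0x01, None, None, None, 0x01, None, None, None, 0x01, None, None, None, 0x02]),
    ("READ_U16", 2, "body"),                         # operand of LOADI r0: address being decrypted
    ("READ_U16", 6, "len"),                          # operand of LOADI r1: bytes decrypted
    ("POST_EMULATE",),
    ("POST_SCAN", "body", 64),
    ("ALGO_IF_VAR", "Toy.Xor.gen", "len", 13),       # generic: this decryptor shape + 13-byte body
]
VDF = {"Toy.Xor.A": b"VIRUS!"}                       # signature of the *decrypted* body

KEY, BODY = 0x5A, b"VIRUS!payload"                   # constructed sample virus (13-byte body)
def build_sample(infected: bool) -> bytes:
    clean = b"\x00" + b"\x90" * 15                   # entry 0: HALT then padding
    ep0, ep1 = 7, 7 + len(clean)                     # header is 3 + 2*2 bytes
    if not infected:
        return b"TF\x02" + ep0.to_bytes(2, "little") * 2 + clean
    body_addr = ep1 + 24                             # the decryptor below is exactly 24 bytes
    dec = (b"\x01\x00" + body_addr.to_bytes(2, "little")       # LOADI r0, body_addr
           + b"\x01\x01" + len(BODY).to_bytes(2, "little")    # LOADI r1, len(BODY)
           + b"\x01\x02" + bytes([KEY, 0])                     # LOADI r2, KEY
           + b"\x02\x00\x02\x03\x00\x04\x01"                   # loop: XORM [r0],r2; INC r0; DEC r1
           + b"\x05\x01" + (ep1 + 12).to_bytes(2, "little")   # JNZ r1, loop
           + b"\x00")                                          # HALT (a real virus would jump to the body)
    return (b"TF\x02" + ep0.to_bytes(2, "little") + ep1.to_bytes(2, "little")
            + clean + dec + bytes(b ^ KEY for b in BODY))

def detect(data: bytes) -> list[tuple[str, int]]:
    return Engine(data, VDF).run(PCODE)

if __name__ == "__main__":
    print("clean:", detect(build_sample(False)))       # []
    print("infected:", detect(build_sample(True)))     # [('Toy.Xor.gen', 23), ('Toy.Xor.A', 23)]
```

Two details matter in practice. Scanning the infected image as it sits on disk finds nothing, because the body is encrypted; the signature only appears in the virtual memory produced by emulating the posted entry point, which is why the abstract separates posting, emulation and scanning into phases. And the emulator carries a step budget and stops on unknown opcodes or out-of-image fetches, so a malformed or hostile decryptor cannot hang the engine; whatever was decrypted before the stop is still scanned.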
20 Claims
1. A virus detection system for detecting if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the system comprising:
an engine for controlling operation of the virus detection system responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus;
an emulating module coupled to the engine for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during the emulation of an entry point of the file infected by the virus; and
a scanning module coupled to the engine for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature in a scanned region indicates that the file is infected by the virus.
(Dependent claims 2, 3, 4, 5, 6 and 7 not reproduced here.)
8. A method for detecting a virus in a computer file, the file having a plurality of potential virus entry points, the method comprising the steps of:
executing instructions stored in an intermediate language representation, the instructions performing the steps of:
examining regions of the file for possible infection by viruses and posting for scanning any regions exhibiting characteristics indicating a possible virus infection;
examining the plurality of potential virus entry points of the file for possible infection by viruses and posting for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection; and
examining the posted regions of the file to algorithmically determine whether the file is infected with a virus.
(Dependent claims 9, 10, 11, 12 and 13 not reproduced here.)
14. A computer program product comprising:
a computer usable medium having computer readable code embodied therein for determining if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the computer readable code comprising:
an engine for controlling the operation of the computer program product responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection;
an emulating module for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during emulation of an entry point of the file infected by the virus; and
a scanning module for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature indicates that the file is infected by the virus.
(Dependent claims 15, 16, 17, 18, 19 and 20 not reproduced here.)