Data driven detection of viruses

US 6,851,057 B1
Filed: 11/30/1999
Issued: 02/01/2005
Est. Priority Date: 11/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. A virus detection system for detecting if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the system comprising:

an engine for controlling operation of the virus detection system responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus;

an emulating module coupled to the engine for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during the emulation of an entry points of the file infected by the virus; and

a scanning module coupled to the engine for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature in a scanned region indicates that the file is infected by the virus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virus detection system (VDS) (400) operates under the control of P-code to detect the presence of a virus in a file (100) having multiple entry points. P-code is an intermediate instruction format that uses primitives to perform certain functions related to the file (100). The VDS (400) executes the P-code, which provides Turing-equivalent capability to the VDS. The VDS (400) has a P-code data file (410) for holding the P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating entry points of the file. When executed, the P-code examines the file (100), posts (514) regions that may be infected by a virus for scanning, and posts (518) entry points that may be infected by a virus for emulating. The P-code can also detect (520) certain viruses algorithmically. Then, the posted regions and entry points of the file (100) are scanned (526) and emulated (534) to determine if the file is infected with a virus. This technique allows the VDS (400) to perform sophisticated analysis of files having multiple entry points in a relatively brief amount of time. In addition, the functionality of the VDS (400) can be changed by changing the P-code, reducing the need for burdensome engine updates.

Citations

20 Claims

1. A virus detection system for detecting if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the system comprising:
- an engine for controlling operation of the virus detection system responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus;
  
  an emulating module coupled to the engine for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during the emulation of an entry points of the file infected by the virus; and
  
  a scanning module coupled to the engine for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature in a scanned region indicates that the file is infected by the virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The virus detection system of claim 1, further comprising:
    - a custom module coupled to the engine for executing custom virus-detection code responsive to invocation by the engine.
  - 3. The virus detection system of claim 1, wherein the intermediate language is P-code and the engine comprises:
    - a P-code interpreter for interpreting the P-code and controlling the operation of the virus detection system responsive thereto.
  - 4. The virus detection system of claim 3, wherein the engine further comprises:
    - primitives for performing operations with respect to the file and the virtual memory responsive to invocations of the primitives by the P-code.
  - 5. The virus detection system of claim 1, further comprising:
    - a virus definition file coupled to the scanning module for holding virus signatures for use by the scanning module.
  - 6. The virus detection system of claim 1, wherein the instructions stored in the intermediate language post regions of the file for scanning by the scanning module.
  - 7. The virus detection system of claim 6, wherein postings identifying overlapping regions are merged into a single posting identifying the regions of the merged postings.

8. A method for detecting a virus in a computer file, the file having a plurality of potential virus entry points, the method comprising the steps of:
- executing instructions stored in an intermediate language representation, the instructions performing the steps of;
  
  examining regions of the file for possible infection by viruses and posting for scanning any regions exhibiting characteristics indicating a possible virus infection;
  
  examining the plurality of potential virus entry points of the file for possible infections by viruses and posting for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection; and
  
  examining the posted regions of the file to algorithmically determine whether the file is infected with a virus.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the instructions further perform the steps of:
    - merging overlapping regions posted for scanning.
  - 10. The method of claim 8, wherein the instructions further perform the step of:
    - calling a custom executable program to determine when the file is infected with a virus.
  - 11. The method of claim 8, further comprising the step of:
    - scanning the regions of the file posted for scanning for signatures of known viruses.
  - 12. The method of claim 8, further comprising the steps of:
    - emulating the posted entry points in a virtual memory to allow the viruses to become apparent;
      
      scanning the virtual memory for signatures of the viruses; and
      
      examining stochastic information obtained during emulation to detect the presence of the known viruses.
  - 13. The method of claim 8, wherein the step of examining the plurality of potential virus entry points of the file for possible infections by viruses and posting for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection comprises the step of:
    - determining if a main entry point of the file has known non-viral code;
      
      wherein the main entry point is posted for emulating responsive to a determination that the main entry point does not have known non-viral code.

14. A computer program product comprising:
- a computer usable medium having computer readable code embodied therein for determining if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the computer readable code comprising;
  
  an engine for controlling the operation of the computer program product responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection;
  
  an emulating module for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during emulation of an entry points of the file infected by the virus; and
  
  a scanning module for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature indicates that the file is infected by the virus.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14, further comprising:
    - a custom module for executing custom virus-detection code responsive to invocation by the engine.
  - 16. The computer program product of claim 14, wherein the intermediate language is P-code and the engine comprises:
    - a P-code interpreter for interpreting the P-code and controlling the operation of the engine responsive thereto.
  - 17. The computer program product of claim 16, wherein the engine further comprises:
    - primitives for performing operations with respect to the file and the virtual memory responsive to invocations of the primitives by the P-code.
  - 18. The computer program product of claim 14, further comprising:
    - a virus definition file for holding virus signatures for use by the scanning module.
  - 19. The computer program product of claim 14, wherein the instructions stored in the intermediate language post regions of the file for scanning by the scanning module.
  - 20. The computer program product of claim 19, wherein postings identifying overlapping regions are merged into a single posting identifying the regions of the merged postings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US09/451,632
Time in Patent Office

1,890 Days
Field of Search

713/188, 713/200, 713/201, 914/38, 703/23, 703/26, 380/4, 380/25
US Class Current

726/24
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

Data driven detection of viruses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data driven detection of viruses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links