Providing break points in a malware scanning operation

US 6,968,461 B1
Filed: 10/03/2000
Issued: 11/22/2005
Est. Priority Date: 10/03/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of detecting computer viruses within a computer file, said method composing the steps of:

receiving a request to scan a computer file for computer viruses;

initiating a virus scanning operation upon said computer file;

calculating during said virus scanning operation a measurement value indicative of an amount of data processing performed during said virus scanning operation, wherein the measurement value is based, at least in part, on at least one of a data size of the computer file and a complexity of tests of the virus scanning operation;

comparing during said virus scanning said measurement value with a threshold value; and

triggering a break in said virus operation prior to completion of the tests to determine as to whether the computer file is infected, if said measurement value exceeds said threshold value to prevent overload of a virus scanner.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer virus scanning system is described in which during the scanning operation a measurement value indicative of the amount of data processing performed is calculated and this measurement value used to trigger breaks in the virus scanning operation. The triggered breaks can be used to perform a determination as to whether or not the virus scanning operations should be early terminated. One possibility is to measure the total size of the data processed during the virus scanning operation and calculate a ratio of this compared to the size of the computer file being virus scanned. If this calculated ratio exceeds a predetermined threshold, then virus scanning may be terminated. Another possibility is to associate a complexity value with each of a plurality of tests applied in the virus scanning operation. A total for these complexity values may be used to trigger the breaks and also to trigger early termination upon exceeding of respective threshold levels.

92 Citations

View as Search Results

30 Claims

1. A method of detecting computer viruses within a computer file, said method composing the steps of:
- receiving a request to scan a computer file for computer viruses;
  
  initiating a virus scanning operation upon said computer file;
  
  calculating during said virus scanning operation a measurement value indicative of an amount of data processing performed during said virus scanning operation, wherein the measurement value is based, at least in part, on at least one of a data size of the computer file and a complexity of tests of the virus scanning operation;
  
  comparing during said virus scanning said measurement value with a threshold value; and
  
  triggering a break in said virus operation prior to completion of the tests to determine as to whether the computer file is infected, if said measurement value exceeds said threshold value to prevent overload of a virus scanner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as claimed in claim 1, further comprising the step of, upon occurrence of said break, determining using said measurement value whether or not said virus scanning operation should be terminated prior to completion.
  - 3. A method as claimed in claim 2, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation and step of determining is responsive to both said processed data size value and a computer file size value for said computer file when determining whether or not said virus scanning operation should be terminated prior to completion.
  - 4. A method as claimed in claim 3, wherein said step of determining calculates a measurement ratio of said processed data size value to said computer file size value and compares this with a termination size threshold ratio such that said virus scanning is terminated if said measurement ratio exceeds said termination size threshold ratio.
  - 5. A method is claimed in claim 2, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having a complexity value indicative of an amount of data processing associated with that test, said measurement value being a sum of complexity values for tests applied during said virus scanning operation and said step of determining terminating said virus scanning operation prior to completion if said sum of complexity values exceeds a termination complexity threshold value.
  - 6. A method as claimed in claim 1, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation.
  - 7. A method as claimed in claim 1, wherein said amount of data processing performed includes data processing involved in any decompression of said computer file required for said virus scanning operation.
  - 8. A method as claimed in claim 1, wherein said amount of data processing performed includes data processing involved in any unpacking of said computer file required for said virus scanning operation.
  - 9. A method as claimed in claim 1, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having a complexity value indicative of an amount of data processing associated with that test and said measurement value is a sum of complexity values for tests applied during said virus scanning operation.
  - 10. A method as claimed in claim 9, wherein said plurality of test applied are selected in dependence upon said computer file.

11. Apparatus for detecting computer viruses within a computer file, said apparatus comprising:
- a receiver operable to receive a request to scan a computer file for computer viruses;
  
  initiating logic operable to initiate a virus scanning operation upon said computer file;
  
  calculating logic operable to calculate during said virus scanning operation a measurement value indicative of an amount of data processing performed during said virus scanning operation, wherein the measurement value is based, at least in part, on at least one of a data size of the computer file and a complexity of tests of the virus scanning operation;
  
  comparing logic operable during said virus scanning to compare said measurement value with a threshold value; and
  
  triggering logic operable to trigger a break in said virus operation prior to completion of the tests to determine as to whether the computer file is infected, if said measurement value exceeds said threshold value to prevent overload of a virus scanner.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. Apparatus as claimed in claim 11, wherein, upon occurrence of said break, determining logic operates using said measurement value to determine whether or not said virus scanning operation should be terminated prior to completion.
  - 13. Apparatus as claimed in claim 12, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation.
  - 14. Apparatus as claimed in claim 12, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation and said determining logic is responsive to both said processed data size value and a computer file size value for said computer file when determining whether or not said virus scanning operation should be terminated prior to completion.
  - 15. Apparatus as claimed in claim 14, wherein said determining logic is operable to calculate a measurement ratio of said processed data size value to said computer file size value and compare this with a termination size threshold ratio such that said virus scanning is terminated if said measurement ratio exceeds said termination size threshold ratio.
  - 16. Apparatus as claimed in claim 12, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having a complexity value indicative of an amount of data processing associated with that test, said measurement value being a sum of complexity values for tests applied during said virus scanning operation and said step of determining terminating said virus scanning operation prior to completion if said sum of complexity values exceeds a termination complexity threshold value.
  - 17. Apparatus as claimed in claim 11, wherein said amount of data processing performed includes data processing involved in any decompression of said computer file required for said virus scanning operation.
  - 18. Apparatus as claimed in claim 11, wherein said amount of data processing performed includes data processing involved in any unpacking of said computer file required for said virus scanning operation.
  - 19. Apparatus as claimed in claim 11, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having a complexity value indicative of an amount of data processing associated with that test and said measurement value is a sum of complexity values for tests applied during said virus scanning operation.
  - 20. Apparatus as claimed in claim 19, wherein said plurality of tests applied are selected in dependence upon said computer file.

21. A computer program product carrying a computer program for controlling a computer to detect computer viruses within a computer file, said computer program comprising:
- receiver code operable to receive a request to scan a computer file for computer viruses;
  
  initiating code operable to initiate a virus scanning operation upon said computer file;
  
  calculating code operable to calculate during said virus scanning operation a measurement value indicative of an amount of data processing performed during said virus scanning operation, wherein the measurement value is based, at least in part, on at least one of a data size of the computer file and a complexity of tests of the virus scanning operation;
  
  comparing code operable during said virus scanning to compare said measurement value with a threshold value; and
  
  triggering code operable to trigger a break in said virus operation prior to completion of the tests to determine as to whether the computer file is infected, if said measurement value exceeds said threshold value to prevent overload of a virus scanner.
- View Dependent Claims (22, 23, 24, 25, 27, 28, 29, 30)
- - 22. A computer program product as claimed in claim 21, wherein, upon occurrence of said break, determining code operates using said measurement value to determine whether or not said virus scanning operation should be terminated prior to completion.
  - 23. A computer program product as claimed in claim 22, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation.
  - 24. A computer program product as claimed in claim 22, wherein said measurement value yields a processed data size value for data processed during said virus scanning operation and said determining code is responsive to both said processed data size value and a computer file size value for said computer file when determining whether or not said virus scanning operation should be terminated prior to completion.
  - 25. A computer program product as claimed in claim 24, wherein said determining code is operable to calculate a measurement ratio of said processed data size value to said computer file size value and compare this with a termination size threshold ratio such that said virus scanning is terminated if said measurement ratio exceeds said termination size threshold ratio.
  - 27. A computer program product as claimed in claim 21, wherein said amount of data processing performed includes data processing involved in any decompression of said computer file required for said virus scanning operation.
  - 28. A computer program product as claimed in claim 21, wherein said amount of data processing performed includes data processing involved in any unpacking of said computer file required for said virus scanning operation.
  - 29. A computer program product as claimed in claim 21, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having complexity value indicative of an amount of data processing associated with that test and said measurement value is a sum of complexity values for tests applied during said virus scanning operation.
  - 30. A computer program product as claimed in claim 29, wherein said plurality of the tests applied are selected in dependence upon said computer file.

26. A computer program product as claimed in 22, wherein said virus scanning operation applies a plurality of the tests to said computer file, each test having complexity value indicative of an amount of data processing associated with that test, said measurement value being a sum of complexity values for tests applied during said virus scanning operation and said step of determining terminating said virus scanning operation prior to completion if said sum of complexity values exceeds a termination complexity threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Lucas, Martin James, Wolff, Daniel Joseph
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US09/678,010
Time in Patent Office

1,876 Days
Field of Search

713/100, 713/104, 713/200, 713/201, 713/188, 713/189, 713/187, 713/202, 714/38, 395/183, 395/186
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

Providing break points in a malware scanning operation

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Providing break points in a malware scanning operation

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links