Selective detection of malicious computer code

US 7,337,471 B2
Filed: 10/07/2002
Issued: 02/26/2008
Est. Priority Date: 10/07/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting infection of a computer file by an attacking agent, the method comprising the steps of:

generating and storing a new hash of a critical viral target region of the computer file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected;

comparing the new hash of the critical viral target region to a hash of the critical viral target region previously generated based on an earlier version of the computer file;

determining whether the computer file has been scanned for infection by the attacking agent with a most recent version of a detection module; and

determining that the computer file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the computer file has been scanned with the most recent version of the detection module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.

95 Citations

View as Search Results

20 Claims

1. A method for detecting infection of a computer file by an attacking agent, the method comprising the steps of:
- generating and storing a new hash of a critical viral target region of the computer file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected;
  
  comparing the new hash of the critical viral target region to a hash of the critical viral target region previously generated based on an earlier version of the computer file;
  
  determining whether the computer file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
  
  determining that the computer file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the computer file has been scanned with the most recent version of the detection module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 20)
- - 2. The method of claim 1, further comprising the step of applying the detection module to the computer file in response to a determination that the new hash and the previously generated hash are identical and a determination that the computer file has not been scanned by the most recent version of the detection module.
  - 3. The method of claim 2, further comprising the step of updating an indicator of a most recent version of a scanning engine applied to the computer file to indicate a current version of the scanning engine.
  - 4. The method of claim 1, wherein the step of determining whether the computer file has been scanned for infection by the attacking agent with a most recent version of the detection module comprises the sub-steps of:
    - determining a most recent version of a scanning engine applied to the computer file;
      
      determining a most recent version of the scanning engine to include an updated version of the detection module; and
      
      determining that the computer file has been scanned with the most recent version of the detection module when the most recent version of the scanning engine applied to the computer file was not created earlier than the most recent version of the scanning engine to include an updated version of the detection module.
  - 5. The method of claim 1, further comprising the step of applying the detection module to the computer file in response to a determination that the new hash and the previously generated hash are not identical.
  - 6. The method of claim 5, further comprising the step of replacing the previously generated hash of the critical viral target region with the new hash of the critical viral target region.
  - 7. The method of claim 1, wherein the critical viral target region includes an executable file header in the computer file.
  - 8. The method of claim 1, wherein the critical viral target region includes a start of a relocation section in the computer file.
  - 9. The method of claim 1, wherein the critical viral target region includes a region around a program entry point in the computer file.
  - 20. The method of claim 1, wherein the critical viral target region comprises a region of the file that is less than the entire file.

10. A computer system for detecting infection of a computer file by an attacking agent, the system comprising:
- a detection module configured to check the computer file for infection by the attacking agent, the detection module including an identifier of a most recent version of a scanning engine to include an update to the detection module;
  
  a database, in communication with the detection module, and storing entries, each entry associated with a file and containing a hash of a critical viral target region previously generated based on an earlier version of the computer file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected and an identifier indicating a most recent version of the scanning engine to scan the file for the presence of malicious code;
  
  a hash generator, in communication with the database, and configured to generate a new hash of the critical viral target region;
  
  a selection module, in communication with the database and the hash generator, and configured to;
  
  compare the new hash of the critical viral target region to the previously generated hash of the critical viral target region;
  
  compare the identifier of the most recent version of the scanning engine to scan the file to the identifier of the most recent version of the scanning engine to include an update of the detection module; and
  
  determine that the file has not been infected by an attacking agent when the new hash and the previously generated hash are identical, and the most recent version of the scanning engine to scan the file is not an earlier version than the most recent version of the scanning engine to include an update of the detection module.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the selection module is further configured to:
    - apply the detection module to the file in response to a determination that the new hash and the previously generated hash are identical and a determination that the most recent version of the scanning engine to scan the file is an earlier version than the most recent version of the scanning engine to include an update of the detection module.
  - 12. The system of claim 11, further comprising an update module, in communication with the database and with the selection module, and configured to update the identifier of the most recent version of the scanning engine to scan the file to indicate that the most recent version of the scanning engine to scan the file is the current version of the scanning engine.
  - 13. The system of claim 10, wherein the selection module is further configured to apply a detection module to the file in response to a determination that the new hash and the previously generated hash are not identical.
  - 14. The system of claim 13, wherein the update module is further configured to update the database to store the new hash of the critical viral target region.

15. A computer-readable storage medium containing executable computer code instructions for detecting infection of a file by an attacking agent, the computer code comprising instructions for:
- generating and storing a new hash of a critical viral target region of the file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected;
  
  comparing the new hash of the critical viral target region to a hash of the critical viral target region previously generated based on an earlier version of the computer file;
  
  determining whether the file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
  
  determining that the file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the file has been scanned with the most recent version of the detection module.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer readable medium of claim 15, wherein the instructions for detecting infection of the file by an attacking agent further comprise instructions for applying the detection module to the file in response to a determination that the new hash and the previously generated hash are identical and a determination that the file has not been scanned by the most recent version of the detection module.
  - 17. The computer readable medium of claim 16, wherein the instructions for detecting infection of the file by an attacking agent further comprise instructions for updating an indicator of a most recent version of a scanning engine applied to the file to indicate a current version of the scanning engine.
  - 18. The computer readable medium of claim 15, wherein the instructions for detecting infection of the file by an attacking agent further comprise instructions for applying the detection module to the file in response to a determination that the new hash and the previously generated hash are not identical.
  - 19. The computer readable medium of claim 18, wherein the instructions for detecting infection of the file by an attacking agent further comprise instructions for replacing the previously generated hash of the critical viral target region with the new hash of the critical viral target region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey, Szor, Peter
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US10/266,365
Publication Number

US 20040068664A1
Time in Patent Office

1,968 Days
Field of Search

713/188, 713/194, 726 22- 25, 709223-224, 707/4, 707/10
US Class Current

726/23
CPC Class Codes

G06F 21/564 by virus signature recognition

Selective detection of malicious computer code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Selective detection of malicious computer code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links