Selective detection of malicious computer code
First Claim
1. A method for detecting infection of a computer file by an attacking agent, the method comprising the steps of:
- generating and storing a new hash of a critical viral target region of the computer file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected;
- comparing the new hash of the critical viral target region to a hash of the critical viral target region previously generated based on an earlier version of the computer file;
- determining whether the computer file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
- determining that the computer file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the computer file has been scanned with the most recent version of the detection module.
Abstract
System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.
20 Claims
10. A computer system for detecting infection of a computer file by an attacking agent, the system comprising:
- a detection module configured to check the computer file for infection by the attacking agent, the detection module including an identifier of a most recent version of a scanning engine to include an update to the detection module;
- a database, in communication with the detection module, and storing entries, each entry associated with a file and containing a hash of a critical viral target region previously generated based on an earlier version of the computer file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected and an identifier indicating a most recent version of the scanning engine to scan the file for the presence of malicious code;
- a hash generator, in communication with the database, and configured to generate a new hash of the critical viral target region;
- a selection module, in communication with the database and the hash generator, and configured to:
  - compare the new hash of the critical viral target region to the previously generated hash of the critical viral target region;
  - compare the identifier of the most recent version of the scanning engine to scan the file to the identifier of the most recent version of the scanning engine to include an update of the detection module; and
  - determine that the file has not been infected by an attacking agent when the new hash and the previously generated hash are identical, and the most recent version of the scanning engine to scan the file is not an earlier version than the most recent version of the scanning engine to include an update of the detection module.
15. A computer-readable storage medium containing executable computer code instructions for detecting infection of a file by an attacking agent, the computer code comprising instructions for:
- generating and storing a new hash of a critical viral target region of the file, wherein the critical viral target region comprises a region of the file that is changed when the file is infected;
- comparing the new hash of the critical viral target region to a hash of the critical viral target region previously generated based on an earlier version of the computer file;
- determining whether the file has been scanned for infection by the attacking agent with a most recent version of a detection module; and
- determining that the file has not been infected by the attacking agent when the new hash and the previously generated hash are identical, and the file has been scanned with the most recent version of the detection module.
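The skip-or-rescan decision described in the abstract and in claims 1, 10 and 15, as an added Python example that is not code from the patent. The critical region (first and last 64 bytes), the byte-pattern scan, the choice to store a baseline only after a clean scan, and the names `Entry`, `DetectionModule`, `region_hash` and `check` are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Entry:
    region_hash: str   # hash of the critical region when the file was last scanned
    scanned_by: int    # engine version that performed that scan

@dataclass
class DetectionModule:
    signature: bytes   # constructed byte pattern standing in for real detection logic
    updated_in: int    # latest engine version that shipped an update to this module

def region_hash(data: bytes) -> str:
    # Assumption: the critical region is the first and last 64 bytes of the file.
    return hashlib.sha256(data[:64] + data[-64:]).hexdigest()

def check(name, data, module, db, engine_version):
    """Return (infected, full_scan_ran) for one file and one detection module."""
    new_hash = region_hash(data)
    entry = db.get(name)
    if (entry is not None
            and entry.region_hash == new_hash
            and entry.scanned_by >= module.updated_in):
        return False, False              # unchanged region, current scan: skip
    infected = module.signature in data  # the expensive full scan
    if infected:
        db.pop(name, None)               # never keep a baseline for an infected file
    else:
        db[name] = Entry(new_hash, engine_version)
    return infected, True

def demo():
    db = {}
    module = DetectionModule(signature=b"\xde\xad\xbe\xef", updated_in=3)
    clean = b"MZ" + bytes(200)                 # constructed sample file
    results = [
        check("a.exe", clean, module, db, 3),  # first sight: full scan
        check("a.exe", clean, module, db, 3),  # same hash, current scan: skipped
    ]
    module.updated_in = 4                      # the module receives an update
    results.append(check("a.exe", clean, module, db, 4))     # stale scan: rescan
    tampered = clean + b"\xde\xad\xbe\xef"     # appended bytes change the tail
    results.append(check("a.exe", tampered, module, db, 4))  # hash differs: rescan
    return results

if __name__ == "__main__":
    print(demo())
```

The skip branch trusts the stored entry, so the database needs the same integrity protection as the scanner itself, and a change that falls entirely outside the hashed region will not trigger a rescan until the module is next updated.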
Specification