In memory heuristic system and method for detecting viruses
Abstract
Characteristics of a call module originating a critical operating system function call are analyzed for indications of suspicious content, and a virus threshold counter is incremented accordingly. For example, the memory image of the call module is compared with its file image for indications of suspicious content. If the virus threshold counter is determined to exceed a virus threshold, there is a significant probability that malicious code is executing on the host computer system, and the user of the host computer system and/or an administrator are notified that malicious code may be executing on the host computer system.
28 Claims

1. A method comprising:
    determining that a call module originating a critical operating system function call has indications of suspicious content, comprising:
        determining a host application of said call module;
        logging an instance of said critical operating system function call;
        determining a total number of logged call instances for a session of said host application; and
        determining that said total number is significantly greater than a total number of at least one previous session of said host application; and
    incrementing a virus threshold counter.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method comprising:
    determining that a call module originating a critical operating system function call has indications of suspicious content, comprising:
        comparing a memory image to a file image of said call module;
        determining a change between said memory image and said file image;
        determining that a similar change between a memory image and a file image of another call module exists;
        comparing a first fingerprint of said call module to a second fingerprint of said another call module; and
        determining that said first fingerprint matches said second fingerprint; and
    incrementing a virus threshold counter.

10. A method comprising:
    determining that an application originating a critical operating system function call has indications of suspicious content, comprising:
        comparing a memory image to a file image of said application;
        determining a change between said memory image and said file image;
        determining that a similar change between a memory image and a file image of another application exists;
        comparing a first fingerprint of said application to a second fingerprint of said another application; and
        determining that said first fingerprint matches said second fingerprint; and
    incrementing a virus threshold counter.

11. A method comprising:
    comparing a memory image to a file image of an application;
    determining a change between said memory image and said file image;
    determining that a similar change between a memory image and a file image of another application exists;
    comparing a first fingerprint of said application to a second fingerprint of said another application;
    determining that said first fingerprint matches said second fingerprint;
    determining whether a match between said first fingerprint and said second fingerprint is a known false positive; and
    incrementing a virus threshold counter.
Dependent claims: 12, 13, 14.

15. A method comprising:
    comparing a memory image to a file image of an application;
    determining a change between said memory image and said file image;
    determining that a similar change between a memory image and a file image of another application exists;
    comparing a first fingerprint of said application to a second fingerprint of said another application;
    determining that said first fingerprint matches said second fingerprint;
    determining whether a match between said first fingerprint and said second fingerprint is a known false positive; and
    logging said change between said memory image and said file image.

16. A method comprising:
    determining that a hook module has indications of suspicious content, comprising:
        comparing a memory image to a file image of said hook module;
        determining a change between said memory image and said file image;
        determining that a similar change between a memory image and a file image of another hook module exists;
        comparing a first fingerprint of said hook module to a second fingerprint of said another hook module; and
        determining that said first fingerprint matches said second fingerprint; and
    incrementing a virus threshold counter.
Dependent claims: 17, 18, 19, 20.

21. A method comprising:
    determining whether a calls threshold is exceeded, wherein upon a determination that said calls threshold is exceeded during said determining, said method further comprising:
        stalling a critical operating system function call originating from a call module; and
        determining whether said critical operating system function call is a new instance, wherein upon a determination that said critical operating system function call is a new instance during said determining whether said critical operating system function call is a new instance, said method further comprising:
            determining whether said call module has indications of suspicious content, comprising:
                determining a host application of said call module;
                logging an instance of said critical operating system function call;
                determining a total number of logged call instances for a session of said host application; and
                determining that said total number is significantly greater than a total number of at least one previous session of said host application.
Dependent claims: 22, 23, 24, 25, 26.

27. A computer system comprising:
    a means for determining that a call module originating a critical operating system function call has indications of suspicious content, comprising:
        a means for determining a host application of said call module;
        a means for logging an instance of said critical operating system function call;
        a means for determining a total number of logged call instances for a session of said host application; and
        a means for determining that said total number is significantly greater than a total number of at least one previous session of said host application; and
    a means for incrementing a virus threshold counter.

28. A computer-program product comprising a computer-readable medium containing computer program code comprising:
    an anti-virus application for determining that a call module originating a critical operating system function call has indications of suspicious content, comprising:
        determining a host application of said call module;
        logging an instance of said critical operating system function call;
        determining a total number of logged call instances for a session of said host application; and
        determining that said total number is significantly greater than a total number of at least one previous session of said host application;
    said anti-virus application further for incrementing a virus threshold counter if said call module has indications of suspicious content;
    said anti-virus application further for determining whether said virus threshold counter exceeds a virus threshold; and
    said anti-virus application further for issuing a notification that malicious code may be executing on a host computer system if said virus threshold counter exceeds said virus threshold.

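The claims above recite the decision logic in patent language only: a per-session count of critical OS calls compared against earlier sessions of the same host application (claims 1 and 21), a memory-image-versus-file-image diff whose fingerprint is matched against other modules' diffs and checked against a known-false-positive list (claims 9 to 16), and a virus threshold counter that triggers a notification (claim 28). The following simulation is an added example written for this page; it is not the patent's own code nor any product's implementation. The threshold values, the module and host names, the byte strings standing in for file and memory images, and the reading of claim 21's "new instance" test as "inspect each (host, module, function) triple once per session" are all assumptions.

```python
"""Simulation of the heuristics recited in claims 1, 9-16, 21 and 28 above. Added example
for this page, not the patent's or Symantec's code: module names, host applications, byte
strings (standing in for a module's file image on disk and memory image as mapped) and
threshold values are all constructed for illustration."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

CALLS_THRESHOLD = 5   # claim 21 (value assumed): stall and inspect only after this many calls in a session
SESSION_GROWTH = 2.0  # claim 1 (value assumed): "significantly greater" = more than 2x the busiest earlier session
VIRUS_THRESHOLD = 1   # claim 28 (value assumed): notify once the virus threshold counter exceeds this


@dataclass
class CallModule:
    name: str            # module (DLL, plugin) that issued the critical OS function call
    host_app: str        # application that loaded it (the claims' "host application")
    file_image: bytes    # module bytes as stored on disk (constructed)
    memory_image: bytes  # module bytes as mapped in memory (constructed)


def image_change(mod):
    """Claims 9-15: region of the memory image that differs from the file image, or None."""
    n = min(len(mod.memory_image), len(mod.file_image))
    differing = [i for i in range(n) if mod.memory_image[i] != mod.file_image[i]]
    appended = mod.memory_image[len(mod.file_image):]  # code grown past the on-disk size
    if not differing and not appended:
        return None
    region = mod.memory_image[differing[0]:differing[-1] + 1] if differing else b""
    return region + appended


def fingerprint(changed):
    """Hash of the changed bytes themselves, so the same patch applied to two different
    modules at different offsets yields the same fingerprint (claims 9-11)."""
    return hashlib.sha256(changed).hexdigest()


class HeuristicEngine:
    def __init__(self, known_false_positives=()):
        self.virus_threshold_counter = 0
        self.session_calls = defaultdict(int)  # host app -> calls logged in the current session
        self.history = defaultdict(list)       # host app -> totals of its previous sessions
        self.inspected = set()                 # (host, module, function) triples already inspected
        self.changes = {}                      # module -> (size of change, fingerprint); claim 15 log
        self.known_false_positives = set(known_false_positives)  # claim 11
        self.notifications = []

    def call_count_suspicious(self, host):
        """Claim 1: is this session's logged total significantly greater than earlier sessions'?"""
        previous = self.history[host]
        return bool(previous) and self.session_calls[host] > SESSION_GROWTH * max(previous)

    def image_change_suspicious(self, mod):
        """Claims 9 and 11: a change of the same size as another module's ("similar change")
        whose fingerprint matches it, unless the match is a known false positive."""
        changed = image_change(mod)
        if changed is None:
            return False
        fp = fingerprint(changed)
        similar = [n for n, (size, other) in self.changes.items()
                   if n != mod.name and size == len(changed) and other == fp]
        self.changes[mod.name] = (len(changed), fp)
        return bool(similar) and fp not in self.known_false_positives

    def on_critical_call(self, mod, function):
        """Claim 21 flow for one critical OS function call from `mod`; returns the verdict."""
        host = mod.host_app
        self.session_calls[host] += 1           # log this call instance
        if self.session_calls[host] <= CALLS_THRESHOLD:
            return "pass"                       # below the calls threshold: not inspected
        # Past the calls threshold the call is stalled while the module is inspected; the claim's
        # "new instance" test is read here (assumption) as: inspect each triple once per session.
        key = (host, mod.name, function)
        if key in self.inspected:
            return "pass"
        self.inspected.add(key)
        hits = int(self.call_count_suspicious(host)) + int(self.image_change_suspicious(mod))
        self.virus_threshold_counter += hits    # one increment per indication found
        if self.virus_threshold_counter > VIRUS_THRESHOLD:
            self.notifications.append(f"malicious code may be executing in {host} via {mod.name}")
            return "notify"                     # claim 28: notify the user/administrator
        return "pass"


def demo():
    """Constructed scenario: one patch shows up in modules of two hosts, one of which also spikes."""
    clean = bytes(range(64))
    injected = b"\xe8\x00\x10\x00\x00INJECTED"  # constructed in-memory virus patch (13 bytes)
    legit = b"\xe9\x00\x20\x00\x00HOOK"         # constructed legitimate hook, listed as benign
    mail_lib = CallModule("mail_lib", "mail.exe", clean, clean[:16] + injected + clean[29:])
    word_lib = CallModule("word_lib", "word.exe", clean, clean[:40] + injected + clean[53:])
    hooked_a = CallModule("hooked_a", "mail.exe", clean, clean + legit)
    hooked_b = CallModule("hooked_b", "view.exe", clean, clean + legit)
    engine = HeuristicEngine(known_false_positives={fingerprint(legit)})
    engine.history["word.exe"] = [1, 2]         # word.exe's earlier sessions were quiet
    verdicts = []
    for mod, function in ((mail_lib, "CreateFileW"), (hooked_a, "WriteFile"),
                          (hooked_b, "WriteFile"), (word_lib, "CreateFileW")):
        for _ in range(CALLS_THRESHOLD + 1):
            verdicts.append(engine.on_critical_call(mod, function))
    return engine, verdicts
```

In the scenario, `mail_lib` records the injected patch's fingerprint without raising an alert (no other module carries it yet), the two legitimately hooked modules match each other but are suppressed by the known-false-positive list of claim 11, and `word_lib` trips both heuristics at once: its session count exceeds twice the busiest earlier session and its patch fingerprint matches `mail_lib`'s, so the counter reaches 2 and the call is answered with a notification. Two caveats a practitioner would add: a raw byte comparison of memory and file images also flags legitimate differences (relocations, import-address-table fixups, vendor API hooks), which is exactly why the claims carry a false-positive list, and a production scanner would restrict the diff to code sections after undoing relocations; and the "significantly greater" test needs a floor on the earlier sessions' totals, since a host with a history of one or two calls is trivially exceeded.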
Specification