In memory heuristic system and method for detecting viruses

US 7,340,777 B1
Filed: 03/31/2003
Issued: 03/04/2008
Est. Priority Date: 03/31/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining that a call module originating a critical operating system function call has indications of suspicious content comprising;

determining a host application of said call module;

logging an instance of said critical operating system function call;

determining a total number of logged call instances for a session of said host application; and

determining that said total number is significantly greater than a total number of at least one previous session of said host application; and

incrementing a virus threshold counter.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Characteristics of a call module originating a critical operating system function call are analyzed for indications of suspicious content and a virus threshold counter is incremented appropriately. For example, the memory image to the file image of the call module are compared for indications of suspicious content. If a determination is made that the virus threshold counter exceeds a virus threshold, there is a significant probability that malicious code is executing on the host computer system. Thus, the user of the host computer system and/or an administrator are notified that malicious code is possibly executing on the host computer system.

Citations

28 Claims

1. A method comprising:
- determining that a call module originating a critical operating system function call has indications of suspicious content comprising;
  
  determining a host application of said call module;
  
  logging an instance of said critical operating system function call;
  
  determining a total number of logged call instances for a session of said host application; and
  
  determining that said total number is significantly greater than a total number of at least one previous session of said host application; and
  
  incrementing a virus threshold counter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - hooking at least one critical operating system function, wherein said critical operating system function call is to said at least one critical operating system function.
  - 3. The method of claim 1 further comprising:
    - determining whether said critical operating system function call is a new instance.
  - 4. The method of claim 1 further comprising:
    - determining whether said virus threshold counter exceeds a virus threshold.
  - 5. The method of claim 4 wherein upon a determination that said virus threshold counter exceeds said virus threshold, said method further comprising issuing a notification that malicious code may be executing on a host computer system.
  - 6. The method of claim 5 wherein said notifying comprises requesting a sample of said malicious code be sent to a virus collection center.
  - 7. The method of claim 1 wherein said determining that a call module originating a critical operating system function call has indications of suspicious content comprises:
    - determining a location of said call module;
      
      scanning said location;
      
      determining a fingerprint of said call module; and
      
      determining that said fingerprint is suspicious.
  - 8. The method of claim 1 wherein said determining that a call module originating a critical operating system function call has indications of suspicious content comprises:
    - determining a location of said call module;
      
      scanning said location;
      
      determining a first fingerprint of said call module;
      
      comparing said first fingerprint to a second fingerprint of at least one other call module; and
      
      determining that said first fingerprint matches said second fingerprint.

9. A method comprising:
- determining that a call module originating a critical operating system function call has indications of suspicious content comprising;
  
  comparing a memory image to a file image of said call module;
  
  determining a change between said memory image and said file image;
  
  determining that a similar change between a memory image and a file image of another call module exists;
  
  comparing a first fingerprint of said call module to a second fingerprint of said another call module; and
  
  determining that said first fingerprint matches said second fingerprint; and
  
  incrementing a virus threshold counter.

10. A method comprising:
- determining that an application originating a critical operating system function call has indications of suspicious content comprising;
  
  comparing a memory image to a file image of an said application;
  
  determining a change between said memory image and said file image;
  
  determining that a similar change between a memory image and a file image of another application exists;
  
  comparing a first fingerprint of said application to a second fingerprint of said another application; and
  
  determining that said first fingerprint matches said second fingerprint; and
  
  incrementing a virus threshold counter.

11. A method comprising:
- comparing a memory image to a file image of an application;
  
  determining a change between said memory image and said file image;
  
  determining that a similar change between a memory image and a file image of another application exists;
  
  comparing a first fingerprint of said application to a second fingerprint of said another application;
  
  determining that said first fingerprint matches said second fingerprint;
  
  determining whether a match between said first fingerprint and said second fingerprint is a known false positive; and
  
  incrementing a virus threshold counter.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 further comprising determining that a request for a scan has been made.
  - 13. The method of claim 11 further comprising determining whether said virus threshold counter exceeds a virus threshold.
  - 14. The method of claim 13 wherein upon a determination that said virus threshold counter exceeds said virus threshold, said method further comprising issuing a notification that malicious code may be executing on a host computer system.

15. A method comprising:
- comparing a memory image to a file image of an application;
  
  determining a change between said memory image and said file image;
  
  determining that a similar change between a memory image and a file image of another application exists;
  
  comparing a first fingerprint of said application to a second fingerprint of said another application;
  
  determining that said first fingerprint matches said second fingerprint;
  
  determining whether a match between said first fingerprint and said second fingerprint is a known false positive; and
  
  logging said change between said memory image and said file image.

16. A method comprising:
- determining that a hook module has indications of suspicious content comprising;
  
  comparing a memory image to a file image of said hook module;
  
  determining a change between said memory image and said file image;
  
  determining that a similar change between a memory image and a file image of another hook module exists;
  
  comparing a first fingerprint of said hook module to a second fingerprint of said another hook module; and
  
  determining that said first fingerprint matches said second fingerprint; and
  
  incrementing a virus threshold counter.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 further comprising determining that a request for a scan has been made.
  - 18. The method of claim 16 further comprising determining whether said virus threshold counter exceeds a virus threshold.
  - 19. The method of claim 18 wherein upon a determination that said virus threshold counter exceeds said virus threshold, said method further comprising issuing a notification that malicious code may be executing on a host computer system.
  - 20. The method of claim 16 wherein said hook module includes an instruction or set of instructions that hook operating system functions.

21. A method comprising:
- determining whether a calls threshold is exceeded, wherein upon a determination that said calls threshold is exceeded during said determining, said method further comprising;
  
  stalling a critical operating system function call originating from a call module; and
  
  determining whether said critical operating system function call is a new instance, wherein upon a determination that said critical operating system function call is a new instance during said determining whether said critical operating system function call is a new instance, said method further comprising;
  
  determining whether said call module has indications of suspicious content comprising;
  
  determining a host application of said call module;
  
  logging an instance of said critical operating system function call;
  
  determining a total number of logged call instances for a session of said host application; and
  
  determining that said total number is significantly greater than a total number of at least one previous session of said host application.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21 wherein upon a determination that said critical operating system function call is not a new instance during said determining whether said critical operating system function call is a new instance, said method further comprising:
    - allowing said call to proceed.
  - 23. The method of claim 21 wherein upon a determination that said call module does have indications of suspicious content during said determining whether said call module has indications of suspicious content, said method further comprising:
    - incrementing a virus threshold counter.
  - 24. The method of claim 23 further comprising determining whether said virus threshold counter exceeds a virus threshold.
  - 25. The method of claim 24 wherein upon a determination that said virus threshold counter exceeds said virus threshold during said determining whether said virus threshold counter exceeds a virus threshold, said method further comprising:
    - issuing a notification that malicious code may be executing on a host computer system.
  - 26. The method of claim 21 further comprising updating a known instances of critical operating system function calls by logging characteristics of said critical operating system function call.

27. A computer system comprising:
- a means for determining that a call module originating a critical operating system function call has indications of suspicious content comprising;
  
  a means for determining a host application of said call module;
  
  a means for logging an instance of said critical operating system function call;
  
  a means for determining a total number of logged call instances for a session of said host application; and
  
  a means for determining that said total number is significantly greater than a total number of at least one previous session of said host application; and
  
  a means for incrementing a virus threshold counter.

28. A computer-program product comprising a computer-readable medium containing computer program code comprising:
- an anti-virus application for determining that a call module originating a critical operating system function call has indications of suspicious content comprising;
  
  determining a host application of said call module;
  
  logging an instance of said critical operating system function call;
  
  determining a total number of logged call instances for a session of said host application; and
  
  determining that said total number is significantly greater than a total number of at least one previous session of said host application;
  
  said anti-virus application further for incrementing a virus threshold counter if said call module has indications of suspicious content;
  
  said anti-virus application further for determining whether said virus threshold counter exceeds a virus threshold; and
  
  said anti-virus application further for issuing a notification that malicious code may be executing on a host computer system if said virus threshold counter exceeds said virus threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/404,167
Time in Patent Office

1,800 Days
Field of Search

None
US Class Current

726/26
CPC Class Codes

G06F 21/562 Static detection

In memory heuristic system and method for detecting viruses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

In memory heuristic system and method for detecting viruses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links