Detection of malicious computer code
First Claim
1. A method for determining if a computer file is infected, said method comprising:
executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
determining a creation date for a complex attacking agent associated with a complex detection module;
determining a last change date of the computer file;
comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;
executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the complex attacking agent; and
determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
Abstract
Systems, methods, and computer readable media for determining whether a computer file (210) has been infected with malicious code by an attacking agent. A scanning engine (205) determines whether the file (210) contains malicious code. The scanning engine (205) includes detection modules (325) for detecting particular attacking agents, and indicators of when particular attacking agents were first created. The scanning engine (205) determines a critical date for a file (210) with regards to a particular attacking agent. If the file (210) has not been changed since the critical date, the scanning engine (205) determines that the file (210) has not been infected by that attacking agent.
143 Citations
20 Claims
1. A method for determining if a computer file is infected, said method comprising:
executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
determining a creation date for a complex attacking agent associated with a complex detection module;
determining a last change date of the computer file;
comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;
executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the complex attacking agent; and
determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
Dependent claims: 2, 3, 4, 15, 16, 17, 18.

5. A system for determining if a computer file is infected, the system comprising:
an inoculation database storing a plurality of entries, each entry associated with a file and containing a last change date for the file;
a simple detection module in communication with the inoculation database and configured to execute a high speed scan to determine if the file is infected by a simple attacking agent;
a complex detection module in communication with the inoculation database and configured to execute a complex scan to check the file for infection by a complex attacking agent, the complex detection module storing a creation date for the complex attacking agent; and
a selection module in communication with the inoculation database and with the complex detection module, the selection module configured to compare the last change date to the creation date, direct the complex detection module to check the file for infection responsive to the last change date being later than the creation date for the complex attacking agent, and determine that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
Dependent claims: 6, 7.

8. A computer-readable storage medium containing computer code instructions for determining if a computer file is infected, the computer code instructions when executed cause a processor to carry out the steps of:
executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
determining a creation date for a complex attacking agent associated with a complex detection module;
determining a last change date of the computer file;
comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;
executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the attacking agent; and
determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
Dependent claims: 9, 10, 19.

11. A method for determining if a file is infected, the method comprising:
executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
determining a creation date for a complex attacking agent associated with a complex detection module;
determining a last change date of the file;
determining a last scan date on which the file was scanned for the presence of the complex attacking agent;
comparing the last change date to the creation date for the complex attacking agent and to the last scan date on which the file was scanned for the presence of the complex attacking agent;
executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than both of the creation date for the complex attacking agent and the last scan date on which the file was scanned for the presence of the complex attacking agent; and
determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than at least one of the creation date for the complex attacking agent and the last scan date on which the file was scanned for the presence of the complex attacking agent.
Dependent claims: 12, 13, 14, 20.
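The selection logic of claims 1, 5 and 11 in working form, as an added illustration that is not the patent's own code: simple modules always run, a complex module runs only when the file's last change date is later than the date its attacking agent was created (claim 1) and, in claim 11 mode, later than the file's last complex-scan date. The module names, the inoculation-database record layout and the byte-marker "detectors" are constructed for the example; the claims do not say what happens when the dates are equal, so the code scans in that case as the conservative choice.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

@dataclass
class InoculationEntry:
    """One inoculation-database record (layout is an assumption): when the
    file last changed and when a complex module last scanned it (None = never)."""
    last_change: date
    last_complex_scan: Optional[date] = None

@dataclass
class DetectionModule:
    name: str
    agent_created: date              # date the attacking agent was first created
    scan: Callable[[bytes], bool]    # True if the module finds its agent in the file
    complex: bool = False            # complex modules are gated by the date checks

def should_run_complex(entry: InoculationEntry, module: DetectionModule,
                       use_last_scan: bool) -> bool:
    """Selection-module decision. A file last changed before the agent existed
    cannot carry it (claim 1); with use_last_scan, a file unchanged since its
    last complex scan is skipped as well (claim 11). Equal dates fall outside
    the claims' wording, so they scan (conservative)."""
    if entry.last_change < module.agent_created:
        return False
    if use_last_scan and entry.last_complex_scan is not None \
            and entry.last_change < entry.last_complex_scan:
        return False
    return True

def scan_file(data: bytes, entry: InoculationEntry, modules: List[DetectionModule],
              today: date, use_last_scan: bool = True):
    """Run every simple module, run complex modules only when selected, record
    the complex-scan date, and return (agents found, complex modules actually run)."""
    found, ran = [], []
    for m in modules:
        if m.complex:
            if not should_run_complex(entry, m, use_last_scan):
                continue
            ran.append(m.name)
        if m.scan(data):
            found.append(m.name)
    if ran:
        entry.last_complex_scan = today
    return found, ran

# Constructed sample modules: byte markers stand in for real detection logic.
SIMPLE = DetectionModule("simple-A", date(2019, 1, 1), lambda d: b"SIMPLE-A" in d)
COMPLEX = DetectionModule("complex-B", date(2021, 6, 1),
                          lambda d: b"COMPLEX-B" in d, complex=True)
```

The skip decision is only as trustworthy as the recorded last change date, so an inoculation database should record its own observation of a change (for instance a content hash taken at scan time) rather than rely solely on the filesystem timestamp.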