Detection of malicious computer code

US 7,469,419 B2
Filed: 10/07/2002
Issued: 12/23/2008
Est. Priority Date: 10/07/2002
Status: Active Grant

First Claim

Patent Images

1. A method for determining if a computer file is infected, said method comprising:

executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;

determining a creation date for a complex attacking agent associated with a complex detection module;

determining a last change date of the computer file;

comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;

executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the complex attacking agent; and

determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer readable media for determining whether a computer file (210) has been infected with malicious code by an attacking agent. A scanning engine (205) determines whether the file (210) contains malicious code. The scanning engine (205) includes detection modules (325) for detecting particular attacking agents, and indicators of when particular attacking agents were first created. The scanning engine (205) determines a critical date for a file (210) with regards to a particular attacking agent. If the file (210) has not been changed since the critical date, the scanning engine (205) determines that the file (210) has not been infected by that attacking agent.

143 Citations

20 Claims

1. A method for determining if a computer file is infected, said method comprising:
- executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
  
  determining a creation date for a complex attacking agent associated with a complex detection module;
  
  determining a last change date of the computer file;
  
  comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;
  
  executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the complex attacking agent; and
  
  determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
- View Dependent Claims (2, 3, 4, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising modifying a database entry storing a last scan date of the file to indicate a current date.
  - 3. The method of claim 1, wherein determining a last change date comprises:
    - reading a change log, the change log indicating changes made to the file and dates associated with the changes; and
      
      determining that the last change date is the latest date associated with a change to the file in the change log.
  - 4. The method of claim 1, wherein determining the last change date comprises reading a change indicator, wherein the change indicator is generated by steps including:
    - generating a new hash of the file;
      
      comparing the new hash to a previously generated hash; and
      
      modifying the change indicator to list a current date when the new hash and the previously generated hash are different.
  - 15. The method of claim 1, wherein executing the high speed scan comprises executing a signature-based scan.
  - 16. The method of claim 1, wherein the complex attacking agent is resistant to signature-based detection methods.
  - 17. The method of claim 1, wherein the complex attacking agent has an encrypted viral body, wherein scanning the file for the complex attacking agent comprises:
    - loading the file in a virtual computer;
      
      decrypting the viral body of the complex attacking agent using the virtual computer; and
      
      scanning a virtual memory of the virtual computer for a signature from the decrypted viral body.
  - 18. The method of claim 1, further comprising executing a second high speed scan in parallel to the high speed scan to determine if the file is infected by the a second simple attacking agent associated with a second simple detection module.

5. A system for determining if a computer file is infected, the system comprising:
- an inoculation database storing a plurality of entries, each entry associated with a file and containing a last change date for the file;
  
  a simple detection module in communication with the inoculation database and configured to execute a high speed scan to determine if the file is infected by a simple attacking agent;
  
  a complex detection module in communication with the inoculation database and configured to execute a complex scan to check the file for infection by a complex attacking agent, the complex detection module storing a creation date for the complex attacking agent; and
  
  a selection module in communication with the inoculation database and with the complex detection module, the selection module configured to compare the last change date to the creation date, direct the complex detection module to check the file for infection responsive to the last change date being later than the creation date for the complex attacking agent and determine that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
- View Dependent Claims (6, 7)
- - 6. The system of claim 5, further comprising an update module in communication with the complex detection module and with the inoculation database, the update module configured to change a last scan date of the file to a current date when the complex detection module checks the file for infection by the complex attacking agent.
  - 7. The system of claim 6, further comprising:
    - a hash generator, in communication with the inoculation database and with the update module, and configured to generate a new hash of the file;
      
      wherein;
      
      the selection module is configured to compare the new hash with a previously generated hash; and
      
      the update module is configured to replace the change date with a current date when the previously generated hash and the new hash are not identical.

8. A computer-readable storage medium containing computer code instructions for determining if a computer file infected, the computer code instructions when executed cause a processor to carry out the steps of:
- executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
  
  determining a creation date for a complex attacking agent associated with a complex detection module;
  
  determining a last change date of the computer file;
  
  comparing the last change date to the creation date for the complex attacking agent associated with the complex detection module;
  
  executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than the creation date for the attacking agent; and
  
  determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than the creation date for the complex attacking agent.
- View Dependent Claims (9, 10, 19)
- - 9. The computer readable storage medium of claim 8, wherein the instructions for determining if the computer file is infected further comprise instructions for modifying a database entry storing a last scan date of the file to indicate a current date.
  - 10. The computer readable storage medium of claim 8, wherein the instructions for determining if the computer file is infected further comprise instructions for:
    - generating a new hash of the file;
      
      comparing the new hash to a previously generated hash; and
      
      modifying an indicator of the last change date to list a current date when the new hash and the previously generated hash are different.
  - 19. The computer readable storage medium of claim 8, further comprising instructions for executing a second high speed scan in parallel to the high speed scan to determine if the file is infected by a second simple attacking agent associated with a second simple detection module.

11. A method for determining if a file is infected, the method comprising:
- executing a high speed scan to determine if the file is infected by a simple attacking agent associated with a simple detection module;
  
  determining a creation date for a complex attacking agent associated with a complex detection module;
  
  determining a last change date of the file;
  
  determining a last scan date on which the file was scanned for the presence of the complex attacking agent;
  
  comparing the last change date to the creation date for the complex attacking agent and to the last scan date on which the file was scanned for the presence of the complex attacking agent;
  
  executing a complex scan to determine if the file is infected by the complex attacking agent responsive to the last change date being later than both of the creation date for the complex attacking agent and the last scan date on which the file was scanned for the presence of the complex attacking agent; and
  
  determining that the file is not infected by the complex attacking agent responsive to the last change date being earlier than at least one of the creation date for the complex attacking agent and the last scan date on which the file was scanned for the presence of the complex attacking agent.
- View Dependent Claims (12, 13, 14, 20)
- - 12. The method of claim 11, further comprising:
    - modifying a database entry storing the scan date to indicate a current date when the file is scanned for infection by the complex attacking agent.
  - 13. The method of claim 11, wherein determining a last change date comprises:
    - reading a change log, the change log indicating changes made to the file and dates associated with the changes; and
      
      determining that the last change date is the latest date associated with a change to the file in the change log.
  - 14. The method of claim 11, wherein determining the last change date comprises reading a change indicator, wherein the change indicator is generated by steps including:
    - generating a new hash of the file;
      
      comparing the new hash to a previously generated hash; and
      
      modifying the change indicator to list a current date when the new hash and the previously generated hash are different.
  - 20. The method of claim 11, further comprising executing a second high speed scan in parallel to the high speed scan to determine if the file is infected by a second simple attacking agent associated with a second simple detection module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US10/266,340
Publication Number

US 20040068663A1
Time in Patent Office

2,269 Days
Field of Search

726/24, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Detection of malicious computer code

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malicious computer code

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links