Method of, and system for, heuristically detecting viruses in executable code

US 7,664,754 B2
Filed: 03/08/2004
Issued: 02/16/2010
Est. Priority Date: 04/25/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An anti-malware file scanning system for computer files being transferred between computers, the system being implemented on a computer apparatus and comprising:

a) a computer database containing records of known executable programs which are deemed to be not malware and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;

b) means for processing a file being transferred between computers, the means b) comprising;

a file recogniser operative to determine whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances;

a difference checker operative, in the case that the file recogniser determines the file being processed to be an instance of a known program, to check whether the file is an unchanged version of that known program;

c) means for signalling the file, depending on the determination made by the processing means, as being;

likely to be not malware if it is an unchanged version of a known file;

likely to be malware if it is a changed version of a known file;

orof unknown status if it is not determined as being an instance of a known file;

wherein the processor assigns a score to a file identified as likely to be malware, andstoring the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an anti-virus scanning system for computer files being transferred between computers, the number of files requiring detailed scanning is first reduced by identifying files which are instances of programs which are known and deemed to be safe. This is done by reference to a database of known executables which records characteristics which can be used as the basis for identifying a file as an unchanged instance of a known executable. Secondly, these characteristics can then also be used to identify files which are changed instances of known executables. These are extremely suspicious, since the most likely cause of change is infection by a file infecting virus, so these files are classed as likely to be malware.

Citations

11 Claims

1. An anti-malware file scanning system for computer files being transferred between computers, the system being implemented on a computer apparatus and comprising:
- a) a computer database containing records of known executable programs which are deemed to be not malware and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
  
  b) means for processing a file being transferred between computers, the means b) comprising;
  
  a file recogniser operative to determine whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances;
  
  a difference checker operative, in the case that the file recogniser determines the file being processed to be an instance of a known program, to check whether the file is an unchanged version of that known program;
  
  c) means for signalling the file, depending on the determination made by the processing means, as being;
  
  likely to be not malware if it is an unchanged version of a known file;
  
  likely to be malware if it is a changed version of a known file;
  
  orof unknown status if it is not determined as being an instance of a known file;
  
  wherein the processor assigns a score to a file identified as likely to be malware, andstoring the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
- View Dependent Claims (2, 3, 4)
- - 2. A system according to claim 1 and including:
    - d) means for processing a file being transferred between computers to determine whether it is considered to be, or considered possibly to be, malware, and wherein the means d) is operative to subject a file to processing if the file is signaled by the signalling means c) as being of unknown status.
  - 3. A system according to claim 1 wherein the difference checker is operative to generate a checksum for the entire file under consideration or for at least one selected region thereof, and to compare the checksum or checksums with those of entries in the database.
  - 4. A system according to claim 1 and including an exception list handler operative to determine, in relation to a file which the processing means b) has determined is a changed version of a known file, whether that file has characteristics matching an entry in an exception list of files, the signalling means c) being operative to signal the file as malware only if it is not in the exception list or as being of unknown status otherwise.

5. A method of anti-malware scanning computer files being transferred between computers, the method comprising:
- maintaining a computer database containing records of known executable programs which are deemed to be uninfected and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
  
  processing a file being transferred between computers by determining whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances, andchecking, in the case that the file is determined to be an instance of a known program, whether the file is an unchanged version of that known program;
  
  signalling the file, depending on the determination made by the processing, as being;
  
  likely to be not malware if it is an unchanged version of a known file;
  
  likely to be malware if it is a changed version of a known file;
  
  orof unknown status if it is not determined as being an instance of a known file;
  
  wherein the processor assigns a score to a file identified as likely to be malware, andstoring the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
- View Dependent Claims (6, 7, 8)
- - 6. A method according to claim 5 and including:
    - processing a file being transferred between computers to determine whether it is considered to be, or considered possibly to be, malware, if the file is signalled by the signalling step c) as being of unknown status.
  - 7. A method according to claim 5 wherein the step of checking whether the file being processed is an instance of a known program comprises generating a checksum for the entire file under consideration or for at least one selected region thereof, and comparing the checksum or checksums with those of entries in the database.
  - 8. A method according to claim 5 further including using an exception list to determine, in relation to a file which the processing step b) has determined is a changed version of a known file, whether that file has characteristics matching an entry in an exception list of files, and wherein, in the signalling step c), the file is signalled as malware if it is not in the exception list or as being of unknown status otherwise.

9. An anti-malware file scanning system for computer files being transferred between computers, the system comprising:
- a computer database containing records of known executable programs which are deemed to be not malware and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
  
  a processor for processing a file being transferred between computers,the processor being operative to determine whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances and, in the case that the file being processed is determined to be an instance of a known program,to check whether the file is an unchanged version of that known program, said processor, depending on the determination, identifying the file being processed as;
  
  (i) likely to be not malware if it is an unchanged version of a known file;
  
  (ii) likely to be malware if it is a changed version of a known file;
  
  or(iii) of unknown status if it is not determined as being an instance of a known file;
  
  wherein the processor assigns a score to a file identified as likely to be malware, andstoring the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
- View Dependent Claims (10, 11)
- - 10. An anti-malware file scanning system according to claim 9, further comprising:
    - a file-scanning subsystem for scanning files identified by the processor as being of unknown status to determine whether the scanned files are malware.
  - 11. An anti-malware file scanning system according to claim 10, wherein records for files which are instances of programs determined by the file-scanning system not to be malware are added to the computer database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Shipp, Alexander
Primary Examiner(s)
Alam; Shahid A
Assistant Examiner(s)
Bromell; Alexandria Y

Application Number

US10/500,954
Publication Number

US 20050027686A1
Time in Patent Office

2,171 Days
Field of Search

707/1, 707/6, 707/10, 707/101, 707/3, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

H04L 51/212   using filtering or selectiv...

Method of, and system for, heuristically detecting viruses in executable code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method of, and system for, heuristically detecting viruses in executable code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links