Method of, and system for, heuristically detecting viruses in executable code
First Claim
1. An anti-malware file scanning system for computer files being transferred between computers, the system being implemented on a computer apparatus and comprising:
a) a computer database containing records of known executable programs which are deemed to be not malware and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
b) means for processing a file being transferred between computers, the means b) comprising:
a file recogniser operative to determine whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances;
a difference checker operative, in the case that the file recogniser determines the file being processed to be an instance of a known program, to check whether the file is an unchanged version of that known program;
c) means for signalling the file, depending on the determination made by the processing means, as being:
likely to be not malware if it is an unchanged version of a known file;
likely to be malware if it is a changed version of a known file;
or of unknown status if it is not determined as being an instance of a known file;
wherein the processor assigns a score to a file identified as likely to be malware, and storing the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
Abstract
In an anti-virus scanning system for computer files being transferred between computers, the number of files requiring detailed scanning is first reduced by identifying files which are instances of programs which are known and deemed to be safe. This is done by reference to a database of known executables which records characteristics which can be used as the basis for identifying a file as an unchanged instance of a known executable. Secondly, these characteristics can then also be used to identify files which are changed instances of known executables. These are extremely suspicious, since the most likely cause of change is infection by a file infecting virus, so these files are classed as likely to be malware.
11 Claims
5. A method of anti-malware scanning computer files being transferred between computers, the method comprising:
maintaining a computer database containing records of known executable programs which are deemed to be uninfected and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
processing a file being transferred between computers by determining whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances, and checking, in the case that the file is determined to be an instance of a known program, whether the file is an unchanged version of that known program;
signalling the file, depending on the determination made by the processing, as being:
likely to be not malware if it is an unchanged version of a known file;
likely to be malware if it is a changed version of a known file;
or of unknown status if it is not determined as being an instance of a known file;
wherein the processor assigns a score to a file identified as likely to be malware, and storing the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
(Dependent claims: 6, 7, 8)
9. An anti-malware file scanning system for computer files being transferred between computers, the system comprising:
a computer database containing records of known executable programs which are deemed to be not malware and criteria by which a file being processed can be determined to be an instance of one of those programs, the criteria including at least one characteristic signature associated with each said instance;
a processor for processing a file being transferred between computers, the processor being operative to determine whether the file being processed is an instance of a known program by checking the contents of the file being processed for the presence of said at least one characteristic signature associated with the said instances and, in the case that the file being processed is determined to be an instance of a known program, to check whether the file is an unchanged version of that known program, said processor, depending on the determination, identifying the file being processed as:
(i) likely to be not malware if it is an unchanged version of a known file;
(ii) likely to be malware if it is a changed version of a known file;
or (iii) of unknown status if it is not determined as being an instance of a known file;
wherein the processor assigns a score to a file identified as likely to be malware, and storing the determination that the file is likely to be not malware, is likely to be malware or is of unknown status.
(Dependent claims: 10, 11)
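The abstract and the three independent claims above describe one pipeline: a database of known, deemed-safe executables with a characteristic signature per program; a file recogniser that looks for such a signature; a difference checker that decides whether a recognised file is an unchanged instance; and a signaller that classifies the file as likely not malware, likely malware (with a score) or of unknown status, and stores the determination. The following Python is an added illustration of that pipeline written for this page; it is not the patent's or any product's code. The sample byte strings, the build-string signatures, the use of a SHA-256 digest as the "unchanged" criterion and the change-scoring heuristic are all assumptions (the claims require a score but do not define one).

```python
"""Heuristic known-executable classifier (added illustration, not the patent's own code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three outcomes named in the claims.
NOT_MALWARE = "likely not malware"
MALWARE = "likely malware"
UNKNOWN = "unknown status"


@dataclass(frozen=True)
class KnownProgram:
    """One record of the database of known, deemed-safe executables."""
    name: str
    signature: bytes   # characteristic byte sequence used by the file recogniser
    sha256: str        # digest of the unchanged instance, used by the difference checker
    reference: bytes   # full unchanged contents, kept so a change can be scored (assumption)


class KnownProgramDatabase:
    def __init__(self) -> None:
        self._records: List[KnownProgram] = []

    def add(self, name: str, contents: bytes, signature: bytes) -> None:
        if signature not in contents:
            raise ValueError("signature must occur in the unchanged program")
        digest = hashlib.sha256(contents).hexdigest()
        self._records.append(KnownProgram(name, signature, digest, contents))

    def recognise(self, contents: bytes) -> Optional[KnownProgram]:
        """File recogniser: does the file carry a known program's characteristic signature?"""
        for record in self._records:
            if record.signature in contents:
                return record
        return None


def is_unchanged(contents: bytes, record: KnownProgram) -> bool:
    """Difference checker: an unchanged instance has the recorded length and digest."""
    return (len(contents) == len(record.reference)
            and hashlib.sha256(contents).hexdigest() == record.sha256)


def change_score(contents: bytes, record: KnownProgram) -> int:
    """Assumed scoring heuristic: bytes differing in the overlapping region
    plus the size difference. The patent does not specify how the score is formed."""
    common = min(len(contents), len(record.reference))
    differing = sum(1 for a, b in zip(contents[:common], record.reference[:common]) if a != b)
    return differing + abs(len(contents) - len(record.reference))


@dataclass(frozen=True)
class Determination:
    status: str
    program: Optional[str]
    score: int


class Scanner:
    def __init__(self, db: KnownProgramDatabase) -> None:
        self.db = db
        # Stored determinations keyed by file digest, as the claims require.
        self.determinations: Dict[str, Determination] = {}

    def scan(self, contents: bytes) -> Determination:
        digest = hashlib.sha256(contents).hexdigest()
        if digest in self.determinations:          # already determined: reuse
            return self.determinations[digest]
        record = self.db.recognise(contents)
        if record is None:
            result = Determination(UNKNOWN, None, 0)
        elif is_unchanged(contents, record):
            result = Determination(NOT_MALWARE, record.name, 0)
        else:
            result = Determination(MALWARE, record.name, change_score(contents, record))
        self.determinations[digest] = result
        return result


# Constructed sample "executables": a header, a build string that serves as the
# characteristic signature, and 64 body bytes. None of these are real programs.
CALC_EXE = b"MZ\x90\x00" + b"\x00" * 28 + b"CALC-BUILD-4711:" + bytes(range(64))
NOTEPAD_EXE = b"MZ\x90\x00" + b"\x00" * 28 + b"NOTEPAD-BUILD-2020:" + bytes(range(255, 191, -1))
# A constructed modified copy of CALC_EXE: two body bytes overwritten, 13 bytes appended.
# The signature is intact, so it is recognised but fails the difference check.
CALC_CHANGED = CALC_EXE[:50] + b"\xeb\xfe" + CALC_EXE[52:] + b"APPENDED-TAIL"
# A constructed file that matches no known program.
UNKNOWN_FILE = b"\x7fELF" + b"\x00" * 60 + b"unrelated-build"


def build_sample_database() -> KnownProgramDatabase:
    db = KnownProgramDatabase()
    db.add("calc", CALC_EXE, b"CALC-BUILD-4711:")
    db.add("notepad", NOTEPAD_EXE, b"NOTEPAD-BUILD-2020:")
    return db


def demo() -> Dict[str, Determination]:
    scanner = Scanner(build_sample_database())
    return {
        "calc": scanner.scan(CALC_EXE),
        "calc_changed": scanner.scan(CALC_CHANGED),
        "notepad": scanner.scan(NOTEPAD_EXE),
        "unknown": scanner.scan(UNKNOWN_FILE),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:13s} {d.status:20s} program={d.program} score={d.score}")
```

The order of the two checks is the point of the abstract: the signature lookup is cheap and prunes the unchanged, known files first, and only a file that carries a known signature yet fails the digest comparison is flagged as a changed instance. A file with no known signature is reported as unknown rather than clean, which is what leaves it for the detailed scan the abstract refers to.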