State-based cache for antivirus software
Abstract
A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (304) a state record, temporarily storing (305) the state record in memory, comparing (306) the constructed state record to state records stored in a state cache (158), and indicating (308) that the file is virus free when the constructed state record matches one of the stored state records.
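The flow in the abstract (simulate, suspend, construct a state record, compare against the cache) as an added Python sketch; it is not code from the patent. The toy instruction set, the fields in the state record, the SHA-256 digest, the instruction limit and the sample programs are all assumptions made for illustration.

```python
import hashlib

class VirtualCPU:
    """Toy 4-register machine standing in for the CPU emulator (assumed design)."""
    def __init__(self):
        self.regs, self.pc, self.executed = [0, 0, 0, 0], 0, 0

    def run(self, program, limit):
        """Simulate at most `limit` instructions, then suspend."""
        while self.executed < limit and self.pc < len(program):
            op, a, b = program[self.pc]
            self.pc += 1
            if op == "mov":                    # regs[a] = immediate b
                self.regs[a] = b & 0xFFFF
            elif op == "add":                  # regs[a] += regs[b], 16-bit wrap
                self.regs[a] = (self.regs[a] + self.regs[b]) & 0xFFFF
            elif op == "jnz":                  # jump to b when regs[a] != 0
                if self.regs[a] != 0:
                    self.pc = b
            else:
                raise ValueError(f"unknown opcode {op!r}")
            self.executed += 1

def state_record(program, limit):
    """Emulate, suspend, and digest the CPU state (fields and SHA-256 are assumptions)."""
    cpu = VirtualCPU()
    cpu.run(program, limit)
    raw = repr((cpu.regs, cpu.pc, cpu.executed)).encode()
    return hashlib.sha256(raw).hexdigest()

class StateCache:
    """Holds state records of programs already known to be clean."""
    def __init__(self):
        self.records = set()

    def add_clean(self, program, limit):
        self.records.add(state_record(program, limit))

    def no_virus_detected(self, program, limit):
        # A hit means the state matches a known-clean record; a miss decides nothing by itself.
        return state_record(program, limit) in self.records

# Constructed sample programs: sum 3+2+1 in r2; the second differs in one operand.
CLEAN = [("mov", 0, 3), ("mov", 1, 0xFFFF), ("mov", 2, 0),
         ("add", 2, 0), ("add", 0, 1), ("jnz", 0, 3), ("mov", 3, 7)]
CHANGED = [("mov", 0, 4)] + CLEAN[1:]
LIMIT = 8   # the "first predetermined number of instructions" (value assumed)

cache = StateCache()
cache.add_clean(CLEAN, LIMIT)
```

Here `cache.no_virus_detected(CLEAN, LIMIT)` is a cache hit, while `CHANGED` reaches a different register state within the same eight instructions and misses.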
15 Claims
1. A computer-implemented method for detecting computer viruses in a computer file before the computer file is actually executed, the method comprising:
- simulating execution of the computer file by a virtual CPU for a first predetermined number of instructions;
- suspending the simulated execution;
- constructing a state record of the virtual CPU;
- comparing the constructed state record to state records of clean programs previously stored in a state-based cache; and
- indicating that no virus is detected when the constructed state record matches one of the previously stored state records.

Dependent claims: 2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14
7. A system for detecting computer viruses in a computer file before the computer file is actually executed, the system comprising:
- a CPU emulator for simulating a first predetermined number of instructions of the computer file;
- a state-based cache for storing state records; and
- an emulation controller for halting the execution of the CPU emulator, constructing a current state record, comparing the current state record to state records of clean programs previously stored in the state-based cache, and indicating that no virus was detected when the current state record matches one of the previously stored state records.

Dependent claims: 15
8. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for detecting computer viruses in a computer file before the computer file is actually executed, comprising:
- computer-readable program code devices configured to simulate execution of the computer file on a CPU emulator for a first predetermined number of instructions;
- computer-readable program code devices configured to suspend the simulated execution;
- computer-readable program code devices configured to construct a state record of the CPU emulator;
- computer-readable program code devices configured to compare the constructed state record to state records of clean programs previously stored in a state-based cache; and
- computer-readable program code devices configured to indicate that no virus is detected when the constructed state record matches one of the previously stored state records.
Specification