State-based cache for antivirus software

US 5,999,723 A
Filed: 12/01/1998
Issued: 12/07/1999
Est. Priority Date: 09/28/1995
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method for detecting computer viruses in a computer file before the computer file is actually executed, the method comprising:

simulating execution of the computer file by a virtual CPU for a first predetermined number of instructions;

suspending the simulated execution;

constructing a state record of the virtual CPU;

comparing the constructed state record to state records of clean programs previously stored in a state-based cache; and

indicating that no virus is detected when the constructed state record matches one of the previously stored state records.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (304) a state record, temporarily storing (305) the state record in memory, comparing (306) the constructed state record to state records stored in a state cache (158), and indicating (308) that the file is virus free when the constructed state record matches one of the stored state records.

75 Citations

View as Search Results

15 Claims

1. A computer-implemented method for detecting computer viruses in a computer file before the computer file is actually executed, the method comprising:
- simulating execution of the computer file by a virtual CPU for a first predetermined number of instructions;
  
  suspending the simulated execution;
  
  constructing a state record of the virtual CPU;
  
  comparing the constructed state record to state records of clean programs previously stored in a state-based cache; and
  
  indicating that no virus is detected when the constructed state record matches one of the previously stored state records.
- View Dependent Claims (2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising, if the constructed state record does not match one of the previously stored state records, resuming the simulated execution until satisfaction of a criterion from a group of criteria including:
    - detection of a computer virus; and
      
      determination to a high level of certainty that the computer file is virus free.
  - 3. The method of claim 2, further comprising:
    - storing the constructed state record in the state-based cache when the computer file is determined to a high level of certainty to be virus free.
  - 4. The method of claim 1, wherein each state record includes a value of a virtual instruction pointer within the virtual CPU.
  - 5. The method of claim 1, wherein each state record includes values of virtual general registers within the virtual CPU.
  - 6. The method of claim 1, wherein each state record includes a total number of data writes to a virtual memory performed during the simulated execution of the computer file by the within the virtual CPU.
  - 9. The method of claim 1, wherein the first predetermined number of instructions is substantially less than a total number of instructions in the target file.
  - 10. The method of claim 3, wherein the storing is performed only when a total number of instructions emulated by the virtual CPU is greater than a second predetermined number of instructions.
  - 11. The method of claim 10, wherein the second predetermined number of instructions is substantially greater than the first predetermined number of instructions but is substantially less than a total number of instructions in the target file.
  - 12. The method of claim 1, further comprising re-simulating the execution of the computer file after adjusting the virtual CPU to correspond to a different CPU version.
  - 13. The method of claim 1, wherein the virtual CPU simulates execution of native CPU instructions in a protective virtual environment.
  - 14. The method of claim 1, wherein each state record includes a file size.

7. A system for detecting computer viruses in a computer file before the computer file is actually executed, the system comprising:
- a CPU emulator for simulating a first predetermined number of instructions of the computer file;
  
  a state-based cache for storing state records; and
  
  an emulation controller for halting the execution of the CPU emulator, constructing a current state record, comparing the current state record to state records of clean programs previously stored in the state-based cache, and indicating that no virus was detected when the current state record matches one of the previously stored state records.
- View Dependent Claims (15)
- - 15. The system of claim 7, wherein the system is coupled to a network and the computer file is being transferred from the network to the system.

8. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for detecting computer viruses in a computer file before the computer file is actually executed, comprising:
- computer-readable program code devices configured to simulate execution of the computer file on a CPU emulator for a first predetermined number of instructions;
  
  computer-readable program code devices configured to suspend the simulated execution;
  
  computer-readable program code devices configured to construct a state record of the CPU emulator;
  
  computer-readable program code devices configured to compare the constructed state record to state records of clean programs previously stored in a state-based cache; and
  
  computer-readable program code devices configured to indicate that no virus is detected when the constructed state record matches one of the previously stored state records.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Teska, Kevin J.
Assistant Examiner(s)
Fiul, Dan

Application Number

US09/203,828
Time in Patent Office

371 Days
Field of Search

713/323, 395/500.34, 395/500.42, 395/500.43, 395/500.44, 395/500.47
US Class Current

703/22
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

State-based cache for antivirus software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

State-based cache for antivirus software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links