Method and apparatus for determination of the non-replicative behavior of a malicious program

  • US 7,103,913 B2
  • Filed: 05/08/2002
  • Issued: 09/05/2006
  • Est. Priority Date: 05/08/2002
  • Status: Active Grant
First Claim

1. A computer executed method for processing a suspect executable file, comprising:

    attempting to infect a known file using the suspect executable file and, if the attempt is successful, providing the infected known file as a sample, executing the sample in a controlled environment;

    determining a record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution;

    comparing the record to a stored record of side effects that occur in the environment as a result of a non-replicative behavior of the known file during its execution and deriving a set of characteristic side effects; and

    undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects;

    if the attempt to infect the known file is not successful, the method further includes;

    attempting to repair the suspect executable file and, if the attempt is successful, providing the repaired file as the sample;

    executing the sample in the controlled environment;

    determining a first record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution;

    executing the suspect executable file in the controlled environment;

    determining a second record of side effects that occur in the environment as a result of a non-replicative behavior of the suspect executable file during its execution;

    comparing the first record to the second record and deriving the set of characteristic side effects; and

    undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects.
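
The record comparison in claim 1, as an added Python example (not code from the patent). It assumes the controlled environment has already captured each run as a list of side effects; the `SideEffect` format, the `UNDO` table, the sample records, and treating the repaired file's record as the baseline in the second branch are all assumptions made for illustration.

```python
from typing import NamedTuple

class SideEffect(NamedTuple):
    kind: str    # assumed kinds: file_create, file_delete, file_modify, reg_set
    target: str  # path or registry key touched in the controlled environment

def characteristic(observed, baseline):
    """Side effects in `observed` that the baseline run did not produce."""
    return sorted(set(observed) - set(baseline))

def derive(infected_known=None, known_baseline=None, repaired=None, suspect=None):
    """Choose the claim's branch from the records that are available."""
    if infected_known is not None:
        # Infection succeeded: infected known file vs. stored record of the known file.
        return characteristic(infected_known, known_baseline)
    if repaired is not None:
        # Repair succeeded: suspect file vs. repaired file (assumed baseline).
        return characteristic(suspect, repaired)
    raise ValueError("no baseline: neither infection nor repair succeeded")

# Hypothetical mapping from a side effect to the action that undoes it.
UNDO = {
    "file_create": "delete {t}",
    "file_delete": "restore {t} from backup",
    "file_modify": "restore {t} from backup",
    "reg_set": "restore previous state of {t}",
}

def undo_plan(effects):
    """One undo action per effect; unknown kinds are only reported to the user."""
    return [UNDO.get(e.kind, "report {t} to user").format(t=e.target) for e in effects]

# Constructed records (not real sandbox output).
KNOWN_BASELINE = [
    SideEffect("file_create", r"C:\Temp\app.log"),
    SideEffect("reg_set", r"HKCU\Software\KnownApp\LastRun"),
]
INFECTED_KNOWN = KNOWN_BASELINE + [
    SideEffect("file_create", r"C:\Windows\dropped.dll"),
    SideEffect("reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]
REPAIRED = [SideEffect("file_create", r"C:\Temp\app.log")]
SUSPECT = REPAIRED + [SideEffect("file_delete", r"C:\Users\demo\notes.txt")]

if __name__ == "__main__":
    for action in undo_plan(derive(infected_known=INFECTED_KNOWN,
                                   known_baseline=KNOWN_BASELINE)):
        print(action)
```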
