Title:
HISTOGRAM-BASED VIRUS DETECTION
Document Type and Number:
WIPO Patent Application WO2001069356
Kind Code:
A3
Abstract:
A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data file (410) for holding P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating instructions in the file. The emulating module (426) contains a histogram generation module (HGM) (436) for generating a histogram of characteristics of instructions emulated by the emulating module (426) and a histogram definition module (HDF) (438) for specifying the characteristics to be included in the generated histogram. The emulating module (426) uses the generated histogram (500) to determine how many of the instructions of the computer file (100) to emulate. The emulating module (426) emulates (712) instructions and the HGM (436) generates a histogram of the instructions until active instructions are not detected. When active instructions are not detected (714), a P-code module is executed (722) to analyze the histogram (500) and determine whether a file (100) contains a virus. The P-code can also decide to extend (728) emulation. The HGM (436) is also used to detect (822) the presence of dummy loops during virus decryption.
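The abstract describes a loop of emulate, build a histogram of instruction characteristics, stop when no active instructions are seen, hand the histogram to an analysis routine that may decide to extend emulation, and separately use the histogram to spot dummy loops. The following is an added illustration of that control flow, not code from the patent or from Symantec: the instruction categories, the definition of "active" (writes memory), the idle limits, the minimum instruction count and the decision rule in `analyze_histogram` are all constructed assumptions, and the instruction traces are synthetic stand-ins for what a real emulator would produce.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical histogram definition: which mnemonics fall into which category.
# This stands in for the patent's histogram definition data; the grouping is
# an assumption, not the patent's.
CATEGORY = {
    "xor": "arith", "add": "arith", "sub": "arith", "rol": "arith", "ror": "arith",
    "mov": "move", "inc": "counter", "dec": "counter",
    "jnz": "branch", "jmp": "branch", "loop": "branch",
    "nop": "inert", "cmp": "inert", "test": "inert",
}

MIN_INSNS = 16  # assumed: too few emulated instructions to judge a histogram


@dataclass(frozen=True)
class Insn:
    """One emulated instruction, reduced to the facts the histogram needs."""
    mnemonic: str
    dest: Optional[str] = None  # "reg", "mem" or None (no destination)
    backward: bool = False      # branch whose target precedes it, i.e. a loop edge


def is_active(insn: Insn) -> bool:
    """Assumption: an 'active' instruction is one that writes memory, which a
    decryptor must do to expose its payload."""
    return insn.dest == "mem"


def histogram(insns) -> Counter:
    """Count instruction categories plus two extra characteristics."""
    hist = Counter()
    for insn in insns:
        hist[CATEGORY.get(insn.mnemonic, "other")] += 1
        if insn.dest == "mem":
            hist["mem_write"] += 1
        if insn.backward:
            hist["back_branch"] += 1
    return hist


def emulate_with_histogram(trace, start, idle_limit):
    """Walk the trace from `start`, accumulating the histogram, and stop once
    `idle_limit` consecutive instructions were not active. Returns the
    histogram of the instructions consumed and the index where emulation stopped."""
    hist = Counter()
    idle = 0
    pos = start
    while pos < len(trace):
        insn = trace[pos]
        hist.update(histogram([insn]))
        pos += 1
        idle = 0 if is_active(insn) else idle + 1
        if idle >= idle_limit:
            break
    return hist, pos


def analyze_histogram(hist, emulated):
    """Stand-in for the P-code analysis step. Returns 'suspicious', 'clean' or
    'extend' (ask for more emulation before deciding). The rule is an assumption:
    a loop that repeatedly transforms data and writes it back looks like a decryptor."""
    if emulated < MIN_INSNS:
        return "extend"
    looping_memory_transform = (
        hist["back_branch"] >= 2 and hist["arith"] >= 2 and hist["mem_write"] >= 2
    )
    return "suspicious" if looping_memory_transform else "clean"


def scan(trace, idle_limit=6, extended_limit=32):
    """Emulate until activity stops, analyze, and honour a request to extend."""
    hist, pos = emulate_with_histogram(trace, 0, idle_limit)
    verdict = analyze_histogram(hist, pos)
    if verdict == "extend":
        more, pos = emulate_with_histogram(trace, pos, extended_limit)
        hist.update(more)
        verdict = analyze_histogram(hist, pos)
        if verdict == "extend":
            verdict = "clean"  # file exhausted without any decryption-like activity
    return verdict, hist, pos


def loop_is_dummy(body) -> bool:
    """A loop body whose histogram shows neither arithmetic nor memory writes only
    consumes emulation budget (assumed decoy); a decryptor loop does both."""
    hist = histogram(body)
    return hist["arith"] == 0 and hist["mem_write"] == 0


# Constructed traces (not real malware): a 4-iteration XOR decryptor followed by
# inert padding, a benign straight-line sequence, and a do-nothing counting loop.
DECRYPT_BODY = [Insn("mov", "reg"), Insn("xor", "reg"), Insn("mov", "mem"),
                Insn("inc", "reg"), Insn("dec", "reg"), Insn("jnz", backward=True)]
DECRYPTOR_TRACE = DECRYPT_BODY * 4 + [Insn("nop")] * 10
BENIGN_TRACE = [Insn("mov", "reg"), Insn("add", "reg"), Insn("cmp"), Insn("jnz"),
                Insn("mov", "reg")] + [Insn("nop")] * 15
DUMMY_BODY = [Insn("inc", "reg"), Insn("cmp"), Insn("jnz", backward=True)]

if __name__ == "__main__":
    for name, trace in (("decryptor", DECRYPTOR_TRACE), ("benign", BENIGN_TRACE)):
        verdict, hist, emulated = scan(trace)
        print(f"{name}: {verdict} after {emulated} instructions, {dict(hist)}")
    print("dummy loop:", loop_is_dummy(DUMMY_BODY), loop_is_dummy(DECRYPT_BODY))
```

On the decryptor trace the idle counter never reaches the limit inside the loop because every iteration writes memory, so emulation runs through all four iterations and three padding instructions before stopping with a histogram the analysis step flags; on the benign trace the first pass stops after six idle instructions, the analysis asks for an extension, and the full twenty-instruction histogram comes back clean.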

Inventors:
NACHENBERG CAREY S
Application Number:
PCT/US2001/008058
Publication Date:
January 30, 2003
Filing Date:
March 13, 2001
Assignee:
SYMANTEC CORP (US)
International Classes:
G06F1/00; G06F21/00; (IPC1-7): G06F1/00
Domestic Patent References:
WO1999015966A1 1999-04-01
Foreign References:
US5964889A 1999-10-12
US5826013A 1998-10-20
Other References:
NACHENBERG C S: "A NEW TECHNIQUE FOR DETECTING POLYMORPHIC COMPUTER VIRUSES. A THESIS SUBMITTED IN PARTIAL SATISFACTION OF THE REQUIREMENTS FOR THE DEGREE MASTER OF SCIENCE IN COMPUTER SCIENCE AND ENGINEERING", THESIS UNIVERSITY OF CALIFORNIA, XX, XX, PAGE(S) I-V,1-127, XP000197628