WO2004097604A3 - A method of, and system for, heuristically detective viruses in executable code - Google Patents


Info

Publication number
WO2004097604A3
Authority
WO
WIPO (PCT)
Prior art keywords
files
detective
heuristically
viruses
executable code
Prior art date
Application number
PCT/GB2004/000997
Other languages
French (fr)
Other versions
WO2004097604A2 (en)
Inventor
Alexander Shipp
Original Assignee
Messagelabs Ltd
Alexander Shipp
Priority date
Filing date
Publication date
Application filed by Messagelabs Ltd, Alexander Shipp
Priority to US10/500,954 (US7664754B2)
Priority to AU2004235514A (AU2004235514B2)
Priority to EP04718331A (EP1618446A2)
Publication of WO2004097604A2
Publication of WO2004097604A3

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking

Abstract

In an anti-virus scanning system for computer files being transferred between computers, the number of files requiring detailed scanning is first reduced by identifying files which are instances of programs which are known and deemed to be safe. This is done by reference to a database of known executables which records characteristics that can be used as the basis for identifying a file as an unchanged instance of a known executable. Secondly, these same characteristics can also be used to identify files which are changed instances of known executables. These are extremely suspicious, since the most likely cause of such a change is infection by a file-infecting virus, so these files are classed as likely to be malware.

Priority Applications (3)

Application Number | Publication | Priority Date | Filing Date | Title
US10/500,954 | US7664754B2 (en) | 2003-04-25 | 2004-03-08 | Method of, and system for, heuristically detecting viruses in executable code
AU2004235514A | AU2004235514B2 (en) | 2003-04-25 | 2004-03-08 | A method of, and system for, heuristically detective viruses in executable code
EP04718331A | EP1618446A2 (en) | 2003-04-25 | 2004-03-08 | A method of, and system for, heuristically detective viruses in executable code

Applications Claiming Priority (2)

Application Number | Publication | Priority Date | Filing Date | Title
GB0309464A | GB2400933B (en) | 2003-04-25 | 2003-04-25 | A method of, and system for, heuristically detecting viruses in executable code by detecting files which have been maliciously altered
GB0309464.6 | | 2003-04-25 | |

Publications (2)

Publication Number | Publication Date
WO2004097604A2 (en) | 2004-11-11
WO2004097604A3 (en) | 2005-03-10

Family

ID=33042177

Family Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
PCT/GB2004/000997 | WO2004097604A2 (en) | 2003-04-25 | 2004-03-08 | A method of, and system for, heuristically detective viruses in executable code

Country Status (6)

Country | Count | Link
US | 1 | US7664754B2 (en)
EP | 1 | EP1618446A2 (en)
AU | 1 | AU2004235514B2 (en)
GB | 1 | GB2400933B (en)
HK | 1 | HK1070440A1 (en)
WO | 1 | WO2004097604A2 (en)

Families Citing this family (52)

* Cited by examiner, † Cited by third party
Publication number | Cited by | Priority date | Publication date | Assignee | Title
EP1828902A4 (en) | * | 2004-10-26 | 2009-07-01 | Rudra Technologies Pte Ltd | System and method for identifying and removing malware on a computer system
US7917955B1 (en) | * | 2005-01-14 | 2011-03-29 | Mcafee, Inc. | System, method and computer program product for context-driven behavioral heuristics
US8719924B1 (en) | * | 2005-03-04 | 2014-05-06 | AVG Technologies N.V. | Method and apparatus for detecting harmful software
US8646080B2 (en) | * | 2005-09-16 | 2014-02-04 | Avg Technologies Cy Limited | Method and apparatus for removing harmful software
US20070067844A1 (en) | * | 2005-09-16 | 2007-03-22 | Sana Security | Method and apparatus for removing harmful software
US20060212940A1 (en) | * | 2005-03-21 | 2006-09-21 | Wilson Michael C | System and method for removing multiple related running processes
GB2427048A (en) | | 2005-06-09 | 2006-12-13 | Avecho Group Ltd | Detection of unwanted code or data in electronic mail
GB0513375D0 (en) | | 2005-06-30 | 2005-08-03 | Retento Ltd | Computer security
US20070016951A1 (en) | * | 2005-07-13 | 2007-01-18 | Piccard Paul L | Systems and methods for identifying sources of malware
GB2430284A (en) | * | 2005-09-16 | 2007-03-21 | Jeroen Oostendorp | Platform for message management
US20070074289A1 (en) | * | 2005-09-28 | 2007-03-29 | Phil Maddaloni | Client side exploit tracking
US8418245B2 (en) | * | 2006-01-18 | 2013-04-09 | Webroot Inc. | Method and system for detecting obfuscatory pestware in a computer memory
US8255992B2 (en) | * | 2006-01-18 | 2012-08-28 | Webroot Inc. | Method and system for detecting dependent pestware objects on a computer
US8713686B2 (en) | * | 2006-01-25 | 2014-04-29 | Ca, Inc. | System and method for reducing antivirus false positives
GB0605117D0 (en) | * | 2006-03-14 | 2006-04-26 | Streamshield Networks Ltd | A method and apparatus for providing network security
US8479174B2 (en) | * | 2006-04-05 | 2013-07-02 | Prevx Limited | Method, computer program and computer for analyzing an executable computer file
SG136828A1 (en) | * | 2006-04-25 | 2007-11-29 | Khee Seng Chua | Method of safeguarding against malicious software (malware)
US8065664B2 (en) | * | 2006-08-07 | 2011-11-22 | Webroot Software, Inc. | System and method for defining and detecting pestware
US8190868B2 (en) | | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection
US8201244B2 (en) | * | 2006-09-19 | 2012-06-12 | Microsoft Corporation | Automated malware signature generation
US9729513B2 (en) | | 2007-11-08 | 2017-08-08 | Glasswall (Ip) Limited | Using multiple layers of policy management to manage risk
GB2444514A (en) | | 2006-12-04 | 2008-06-11 | Glasswall | Electronic file re-generation
US8528089B2 (en) | * | 2006-12-19 | 2013-09-03 | Mcafee, Inc. | Known files database for malware elimination
IL181426A (en) | * | 2007-02-19 | 2011-06-30 | Deutsche Telekom Ag | Automatic extraction of signatures for malware
US8255999B2 (en) | | 2007-05-24 | 2012-08-28 | Microsoft Corporation | Anti-virus scanning of partially available content
US20080301796A1 (en) | * | 2007-05-31 | 2008-12-04 | Microsoft Corporation | Adjusting the Levels of Anti-Malware Protection
US8275842B2 (en) | | 2007-09-30 | 2012-09-25 | Symantec Operating Corporation | System and method for detecting content similarity within email documents by sparse subset hashing
US8037145B2 (en) | | 2007-09-30 | 2011-10-11 | Symantec Operating Corporation | System and method for detecting email content containment
US8108931B1 (en) | * | 2008-03-31 | 2012-01-31 | Symantec Corporation | Method and apparatus for identifying invariants to detect software tampering
US8381298B2 (en) | | 2008-06-30 | 2013-02-19 | Microsoft Corporation | Malware detention for suspected malware
US8220054B1 (en) | * | 2008-10-31 | 2012-07-10 | Trend Micro, Inc. | Process exception list updating in a malware behavior monitoring program
GB0822619D0 (en) | * | 2008-12-11 | 2009-01-21 | Scansafe Ltd | Malware detection
US8291497B1 (en) | * | 2009-03-20 | 2012-10-16 | Symantec Corporation | Systems and methods for byte-level context diversity-based automatic malware signature generation
EP2234349B8 (en) | * | 2009-03-27 | 2019-06-26 | Symantec Corporation | System and method for detecting email content containment
US8458232B1 (en) | * | 2009-03-31 | 2013-06-04 | Symantec Corporation | Systems and methods for identifying data files based on community data
US11489857B2 (en) | | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource
GB2470928A (en) | * | 2009-06-10 | 2010-12-15 | F Secure Oyj | False alarm identification for malware using clean scanning
KR101138748B1 (en) | * | 2010-01-22 | 2012-04-24 | 주식회사 안철수연구소 | Apparatus, system and method for preventing malicious codes
JP5557623B2 (en) | * | 2010-06-30 | 2014-07-23 | 三菱電機株式会社 | Infection inspection system, infection inspection method, recording medium, and program
CN101989320B (en) | * | 2010-10-12 | 2013-09-25 | 李彬杰 | Computer file processing method
TWI442260B (en) | * | 2010-11-19 | 2014-06-21 | Inst Information Industry | Server, user device and malware detection method thereof
US10574630B2 (en) | | 2011-02-15 | 2020-02-25 | Webroot Inc. | Methods and apparatus for malware threat research
US8427201B2 (en) | * | 2011-03-24 | 2013-04-23 | International Business Machines Corporation | Local result processor
GB2494105B (en) | * | 2011-08-20 | 2013-07-17 | Blis Media Ltd | Verifying the transfer of a data file
RU2491623C1 (en) | * | 2012-02-24 | 2013-08-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of verifying trusted files
US8943031B2 (en) | * | 2012-08-20 | 2015-01-27 | Red Hat, Inc. | Granular self-healing of a file in a distributed file system
US11126720B2 (en) | | 2012-09-26 | 2021-09-21 | Bluvector, Inc. | System and method for automated machine-learning, zero-day malware detection
US9292688B2 (en) | * | 2012-09-26 | 2016-03-22 | Northrop Grumman Systems Corporation | System and method for automated machine-learning, zero-day malware detection
GB2518880A (en) | | 2013-10-04 | 2015-04-08 | Glasswall Ip Ltd | Anti-Malware mobile content data management apparatus and method
WO2016081346A1 (en) | | 2014-11-21 | 2016-05-26 | Northrup Grumman Systems Corporation | System and method for network data characterization
US9330264B1 (en) | | 2014-11-26 | 2016-05-03 | Glasswall (Ip) Limited | Statistical analytic method for the determination of the risk posed by file based content
RU2606559C1 (en) | | 2015-10-22 | 2017-01-10 | Акционерное общество "Лаборатория Касперского" | System and method for optimizing of files antivirus checking

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Cited by | Priority date | Publication date | Assignee | Title
EP0813132A2 (en) | * | 1996-06-11 | 1997-12-17 | International Business Machines Corporation | Support for trusted software distribution
WO2002033525A2 (en) | * | 2000-10-17 | 2002-04-25 | Chuang Shyne Song | A method and system for detecting rogue software
GB2378015A (en) | * | 2001-07-26 | 2003-01-29 | Networks Assoc Tech Inc | Detecting computer programs within packed computer files
EP1291749A2 (en) | * | 2001-09-06 | 2003-03-12 | Networks Associates Technology, Inc. | Automatic builder of detection and cleaning routines for computer viruses

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number | Cited by | Priority date | Publication date | Assignee | Title
US5617533A (en) | * | 1994-10-13 | 1997-04-01 | Sun Microsystems, Inc. | System and method for determining whether a software package conforms to packaging rules and requirements
US7673342B2 (en) | * | 2001-07-26 | 2010-03-02 | Mcafee, Inc. | Detecting e-mail propagated malware
US7263561B1 (en) | * | 2001-08-24 | 2007-08-28 | Mcafee, Inc. | Systems and methods for making electronic files that have been converted to a safe format available for viewing by an intended recipient
US7356736B2 (en) | * | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance
US7107618B1 (en) | * | 2001-09-25 | 2006-09-12 | Mcafee, Inc. | System and method for certifying that data received over a computer network has been checked for viruses
US20030070088A1 (en) | * | 2001-10-05 | 2003-04-10 | Dmitry Gryaznov | Computer virus names cross-reference and information method and system
US7310818B1 (en) | * | 2001-10-25 | 2007-12-18 | Mcafee, Inc. | System and method for tracking computer viruses
US20030097378A1 (en) | * | 2001-11-20 | 2003-05-22 | Khai Pham | Method and system for removing text-based viruses
US7150042B2 (en) | * | 2001-12-06 | 2006-12-12 | Mcafee, Inc. | Techniques for performing malware scanning of files stored within a file storage device of a computer network
US7058975B2 (en) | * | 2001-12-14 | 2006-06-06 | Mcafee, Inc. | Method and system for delayed write scanning for detecting computer malwares
US7096500B2 (en) | * | 2001-12-21 | 2006-08-22 | Mcafee, Inc. | Predictive malware scanning of internet data
US7415726B2 (en) | * | 2001-12-28 | 2008-08-19 | Mcafee, Inc. | Controlling access to suspicious files
US7093121B2 (en) | * | 2002-01-10 | 2006-08-15 | Mcafee, Inc. | Transferring data via a secure network connection
US20040128355A1 (en) | * | 2002-12-25 | 2004-07-01 | Kuo-Jen Chao | Community-based message classification and self-amending system for a messaging system

Also Published As

Publication number | Publication date
US20050027686A1 (en) | 2005-02-03
EP1618446A2 (en) | 2006-01-25
WO2004097604A2 (en) | 2004-11-11
US7664754B2 (en) | 2010-02-16
GB2400933B (en) | 2006-11-22
AU2004235514B2 (en) | 2009-10-08
HK1070440A1 (en) | 2005-06-17
AU2004235514A1 (en) | 2004-11-11
GB2400933A (en) | 2004-10-27

Similar Documents

Publication | Title
WO2004097604A3 (en) | A method of, and system for, heuristically detective viruses in executable code
RU2607231C2 (en) | Fuzzy whitelisting anti-malware systems and methods
US7620990B2 (en) | System and method for unpacking packed executables for malware evaluation
HK1074687A1 (en) | Method and of system for heuristicaly detecting viruses in executable code
EP1959367B1 (en) | Automatic extraction of signatures for Malware
CN1147795C (en) | Method, system and medium for detecting and clearing known and anknown computer virus
US8261344B2 (en) | Method and system for classification of software using characteristics and combinations of such characteristics
US8352522B1 (en) | Detection of file modifications performed by malicious codes
JP2012501028A5 (en) |
WO2008054732A3 (en) | Virus localization using cryptographic hashing
RU2009141594A (en) | TRUSTED ENVIRONMENT FOR DETECTING MALICIOUS APPLICATIONS
WO2003017068A3 (en) | Preventing virus infection in a computer system
WO2004088483A3 (en) | System for and method of detecting malware in macros and executable scripts
US20110283358A1 (en) | Method and system to detect malware that removes anti-virus file system filter driver from a device stack
DE602005020889D1 (en) | Antivirus manifest for document printing
Pandey et al. | Performance of malware detection tools: A comparison
US8726377B2 (en) | Malware determination
JPWO2005103895A1 (en) | Computer virus specific information extraction apparatus, computer virus specific information extraction method, and computer virus specific information extraction program
Al-Anezi | Generic packing detection using several complexity analysis for accurate malware detection
Altaher et al. | Computer virus detection using features ranking and machine learning
US20060167948A1 (en) | Detection of computer system malware
Zarghoon et al. | Evaluation of AV systems against modern malware
CN1329828C (en) | Method and device for preventing computer virus
CN106127044A (en) | The detection method of a kind of function malice degree and device
Hu et al. | Unknown malicious executables detection based on run-time behavior

Legal Events

Date | Code | Title | Description
| WWE | Wipo information: entry into national phase | Ref document number: 10500954; Country of ref document: US
| AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW
| AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
| WWE | Wipo information: entry into national phase | Ref document number: 2004718331; Country of ref document: EP
| WWE | Wipo information: entry into national phase | Ref document number: 2004235514; Country of ref document: AU
| ENP | Entry into the national phase | Ref document number: 2004235514; Country of ref document: AU; Date of ref document: 20040308; Kind code of ref document: A
| WWP | Wipo information: published in national office | Ref document number: 2004235514; Country of ref document: AU
| WWP | Wipo information: published in national office | Ref document number: 2004718331; Country of ref document: EP