Information security – Prevention of unauthorized use of data including prevention...
Reexamination Certificate
2003-03-31
2008-03-04
Moazzami, Nasser (Department: 2136)
Information security
Prevention of unauthorized use of data including prevention...
C726S022000, C726S023000, C726S024000, C713S165000, C713S167000, C713S188000
Reexamination Certificate
active
07340777
ABSTRACT:
Characteristics of a call module originating a critical operating system function call are analyzed for indications of suspicious content, and a virus threshold counter is incremented appropriately. For example, the memory image of the call module is compared with its file image for indications of suspicious content. If a determination is made that the virus threshold counter exceeds a virus threshold, there is a significant probability that malicious code is executing on the host computer system. Thus, the user of the host computer system and/or an administrator are notified that malicious code is possibly executing on the host computer system.
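The heuristic described in the abstract, as an added illustrative example in Python; this is not code from the patent or from Symantec. The module record, the two indicators (memory image differing from file image, call returning outside the module's mapped range), the threshold value and the sample modules are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical model of a call module: its code section as read from the
# backing file, the same section as currently mapped in memory, and the
# address range the module occupies in the process.
@dataclass
class CallModule:
    name: str
    file_code: bytes          # code section from the file image
    memory_code: bytes        # code section as mapped in memory
    base: int                 # mapped base address
    size: int                 # mapped size in bytes
    file_backed: bool = True  # False when the memory maps no file at all

VIRUS_THRESHOLD = 2  # assumed: counter value above which the host is flagged

def suspicious_indicators(mod: CallModule, return_addr: int) -> List[str]:
    """Name every indicator that fires for one critical system call."""
    hits = []
    if not mod.file_backed:
        hits.append("call originates from memory with no backing file")
    elif mod.memory_code != mod.file_code:
        hits.append("memory image of code section differs from file image")
    if not (mod.base <= return_addr < mod.base + mod.size):
        hits.append("return address lies outside the module's mapped range")
    return hits

def evaluate_calls(calls) -> Tuple[int, bool]:
    """Run the heuristic over (module, return address) pairs.

    The virus threshold counter gains one point per indicator; the second
    return value is True when the counter exceeds VIRUS_THRESHOLD, i.e. the
    user or administrator should be notified.
    """
    counter = 0
    for mod, return_addr in calls:
        counter += len(suspicious_indicators(mod, return_addr))
    return counter, counter > VIRUS_THRESHOLD

# Constructed samples: an unmodified library, and a module whose code section
# was altered after loading and which also calls from outside its own range.
CLEAN = CallModule("clean.dll", b"\x55\x8b\xec\xc3", b"\x55\x8b\xec\xc3", 0x77E00000, 0x1000)
PATCHED = CallModule("altered.dll", b"\x55\x8b\xec\xc3", b"\x90\x90\xeb\xfe", 0x10000000, 0x1000)

if __name__ == "__main__":
    print(evaluate_calls([(CLEAN, 0x77E00010)]))                            # (0, False)
    print(evaluate_calls([(PATCHED, 0x10000010), (PATCHED, 0x00400000)]))  # (3, True)
```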
REFERENCES:
patent: 5274819 (1993-12-01), Blomfield-Brown
patent: 5361359 (1994-11-01), Tajalli et al.
patent: 5367682 (1994-11-01), Chang
patent: 5398196 (1995-03-01), Chambers
patent: 5696822 (1997-12-01), Nachenberg
patent: 5822517 (1998-10-01), Dotan
patent: 6275938 (2001-08-01), Bond et al.
patent: 6301699 (2001-10-01), Hollander et al.
patent: 6357008 (2002-03-01), Nachenberg
patent: 6480962 (2002-11-01), Touboul
patent: 6577920 (2003-06-01), Hyppönen et al.
patent: 6775780 (2004-08-01), Muttik
patent: 7028305 (2006-04-01), Schaefer
patent: 7069581 (2006-06-01), Fu et al.
patent: 7085928 (2006-08-01), Schmid et al.
Farmer, D., et al., “Forensic Discovery”, Addison Wesley Professional, Dec. 30, 2004, entire document, http://www.porcupine.org/forensics/forensic-discovery/chapter6.html.
Szor, P., “Attacks on WIN32”, Virus Bulletin Conference, Oct. 1998, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 57-84.
Szor, P., “Memory Scanning Under Windows NT”, Virus Bulletin Conference, Sep. 1999, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-22.
Szor, P., “Attacks on WIN32-Part II”, Virus Bulletin Conference, Sep. 2000, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 47-68.
Chien, E. and Szor, P., “Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques In Computer Viruses”, Virus Bulletin Conference, Sep. 2002, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-36.
Buysse, J., “Virtual Memory: Window NT® Implementation”, pp. 1-15 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://people.msoe.edu/~barnicks/courses/cs384/papers19992000/buyssej-Term.pdf>.
Dabak, P., Borate, M. and Phadke, S., “Hooking Windows NT System Services”, pp. 1-8 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.windowsitlibrary.com/Content/356/06/2.html>.
“How Entercept Protects: System Call Interception”, pp. 1-2 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.entercept.com/products/technology/kernelmode.asp>. No author provided.
“How Entercept Protects: System Call Interception”, p. 1 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.entercept.com/products/technology/interception.asp>. No author provided.
Kath, R., “The Virtual-Memory Manager in Windows NT”, pp. 1-11 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://msdn.microsoft.com/library/en-us/dngenlib/html/msdn—ntvmm.asp?frame=true>.
Szor, P. and Kaspersky, E., “The Evolution of 32-Bit Windows Viruses”, Windows & .NET Magazine, pp. 1-4 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.winnetmag.com/Articles/Print.cfm?ArticleID=8773>.
Szor, P., “The New 32-bit Medusa”, Virus Bulletin, Dec. 2000, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 8-10.
Szor, P., “Shelling Out”, Virus Bulletin, Feb. 1997, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 6-7.
McCorkendale, B. and Szor, P., “Code Red Buffer Overflow”, Virus Bulletin, Sep. 2001, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 4-5.
Nachenberg, C., “A New Technique for Detecting Polymorphic Computer Viruses”, University of California, Los Angeles, 1995.
Baum Ronald
Gunnison McKay & Hodgson, L.L.P.
Hodgson Serge J.
Moazzami Nasser
Symantec Corporation
TITLE: In memory heuristic system and method for detecting viruses