Heuristic detection of malicious computer code by page tracking

Information security – Monitoring or scanning of software or data including attack...

Reexamination Certificate

Details

C726S024000

Reexamination Certificate

active

07418729

ABSTRACT:
To detect a computer virus in a host file (100), an emulating module (414) emulates the host file (100) in a virtual machine (422) having a virtual memory (426). While emulating the host file (100), the system (400) tracks the host file's access of the virtual memory (426). Responsive to an access in a non-normal address range of the virtual memory (426) by the host file (100), a flag recording module (522) sets a flag. A virus reporting module (526) declares a potential virus based on whether the flag is set.

