Title: Computer virus detection systems and methods
Abstract: Systems and methods for computer virus detection are presented. In one embodiment, a computer virus detection method includes: receiving an indication of a change to a file; performing a virus analysis process, including executing the change to the file in a virtual machine and examining the results of executing the change; and handling the file based upon the virus analysis. The virus analysis can be performed on the same system in which the change to the file occurs. Handling the file can include treating the file as potentially infected with a virus based upon the virus analysis. In one exemplary implementation, examining the results includes comparing the results of executing the change to the file with the results of executing a change to another file, wherein the file is identified as potentially infected with a virus if the examination indicates that the results of executing the change to the file are similar to the results of executing the change to the other file. Examining the results includes examining the behavior resulting from executing the file (e.g., examining system calls). The outcome of the examination can be forwarded for use in developing virus data sets.
Publication number: US8782791(B2) Publication date: 2014.07.15
Application number: US201012958306 Filing date: 2010.12.01
Applicant: Symantec Corporation Inventor: Sankruthi Anand D.
Classification: G06F21/00;H04L29/06;G06F21/56 Main classification: G06F21/00
Attorney firm: Wilmer Cutler Pickering Hale and Dorr LLP Attorney: Wilmer Cutler Pickering Hale and Dorr LLP
Independent claim: 1. A computer virus detection method comprising: performing a virus analysis process, including: executing changes to a first and a second file in a virtual machine; comparing resulting behavior of executing said changes to said first file in said virtual machine to resulting behavior of executing said changes to said second file in said virtual machine; and executing said changes to said first and second files outside the virtual machine based upon receiving an indication from said virus analysis process that said first and second files are not infected; wherein said first and second files are identified as potentially infected with a virus if said resulting behavior of executing said changes to said first file in said virtual machine shares common characteristics with said resulting behavior of executing said changes to said second file in said virtual machine.
Address: Mountain View CA US
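The comparison and handling steps described in the abstract and in claim 1, as an added worked example (this is not Symantec's code and is not taken from the patent). It assumes that the sandbox VM records each file's post-change behavior as a sequence of (system call, target) events; the traces below are constructed sample data, and the feature representation (bigrams of system call plus a coarse target class), the Jaccard similarity measure, the `/home/user/docs` location and the 0.4 threshold are all assumed choices, not anything the patent specifies. Two documents whose changes behave alike (open a sibling document, write to it, connect out, run a dropped binary) are flagged as potentially infected; an ordinary in-place edit is cleared and may be applied outside the VM.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

Event = Tuple[str, str]          # (system call, target it touched)
Bigram = Tuple[str, str]

# Constructed sample data (not from the patent): what the sandbox VM might record
# when the *change* made to each file is executed. "report.doc" and "invoice.doc"
# received changes that behave alike; "notes.txt" received an ordinary edit.
SAMPLE_TRACES: Dict[str, List[Event]] = {
    "report.doc": [
        ("open", "/home/user/docs/report.doc"),
        ("open", "/home/user/docs/other.doc"),
        ("write", "/home/user/docs/other.doc"),
        ("connect", "203.0.113.5:80"),
        ("execve", "/tmp/.x"),
    ],
    "invoice.doc": [
        ("open", "/home/user/docs/invoice.doc"),
        ("readdir", "/home/user/docs"),
        ("open", "/home/user/docs/memo.doc"),
        ("write", "/home/user/docs/memo.doc"),
        ("connect", "203.0.113.5:80"),
        ("execve", "/tmp/.x"),
    ],
    "notes.txt": [
        ("open", "/home/user/docs/notes.txt"),
        ("write", "/home/user/docs/notes.txt"),
        ("close", "/home/user/docs/notes.txt"),
    ],
}

DOCS_DIR = "/home/user/docs"          # assumed location of the user's documents
REMOTE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def classify_target(changed_file: str, target: str) -> str:
    """Map a concrete path or endpoint to a coarse class so that traces from
    different files become comparable (assumed classification scheme)."""
    if target.endswith("/" + changed_file):
        return "self"
    if REMOTE.match(target):
        return "remote"
    if target.startswith(DOCS_DIR):
        return "sibling"
    return "other"


def behaviour_features(changed_file: str, events: List[Event]) -> FrozenSet[Bigram]:
    """Bigrams of 'syscall:target_class' tokens: the 'common characteristics'
    that the comparison step looks for in two files' post-change behaviour."""
    tokens = [f"{call}:{classify_target(changed_file, tgt)}" for call, tgt in events]
    return frozenset(zip(tokens, tokens[1:]))


def jaccard(a: FrozenSet[Bigram], b: FrozenSet[Bigram]) -> float:
    """Similarity of two feature sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def analyze(traces: Dict[str, List[Event]], threshold: float = 0.4) -> Dict[str, str]:
    """Compare every pair of files. Any file whose post-change behaviour is at
    least `threshold` similar to another file's is marked potentially infected."""
    feats = {name: behaviour_features(name, ev) for name, ev in traces.items()}
    verdict = {name: "clean" for name in traces}
    names = sorted(traces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(feats[a], feats[b]) >= threshold:
                verdict[a] = verdict[b] = "potentially infected"
    return verdict


def changes_to_apply_outside_vm(verdict: Dict[str, str]) -> List[str]:
    """Handling step: only changes the analysis cleared are released to the
    real system; the rest are held (and could be forwarded as virus data)."""
    return sorted(name for name, v in verdict.items() if v == "clean")


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACES)
    for name, status in result.items():
        print(f"{name}: {status}")
    print("release outside VM:", changes_to_apply_outside_vm(result))
```

The point of comparing changes across files rather than scanning each change in isolation is that a file-infecting virus appends the same payload to every victim, so unrelated documents suddenly share the same post-change behavior even when that behavior matches no known signature. The same property is the method's weak spot: two files saved by the same legitimate tool will also share characteristics, so the threshold and the feature abstraction decide the false-positive rate, and a cleared verdict only means the sandbox saw nothing shared, not that the change is safe.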