| 摘要 |
A Polymorphic Anti-Virus Module (PAM) (200) comprises a CPU emulator (210) for emulating the target program, a virus signature scanning module (250) for scanning decrypted virus code, and an emulation control module (220), including a static exclusion module (230), a dynamic exclusion module (240), instruction/interrupt usage profiles (224) for the mutation engines (162) of the known polymorphic viruses (150), size and target file types (226) for these viruses, and a table (228) having an entry for each known polymorphic virus (150). Prior to emulation, the static exclusion module (230) examines the gross characteristics of the target file for attributes that are inconsistent with the size/type data (226), and excludes polymorphic viruses (150) from the list (228) accordingly. During emulation, the dynamic exclusion module (240) compares fetched instructions with the instruction/interrupt usage profiles (224) to determine when emulation has proceeded to a point where at least some code from the decrypted static virus body (160) may be scanned for virus signatures. |
