Slashdot Mirror


Symantec Patents Multiple File Area Virus Scanning

DigitumDei writes "Symantec announced on Wednesday that it has acquired a new patent (United States Patent 6,851,057) titled 'Data driven detection of viruses'. Symantec has declined to comment on whether it will pursue litigation. Symantec's director of intellectual property, Michael Schallop, stated: 'We don't generally discuss how we will leverage this patent against competitors or others.'" From the article: "[The patent] could refer to any technology that allows antivirus researchers or antivirus products to use scripting to determine, dynamically, where in a file to scan and detect threats. It could also include the use of JavaScript or other common scripting languages to direct antivirus scanning..."

10 of 226 comments

  1. Please... by Foobar of Borg · Score: 4, Informative

    before anyone starts frothing at the mouth and gives the usual /. response of "What? Someone got a patent? Kill! Kill! Kill!", please read claims 1, 8 and 14 (the independent claims).

  2. Re:Good for Symantec by numatrix · Score: 2, Informative

    Are you kidding?

    Exactly what part of this is 'non-obvious to a skilled practitioner'? I only dabble part-time in AV research and am certainly not a highly recognized researcher in the field, and it is still pretty darn obvious to me. Heck, I've written my own scripting engines around multiple anti-virus engines to scan files. First, I'm quite sure somebody's done this before Symantec, and secondly, it shouldn't even matter since this fails the non-obvious test.

    What will it take to shake the USPTO awake? It is NOT the courts' place to decide (after expensive litigation) that patents are overly broad.

  3. Re:More patent problems by Foobar of Borg · Score: 2, Informative
    Patents are granted to everybody who applies, and it's just left up to the courts to decide if it's valid or not.

    Um, despite /. hyperbole, a lot of patents do get completely rejected until the prosecution runs out. Even if they are granted, the claims tend to get whittled down a lot during prosecution.

    As for small developers, it is possible to file under "small entity" status, which is cheaper. The most expensive part of getting a patent is the fees for the patent attorneys.

  4. Claim by Claim analysis? by SuperficialRhyme · Score: 4, Informative
    I'm not an antivirus software developer so I really don't know what exactly these claims are referring to. The background of the patent helps a bit, but it seems to me that the patent refers to a program which uses an emulator to catch the point where a program's code is being passed off to viral code.

    Could someone give better summary claim by claim?

    I'll provide the claims here to give a starting point. Let's try to actually see what's getting patented here and whether or not it really is novel.

    I claim:

    1. A virus detection system for detecting if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the system comprising:

    an engine for controlling operation of the virus detection system responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus;

    an emulating module coupled to the engine for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during the emulation of an entry point of the file infected by the virus; and

    a scanning module coupled to the engine for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature in a scanned region indicates that the file is infected by the virus.

    2. The virus detection system of claim 1, further comprising:

    a custom module coupled to the engine for executing custom virus-detection code responsive to invocation by the engine.

    3. The virus detection system of claim 1, wherein the intermediate language is P-code and the engine comprises:

    a P-code interpreter for interpreting the P-code and controlling the operation of the virus detection system responsive thereto.

    4. The virus detection system of claim 3, wherein the engine further comprises:

    primitives for performing operations with respect to the file and the virtual memory responsive to invocations of the primitives by the P-code.

    5. The virus detection system of claim 1, further comprising:

    a virus definition file coupled to the scanning module for holding virus signatures for use by the scanning module.

    6. The virus detection system of claim 1, wherein the instructions stored in the intermediate language post regions of the file for scanning by the scanning module.

    7. The virus detection system of claim 6, wherein postings identifying overlapping regions are merged into a single posting identifying the regions of the merged postings.

    8. A method for detecting a virus in a computer file, the file having a plurality of potential virus entry points, the method comprising the steps of:

    executing instructions stored in an intermediate language representation, the instructions performing the steps of:

    examining regions of the file for possible infection by viruses and posting for scanning any regions exhibiting characteristics indicating a possible virus infection;

    examining the plurality of potential virus entry points of the file for possible infections by viruses and posting for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection; and

    examining the posted regions of the file to algorithmically determine whether the file is infected with a virus.

    9. The method of claim 8, wherein the instructions further perform the steps of:

    merging overlapping regions posted for scanning.

    10. The method of claim 8, wherein the instructions further perform the step of:

    calling a custom executable program to determine when the file is infected with a virus.

    11. The method of claim 8, further comprisi
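
As an added illustration of what claims 1 and 6 through 9 describe (my own toy code, not Symantec's and not taken from the patent): a script written in a tiny intermediate language decides which regions of a file get posted, overlapping postings are merged into one, and signatures are looked for only inside the posted regions. The 4-byte file header, the three opcodes and the signature string are all constructed for the demo.

```python
# Added example: a data-driven scanner in the shape of claims 1 and 6-9.
# Not Symantec's code; file layout, opcodes and signatures are constructed.
from typing import List, Tuple

Region = Tuple[int, int]  # (start, end) byte offsets, end exclusive

def merge_regions(posted: List[Region]) -> List[Region]:
    """Claims 7/9: overlapping postings collapse into a single region."""
    merged: List[Region] = []
    for start, end in sorted(posted):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def run_script(script, data: bytes) -> List[Region]:
    """Claim 8: interpret a posting script. Each instruction examines the file
    and posts regions; the primitives read the constructed 4-byte header."""
    posted: List[Region] = []
    for op, *args in script:
        if op == "post_entry":      # N bytes starting at the header's entry offset
            entry = int.from_bytes(data[2:4], "little")
            posted.append((entry, min(entry + args[0], len(data))))
        elif op == "post_tail":     # last N bytes (where an appending infector lands)
            posted.append((max(0, len(data) - args[0]), len(data)))
        elif op == "post_if_magic": # a fixed region, only if the magic bytes match
            magic, start, length = args
            if data.startswith(magic):
                posted.append((start, min(start + length, len(data))))
    return merge_regions(posted)

def scan(data: bytes, signatures: dict, script) -> List[str]:
    """Last step of claim 8: look for signatures only inside the posted regions.
    Merging first also means one signature in an overlap is reported once."""
    hits: List[str] = []
    for start, end in run_script(script, data):
        chunk = data[start:end]
        hits.extend(name for name, sig in signatures.items() if sig in chunk)
    return hits

SIGNATURES = {"Constructed.A": b"CONSTRUCTED-SIG-A"}   # constructed, not a real signature
SCRIPT = [("post_entry", 32), ("post_tail", 24), ("post_if_magic", b"MZ", 0, 16)]

def build_sample(infected: bool) -> bytes:
    """Constructed file: 2-byte magic, 2-byte LE entry offset (64), 60 filler bytes, body."""
    body = b"CONSTRUCTED-SIG-A" if infected else b"benign-payload-xx"
    return b"MZ" + (64).to_bytes(2, "little") + b"\x90" * 60 + body
```

Running `scan(build_sample(True), SIGNATURES, SCRIPT)` posts (0, 16), (57, 81) and (64, 81), merges the last two, and reports the constructed signature once.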

  5. RTFP by numatrix · Score: 3, Informative

    Actually, I take my previous comment back. This ~is~ a reasonable patent for Symantec. Go and actually read it. In its entirety, it probably is non-obvious, and is a reasonable patent, though nothing particularly stellar.

    It's especially not a problem because working around it doesn't look hard at all. You can do everything they do in the patent, for example, omitting any intermediary code (P-Code), and you apparently wouldn't be violating it.

    For that matter, the patent's main application is for files with multiple entry points and scanning specifically for polymorphic viruses using a scripting engine capable of handing different pieces of code off to different analysis engines and passing things around.

    Again, not exactly brilliant, but probably a reasonable patent; also because it's probably not hard to code around.

  6. Re:evil, again by mattyrobinson69 · Score: 2, Informative

    you mean something like clamAV?

  7. Re:While we are ranting ..... by Lisandro · Score: 2, Informative

    You did fine. The days when "Norton" products were any good are long past by. They seem to have him stuffed in position with arms crossed for the photos alone these days.

    I would recommend Avast! antivirus - it uses a fraction of the resources of NAV200x, and works better too, IMHO. The difference in performance after replacing NAV with A! on my mother's PC was ridiculous.

    Not only that, registration is free for personal use.

  8. Re:Closed source protects against this? by Anonymous Coward · Score: 1, Informative

    If your closed-source program acts an awful lot like it infringed a patent you could be taken to court for patent violation (maybe after you refuse an offer to license said patent) and forced to reveal source code.
    Some patents are more obvious than others (e.g. dealing with file formats).
    Patent owners might quietly reverse engineer a program and have a look to be sure their suit succeeds, but aren't going to admit it (and it would be hard for the defence to prove it).

  9. Lots of prior art on this patent by oldfogie · Score: 5, Informative
    FWIW, I am an (ex-)anti-virus author, and I actually looked at this patent.

    First, the person who wrote the text should be shot... it's worded to be as confusing as possible, so that even an expert in the field can't readily tell what is being covered in the patent.

    Next, from what I can tell, the patent seems to cover 3 main points (in various flavors, to come up with their 20 points):
    1) We don't just scan for strings, we take into consideration what sort of virus it might be, and only scan in the appropriate place.
    2) We have a "scripting language" that can direct the virus scan.
    3) We can emulate a "virus target" and see if the virus goes for it.
    All of these points were done years ago. The first two points were "state of the art" as of 1990. The product I worked on (name withheld for various reasons. Sorry about that...) was, at the time, unlike the other virus scanners out there. It used "precision scanning" in which the nature of the virus being scanned for was taken into account, and was scanned for ONLY AT THE LOCATION AT WHICH THE INFECTION WOULD OCCUR. This was a major differentiation from the "bulk scanners" (i.e. run the entire file through a string filter that contains all virus signatures, and see if there are any matches. As a trivia note, "bulk scanners" are why all anti-virus scanners use encrypted (in some trivial way) virus signatures -- so that a virus scanner would not be identified as an infected file by another virus scanner, or even by itself!) that all other major anti-virus vendors used.

    Also, the virus scanner I wrote included a scripting language so that users could add their own virus scan and remove definitions.

    As for emulating a virus target and seeing if the virus "bites", that is also old hat. While a commercial product was never introduced, a lab prototype was publicly demonstrated in 1996, in which files under examination were interpreted in a virtual 80x86 environment, including OS and file system, both to see if they did anything suspicious, and to see if they "tagged along" on "provocative" system calls.

    And, yes, I still have my old code sitting around. It would be a pity if someone suddenly showed it to Symantec or the patent office...
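
To make the "precision scanning" and "bulk scanner" points above concrete, an added example (my own toy code, not the poster's product and not Symantec's): each definition says where its kind of infector would leave its body and is checked only there, and the signature table is XOR-obfuscated so a bulk scan over the scanner's own definitions finds nothing, while the same table stored in clear would be flagged. The COM-like file layout with a leading jmp, the XOR key and every signature are constructed.

```python
# Added example of the two points above: scan only where a given infector would put
# its body ("precision scanning"), and keep signatures trivially encrypted so the
# scanner's own definition table is not itself flagged. Constructed, not the poster's code.
XOR_KEY = 0x5A  # trivial obfuscation, as the post describes; not meant to resist anyone

def obfuscate(sig: bytes) -> bytes:
    """XOR is its own inverse, so the same call encodes at rest and decodes at use."""
    return bytes(b ^ XOR_KEY for b in sig)

# "locate" says where this kind of infector leaves its body, i.e. the only place to look.
DEFINITIONS = {
    "Constructed.Appender": {"locate": "entry_jump", "sig": obfuscate(b"CONSTRUCTED-APPEND")},
    "Constructed.Prepender": {"locate": "file_start", "sig": obfuscate(b"CONSTRUCTED-PREPEND")},
}

def locate(kind: str, data: bytes):
    """Constructed COM-like layout: byte 0 is 0xE9 (jmp) with a 2-byte LE displacement,
    so an appender's body sits at 3 + displacement; a prepender's sits at offset 0."""
    if kind == "file_start":
        return (0, 32)
    if kind == "entry_jump" and len(data) >= 3 and data[0] == 0xE9:
        target = 3 + int.from_bytes(data[1:3], "little")
        return (target, target + 32)
    return None

def precision_scan(data: bytes) -> list:
    hits = []
    for name, d in DEFINITIONS.items():
        where = locate(d["locate"], data)
        if where and obfuscate(d["sig"]) in data[where[0]:where[1]]:
            hits.append(name)
    return hits

def bulk_scan(data: bytes) -> list:
    """The 'bulk scanner' the post contrasts with: every signature, anywhere in the file."""
    return [n for n, d in DEFINITIONS.items() if obfuscate(d["sig"]) in data]

def build_appender_sample() -> bytes:
    """Constructed infected file: jmp over 40 bytes of original code to the appended body."""
    return b"\xe9" + (40).to_bytes(2, "little") + b"\x90" * 40 + b"CONSTRUCTED-APPEND"

def scanner_own_table() -> bytes:
    """What a bulk scanner sees when it reads this scanner's definitions off disk."""
    return b"".join(d["sig"] for d in DEFINITIONS.values())

def plaintext_table() -> bytes:
    """The same table if signatures were stored unencrypted: a bulk scanner would flag it."""
    return b"".join(obfuscate(d["sig"]) for d in DEFINITIONS.values())
```

`precision_scan(build_appender_sample())` follows the jmp to offset 43 and finds the appender there only; `bulk_scan(scanner_own_table())` is empty while `bulk_scan(plaintext_table())` flags both definitions.
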
    1. Re:Lots of prior art on this patent by EQ · Score: 3, Informative

      See if the Patent Bounty folks would be interested in this one. Seems like your prior art would torpedo this patent completely - help society and make a buck or two while you are at it.

      I bet a large software company in Redmond that wants to get into the antivirus market would love to put up a bounty for this if they knew it would pay off. The bonus would be that open source and free scanners would not face patent persecution thanks to such work, no matter who it was that took on this patent.

      --
      Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO