Slashdot Mirror


Symantec Patents Multiple File Area Virus Scanning

DigitumDei writes "Symantec announced on Wednesday that it has acquired a new patent (United States Patent - 6,851,057) titled "Data driven detection of viruses". Symantec has declined to comment on whether it will pursue litigation. Symantec's director of intellectual property Michael Schallop stated: 'We don't generally discuss how we will leverage this patent against competitors or others,'." From the article: "[The patent] could refer to any technology that allows antivirus researchers or antivirus products to use scripting to determine, dynamically, where in a file to scan and detect threats. It could also include the use of Javascript or other common scripting languages to direct antivirus scanning..."

28 of 226 comments

  1. Oxymoron by Anonymous Coward · · Score: 4, Insightful
    We don't generally discuss how we will leverage this patent against competitors or others
    He just did.
    1. Re:Oxymoron by dfn5 · · Score: 3, Funny
      We don't generally discuss how we will leverage this patent against competitors or others
      He just did.
      He's only discussing his lack of discussion. There's a difference.

      --
      -- Thou hast strayed far from the path of the Avatar.
  2. More patent problems by chris09876 · · Score: 4, Interesting

    Here we go again... just another one of those slashdot posts about how the patent system is clearly flawed... Even I can't help ranting about it! Patents are granted to everybody who applies, and it's just left up to the courts to decide if it's valid or not.

    Companies just amass huge patent libraries. Hm... there should really be an exponential cost increase with each patent the company owns. That would prevent big companies from getting thousands and thousands of useless unenforceable patents. ...patents *do* have a place, they're just mis-used (and the system's broken). If a small developer could get a patent for $20, but then the next patent cost $40 and then $80 and so on, it would really discourage people from getting tons of patents. ...just a thought (I'm sure it's been suggested before...)

    1. Re:More patent problems by XorNand · · Score: 4, Insightful
      If a small developer could get a patent for $20, but then the next patent cost $40 and then $80 and so on, it would really discourage people from getting tons of patents. ...just a thought (I'm sure it's been suggested before...)
      If you make patents cheaper than toner, how is this supposed to prevent companies from sweeping up countless bogus patents? The costs aren't the real issue here; I think you're looking at the wrong side of the equation. Look at PARC: A lot of bright people have churned out a lot of novel patents. Should they be punished for that? What we need are greater standards to prevent junk patents; not playing pricing games in an attempt to reduce the number applied for.
      --
      Entrepreneur : (noun), French for "unemployed"
    2. Re:More patent problems by ultranova · · Score: 3, Funny

      Oh, that's a brilliant idea. Symantec only has about $5 -billion- in liquid cash.

      So, if the first patent costs $20, and each patent after that costs twice as much as the previous one, Symantec is going to go bankrupt after the 29th patent - which will cost about 5 billion dollars (the previous one costs 2 billion dollars, so 6 in total > 5).

      Geometric growth. Gotta love it or hate it :).

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  3. Please... by Foobar of Borg · · Score: 4, Informative

    before anyone starts frothing at the mouth and gives the usual /. response of "What? Someone got a patent? Kill! Kill! Kill!", please read claims 1, 8 and 14 (the independent claims).

  4. Awesome! by null etc. · · Score: 4, Funny

    I love how patents encourage innovation. Now Symantec will be able to lock up the market and really innovate some cool stuff!

    1. Re:Awesome! by damian cosmas · · Score: 5, Insightful

      Patents encourage innovation in a quite simple and straightforward manner, by providing financial incentive to innovate. If you invent something, you can exclusively profit from it for a period of time. Otherwise, those with more marketing power (or anyone capable of making a ripoff of your software/device/drug/&c.) can flood the market with copies of your invention, in which case you make no money and you and your family die of starvation. Dead inventors stifle innovation.

    2. Re:Awesome! by frankie · · Score: 5, Insightful
      That's an excellent explanation of the THEORY of patents. The REALITY is that:
      1. patent examiners are rated and promoted based on volume
      2. it takes more work to deny a patent than accept it
      3. patent applications have accelerated through the roof
      4. trivial, obvious patents are granted every week
      5. it has been over 50 years since SCOTUS properly slapped down USPTO for doing so
      6. such patents are used to STIFLE competition and innovation rather than spur it
    3. Re:Awesome! by ScentCone · · Score: 3, Interesting

      No, patents prevent competition.

      If you mean that patents prevent your competitors from using your invention without having to bear the costs of inventing a competing technology themselves, then, yes. But company X making profit off of their own invention means that company Y will need to innovate and compete by arriving at a better way to solve the problem (and thus win back those customers). Patents encourage the creative innovation of competing (and superior) patentable products/concepts/practices.

      Since the _only_ valid societal rationale for patents to exist is to promote the public good

      Really? I would think that being able to benefit from your labor and creativity is a strong incentive. Strong enough that the person who does it best gets rewarded accordingly, and only indirectly (though substantially) does the public benefit. The public benefit is frosting on the cake. Protection of an individual's claim to their own work is the heart of it.

      it would be a LOT more simple & straightforward to promote innovation if society collectively paid a lot of smart people to create useful ideas

      Excellent idea, Citizen Comrade! Why, in countries where that's been the practice, we see fantastic displays of innovation in the areas of stealing IP and technologies from those private innovators elsewhere that are actually getting it done faster, better, and with better-paid people in a higher standard of living. I'm sure some of the community-based researchers in North Korea, or perhaps the ones that prospered so well in the Soviet Union, would disagree with me, me being a clueless Yankee and all.

      The anti-competitive effect of patents just turns out to be prone to abuse

      Though I'd say that the abuse of the best and brightest people in any collective setting is a much more pervasive problem. In any academic, or even private "team"-based setting where a group of people are tasked with a complex goal, some small percentage of brighter bulbs will always be the people doing the heavy lifting and the creative thinking that actually moves the project forward. The only way not to burn people like that out is a merit-based system that rewards and encourages going the extra mile on (say) research and development. Your system would work fine, as long as the minority of the research community that actually innovates gets some sort of reward (and knows they will be getting some sort of reward) for their unique innovations. Oh, wait, that's called a patent and the right to use it.

      --
      Don't disappoint your bird dog. Go to the range.
  5. Ridiculous by adennis · · Score: 5, Insightful

    The U.S. is granting too many patents for too broad of topics. It's coming to a point where even new things can't be created simply because a patent exists that, not only covers part of the new invention, but the entire GENRE of the invention.

    They need to reform the patent law before it gets even more out of hand than it already is... Up next: a patent for "any process whereas pages of paper are bound together.."

  6. Obvious by MrMickS · · Score: 5, Interesting

    Finding out whether a file is infected by a virus is a case of looking at the file and seeing if that virus signature is present in the file. This is likely to be done by a program as it's easier. These chunks of virus code will live in different places dependent on the type of file being affected. This is all obvious. Surely this patent isn't worth a damn as it can be challenged as such.

    --
    You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
  7. It is not. by Raven42rac · · Score: 4, Insightful

    It is not the responsibility of the Federal Government to
    A) Protect your business model.
    B) Ensure you can "pay back your investors for a long shot"

    This patent is bullshit, it's like EA, just eliminate all competition, then what incentive is there to change or improve? None, slap 2006 on it and ship it. I want a patent on "Exchanging Oxygen for Carbon Dioxide utilizing organic muscle structures", and sue everyone who breathes.

    --
    I hate sigs.
  8. Patent by cyriustek · · Score: 5, Interesting

    I fully support companies retaining ownership of their intellectual property. However, how granular do we go? This is reminiscent of e-commerce being patented. If we follow old patent laws, we will surely stifle creativity. In contrast, if we do not have patents, we will likely stifle creativity since no one can claim ownership to their idea and profit accordingly.

  9. next we know viruses are patented by xiando · · Score: 3, Interesting

    I can not wait for someone to file a patent for a virus, when the US patent office can accept this then they are sure to accept that too.

    Spammers are suing those who filter their crap away, next thing we know virus authors are suing anti-virus vendors... it is truly a brave new world.

  10. 'Leverage' why not just say 'use' ? by Anonymous Coward · · Score: 3, Insightful

    Why do American corporate idiots insist on saying 'leverage' when they mean 'use'? It sounds so lame.

  11. OMG Virus by improfane · · Score: 3, Funny

    I say Symantec should just patent viruses and charge royalty fees on whoever decides to make them.

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  12. i dont get it by JeanBaptiste · · Score: 4, Insightful

    "Data driven detection of viruses".

    how else are you going to detect them?

  13. They've got to do something... by the_skywise · · Score: 3, Insightful

    Now that Microsoft is getting into the anti-virus biz and presumably shipping it with the OS, Symantec knows its days are numbered.

  14. Claim by Claim analysis? by SuperficialRhyme · · Score: 4, Informative
    I'm not an antivirus software developer so I really don't know what exactly these claims are referring to. The background of the patent helps a bit, but it seems to me that the patent refers to a program which uses an emulator to catch the point where a program's code is being passed off to viral code.

    Could someone give a better summary claim by claim?

    I'll provide the claims here to give a starting point. Let's try to actually see what's getting patented here and whether or not it really is novel.

    I claim:

    1. A virus detection system for detecting if a computer file is infected by a virus, the file having a plurality of potential virus entry points, the system comprising:

    an engine for controlling operation of the virus detection system responsive to instructions stored in an intermediate language, the instructions adapted to examine the plurality of potential virus entry points and post for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus;

    an emulating module coupled to the engine for emulating the posted entry points of the file in a virtual memory responsive to the engine, wherein the virus may become apparent during the emulation of an entry points of the file infected by the virus; and

    a scanning module coupled to the engine for scanning regions of the virtual memory for a signature of the virus responsive to the engine and the emulating module, wherein presence of the virus signature in a scanned region indicates that the file is infected by the virus.

    2. The virus detection system of claim 1, further comprising:

    a custom module coupled to the engine for executing custom virus-detection code responsive to invocation by the engine.

    3. The virus detection system of claim 1, wherein the intermediate language is P-code and the engine comprises:

    a P-code interpreter for interpreting the P-code and controlling the operation of the virus detection system responsive thereto.

    4. The virus detection system of claim 3, wherein the engine further comprises:

    primitives for performing operations with respect to the file and the virtual memory responsive to invocations of the primitives by the P-code.

    5. The virus detection system of claim 1, further comprising:

    a virus definition file coupled to the scanning module for holding virus signatures for use by the scanning module.

    6. The virus detection system of claim 1, wherein the instructions stored in the intermediate language post regions of the file for scanning by the scanning module.

    7. The virus detection system of claim 6, wherein postings identifying overlapping regions are merged into a single posting identifying the regions of the merged postings.

    8. A method for detecting a virus in a computer file, the file having a plurality of potential virus entry points, the method comprising the steps of:

    executing instructions stored in an intermediate language representation, the instructions performing the steps of:

    examining regions of the file for possible infection by viruses and posting for scanning any regions exhibiting characteristics indicating a possible virus infection;

    examining the plurality of potential virus entry points of the file for possible infections by viruses and posting for emulating ones of the plurality of potential virus entry points exhibiting characteristics indicating a possible virus infection; and

    examining the posted regions of the file to algorithmically determine whether the file is infected with a virus.

    9. The method of claim 8, wherein the instructions further perform the steps of:

    merging overlapping regions posted for scanning.

    10. The method of claim 8, wherein the instructions further perform the step of:

    calling a custom executable program to determine when the file is infected with a virus.

    11. The method of claim 8, further comprisi

  15. Closed source protects against this? by NotQuiteReal · · Score: 3, Interesting

    If you write closed-source software, how would anyone prove your code infringes on a patent, unless they violate other laws and reverse engineer your program?

    --
    This issue is a bit more complicated than you think.
  16. RTFP by numatrix · · Score: 3, Informative

    Actually, I take my previous comment back. This ~is~ a reasonable patent for Symantec. Go and actually read it. In its entirety, it probably is non-obvious, and is a reasonable patent, though nothing particularly stellar.

    It's especially not a problem because working around it doesn't look hard at all. You can do everything they do in the patent, for example, omitting any intermediary code (P-Code), and you apparently wouldn't be violating it.

    For that matter; the patent's main application is for files with multiple entry points and scanning specifically for polymorphic viruses using a scripting engine capable of handling different pieces of code off to different analysis engines and passing things around.

    Again, not exactly brilliant, but probably a reasonable patent; also because it's probably not hard to code around.

    1. Re:RTFP by akad0nric0 · · Score: 3, Insightful

      I agree. What seems to be happening here is that Symantec is patenting a domain-specific framework for creating code that will analyze files for malicious patterns. While it is a bit broad, at the same time it's innovative and certainly useful.

      I'm as big of a critic of the US patent process as anyone, but there are plenty of legitimate patents out there, and on the surface this appears to be one. If they try to enforce it in an overly-broad manner, shame on them, but the patent itself sounds legit.

      --
      akad0nric0

      This sentence no verb.
  17. hmm.. by t_allardyce · · Score: 3, Funny

    Microsoft should patent some of its security flaws, it could make a killing by licensing the ability to patch said flaws to anti-virus companies.

    --
    This comment does not represent the views or opinions of the user.
  18. Lots of prior art on this patent by oldfogie · · Score: 5, Informative
    FWIW, I am an (ex-)anti-virus author, and I actually looked at this patent.

    First, the person who wrote the text should be shot... it's worded to be as confusing as possible, so that even an expert in the field can't readily tell what is being covered in the patent.

    Next, from what I can tell, the patent seems to cover 3 main points (in various flavors, to come up with their 20 points):
    1) We don't just scan for strings, we take into consideration what sort of virus it might be, and only scan in the appropriate place.
    2) We have a "scripting language" that can direct the virus scan.
    3) We can emulate a "virus target" and see if the virus goes for it.
    All of these points were done years ago. The first two points were "state of the art" as of 1990. The product I worked on (name withheld for various reasons. Sorry about that...) was, at the time, unlike the other virus scanners out there. It used "precision scanning" in which the nature of the virus being scanned for was taken into account, and was scanned for ONLY AT THE LOCATION AT WHICH THE INFECTION WOULD OCCUR. This was a major differentiation from the "bulk scanners" (i.e. run the entire file through a string filter that contains all virus signatures, and see if there are any matches. As a trivia note, "bulk scanners" are why all anti-virus scanners use encrypted (in some trivial way) virus signatures -- so that a virus scanner would not be identified as an infected file by another virus scanner, or even by itself!) that all other major anti-virus vendors used.

    Also, the virus scanner I wrote included a scripting language so that users could add their own virus scan and remove definitions.

    As for emulating a virus target and seeing if the virus "bites", that is also old hat. While a commercial product was never introduced, a lab prototype was publicly demonstrated in 1996, in which files under examination were interpreted in a virtual 80x86 environment, including OS and file system, both to see if they did anything suspicious, and to see if they "tagged along" on "provocative" system calls.

    And, yes, I still have my old code sitting around. It would be a pity if someone suddenly showed it to Symantec or the patent office...
    1. Re:Lots of prior art on this patent by EQ · · Score: 3, Informative

      See if the Patent Bounty folks would be interested in this one. Seems like your prior art would torpedo this patent completely - help society and make a buck or two while you are at it.

      I bet a large software company in Redmond that wants to get into the antivirus market would love to put up a bounty for this if they knew it would pay off. The bonus would be that open source and free scanners would not face patent persecution thanks to such work, no matter who it was that took on this patent.

      --
      Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
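
oldfogie's comment above contrasts "precision scanning" with "bulk scanners" and mentions obfuscated signature tables, and claims 7 and 9 quoted in comment 14 describe merging overlapping postings. The Python sketch below is an added example, not code from any commenter, the patent or Symantec; the definition format, all names, the XOR key and the sample bytes are constructed for illustration.

```python
from dataclasses import dataclass

XOR_KEY = 0x5A  # assumed key; trivial obfuscation for stored signatures


def xor(data: bytes) -> bytes:
    """XOR is its own inverse: hides a signature at rest, reveals it for matching."""
    return bytes(b ^ XOR_KEY for b in data)


@dataclass(frozen=True)
class Definition:
    name: str
    where: str         # "head" or "tail": the file area this infection type writes to
    length: int        # number of bytes of that area to post for scanning
    stored_sig: bytes  # signature as kept in the definition table (obfuscated)

    def posting(self, size: int) -> tuple:
        n = min(self.length, size)  # clamp to the file so small files still work
        return (0, n) if self.where == "head" else (size - n, size)


def merge_postings(posts):
    """Merge overlapping or touching (start, end) postings into single regions."""
    merged = []
    for start, end in sorted(posts):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def precision_scan(data: bytes, defs):
    """Match each signature only inside its own posting; also return bytes examined."""
    size = len(data)
    hits = []
    for d in defs:
        start, end = d.posting(size)
        if xor(d.stored_sig) in data[start:end]:
            hits.append(d.name)
    regions = merge_postings(d.posting(size) for d in defs)
    return sorted(hits), sum(end - start for start, end in regions)


def bulk_scan(data: bytes, defs):
    """Run every signature over the whole file, regardless of location."""
    return sorted(d.name for d in defs if xor(d.stored_sig) in data)


# Constructed, harmless sample data (plain ASCII markers, not real signatures).
SIG_APPEND, SIG_BOOT, SIG_TAIL2 = b"DEMO-APPENDER-SIG", b"DEMO-BOOT-SIG", b"DEMO-TAIL2-SIG"
DEFS = [
    Definition("demo.boot", "head", 32, xor(SIG_BOOT)),
    Definition("demo.appender", "tail", 64, xor(SIG_APPEND)),
    Definition("demo.tail2", "tail", 48, xor(SIG_TAIL2)),
]
INFECTED = b"A" * 200 + SIG_APPEND + b"\x00" * 10  # marker sits in the last 64 bytes
QUOTED = b"A" * 100 + SIG_APPEND + b"A" * 100      # same bytes mid-file, e.g. a write-up
DEF_TABLE = b"".join(d.stored_sig for d in DEFS)   # what the scanner keeps on disk

if __name__ == "__main__":
    print(precision_scan(INFECTED, DEFS))
    print(precision_scan(QUOTED, DEFS), bulk_scan(QUOTED, DEFS))
    print(bulk_scan(DEF_TABLE, DEFS))
```

The two tail postings overlap and are merged, so only 96 of the 227 bytes are examined; the bulk scan flags the file that merely quotes the marker, while the obfuscated table itself does not match.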
  19. Very smooth... by Rs_Conqueror · · Score: 3, Insightful

    While talking to my boss Chris about how McAfee patented the firewall a few weeks back, he made the point: "Do you think the guy who awarded the patent even knows what a firewall is?" I think the point still stands.

  20. I disagree by NigelJohnstone · · Score: 3, Insightful

    I disagree, all they've done is change their virus definition (a series of tokens in some format) to pseudo code (a different series of tokens in some other format with program like qualities).

    I presume the other virus programs already use IF and LOOP tokens to handle polymorphism of viruses because polymorphism is already detected by other companies' products.

    What interests me, is that if this was a patent for a Spinning Jenny we would *know* if there is prior art from looking at the previous machines and I wouldn't have to 'presume' anything.

    But because this is software we have to guess whether other companies use programming constructs like IF and LOOP in their virus definition files that would qualify as the use of P-Code in virus detectors.

    I also wonder if they need the patent to protect that idea, if they don't document the virus file format who would know?
    Seems to me if they didn't disclose it and it was a real invention then they would have plenty of opportunity to make money from it.

    It's like patents are being used as a fight mechanism..... and Symantec has hit out with a left patent hook, meanwhile McAfee strikes with a sneaky undercut design patent.....
    rather than a mechanism to reward invention.