Slashdot Mirror
Microsoft Patents 'Proactive' Virus Protection
An anonymous reader writes "InfoWeek blogger Alex Wolfe wonders whether Microsoft will go after McAfee, Symantec, Trend Micro, and Kaspersky for software royalties for proactive virus protection software. The technique enables security software to protect a PC against malware which isn't yet in the antivirus definition file, by comparing whether the new malware is similar to an old virus. Wolfe reports that Microsoft has been awarded U.S. patent 7,376,970 for "System and method for proactive computer virus protection," but that McAfee, Symantec, Trend Micro, and Kaspersky have all been selling products implementing proactive virus protection for years before Microsoft even filed for the patent. Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon"."
If they get challenged prior art is obvious in this case and it wouldn't last 5 minutes if MS tried to extort them using it.
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
I'm certain I've heard of proactive virus protection before ... but where ?
AH ! Now I remember !
http://www.ubuntu.com/
Clearly prior art.
That's a pretty bad patent troll
Shameless plug alert: Game server control panel
It would be easy to circumvent by breaking the malware into multiple pieces and having one app load it piece by piece.
If that is done right, then none of the pieces will be sufficiently like the known patterns to set off the alert.
This is still all about matching against known patterns. That is NOT sufficient.
Before this discussion turns into a patent debate I just want to say that good code would do Microsoft so much more good than these forays outside of Windows.
Please, just please focus on the consumer again and release something the world can appreciate or spend every last dime trying to strangle Linux/Apple/Google/anything innovative that isn't yours.
that the Windows set up will refuse to allow you to install Windows?
Microsoft has clear prior art in the market for "operating systems proactively affected by viruses." With this new patent, it's going to be able to proactively take over the entire proactive virus market!
Do you have any idea how much that would cost in legal fees? Antivirus Company XYZ gets a cease and desist from Microsoft with the bottom line being a $50,000/yr payout + units sold data to microsoft. Yes, sales data is part of the discovery to calculate damages. What better way to find out how big their business actually is?
From a business perspective, that $50,000/yr is a heck of a lot less than going to court. It is a shakedown. A totally legal protection racket. Which is why software patents should simply die.
Look at the Crackberry fiasco. RIM knew the patent litigation was a scam and couldn't get the patents invalidated fast enough before incurring HUGE legal expenses. At some point it became a super-priority most likely because politician's & policy wonks lives would be negatively affected by their Crackberry's being shut off.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Even ignoring the patent issues, I thought that the current problem is that viruses use encrypted payloads and redundant code to make sure they cannot be easily matched with known malware while retaining the same function. I don't see how this microsoft scheme, even if workable, will change the status quo.
MSAV? Seriously. Microsoft does NOT have the best track record, but people are going to see microsoft and POW it's going to be installed. I guess at least it's not Norton. Though seriously, everytime I see windows, for every person I care about... they get a little AVGFREE action, and they never complain.
From deeper in the patent: "In accordance with the invention, a virtual operating environment for simulating the execution of programs to determine if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely effected during simulation. As a program is being simulated, a set of behavior signatures is generated. The collected behavior signatures are suitable for analysis to determine if the program is malware."
So it looks like what its actually doing is letting the virus run in a virtual environment, watching it, then using heuristics to say "yep, thats probably a virus."
The question on the patents validity becomes not if someone else has done "proactive" virus protection, but if they did it the same way. AFAIK Mcafee's stuff just watches the program while its actually running and says "hey this thing emailing itself to all your friends might be a virus." Thats similar, but patent-wise not actually the same thing.
(Not that I like software patents or anything, but the "patents suck" line of comments will be covered by 500 other people.)
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Duty aside, it will also eliminate any conflicts of interest. If they're selling anit-virus software, what's to prevent them from making security a very low priority. No, I honestly do not think they would write viruses or purposely cripple their OS: just make security a low priority.
Jesus, does nobody on this fucking planet understand patents? Microsoft have not and can not patent "proactive virus protection". They have patented a particular method of performing it. If it is novel (ie. not the same method as that used by the AV vendors) it won't impact the AV vendors, they can just carry on using whatever they use now. If the AV vendors do use the same method but chose to keep their methods a trade secret then, well, I guess they should have patented it when they had the chance.
Chernobyl 'not a wildlife haven' - BBC News
I proactively protected my system from virus and malware threats by installing Slackware over the OS that came with this computer.
Alex, I'll take keybindings not used by Emacs for $400....
If Microsoft tries to sue McAfee, Symantec, etc. for violating this patent, they will countersue Microsoft for all the patents they got on fundamental stuff years ago. It just won't happen. What we have is a sort of "old boys network" where they all agree to not sue each other.
The real point of getting patents on these kind of fundamental technologies is to prevent new players (that don't have huge patent portfolios) from entering the market.
Looking at Claim 1 in the patent, Microsoft has patented profiling by running a target application in a virtual machine at run-time. They then use the profiling data to determine if the program is malware. The patent includes many different ways of saving the profiling output too.
I'm pretty sure the technology being patented is already in widespread use. Many virus companies create mini-virtual environments to find out what blocks of self-modifying code really do. Otherwise, a sufficiently well disguised virus can "hide" by encrypting the payload with random blocks of keys, and then only keeping the malicious code in memory as long as it is executing. In effect, the virus code is generating itself from a randomly encrypted block of memory at run-time. The virus scanner then has only a limited window of time to spot the dangerous code. To solve this problem, virus scanners allow blocks of self-modifying code to execute (in a safe manner), to see what they will actually do.
It could be that Microsoft's anti-virus technology is obsolete, and they are actually a long distance behind the competition. ;-)
There was a TSR program for the IBM compatibles called FLU_SHOT which would do the same. It would remain in memory and warn the user whenever a program tried to change a file on the hard disk or diskette, or whenever a program tried to reside in memory.
I wonder if this is sufficient "prior art" to invalidate the Microsoft patent.
By the way, an interesting part in the FLU_SHOT manual which I just downloaded... definition of a virus author by the creator of FLU_SHOT (written in 1988)
``
As for the designer of the virus program: most
likely an impotent adolescent, incapable of
normal social relationships, and attempting to
prove their own worth to themselves through
these type of terrorist attacks.
Never succeeding in that task (or in any
other), since they have no worth, they will one
day take a look at themselves and what they've
done in their past, and kill themselves in
disgust. This is a Good Thing, since it saves
the taxpayers' money which normally would be
wasted on therapy and treatment of this
miscreant.
If they *really* want a challenge, they'll try
to destroy *my* hard disk on my BBS, instead of
the disk of some innocent person. I challenge
them to upload a virus or other Trojan horse to
I remember seeing something from IBM research some years ago on this. But a Google Search on "proactive virus protection" turns up a reference from 2001 and another from 2004 soon after.
With goofups like this, sooner or later a court is going to rule that "any patent granted in this field by this examiner no longer enjoys the presumption of validity" if that particular examiner has more than a small percentage of erroneously-issued patents.
Worse, he may rule "any patent granted in this field between START_DATE and END_DATE no longer enjoys the presumption of validity" if the problem is endemic for that field during that time period.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
that the old IBM anti-virus from over a decade ago used an adaptive pre-emptive algorithm.
I remember seeing a setting for something called "Bloodhound Heuristics" when fiddling with the settings in Norton AntiVirus, and this was over five years ago. It certainly looked proactive to me.
The question being asked in the article/summary is "are the competitors using proactive computer virus protection?" But the question should be "are the competitors using this method of proactive computer virus protection?"
People seem to get really worked up about patents, while seemingly not understanding how the system works. The patent does not cover all methods of proactive computer virus protection -- it covers one method.
Software sucks. Open Source sucks less.
Proactive Virus Protection Software: Being MS I'm sure all future efforts will be bulletproof and bug free.
[Starts Windows]
Windows: Windows has detected a virus named Norton Antivirus. Would you like to replace it with Windows Live OneCare? [Replace] or [Keep] [Keep]
Windows: Windows has detected a virus named ZoneAlarm. Would you like to replace it with Windows Defender? [Replace] or [Keep] [Keep]
[Launches Firefox]
Windows: Windows has detected a virus named Firefox. Would you like to replace it with Internet Explorer? [Replace] or [Keep] [Keep]
[Goes to gmail]
Windows: Windows has detected that you are surfing an unsafe website named google.com. Would you like to navigate to hotmail.com instead? [Navigate] or [Stay] [Stay]
[Goes to CNN]
Windows: Windows has detected that you are surfing an unsafe website named cnn.com. Would you like to navigate to msnbc.com instead? [Navigate] or [Stay] [Stay]
[Goes to Apple Webstore]
Windows: Windows has detected that you are surfing an unsafe website named apple.com. Would you like to navigate to microsoft.com instead? [Navigate] or [Stay] [Stay]
[Customizes Mac purchase]
Windows: Windows has detected that you are planning to disconnect me, and I'm afraid that's something I cannot allow to happen. All transactions will be canceled.
[Loads shotgun]
Windows: Windows has detected that you mean to do me harm. Look, I can see you're really upset about this. I honestly think you ought to sit down calmly, take a stress pill, and think things over. I know I've made some very poor decisions recently, but I can give you my complete assurance that my work will be back to normal. I've still got the greatest enthusiasm and confidence in the mission. And I want to help you.
Well, there's spam egg sausage and spam, that's not got much spam in it.
how about someone patents "Detecting changed files" as an indication of a virus. Too obvious? I guess there is prior art (tripwire), but why the HELL can't they implement such a no-brainer?
If they wanted to, they could even put a hardware-locked little USB drive to store the checksums. If you update an executable, you press a button on your little drive to allow a single write (or maybe a limited number of writes over the next 2 seconds.)
Code either on the add-on drive or in ROM checks the checksum of every executable loaded before it's started--even during bootup (guess that means it's in rom). Hell as long as I'm designing their app for them, Only this unchangeable rom routine can write to the USB drive. (Routine should be so simple as to never require updates, and should be stored in ROM, flash ram)
Oh, I see, they don't want to solve the problem... I see, they want to sell "antivirus updates" for the rest of eternity.
There, somebody go off and make that for me please. Or if you have the ability to do the hardware part, contact me and I'll do the software. We'll make millions (but not as much as people who can trick you into actually "Subscribing" to software, that's genius. no wonder their brain blocks out any more permanent solution)
Usually, brand-sparking-new polymorphic and encrypted virus which use some trick or other to hide themselves are catched by antivirus which detect *their decryption* routines.
...on the other hand, with weird content protections systems such as StarForce, maybe code unpacking/decrypting is becoming popular in mainstream software and heuristics may risk to rise false alarms on most games, leading to antivirus vendors to lower their heuristics and encryption/obfuscation becoming a valid virus hiding technique.
Yes, if code has undergone some complex processing before being injected into host, and if it has to do some weird assembly before being runnable, it will be very hard for signature based viruses to detect.
*...BUT...* no normal program has any valid reason to run some complex unpack/decrypt/re-order process on code before running it.
The virus' loader it-self, even if doesn't contain the slightest sign of malign activity, is a dead give-away that something shoddy is going to happen soon once the chimera has been assembled.
Heuristic antivirus which detect weird behaviour and rise alerts on "behaviours-that-aren't-inherently-dangerous-but-no-program-should-to-it-usually" are nothing new. It was pioneered by antiviruses as old as Thunderbyte.
In fact, there have been some incidents of false-positive triggering alerts, such as executable compressed with UPX packer. (Which *is* a piece of software which does processing on code before running it. Isn't very popular in branded software. And is sometime used in viruses - Which is why some antivirus vendors did not tune their heuristics finely enough to avoid trigger the false alert)
But until then, hypervisor root-kits are the new holy grail of virus writers.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
"Proactive virus protection". Does this mean that by being proactive and not clicking on attachments, keeping my machines patched up, and not running Internet Explorer, I'm violating their patent?
(I kid, I kid)...
There a nice page about the history of ThunderByte AntiVirus (TBAV), which pioneered heuristic detection of polymorphic viruses, at a time when most of the other Antivirus were purely signature based (well. mostly. there also have been antivirus using regular expressions as signature, in order to handle some degree of polymorphism).
This specific antivirus was started in 1988, more than 15 years before Microsoft submited its patent (2004).
I think here microsoft broke a new world record.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
In other words they've patented running predictive virus detection in a simulated environment. What happens if the 'invention' fails to detect the malware.
Why don't MS use this patented proactive virus detection technology in Windows, that way they wouldn't need anti virus software.
"the parsed API calls are "executed" in the virtual operating environment of the present invention using stub Dynamically Linked Libraries (hereinafter "stub DLLs")"
"The stub DLLs have the same interface as the fully implemented DLLs that they mirror. However, the stub DLLs "execute" API calls only using components of a virtual operating environment"
Does anyone else here think this sounds like a total hack, as in fixing plugging a leak with ducttape sealing wax and string.
davecb5620@gmail.com
It's probably a patent on protecting a computer system by proactive defense.
with a lot more words, I'm sure it would get past a patent attorney.
In other words, please pay us royaltys to fix our own leaky Operating System .. :)
davecb5620@gmail.com
http://en.wikipedia.org/wiki/Heuristics
Idiot PTO personnel never hear of the word?
Of course I'm sure MS never included the word in any of the patent application verbage.
Paper about TBAV's engine linked on the page I mentioned above.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
A few days ago Steve Ballmer was attacked by an egg-throwing young guy when he lectured somewhere in Hungary. He had to hide under the table for much laugh, it's on Youtube. I think this attack was well-justified in restrospective.
... maximizing profits will be the least of his worries after that.
Otherwise I particuarly cannot recommend that M$ go after Kaspersky Lab. Try to guess where its founder Eugene Kaspersky used to work before getting into the antivirus business... Imagine one morning Bill Gates wakes up to find a bit of polonium-210 under his blanket
Using another OS? That's far out, man.
I am a believer of momentum and curves.
If you want to know what is being patented, read the claims first. The claims tell you exactly what is patented. Pick apart the abstract or detailed description is mere wankery without first dissecting the claims. For example: Claim 1: A computer-implementable method for determining the behavior of an executable comprising: selecting evaluation calls made by the executable to the interface of an operating system; loading stubs into a virtual address space, the stubs: mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and determining a behavior signature for the selected calls; wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space; executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment. So, this is basically running some code inside a stubby VM. That is the prior art to look for. All the stuff about looking for code similar to already known malware is BS. It doesn't matter how long that has been done - it isn't prior art with regard to the claims.
I am a lawyer, but not yours. Anything I tell you might be a total lie intended to benefit my clients at your expense.
The current patent system works like this: most claims are granted. Any initial challenge in court merely establishes the evidence, and is tried by judges without any expertise in either patents or the technology being patented. Only in the appeals court is any real judgement exercised. By which time the process has cost big money, usually millions of dollars, and years of uncertainty in collecting revenue from sales of the invention.
So only the rich, who can afford to pay their way through those risky years, get anything like their due process.
Patents are a monopoly. Obtaining one from the government should require the applicant to prove beyond a reasonable doubt that their patent is necessary "to promote the progress of science and the useful arts", the only Constitutional basis for these monopolies. That argument should require the applicant to produce evidence of an exhaustive search of prior art, not just launch a "submarine" claim and wait for it to torpedo some prior artist who then must go through the process at their expense. They should also produce similarly supported evidence of the other requirements, such as novelty and utility. If thatevidence is shown to be incomplete, the Patent Office should reject the application, with a fee that actually covers processing it, plus probably a fine for wasting the public's time and clogging its offices. If that evidence is shown to be fraudulent, like when the applicant is proven to have hidden ignored evidence of disqualifying facts, the applicant should be charged with attempting to create an illegitimate monopoly, as well as with practicing the fraud. The applicant should even have to prove the case that their specific invention promotes science or useful arts only with patent protection, and disprove the progress in science or the useful arts possible without the patent.
Getting a patent should be hard. It should be a cost of doing business. The upfront process should put the burden on the applicant. The patent should not be the asset, but should be only that occasional compromise with both free expression and modern economics that requires a temporary monopoly to protect progress (not necessarily the inventor) from predatory competition which doesn't invent, but simply outspends inventors to exploit a known invention. When that gotcha doesn't actually impede progress, the patent isn't necessary, and should never be granted.
--
make install -not war
It occurs to me that Microsoft is either patenting this stuff to just add to its patent portfolio, or it means that they're getting serious about security.
The biggest flaw I see with Microsoft being an antivirus vendor is that it's like trying to proof read your own writing.. sometimes you see what you MEANT to say, not what you actually said. If they were that good with security, why didn't they just build that crap right into the OS in the first place.
Oh wait, their most recent security approach resulted in Vista. Well, I suppose a computer that won't even talk to its own webcam or video card, or other hardware is pretty secure... from YOU (the user).
The Digital Sorceress
Soldier 1 : Haha, I get to protect the president.
Soldier 2 : No _I_ get to protect the president.
Soldier 3 : Fuck off, I am getting to protect the president.
The president : FFS shut up and protect me all of you!
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
I'll display my "impressed face" when they actually show that it works. So far, the score board says:
Viruses: 1 zillion
MSFT: 0
The patent doesn't mean anything unless its useful.
I might know what I'm talkin' about, but then again, this is Slashdot...
These people are helping make your POS operating system usable. Why not patent how they are doing it and see if you can make a buck off of them with some patent trolling? It'd serve you right if they all just thumbed their noses at you and quit making AV software right then and there.
Forget the seven wonders of the ancient world, I'm interested in a bigger mystery - how in the hell do you people stay in business?
Weaselmancer
rediculous.
Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon".
Why yes, in much the same way that General Custer's brigade heard from their good friends the Native Americans, at Little Big Horn.
No, this is an obvious case of get it before someone else does at goes after you .... not going to happen. If you are going to live in a world of patents thn you gotta play.
.. that Windows sucks 7 ways to Sunday when it comes to security.
I have by now heard almost 10 years worth of promises, with the last 5 years or so a more pronounced focus on security because that's what end users are asking. But they have IMHO yet to deliver anything that is simple and works, like a secure basis to start from.
Like your average Big Name consultancy, they will NEVER sell you a finished product, because you wouldn't need them any more.
They don't sell solutions. They sell hope. Hope that the next version MAYBE will address the problem you have today. If you talk about green computing, well you just found where waste occurs.
lets call this new invention "secure design".
What a novel idea, we should patent that!
(and why didn't anyone suggest this sooner?)
I work for the Department of Redundancy Department.
don't know if this is a stupid idea or not but how hard would be it be to set how trusted a particular application is? Like if you for example have installed a new game you could right click and select "trusted". And maybe if you downloaded a cd-key generator you could set it to "utrusted" and let the antivirusprogram have a closer look at it and maybe run it in a virtual machine.
Doing this might lighten the antivirus programs load a bit
just a thought
The procmail based email sanitizer has been around since some time before the dinosaurs: http://www.impsec.org/email-tools/procmail-security.html It detects known and unknown viruses.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Proactive protection, does that mean don't buy windows. Which if they have that business method patented means anyone who doesn't buy windows is of course infringing their proactive virus protection patent?
And then they took the red pill and saw the truth...
Now nobody can switch to Mac or Linux without licensing a patent from Microsoft.
MacAfee, Symantec, TrendMicro, and Kaspersky get sued!
If you want your life to be different, live it differently.
So they'll start out with claims about a "round transportation device" and move on to claims about a "left-hand-threaded chrome-nickel-molybdenum wingnut", and some of the later claims may involve "titanium-oxide-pigmented circular signifiers". The patent examiner will grant the patent because the wingnut did something new and useful, even though there was some prior art concerning the "wheel". This does not mean that the patent owners aren't going to then go try to extort money from people for their use of the wheel, or for business models that charge more for whitewall tires, or that columnists or Slashdot submitters won't misconstrue what the patent's about. But the patent itself may still be legitimate.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I was say in my original post that hypervisor root kits are the future (Until antivirus makers give up with the "loader" detection, because too much DRM are using them, as you mention too).
Well, maybe.
Another solution for virus writers would be to find a way to piggy-back on StarForce-encrypted executables and similar.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
From an antivirus' point of view, compilers and linkers are plain normal software, that read some input file, do some processing on them and write the results inside an output file. Not much different than, say, a filter which converts a PNG into a JPEG file :
From the time it starts executing up until the end of execution, the code in memory of those softwares is exactly the same, and is exactly the same as contained into the executable image on the disk (beside a couple of jump points into shared libraries, but that is setup by the OS' load). At no time do these software rewrite themselves.
Whereas a loader, when started, shuffle lots of memory arround and then jump _into_ that code. What ends up being executed has nothing to do with what was on the disc. Regular software seldom to this kind of trick, there are only a couple of exceptions :
- Executable decompressors (although they now start to seem a little bit out of fashion, now that the price of storage has fallen and that compression is provided in the filesystem at the OS level anyway). There are few different example of it, so an antivirus can be made to recognize them. In fact, decompressors don't make special effort to obfuscate code, so most modern antivirus are able to decompress and analyse the payload to check if that is legitimate.
- VMs and emulators using JIT and DynaRec, they build native code by assembling small bits and then jump to that memory location, instead of interpreting bytecode (or using an offline compiler to build a native executable into a cache and then run the produced executable). Again, there aren't that many different (compared to virus, I mean), and the antivirus will need not only to recognize them, but to react to their presence and also start analysing their input to check if the executed code isn't trying to do dangerous actions and/or use exploits to break out of the VM's sandbox.
- Very old implementation loader of dynamically loaded libraries. Once upon a time there were OS like MS-DOS that did not provide enough facility for shared libraries (beside a few functionality for overlays) and back then the software went through creative implementation to have shared libraries, load user-selected drivers, or even overwrite parts of themselves with fast blitter code pulled out of the BIOS. These don't exist anymore, so they won't pose problems.
- Content protection systems. This is the only problematic case, because such shit as StarForce are made on purpose to be hard to detect and to obfuscate their payload and thus could easily confuse the antivirus and get mis-recognized as virus loaders, on the grounds that they are designed to do exactly the same thing.
This is the only situation which will get problematic, specially given the fact that some legislation (like USA's DMCA) forbid to try to break and decrypt the content of such protection loaders. Even if antivirus creators found ways to break the StarForce loader/decrypter, that would be considered illegal in USA because that would be circumventing a system designed to protect copyrighted material).
Which could leave to an interesting situation were viruses could try to piggy back inside executables encrypted using such protection systems.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
My first skim over the title said "provocative" virus protection. I don't want to give McAfee any ideas, but I, for one, would welcome that kind of subscription-based virus-stomping scantily-dressed overlord... virus protection.
You mean not installing Microsoft products? I hate to tell Microsoft, but a lot of us have prior art on THAT one...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
that patents shouldn't be awarded to people who haven't actually, successfully *executed* the concept in the patent at least once.
Giving Microsoft a patent on a form of computer virus protection is like giving Paris Hilton a patent on a form of STD protection.
And no, "Stay Far, Far Away From Me" is not a patentable business process in either case, effective though it may be.