Microsoft Patents 'Proactive' Virus Protection

An anonymous reader writes "InfoWeek blogger Alex Wolfe wonders whether Microsoft will go after McAfee, Symantec, Trend Micro, and Kaspersky for software royalties for proactive virus protection software. The technique enables security software to protect a PC against malware which isn't yet in the antivirus definition file, by comparing whether the new malware is similar to an old virus. Wolfe reports that Microsoft has been awarded U.S. patent 7,376,970 for "System and method for proactive computer virus protection," but that McAfee, Symantec, Trend Micro, and Kaspersky have all been selling products implementing proactive virus protection for years before Microsoft even filed for the patent. Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon"."


  1. It still won't work. by khasim · · Score: 4, Interesting

    It would be easy to circumvent by breaking the malware into multiple pieces and having one app load it piece by piece.

    If that is done right, then none of the pieces will be sufficiently like the known patterns to set off the alert.

    This is still all about matching against known patterns. That is NOT sufficient.

  2. Ignoring the Business Decision by mpapet · · Score: 5, Interesting

    Do you have any idea how much that would cost in legal fees? Antivirus Company XYZ gets a cease and desist from Microsoft with the bottom line being a $50,000/yr payout + units sold data to Microsoft. Yes, sales data is part of the discovery to calculate damages. What better way to find out how big their business actually is?

    From a business perspective, that $50,000/yr is a heck of a lot less than going to court. It is a shakedown. A totally legal protection racket. Which is why software patents should simply die.

    Look at the Crackberry fiasco. RIM knew the patent litigation was a scam and couldn't get the patents invalidated fast enough before incurring HUGE legal expenses. At some point it became a super-priority, most likely because politicians' and policy wonks' lives would be negatively affected by their Crackberrys being shut off.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

  3. Re:Prior art by Clandestine_Blaze · · Score: 5, Interesting

    After reading the article, I'm still left to wonder how the patent was awarded in the first place. The article states that Microsoft applied for the patent in 2004, and that a simple search on Google would yield several "proactive" virus protection software since 2003.

    I'm not familiar with the patent process, especially in the realm of software patents, but isn't there someone from the patent office that would investigate something like this? I mean, we're not talking about some obscure college research project, we're talking about Symantec, Trend Micro, and McAfee here.

  4. Re:Prior art by Anonymous Coward · · Score: 3, Interesting

    Are you saying that there is one and only one way to implement proactive virus protection?

    It all depends on how broad Microsoft's claims are.

  5. Re:Prior art by Dancindan84 · · Score: 4, Interesting

    This problem with the patent system has been brought up many times before. Clerks without technical knowledge often let patents slip through that shouldn't. Sometimes patent trolls abuse this to extort companies into paying them royalties, either because it's cheaper or because they don't have the money for the legal battle to fight it. This isn't one of those times. The prior art is obvious, the companies have the means to fight and probably would fight, as it's part of their primary business model.

    The only thing that makes any sense is that Microsoft is planning an AV package for Windows that includes this and they're trying to discourage any AV companies from coming after them over it. Still doesn't make much sense in that case.

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde

  6. Flushot+ did the same thing many years ago by Antiocheian · · Score: 4, Interesting

    Quote from the patent: "The method as recited in claim 3, wherein identifying calls that are potentially indicative of malware includes: comparing calls made in the executable with calls that exist in known malware; and if a call matches one that exists in known malware, determining that the call is potentially indicative of malware."

    There was a TSR program for the IBM compatibles called FLU_SHOT which would do the same. It would remain in memory and warn the user whenever a program tried to change a file on the hard disk or diskette, or whenever a program tried to reside in memory.

    I wonder if this is sufficient "prior art" to invalidate the Microsoft patent.

    By the way, an interesting part in the FLU_SHOT manual which I just downloaded... definition of a virus author by the creator of FLU_SHOT (written in 1988)

    ``
    As for the designer of the virus program: most
    likely an impotent adolescent, incapable of
    normal social relationships, and attempting to
    prove their own worth to themselves through
    these type of terrorist attacks.

    Never succeeding in that task (or in any
    other), since they have no worth, they will one
    day take a look at themselves and what they've
    done in their past, and kill themselves in
    disgust. This is a Good Thing, since it saves
    the taxpayers' money which normally would be
    wasted on therapy and treatment of this
    miscreant.

    If they *really* want a challenge, they'll try
    to destroy *my* hard disk on my BBS, instead of
    the disk of some innocent person. I challenge
    them to upload a virus or other Trojan horse to

  7. Loader... by DrYak · · Score: 4, Interesting

    Usually, brand-spanking-new polymorphic and encrypted viruses which use some trick or other to hide themselves are caught by antiviruses which detect *their decryption* routines.

    Yes, if code has undergone some complex processing before being injected into the host, and if it has to do some weird assembly before being runnable, it will be very hard for signature-based viruses to detect.

    *...BUT...* no normal program has any valid reason to run some complex unpack/decrypt/re-order process on code before running it.
    The virus's loader itself, even if it doesn't contain the slightest sign of malign activity, is a dead give-away that something shoddy is going to happen soon once the chimera has been assembled.

    Heuristic antiviruses which detect weird behaviour and raise alerts on "behaviours-that-aren't-inherently-dangerous-but-no-program-should-do-it-usually" are nothing new. It was pioneered by antiviruses as old as Thunderbyte.

    In fact, there have been some incidents of false positives triggering alerts, such as executables compressed with the UPX packer. (Which *is* a piece of software which does processing on code before running it. It isn't very popular in branded software. And it is sometimes used in viruses - which is why some antivirus vendors did not tune their heuristics finely enough to avoid triggering the false alert.) ...On the other hand, with weird content protection systems such as StarForce, maybe code unpacking/decrypting is becoming popular in mainstream software and heuristics may risk raising false alarms on most games, leading antivirus vendors to lower their heuristics and encryption/obfuscation becoming a valid virus hiding technique.

    But until then, hypervisor root-kits are the new holy grail of virus writers.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  8. Re:Prior art by drsmithy · · Score: 3, Interesting

    No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors' businesses overnight.

    What deficiencies in OS security do you think antivirus tools are addressing?

  9. Re:Prior art by morgan_greywolf · · Score: 2, Interesting

    Others here suggested that MS give any kind of AV away free. I think that's a good idea as well; I miss the simplicity of "msav." MS might be able to protect their own files as they know all of them, they know the count, the size, the location, but there's really no way in hell they can know what some programmer releases on a daily basis. To blindly remove such files would be unacceptable.

    Well, if applications were forced to use MSI installers, Microsoft could make the setup routines such that all of that information was logged. Furthermore, the system should, by default, refuse to install applications that aren't signed with a certificate from a reputable root CA.

  10. Re:Prior art by geminidomino · · Score: 3, Interesting

    No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors' businesses overnight.

    What deficiencies in OS security do you think antivirus tools are addressing?

    Poor user-level access controls (apparently partly addressed in Vista) and mind-blowing abuse of kernelspace come to mind immediately. I'm sure there are others, like why the hell a website plugin can result in files being auto-executed on boot...