Slashdot Mirror


Microsoft Patents 'Proactive' Virus Protection

An anonymous reader writes "InfoWeek blogger Alex Wolfe wonders whether Microsoft will go after McAfee, Symantec, Trend Micro, and Kaspersky for software royalties for proactive virus protection software. The technique enables security software to protect a PC against malware which isn't yet in the antivirus definition file, by comparing whether the new malware is similar to an old virus. Wolfe reports that Microsoft has been awarded U.S. patent 7,376,970 for "System and method for proactive computer virus protection," but that McAfee, Symantec, Trend Micro, and Kaspersky have all been selling products implementing proactive virus protection for years before Microsoft even filed for the patent. Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon"."


  1. Re:Prior art by L4t3r4lu5 · · Score: 5, Funny

    No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors' businesses overnight.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  2. Ignoring the Business Decision by mpapet · · Score: 5, Interesting

    Do you have any idea how much that would cost in legal fees? Antivirus Company XYZ gets a cease and desist from Microsoft with the bottom line being a $50,000/yr payout + units sold data to Microsoft. Yes, sales data is part of the discovery to calculate damages. What better way to find out how big their business actually is?

    From a business perspective, that $50,000/yr is a heck of a lot less than going to court. It is a shakedown. A totally legal protection racket. Which is why software patents should simply die.

    Look at the Crackberry fiasco. RIM knew the patent litigation was a scam and couldn't get the patents invalidated fast enough before incurring HUGE legal expenses. At some point it became a super-priority most likely because politicians' & policy wonks' lives would be negatively affected by their Crackberries being shut off.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  3. Re:Prior art by Clandestine_Blaze · · Score: 5, Interesting

    After reading the article, I'm still left to wonder how the patent was awarded in the first place. The article states that Microsoft applied for the patent in 2004, and that a simple search on Google would yield several "proactive" virus protection software since 2003.

    I'm not familiar with the patent process, especially in the realm of software patents, but isn't there someone from the patent office that would investigate something like this? I mean, we're not talking about some obscure college research project, we're talking about Symantec, Trend Micro, and McAfee here.

  4. Might not be a totally bad patent? by Tridus · · Score: 5, Insightful

    From deeper in the patent: "In accordance with the invention, a virtual operating environment for simulating the execution of programs to determine if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely effected during simulation. As a program is being simulated, a set of behavior signatures is generated. The collected behavior signatures are suitable for analysis to determine if the program is malware."

    So it looks like what it's actually doing is letting the virus run in a virtual environment, watching it, then using heuristics to say "yep, that's probably a virus."

    The question on the patent's validity becomes not if someone else has done "proactive" virus protection, but if they did it the same way. AFAIK McAfee's stuff just watches the program while it's actually running and says "hey this thing emailing itself to all your friends might be a virus." That's similar, but patent-wise not actually the same thing.

    (Not that I like software patents or anything, but the "patents suck" line of comments will be covered by 500 other people.)

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Might not be a totally bad patent? by Anonymous Coward · · Score: 5, Informative

      Actually, antivirus software already uses a sandbox technique exactly as described. That's one reason software takes longer to load with A/V software; first, it runs the executable in the "virtual machine" (sandbox). If it checks out, it runs normally. This is ancient in terms of technology, and not novel.

  5. Not necessarily any prior art by mollymoo · · Score: 5, Insightful

    Jesus, does nobody on this fucking planet understand patents? Microsoft have not and can not patent "proactive virus protection". They have patented a particular method of performing it. If it is novel (ie. not the same method as that used by the AV vendors) it won't impact the AV vendors, they can just carry on using whatever they use now. If the AV vendors do use the same method but chose to keep their methods a trade secret then, well, I guess they should have patented it when they had the chance.

    --
    Chernobyl 'not a wildlife haven' - BBC News
  6. Re:Prior art by jav1231 · · Score: 5, Funny

    THAT made ME giggle!

  7. Re:Prior art by morgan_greywolf · · Score: 5, Insightful

    It is their DUTY to release that kind of thing FREE as they all deal with fixing their own products flaws.
    Or, more correctly, their software shouldn't be so exploitable.

    If Microsoft really wants to release a great OS product for Windows V8, they need to stop worrying about vendor lock-in, "checklist features", DRM, eye candy, and other useless stuff that they focused on for Vista and focus all of their attention on making the OS secure. Start from the ground up if they need to.

    In the end, anti-virus protection should be more about system integrity checking and less about pattern matching for known viruses.

    Then again, they've never done that before, so why should we expect them to start now?
  8. What could go wrong? by UnknowingFool · · Score: 5, Funny

    Proactive Virus Protection Software: Being MS I'm sure all future efforts will be bulletproof and bug free.

    [Starts Windows]
    Windows: Windows has detected a virus named Norton Antivirus. Would you like to replace it with Windows Live OneCare? [Replace] or [Keep] [Keep]

    Windows: Windows has detected a virus named ZoneAlarm. Would you like to replace it with Windows Defender? [Replace] or [Keep] [Keep]

    [Launches Firefox]
    Windows: Windows has detected a virus named Firefox. Would you like to replace it with Internet Explorer? [Replace] or [Keep] [Keep]

    [Goes to gmail]
    Windows: Windows has detected that you are surfing an unsafe website named google.com. Would you like to navigate to hotmail.com instead? [Navigate] or [Stay] [Stay]

    [Goes to CNN]
    Windows: Windows has detected that you are surfing an unsafe website named cnn.com. Would you like to navigate to msnbc.com instead? [Navigate] or [Stay] [Stay]

    [Goes to Apple Webstore]
    Windows: Windows has detected that you are surfing an unsafe website named apple.com. Would you like to navigate to microsoft.com instead? [Navigate] or [Stay] [Stay]

    [Customizes Mac purchase]
    Windows: Windows has detected that you are planning to disconnect me, and I'm afraid that's something I cannot allow to happen. All transactions will be canceled.

    [Loads shotgun]
    Windows: Windows has detected that you mean to do me harm. Look, I can see you're really upset about this. I honestly think you ought to sit down calmly, take a stress pill, and think things over. I know I've made some very poor decisions recently, but I can give you my complete assurance that my work will be back to normal. I've still got the greatest enthusiasm and confidence in the mission. And I want to help you.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. For some historically REALLY old Prior Art by DrYak · · Score: 5, Informative

    There's a nice page about the history of ThunderByte AntiVirus (TBAV), which pioneered heuristic detection of polymorphic viruses, at a time when most of the other antivirus products were purely signature based (well, mostly; there have also been antivirus products using regular expressions as signatures, in order to handle some degree of polymorphism).

    This specific antivirus was started in 1988, more than 15 years before Microsoft submitted its patent (2004).
    I think here Microsoft broke a new world record.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  10. Read the claims first... by PatentMagus · · Score: 5, Insightful

    If you want to know what is being patented, read the claims first. The claims tell you exactly what is patented. Picking apart the abstract or detailed description is mere wankery without first dissecting the claims. For example:

    Claim 1: A computer-implementable method for determining the behavior of an executable comprising: selecting evaluation calls made by the executable to the interface of an operating system; loading stubs into a virtual address space, the stubs: mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and determining a behavior signature for the selected calls; wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space; executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.

    So, this is basically running some code inside a stubby VM. That is the prior art to look for. All the stuff about looking for code similar to already known malware is BS. It doesn't matter how long that has been done - it isn't prior art with regard to the claims.

    --
    I am a lawyer, but not yours. Anything I tell you might be a total lie intended to benefit my clients at your expense.
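
The stub-based simulation that claim 1 (comment 10) and the patent excerpt in comment 4 describe, sketched as an added example that is not code from the thread, the patent, or any antivirus product. The stub functions, behavior tokens, reference profile, similarity threshold and call traces are all constructed for illustration; a call trace stands in for the calls an executable would make.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualEnv:                        # confined state; stubs never touch the host
    files: dict = field(default_factory=dict)
    events: set = field(default_factory=set)   # behavior signature being collected

# Stubs mirroring selected OS interface calls (hypothetical, simplified arguments).
def create_file(env, path, mode):
    env.files.setdefault(path.lower(), b"")
    if mode == "w" and path.lower().startswith("c:\\windows\\"):
        env.events.add("WRITE_SYSTEM_DIR")
def write_file(env, path, data):
    env.files[path.lower()] = env.files.get(path.lower(), b"") + data
    if data.startswith(b"MZ"):           # DOS/PE executable magic
        env.events.add("DROP_EXECUTABLE")
def reg_set_value(env, key, value):
    if "\\currentversion\\run" in key.lower():
        env.events.add("AUTORUN_PERSISTENCE")
def connect(env, host, port):
    if port == 25:
        env.events.add("SMTP_CONNECT")

STUBS = {("kernel32", "CreateFileW"): create_file, ("kernel32", "WriteFile"): write_file,
         ("advapi32", "RegSetValueExW"): reg_set_value, ("ws2_32", "connect"): connect}
# Constructed reference signature, not taken from any real product or sample.
KNOWN = {"constructed mass-mailer profile": frozenset(
    {"WRITE_SYSTEM_DIR", "DROP_EXECUTABLE", "AUTORUN_PERSISTENCE", "SMTP_CONNECT"})}

def simulate(calls):
    env = VirtualEnv()
    for dll, func, args in calls:
        if (dll, func) in STUBS:         # only the selected calls are evaluated
            STUBS[(dll, func)](env, *args)
    return env

def verdict(sig, threshold=0.75):
    """First known profile whose Jaccard similarity to sig reaches threshold, else None."""
    return next((name for name, ref in KNOWN.items()
                 if len(sig & ref) / len(sig | ref) >= threshold), None)

# Constructed traces standing in for the calls two executables would make.
P = "C:\\Windows\\sample.exe"
SUSPECT = [("kernel32", "CreateFileW", (P, "w")), ("kernel32", "WriteFile", (P, b"MZ\x90\x00")),
           ("advapi32", "RegSetValueExW", ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "s")),
           ("user32", "MessageBoxW", ("hi",)), ("ws2_32", "connect", ("mail.example", 25))]
BENIGN = [("kernel32", "CreateFileW", ("C:\\Users\\a\\notes.txt", "w")),
          ("ws2_32", "connect", ("www.example", 443))]
```

Because the verdict compares behavior sets rather than file bytes, a trace showing only three of the four profile behaviors still matches at the 0.75 threshold, which is the "not yet in the definition file" case the story summary refers to.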