1. Field of the Invention
The present invention relates to computer system security. More particularly, the present invention relates to a system and method of detecting malicious code in a computer system.
2. Description of the Related Art
An antivirus scanner, sometimes called a memory scanner, scans the memory of a computer system to detect malicious code. A trade-off exists between the amount of memory scanned and the speed at which the memory is scanned.
Generally, the greater the amount of memory scanned, the higher the likelihood that the antivirus scanner will detect malicious code within memory. Stated another way, the greater the amount of memory scanned, the less likely it is that malicious code will be in a memory area that is not scanned. Accordingly, it is desirable to scan as much memory as possible.
Conversely, the greater the amount of memory scanned, the longer it takes for the antivirus scanner to complete the scan. Thus, to increase the speed at which the antivirus scanner scans the memory while at the same time minimizing the likelihood of not scanning a memory area that contains malicious code, only memory areas, e.g., pages, that are likely to contain malicious code are scanned.
To identify memory areas that are likely to contain malicious code, the page tables are interrogated by the antivirus scanner to determine which pages are likely to contain malicious code, e.g., existing pages which are valid.
The antivirus scanner then scans the pages likely to contain malicious code. However, if the malicious code is in a page that is not scanned, the malicious code goes undetected.
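The selective scan described above can be modeled in a few lines of C. This is an added example, not code from the patent: the `pte` structure, the `PTE_VALID` bit, the marker string and the eight-page memory are assumptions constructed for illustration. It counts the pages a valid-only scan skips and compares its hits with a full scan, which makes the coverage gap measurable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NUM_PAGES 8
#define PTE_VALID 0x1u /* assumed flag bit for this model, not a real PTE layout */

/* Simplified page-table entry: a flag word plus the bytes backing the page. */
struct pte { uint32_t flags; const uint8_t *frame; };
struct scan_result { size_t scanned, skipped, hits; };

/* Return 1 if the byte signature occurs anywhere inside one page. */
static int page_has_sig(const uint8_t *page, const uint8_t *sig, size_t n) {
    for (size_t i = 0; i + n <= PAGE_SIZE; i++)
        if (memcmp(page + i, sig, n) == 0) return 1;
    return 0;
}

/* Walk the table; with valid_only set, non-valid entries are skipped and counted. */
static struct scan_result scan(const struct pte *pt, size_t npages,
                               const uint8_t *sig, size_t n, int valid_only) {
    struct scan_result r = {0, 0, 0};
    for (size_t i = 0; i < npages; i++) {
        if (valid_only && !(pt[i].flags & PTE_VALID)) { r.skipped++; continue; }
        r.scanned++;
        r.hits += (size_t)page_has_sig(pt[i].frame, sig, n);
    }
    return r;
}

/* Constructed sample: 8 pages, 5 marked valid; marker bytes in pages 2 and 5. */
struct scan_result demo_scan(int valid_only) {
    static uint8_t mem[NUM_PAGES][PAGE_SIZE];
    static const uint8_t sig[] = "CONSTRUCTED-TEST-MARKER";
    const int valid[NUM_PAGES] = {1, 1, 1, 0, 1, 0, 0, 1};
    struct pte pt[NUM_PAGES];
    memcpy(&mem[2][100], sig, sizeof sig - 1); /* page 2: marked valid */
    memcpy(&mem[5][200], sig, sizeof sig - 1); /* page 5: not marked valid */
    for (size_t i = 0; i < NUM_PAGES; i++) {
        pt[i].flags = valid[i] ? PTE_VALID : 0u;
        pt[i].frame = mem[i];
    }
    return scan(pt, NUM_PAGES, sig, sizeof sig - 1, valid_only);
}

int main(void) {
    struct scan_result a = demo_scan(1), b = demo_scan(0);
    printf("valid-only: scanned=%zu skipped=%zu hits=%zu\n", a.scanned, a.skipped, a.hits);
    printf("full scan:  scanned=%zu skipped=%zu hits=%zu\n", b.scanned, b.skipped, b.hits);
    return 0;
}
```

Comparing the `skipped` count and the difference in `hits` between the two runs shows how much of memory the faster scan never examined.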