1. Field of the Invention
The present invention relates generally to computer security, and more particularly, but not necessarily exclusively, to methods and apparatus for detecting malicious computer code.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, malicious codes are also collectively referred to as “viruses.” Antivirus products for protecting computers against malicious codes are commercially available. Experienced computer users have installed some form of antivirus in their computers.
A typical antivirus scanner includes a scan engine and a pattern file. The pattern file comprises patterns for identifying known malicious codes. To check a file for malicious code, the scan engine opens the file and compares its content to patterns in the pattern file. While this pattern matching approach is relatively effective, the pattern file needs to be continually updated to address newly discovered malicious codes. As the number of known malicious codes increases, so does the size of the pattern file. The larger the pattern file, the more memory and processing resources are consumed to perform malicious code scanning. Furthermore, a conventional antivirus scanner has limitations in scanning for scripts (for example, java scripts) on web pages, particularly scripts that are encrypted.
An emulator with heuristic rules may be used at the client (host) computer for detecting encrypted scripts. However, such emulation demands a large amount of CPU (central processing unit) and memory resources at the client computer.