1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to measuring a static and dynamic security rating of processes.
2. Description of the Related Art
Detection of viruses has been a concern throughout the era of the personal computer. With the growth of communication networks, such as the Internet, and increasing interchange of data, including the rapid growth in the use of e-mail for communications, the infection of computers through communications or file exchange is an increasingly significant consideration. Infections take various forms, but are typically related to computer viruses, trojan programs, or other forms of malicious code. Recent incidents of e-mail mediated virus attacks have been dramatic both for the speed of propagation and for the extent of damage, with Internet service providers (ISPs) and companies suffering service problems and a loss of e-mail capability. In many instances, attempts to adequately prevent file exchange or e-mail mediated infections significantly inconvenience computer users. Improved strategies for detecting and dealing with virus attacks are desired.
One conventional technique for detecting viruses is signature scanning. Signature scanning systems use sample code patterns extracted from known malicious code and scan for the occurrence of these patterns in other program code. In some cases, program code that is scanned is first decrypted through emulation, and the resulting code scanned for virus signatures or function signatures. A primary limitation of this signature scanning method is that only known malicious code is detected, that is, only code that matches the stored sample signatures of known malicious code is identified as infected. All the viruses or malicious code not previously identified and all the viruses or malicious code created after the last update of the signature database will not be detected. Thus, newly released viruses are not detected by this method, neither are viruses with code in which the signature, previously extracted and contained in the signature database, has been overwritten.
In addition, the signature analysis fails to identify the presence of a virus if the signature is not aligned in the code in the expected fashion. Alternatively, the authors of a virus may obscure the identity of the virus by opcode substitution or by inserting dummy or random code into virus functions. Nonsense code can be inserted that alters the signature of the virus to a sufficient extent undetectable by a signature scanning program, without diminishing the ability of the virus to propagate and deliver its payload.
Another virus detection strategy is integrity checking. Integrity checking systems extract a code sample from known benign application program code. The code sample is stored, together with information from the program file, such as the executable program header and the file length, as well as the date and time of the sample. The program file is checked at regular intervals against this database to ensure that the program file has not been modified. Integrity checking programs generate long lists of modified files when a user upgrades the operating system of the computer or installs or upgrades application software. The main disadvantage of an integrity check-based virus detection system is that many warnings of virus activity are issued when any modification of an application program is performed. It is difficult for a user to determine whether a warning represents a legitimate attack on the computer system.
Checksum monitoring systems detect viruses by generating a cyclic redundancy check (CRC) value for each program file. Modification of the program file is detected by a variation in the CRC value. Checksum monitors improve on integrity check systems since it becomes difficult for malicious code to defeat the monitoring. On the other hand checksum monitors exhibit the same limitations as integrity checking systems, meaning that false warnings are issued, and it becomes difficult to identify which warnings represent actual viruses or infection.
Behavior interception systems detect virus activity by interacting with the operating system of the target computer and monitoring for potentially malicious behavior. When malicious behavior is detected, the action is blocked and the user is informed that a potentially dangerous action is about to take place. The potentially malicious code can be allowed to perform this action by the user, which makes the behavior interception system somewhat unreliable, because the effectiveness of the system depends on the user input. In addition, resident behavior interception systems are sometimes detected and disabled by malicious code.
Another conventional strategy for detecting infections is the use of bait files. This strategy is typically used in combination with various virus detection strategies to detect an existing and active infection. This means that the malicious code is running on the target computer and is modifying files. The virus is detected the moment the bait file is modified. Many viruses are aware of bait files and do not modify files that are either too small or have a predetermined content in the file name or because of their structure.
One of the problems in the field of anti-virus software is the fact that many users are unwilling to wait for a long time for the anti-virus software to do its work. In fact, most users would wait a fraction of a second, perhaps a second or two, when starting an application, but not longer than that. On the other hand in such a relatively short period of time, only more rudimentary anti-virus checks are possible, which is problem for the anti-virus software vendor, because the need to check the executable file being launched for viruses must be balanced against the time that a thorough anti-virus check takes.
It is apparent that improved techniques for detecting viruses and other malicious types of code are desirable.