1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to a virus detection system and method.
2. Description of the Related Art
Anti-viral string scanning software looks for known viral scan strings, i.e., known strings of bytes, also known as virus signatures, to identify known viruses. Because of this, anti-viral string scanning software, hereinafter referred to as a string scanner, typically will detect only known viruses and the virus definition file used by the string scanner must be updated regularly.
Virus definition files typically include known virus strings and properties, e.g., flags, associated with the known virus strings. More particularly, some string scanners assign a mismatch value, i.e., a number of allowed mismatches, to particular known virus strings so that variants of a known virus can be identified.
A mismatch is an amount of information, e.g., a byte of information, that can differ between the known virus string and the scanned file string while still resulting in a conclusion that the scanned file string is a virus. A mismatch value is the number of allowed mismatches.
To illustrate, an exemplary known virus string is:
ABCDEFG
If the mismatch value is one, the following strings would be detected under the same virus name:
ZBCDEFG
AZCDEFG
ABZDEFG
ABCZEFG
ABCDZFG
ABCDEZG
ABCDEFZ
Thus, using mismatches, variants of known viruses are identified.
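To make the mismatch mechanism concrete, the following added Python example (not part of the patent text) scans a buffer against a definition entry that carries a mismatch value, exactly as in the ABCDEFG illustration above. The definition name EXAMPLE.A, the mismatch value, and the function names are constructed for illustration.

```python
# Added example, not from the patent: string scanning with a per-signature
# mismatch value. Definition entries below are constructed for illustration.

from typing import Optional

# Constructed virus definition entries: (name, signature bytes, allowed mismatches)
DEFINITIONS = [
    ("EXAMPLE.A", b"ABCDEFG", 1),
]


def count_mismatches(window: bytes, signature: bytes, limit: int) -> int:
    """Count differing bytes between window and signature.

    Stops counting as soon as the mismatch value (limit) is exceeded, so the
    caller only needs to test whether the result is <= limit.
    """
    mismatches = 0
    for w, s in zip(window, signature):
        if w != s:
            mismatches += 1
            if mismatches > limit:
                break
    return mismatches


def scan(data: bytes, definitions=DEFINITIONS) -> Optional[dict]:
    """Slide every signature over data; report the first entry matched within
    its mismatch value, with the offset and the number of mismatching bytes."""
    for name, sig, allowed in definitions:
        n = len(sig)
        # If data is shorter than the signature the range is empty: no match.
        for offset in range(len(data) - n + 1):
            window = data[offset:offset + n]
            m = count_mismatches(window, sig, allowed)
            if m <= allowed:
                return {"name": name, "offset": offset, "mismatches": m}
    return None
```

With a mismatch value of one, each of the seven single-byte variants listed above is reported under EXAMPLE.A, while a two-byte variant such as ZZCDEFG is not.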
Because the virus definition updates are readily available, the virus definition file used by the string scanner is easily obtainable by virus writers. Thus, virus writers have the opportunity to create viruses and to test them in the very same environment that other computer systems use. This allows a virus writer to verify that the virus is undetected by the string scanner even when the most current virus definition file is used.
To illustrate, a virus writer creates a virus. The virus writer then scans the virus with the string scanner. If the string scanner detects the virus as a threat, then the virus writer simply further modifies the virus. The virus writer again scans the now modified virus with the string scanner. This process is repeated until the string scanner does not detect the virus as a threat, i.e., the virus is not identified as a known virus or a variant of a known virus.
Once the string scanner does not detect the virus as a threat, the virus writer is free to release the virus into the wild, confident that the virus will not be detected as a threat on other computer systems running the same string scanner. Thus, the virus becomes widespread before a virus definition update for the virus is generally available.