This invention relates generally to detecting the presence of malicious code in computer files, and more particularly to improving the performance of malicious code detection methods.
During the brief history of computers, system administrators and users have been plagued by attacking agents such as viruses, worms, and Trojan Horses, which may be designed to disable host computer systems and propagate themselves to connected systems.
In recent years, two developments have increased the threat posed by these attacking agents. Firstly, increased dependence on computers to perform mission critical business tasks has increased the economic cost associated with system downtime. Secondly, increased interconnectivity among computers has made it possible for attacking agents to spread to a large number of systems in a matter of hours.
Attacking agents can infect a system by replacing the executable code stored in existing files. When the system attempts to execute the code stored in these files, it instead executes malicious code inserted by the attacking agent, allowing the attacking agent to gain control of the system. Virus scanning utilities, such as Norton Antivirus, produced by Symantec Corporation of Cupertino, Calif., allow a user to determine whether a file containing executable code has been infected with malicious code.
Traditionally, these utilities have been able to detect viruses by checking for suspicious sections of code in designated locations or looking for other easily detectable characteristics. These methods can be performed quickly, with little burden to system resources.
However, as attacking agents have become more sophisticated, scanning utilities have needed to perform even more complicated tests to detect the presence of malicious code. For example, special purpose code may have to examine large portions of a file or perform complicated emulation techniques to detect the presence of viruses.
These techniques must often be performed serially, and are extremely time and resource intensive. Optimizing these routines sufficiently to prevent them from becoming prohibitively time consuming when applied to a large number of files is becoming extremely difficult as attacking agents grow in number and complexity. What is needed is a way to improve the speed and reliability of detection techniques.