The present invention relates in general to computer anti-virus protection and, in particular, to systems and methods for executing computer virus definitions containing general purpose programming language extensions.
Computer viruses are executable files or attachments often hidden or disguised as legitimate files or messages. More precisely, computer viruses include any form of self-replicating computer code which can be stored, disseminated, and directly or indirectly executed by unsuspecting clients. Viruses travel between machines over network connections or via infected media and cause malicious and sometimes destructive results. Viruses can be executable program or macro code disguised as application programs, functions, macros, electronic mail attachments, and even applets and hypertext links.
The earliest computer viruses infected boot sectors and files. Over time, computer viruses evolved into numerous types, including cavity, cluster, companion, direct action, encrypting, multipartite, mutating, polymorphic, overwriting, self-garbling, and stealth viruses, such as described in "Virus Information Library," Networks Associates Technology, Inc., (2001), the disclosure of which is incorporated by reference. Recently, macro viruses have become popular. These viruses are written as scripts in macro programming languages and are attached to documents and electronic mail attachments.
Historically, anti-virus solutions have reflected the sophistication of the viruses being combated. The first anti-virus solutions were stand-alone programs for identifying and disabling viruses. Eventually, anti-virus solutions grew to include special purpose functions and parameterized variables that could be stored in data files read by the anti-virus engine. Over time, the special purpose functions evolved into specialized anti-virus languages for defining virus scanning and cleaning instructions, including removal and disablement.
The data files store virus definitions. Each virus definition includes object code executed by an anti-virus engine on each client. As new computer viruses are discovered daily, each data file must be periodically updated to add new computer virus definitions, and replace or delete old virus definitions. Over time, data files tend to become large and can take excessive amounts of time to download. Long download times are particularly problematic on low bandwidth connections or in corporate computing environments having a large user base. Data files are also often platform-dependent and updates must be hard-coded into each different type of data file.
Upgrading anti-virus engines in a corporate computing environment can require considerable effort and time. Each anti-virus engine is limited to performing only those operations defined in the associated anti-virus language. Consequently, any changes or extensions to the language typically require the patching or replacement of the engine and can consume considerable resources in debugging and testing. In addition, anti-virus engines are implemented for specific computing environments, generally dependent on the type and version of operating system. Changes or upgrades to an anti-virus engine, therefore, must be propagated across all computing platforms and can present critical portability issues.
One prior art approach avoids the need to patch or replace the anti-virus engine by including the engine as part of the data files. Each new virus definition accordingly results in a new engine. However, such an approach to upgrading is slow and bandwidth-intensive. As well, including an anti-virus engine as part of a computer virus definition data file is misleading, as security policies controlling software download and installation are subverted.
Therefore, there is a need for an approach to providing a flexible and extensible anti-virus solution that avoids the limitations of a special purpose anti-virus language and the limited capabilities of the corresponding anti-virus engine. Preferably, such an approach would provide an anti-virus engine capable of executing general purpose programming language extensions.
There is a further need for an approach to providing a legacy-based anti-virus solution that preserves the user base of installed anti-virus engines, while providing a richer operation feature set. Preferably, such an approach would present a platform-independent means for extending data file functionality without hard-coding platform-specific changes into individual data files.
The present invention provides a system and method for embedding and interpreting general purpose programming language extensions included within a script written in an anti-virus language. The source code for the general purpose programming language extension is embedded in a source data file containing computer virus definitions and instructions written in the anti-virus language. The general purpose programming language extensions are delimited by verbs added to the grammar of the anti-virus language to support the execution of general purpose programming language extensions. The extensions are compiled by a compiler for the general purpose programming language and object code is generated. Computer virus definitions and object code for the compiled anti-virus language script and general purpose programming language extension are consolidated into a data file. The data file is interpreted by an anti-virus engine on a client and any embedded object code for the general purpose programming language is interpreted by a separate interpreter.
An embodiment of the present invention is a system and a method for executing computer virus definitions containing general purpose programming language extensions. One or more virus definition records are stored in a computer virus data file. Each virus definition record includes an identifier, a virus detection section and an extension sentence. The identifier uniquely identifies a computer virus. The virus detection section includes object code providing operations to detect the identified computer virus within a computer system. The extension sentence includes object code providing reusable operations implemented in a general purpose computing language. For each virus definition record, at least one of the object code of the virus detection section and the extension sentence is interpreted.
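The two paragraphs above describe a pipeline: a source data file written in the anti-virus language, extension source delimited by verbs added to that language's grammar, a compile step that turns both into object code, consolidation into virus definition records (identifier, virus detection section, extension sentence), and an engine that interprets the detection object code itself while handing the extension object code to a separate interpreter. The following toy model is an added example, not code from the patent or from any product; the anti-virus language, its verbs (VIRUS, DETECT, BEGIN_EXTENSION, END_EXTENSION, END), the record layout and the sample definitions are all constructed here, and Python stands in for both the anti-virus engine and the general purpose language interpreter.

```python
"""Toy model of a virus definition data file carrying general purpose
language extensions. Everything here (the AV language, its verbs, the
sample definitions) is constructed for illustration."""
import textwrap
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical verbs added to the AV language grammar to delimit an extension.
EXT_BEGIN = "BEGIN_EXTENSION"
EXT_END = "END_EXTENSION"

# Constructed source data file: two definitions, one with an extension sentence.
SOURCE_DATA_FILE = """\
VIRUS Test/Sample.A
  DETECT SIGNATURE 4142434445464748
  DETECT MAXSIZE 65536
  BEGIN_EXTENSION
  def extension(sample):
      # Reusable refinement written in the general purpose language:
      # confirm the hit only if the sample carries one of two trailer markers.
      return sample.endswith(b"EOF") or b"PAD" in sample
  END_EXTENSION
END

VIRUS Test/Sample.B
  DETECT SIGNATURE 5a4d
END
"""


@dataclass
class VirusDefinitionRecord:
    identifier: str                      # uniquely identifies the virus
    detection: list = field(default_factory=list)  # detection "object code": (op, operand) pairs
    extension: Optional[object] = None   # compiled extension sentence, or None


def compile_detect(op: str, operand: str):
    """Compile one DETECT clause of the AV language into engine object code."""
    if op == "SIGNATURE":
        return ("SIGNATURE", bytes.fromhex(operand))
    if op == "MAXSIZE":
        return ("MAXSIZE", int(operand))
    raise SyntaxError(f"unknown DETECT operation {op!r}")


def compile_extension(lines: list) -> object:
    """Compile the extension source with the general purpose language compiler."""
    src = textwrap.dedent("\n".join(lines)) + "\n"
    return compile(src, "<extension>", "exec")


def compile_source(source: str) -> list:
    """Parse the source data file and consolidate it into definition records."""
    records, current, ext_lines = [], None, None
    for raw in source.splitlines():
        line = raw.strip()
        if ext_lines is not None:            # inside BEGIN_EXTENSION ... END_EXTENSION
            if line == EXT_END:
                current.extension = compile_extension(ext_lines)
                ext_lines = None
            else:
                ext_lines.append(raw)       # keep indentation for the compiler
            continue
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "VIRUS":
            current = VirusDefinitionRecord(identifier=rest)
        elif verb == "DETECT":
            op, _, operand = rest.partition(" ")
            current.detection.append(compile_detect(op, operand))
        elif verb == EXT_BEGIN:
            ext_lines = []
        elif verb == "END":
            records.append(current)
            current = None
        else:
            raise SyntaxError(f"unknown verb {verb!r}")
    return records


def interpret_detection(detection: list, sample: bytes) -> bool:
    """The anti-virus engine's own interpreter for the detection section."""
    for op, operand in detection:
        if op == "SIGNATURE" and operand not in sample:
            return False
        if op == "MAXSIZE" and len(sample) > operand:
            return False
    return True


def interpret_extension(code: object, sample: bytes) -> bool:
    """Separate interpreter for the extension sentence. A fresh namespace with
    no builtins is used for illustration only; it is not a security sandbox, and
    a real engine must authenticate the data file before running any extension."""
    namespace = {"__builtins__": {}}
    exec(code, namespace)
    return bool(namespace["extension"](sample))


def scan(records: list, sample: bytes) -> list:
    """Return the identifiers of all records that match the sample. The cheap
    detection section is interpreted first; an extension, if present, refines."""
    hits = []
    for rec in records:
        if not interpret_detection(rec.detection, sample):
            continue
        if rec.extension is not None and not interpret_extension(rec.extension, sample):
            continue
        hits.append(rec.identifier)
    return hits


if __name__ == "__main__":
    defs = compile_source(SOURCE_DATA_FILE)
    print(scan(defs, b"..ABCDEFGH..EOF"))   # Sample.A: signature + extension agree
    print(scan(defs, b"ABCDEFGH plain"))    # nothing: extension rejects the hit
```

Ordering detection before the extension keeps the expensive general purpose code off the hot path for samples the object code already rejects; the same record layout would let a definition carry only an extension sentence, or only a detection section, as the text allows.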
Accordingly, the capabilities of the anti-virus engine are enhanced with the ability to include the richer feature set provided by the general purpose programming language without having to modify the functionality of the anti-virus engine itself.
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein are described embodiments of the invention by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.