The invention relates to systems and methods for detecting viruses and other malware, and in particular to anti-virus detection systems using behavior-based heuristics.
Known methods of scanning for malicious software (malware) such as viruses, worms, and Trojan horses include content-based methods and behavior-based methods. In content-based methods, the contents of a suspected file are compared to a database of known malware signatures. If a known virus signature is found in the suspected file, the file is labeled as a virus. Content-based methods are generally effective at identifying known malware, but may not be able to identify new threats. Also, malware writers often employ countermeasures aimed at evading signature scanners. For example, polymorphic viruses mutate periodically in order to make their identification more difficult.
Behavior-based methods typically involve allowing a suspected program to execute in an isolated virtual environment, commonly called a sandbox, and observing the program's resulting behavior. Programs that exhibit malicious behavior are identified and removed or contained. While conventional behavior-based methods may be effective in identifying new threats, such methods may be relatively computationally intensive and require relatively long analysis times.