1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the detection of an outbreak of a computer virus on a data processing system.
2. Description of the Prior Art
It is known to detect computer viruses using signature definitions of those viruses. In this technique, when a new virus is discovered, a characteristic pattern of computer instructions is identified associated with the virus and this characteristic pattern then added to a library of computer virus definitions so that a suspect file can be compared against this library of definitions to determine whether it contains one of the known computer viruses identified within the library.
An alternative approach to virus identification is heuristic testing in which types of activity associated with viruses are searched for and used to identify candidate viruses. As an example, an executable computer file that has at its start a call to a routine located at the end of the executable file is a strong candidate for having been infected with a virus.
A problem with both of the above techniques is that they are only generally capable of detecting known viruses or viruses behaving in known ways. As an example, it is only after a virus has been created, released and infected innocent users, that it will be drawn to the attention of anti-virus system makers who can then add a new virus definition to their library of definitions characteristic of the newly released virus to enable its detection by the library technique. Similarly, a virus with a new type of action, such as Word macro viruses when they were first released, present a problem for heuristic identification since their patterns of activity are not ones that are being tested for until after those new viruses have been created, released and infected innocent users.
It is known from Trend's Scan Mail Exchange Beta Release to provide a system in which a virus outbreak is notified if more than a threshold number of known viruses are detected within a 24 hour period. This technique does not address unknown viruses and types of virus behavior.