1. Field of the Invention
The present invention relates generally to computer security, and more particularly, but not necessarily exclusively, to methods and apparatus for detecting malicious computer code.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, malicious codes are also collectively referred to as “viruses.” Antivirus products for protecting computers against malicious codes are commercially available. Experienced computer users have installed some form of antivirus in their computers.
A typical antivirus scanner includes a scan engine and a pattern file. The pattern file comprises patterns for identifying known malicious codes. To check a file for malicious code, the scan engine opens the file and compares its content to patterns in the pattern file. While this pattern matching approach is relatively effective, the pattern file needs to be continually updated to address newly discovered malicious codes. As the number of known malicious codes increases, so does the size of the pattern file. The larger the pattern file, the more memory and processing resources are consumed to perform malicious code scanning. Furthermore, a conventional antivirus scanner has limitations in scanning for scripts (for example, javascripts) on web pages, particularly scripts that are encrypted.
An emulator with heuristic rules may be used at a client (host) computer for detecting encrypted scripts. For example, a full-scale emulation may follow a cycle of preprocessing, tokenization, reduction, compiling and emulating. However, such emulation typically consumes a large amount of processing and memory resources and is disadvantageously slow in performance. This generally makes it impractical or undesirable to perform such emulation at a client computer.