In general, computer viruses (hereinafter referred to as viruses) are programs designed to replicate themselves by attaching virus programs to non-virus software. For example, a virus might attach a copy of itself to a spreadsheet program, word processing document, Internet browser, computer game, etc. After a program has been “infected” with a virus, each time the infected program runs the virus also runs, further replicating the virus. Because the presence of computer viruses often goes undetected, viruses can cause unexpected and harmful results. For example, viruses have been known to delete files, alter system settings, and consume system resources.
Traditionally, there have been two main virus types: executable viruses and boot sector viruses. Executable viruses attach themselves to executable programs, so the virus programs run while the executable programs are running. One characteristic of executable viruses is that they will not execute until the “host” program is executed. Boot sector viruses attach themselves to floppy or hard disk boot sectors. Boot sectors store operating system programs for loading parts of an operating system into a computer's memory during boot-up. When viruses are stored in the boot sector, they are guaranteed to execute because boot sector programs are always executed during operating system boot-up. Once the boot sector virus is loaded into memory, it typically can infect the boot sector of any floppy disk inserted into the computer.
Virus detection software has been developed to detect and eliminate these and other computer virus types. Virus detection programs typically scan computer files for specific bit patterns associated with known viruses. These bit patterns are often referred to as virus signatures. Scanning files for virus signatures can be a slow and resource-draining process. Various techniques have been developed to limit the scope of signature searches. One such technique is scalpel scanning, which limits signature searching to the parts of a file that are likely to contain virus entry points.
However, virus writers have thwarted many signature-scanning techniques by creating randomly encrypted and polymorphic viruses. Randomly encrypted viruses are difficult to detect because each new copy of the virus is randomly encrypted, so new virus copies may not exhibit traceable signatures until they are decrypted. Randomly encrypted viruses remain encrypted until just before execution, when they perform self-decryption, which may reveal known signatures. Polymorphic viruses are also difficult to detect because they change their encryption logic with each new infection. That is, the virus produces different encrypting and decrypting code for each new virus that is inserted into non-virus software. Because the encryption/decryption code is constantly changing, copies of the virus may not include traceable signatures, even when the virus is not encrypted.
In response to random encryption and polymorphic viruses, some virus detection systems emulate executable programs in secure portions of memory. Because encrypted viruses decrypt themselves before executing, emulating potentially infected programs can produce viruses in a decrypted state. Matching decrypted viruses with known virus signatures is typically more effective than doing the same with encrypted viruses. During emulation, the emulator periodically scans the secure memory portion for known virus signatures. If the emulator finds known virus signatures, the corresponding non-virus programs are processed and viruses are removed.
One disadvantage of using emulators to search for virus signatures is that emulators consume a relatively large amount of system resources. Another disadvantage is that emulators can miss known viruses when the viruses execute before being processed by the emulator. Yet another disadvantage is that some viruses are “aware” of emulators and thus do not decrypt during emulation. Another disadvantage is that emulators often do not support an entire processor instruction set. Thus, an emulator may not detect viruses that include instructions which the emulator does not support.
Another disadvantage of emulator based virus detection systems is that emulators typically do not know how long to emulate programs before associated viruses will decrypt themselves. Because emulation times are unknown, the only way to ensure that emulation times are not too short for decrypting viruses is to emulate programs forever, which is typically impossible.
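The following Python example is added here to illustrate the three ideas discussed above: plain signature scanning and its scalpel-scanning variant, and emulation of a potentially infected program in a private memory copy with periodic signature scans and a step budget that may expire before a self-decrypting payload has decoded. It is not code from the original document. Everything in it is constructed: the signature table, the file images, the trivial XOR "self-decryptor" standing in for an encrypted virus, and the tuple-based toy instruction set that the `emulate_and_scan` function interprets in place of a real processor emulator.

```python
"""Toy signature scanner and step-bounded emulator (constructed teaching example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed signatures: arbitrary byte patterns standing in for known-virus signatures.
SIGNATURES = {
    b"\xde\xad\xbe\xef\x42": "Example.A",
    b"\x13\x37\xc0\xde": "Example.B",
}


def scan_bytes(buf: bytes, start: int = 0, end: int | None = None) -> list[tuple[str, int]]:
    """Signature scan of buf[start:end]; returns (name, absolute offset) for every hit."""
    end = len(buf) if end is None else end
    region = buf[start:end]
    hits = []
    for sig, name in SIGNATURES.items():
        pos = region.find(sig)
        while pos != -1:
            hits.append((name, start + pos))
            pos = region.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def scalpel_scan(buf: bytes, entry_point: int, window: int = 64) -> list[tuple[str, int]]:
    """Scalpel scanning: only inspect a window around the entry point instead of the whole file."""
    lo = max(0, entry_point - window)
    hi = min(len(buf), entry_point + window)
    return scan_bytes(buf, lo, hi)


@dataclass
class EmulationResult:
    verdict: str            # "infected", "clean" or "budget-exhausted"
    steps: int              # instructions emulated before the verdict
    hits: list = field(default_factory=list)


def emulate_and_scan(image: bytes, program: list[tuple], max_steps: int,
                     scan_every: int = 1) -> EmulationResult:
    """Interpret a constructed toy program against a private copy of the image.

    Toy instruction set (an assumption of this example, not a real ISA):
      ("nop",)                    consume one step
      ("xor", offset, length, key) XOR `length` bytes at `offset` with `key`
      ("halt",)                   stop emulation
    The image copy is scanned every `scan_every` steps, mirroring the periodic
    scan of the emulator's secure memory region described in the text.
    """
    mem = bytearray(image)      # private copy; nothing here is executed natively
    steps = 0
    for ins in program:
        if steps >= max_steps:  # unknown decryption time forces an arbitrary budget
            return EmulationResult("budget-exhausted", steps)
        op = ins[0]
        if op == "xor":
            _, off, length, key = ins
            for i in range(off, off + length):
                mem[i] ^= key
        elif op == "halt":
            break
        steps += 1
        if steps % scan_every == 0:
            hits = scan_bytes(bytes(mem))
            if hits:
                return EmulationResult("infected", steps, hits)
    hits = scan_bytes(bytes(mem))
    return EmulationResult("infected" if hits else "clean", steps, hits)


# Constructed samples -----------------------------------------------------------
KEY = 0x5A
PLAIN_SIG = b"\xde\xad\xbe\xef\x42"
ENC_SIG = bytes(b ^ KEY for b in PLAIN_SIG)          # what a static scan actually sees
HOST_PLAIN = b"\x00" * 32 + PLAIN_SIG + b"\x00" * 32  # unencrypted infection at offset 32
HOST_ENC = b"\x00" * 32 + ENC_SIG + b"\x00" * 32      # encrypted infection at offset 32
HOST_FAR = PLAIN_SIG + b"\x00" * 100                  # infection far from the entry point
ENTRY = 32
# Toy self-decryptor: some filler steps, then decode the 5 payload bytes, then halt.
DECRYPTOR = [("nop",)] * 5 + [("xor", 32, 5, KEY), ("halt",)]


def demo() -> dict:
    """Run the scenarios from the text and return the verdicts for inspection."""
    return {
        "static_plain": scan_bytes(HOST_PLAIN),                      # found statically
        "static_encrypted": scan_bytes(HOST_ENC),                    # missed: bytes are encoded
        "scalpel_near_entry": scalpel_scan(HOST_PLAIN, ENTRY, 8),    # found in the window
        "scalpel_far_from_entry": scalpel_scan(HOST_FAR, 80, 8),     # missed: outside the window
        "emulate_short": emulate_and_scan(HOST_ENC, DECRYPTOR, 3).verdict,   # gave up too early
        "emulate_long": emulate_and_scan(HOST_ENC, DECRYPTOR, 10).verdict,   # decoded, then matched
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `emulate_short` and `emulate_long` cases are the point of the last two paragraphs: the same image and the same decryptor yield either a detection or an inconclusive result depending only on the step budget, which the scanner has no principled way to choose in advance.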