CA2244892A1 - Emulation repair system - Google Patents
- Publication number
- CA2244892A1
- Authority
- CA
- Canada
- Prior art keywords
- virus
- file
- virtual machine
- module
- infected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
            - G06F21/53—Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/562—Static detection
                - G06F21/564—Static detection by virus signature recognition
              - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
              - G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Abstract
An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220") of the host file (220) in the virtual machine (216) are reflected to a back-up file (220') in the computer system (202).
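The flow the abstract describes, as an added example that is not code from the patent or its assignee. It models each piece on a toy scale: a seven-instruction register virtual machine, a constructed `Demo.XOR` sample that overwrites the host's entry with a jump to an appended XOR-encrypted body, a virus definition whose decryption information is a set of plaintext landmarks, a foundation module of generic byte-copy and truncate routines, and an overlay module that is the only code knowing this virus's layout. The instruction set, the sample virus, the definition layout and the flat "file offset equals VM address" memory model are all assumptions made for illustration. The infected image is emulated only until the landmarks read as plaintext, so the decrypted virus body never executes, and every repair the overlay makes to the VM image is mirrored to a backup copy while the original file is left unwritten.

```python
from dataclasses import dataclass

# Assumed 7-instruction ISA for the virtual machine; file offset == VM address.
OP_JMP, OP_MOVI, OP_XORM, OP_INC, OP_DEC, OP_JNZ, OP_HLT = range(1, 8)
KEY = 0x5A  # XOR key of the constructed sample virus

def le16(v: int) -> bytes: return v.to_bytes(2, "little")
def rd16(mem, off: int) -> int: return int.from_bytes(mem[off:off + 2], "little")

@dataclass(frozen=True)
class VirusDefinition:  # decryption information from the virus definition (assumed layout)
    name: str
    decryptor_len: int  # bytes of decryptor code before the encrypted body
    landmarks: tuple    # (body offset, plaintext) pairs that prove full decryption
    host_off: int       # body offset of the saved host bytes
    host_len: int

# Landmarks sit at and after the saved host bytes, so a front-to-back decryptor
# that has exposed them has also exposed every byte the repair will read.
DEMO = VirusDefinition("Demo.XOR", decryptor_len=19, host_off=3, host_len=3,
                       landmarks=((6, b"VX!"), (9, bytes([OP_HLT]))))

def infect(host: bytes) -> bytes:
    """CONSTRUCTED infection: entry overwritten with JMP <virus>; appended decryptor
    loop plus an XOR-encrypted body that carries the 3 original entry bytes."""
    v = len(host)                                  # virus starts at the old end of file
    body = v + DEMO.decryptor_len
    plain = (bytes([OP_JMP]) + le16(body + 9)      # skip the data, land on HLT
             + host[:3] + b"VX!" + bytes([OP_HLT]))
    decryptor = (bytes([OP_MOVI, 0]) + le16(body)          # r0 = pointer
                 + bytes([OP_MOVI, 1]) + le16(len(plain))  # r1 = counter
                 + bytes([OP_XORM, 0, KEY])                # v+8: [r0] ^= KEY
                 + bytes([OP_INC, 0]) + bytes([OP_DEC, 1])
                 + bytes([OP_JNZ, 1]) + le16(v + 8))       # loop while r1 != 0
    return bytes([OP_JMP]) + le16(v) + host[3:] + decryptor + bytes(b ^ KEY for b in plain)

class VM:  # emulates the infected file in an isolated memory image
    def __init__(self, image: bytes):
        self.mem, self.pc, self.r, self.halted = bytearray(image), 0, [0] * 4, False

    def step(self) -> None:
        m, pc = self.mem, self.pc; op = m[pc]
        if op == OP_JMP:
            self.pc = rd16(m, pc + 1)
        elif op == OP_MOVI:
            self.r[m[pc + 1]] = rd16(m, pc + 2); self.pc += 4
        elif op == OP_XORM:
            m[self.r[m[pc + 1]]] ^= m[pc + 2]; self.pc += 3
        elif op in (OP_INC, OP_DEC):
            self.r[m[pc + 1]] += 1 if op == OP_INC else -1; self.pc += 2
        elif op == OP_JNZ:
            self.pc = rd16(m, pc + 2) if self.r[m[pc + 1]] else pc + 4
        elif op == OP_HLT:
            self.halted = True
        else: raise ValueError(f"illegal opcode {op:#x} at {pc:#x}")

def is_decrypted(mem, body: int, defn: VirusDefinition) -> bool:
    return all(mem[body + o:body + o + len(w)] == w for o, w in defn.landmarks)

def emulate_until_decrypted(vm: VM, body: int, defn: VirusDefinition, max_steps=10_000) -> int:
    """Run the virus's own decryptor in the VM and stop the moment every landmark
    reads as plaintext, before the decrypted body executes. Returns steps emulated."""
    for n in range(max_steps):
        if is_decrypted(vm.mem, body, defn):
            return n
        if vm.halted:
            raise RuntimeError(f"{defn.name}: file halted before decryption finished")
        vm.step()
    raise RuntimeError(f"{defn.name}: not decrypted within {max_steps} steps")

# Foundation module: generic repair routines. Every write to the VM image is
# mirrored to `backup`, a copy of the infected file; the original is never written.
def restore_bytes(vm: VM, backup: bytearray, src: int, dst: int, n: int) -> None:
    data = bytes(vm.mem[src:src + n])              # read from the decrypted image
    vm.mem[dst:dst + n] = data; backup[dst:dst + n] = data

def truncate(vm: VM, backup: bytearray, new_len: int) -> None:
    del vm.mem[new_len:]; del backup[new_len:]

# Overlay module for Demo.XOR: the only code that knows this virus's layout.
def demo_body_start(mem) -> int:
    return rd16(mem, 1) + DEMO.decryptor_len       # stub at 0 is JMP <virus start>

def demo_repair(vm: VM, backup: bytearray) -> None:
    virus_start = rd16(vm.mem, 1)
    restore_bytes(vm, backup, demo_body_start(vm.mem) + DEMO.host_off, 0, DEMO.host_len)
    truncate(vm, backup, virus_start)               # drop the appended virus
OVERLAYS = {DEMO.name: (DEMO, demo_body_start, demo_repair)}

def emulation_repair(infected: bytes, virus_name: str) -> bytes:
    """Scanner result (infected file + virus name) in, repaired backup out."""
    defn, body_start, repair = OVERLAYS[virus_name]
    vm = VM(infected)
    emulate_until_decrypted(vm, body_start(infected), defn)
    backup = bytearray(infected)                   # foundation + overlay take over here
    repair(vm, backup)
    return bytes(backup)

HOST = bytes([OP_MOVI, 2]) + le16(0x42) + bytes([OP_HLT]) + b"host data block."  # constructed clean host
print(emulation_repair(infect(HOST), "Demo.XOR") == HOST)   # True
```

One practitioner detail the landmark check makes visible: a front-to-back decryptor exposes bytes in order, so a landmark placed before the saved host bytes can match while the bytes the repair needs are still ciphertext. The definition therefore puts its landmarks at and after the saved host bytes (offsets 6 and 9 of a 10-byte body), and `emulate_until_decrypted` refuses to hand over to the overlay until all of them match; the run also stops with an error if the file halts first or exceeds a step budget, the usual guard against decryptors that never terminate.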
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08/605,285 US6067410A (en) | 1996-02-09 | 1996-02-09 | Emulation repair system |
US08/605,285 | 1996-02-09 | | |
PCT/US1997/001510 WO1997029425A2 (en) | 1996-02-09 | 1997-02-03 | Emulation repair system |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2244892A1 true CA2244892A1 (en) | 1997-08-14 |
CA2244892C CA2244892C (en) | 2002-05-21 |
Family
ID=24423027
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002244892A Expired - Lifetime CA2244892C (en) | 1996-02-09 | 1997-02-03 | Emulation repair system |
Country Status (6)
Country | Link |
---|---|
US (1) | US6067410A (en) |
EP (1) | EP0880743B1 (en) |
AU (1) | AU1848597A (en) |
CA (1) | CA2244892C (en) |
DE (1) | DE69702335T2 (en) |
WO (1) | WO1997029425A2 (en) |
Families Citing this family (87)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6401210B1 (en) * | 1998-09-23 | 2002-06-04 | Intel Corporation | Method of managing computer virus infected files |
WO2000034867A1 (en) | 1998-12-09 | 2000-06-15 | Network Ice Corporation | A method and apparatus for providing network and computer system security |
US7389540B2 (en) * | 1999-02-03 | 2008-06-17 | Cybersoft, Inc. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer |
US7346929B1 (en) * | 1999-07-29 | 2008-03-18 | International Business Machines Corporation | Method and apparatus for auditing network security |
US6543007B1 (en) * | 1999-10-28 | 2003-04-01 | General Electric Company | Process and system for configuring repair codes for diagnostics of machine malfunctions |
US6851057B1 (en) | 1999-11-30 | 2005-02-01 | Symantec Corporation | Data driven detection of viruses |
US8006243B2 (en) * | 1999-12-07 | 2011-08-23 | International Business Machines Corporation | Method and apparatus for remote installation of network drivers and software |
US6954858B1 (en) | 1999-12-22 | 2005-10-11 | Kimberly Joyce Welborn | Computer virus avoidance system and mechanism |
GB2353372B (en) * | 1999-12-24 | 2001-08-22 | F Secure Oyj | Remote computer virus scanning |
US6971019B1 (en) | 2000-03-14 | 2005-11-29 | Symantec Corporation | Histogram-based virus detection |
AU2001257400A1 (en) * | 2000-04-28 | 2001-11-12 | Internet Security Systems, Inc. | System and method for managing security events on a network |
IL152502A0 (en) * | 2000-04-28 | 2003-05-29 | Internet Security Systems Inc | Method and system for managing computer security information |
US6907396B1 (en) * | 2000-06-01 | 2005-06-14 | Networks Associates Technology, Inc. | Detecting computer viruses or malicious software by patching instructions into an emulator |
US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US6901519B1 (en) | 2000-06-22 | 2005-05-31 | Infobahn, Inc. | E-mail virus protection system and method |
US7093239B1 (en) | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US9027121B2 (en) * | 2000-10-10 | 2015-05-05 | International Business Machines Corporation | Method and system for creating a record for one or more computer security incidents |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US7231440B1 (en) * | 2000-12-18 | 2007-06-12 | Mcafee, Inc. | System and method for distributing portable computer virus definition records with binary file conversion |
US7130466B2 (en) * | 2000-12-21 | 2006-10-31 | Cobion Ag | System and method for compiling images from a database and comparing the compiled images with known images |
US7058667B2 (en) * | 2000-12-27 | 2006-06-06 | Microsoft Corporation | Method and system for creating and maintaining version-specific properties in a file |
AU2002243763A1 (en) * | 2001-01-31 | 2002-08-12 | Internet Security Systems, Inc. | Method and system for configuring and scheduling security audits of a computer network |
US6898712B2 (en) * | 2001-02-20 | 2005-05-24 | Networks Associates Technology, Inc. | Test driver ordering |
US7404212B2 (en) * | 2001-03-06 | 2008-07-22 | Cybersoft, Inc. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer |
US7114184B2 (en) * | 2001-03-30 | 2006-09-26 | Computer Associates Think, Inc. | System and method for restoring computer systems damaged by a malicious computer program |
US7010696B1 (en) | 2001-03-30 | 2006-03-07 | Mcafee, Inc. | Method and apparatus for predicting the incidence of a virus |
US20030167287A1 (en) * | 2001-04-11 | 2003-09-04 | Karl Forster | Information protection system |
CN1147795C (en) * | 2001-04-29 | 2004-04-28 | 北京瑞星科技股份有限公司 | Method, system and medium for detecting and clearing known and unknown computer viruses |
US7210041B1 (en) * | 2001-04-30 | 2007-04-24 | Mcafee, Inc. | System and method for identifying a macro virus family using a macro virus definitions database |
US20020188649A1 (en) * | 2001-06-12 | 2002-12-12 | Ron Karim | Mechanism for safely executing an untrusted program |
US7657419B2 (en) * | 2001-06-19 | 2010-02-02 | International Business Machines Corporation | Analytical virtual machine |
WO2003025722A2 (en) * | 2001-09-14 | 2003-03-27 | Computer Associates Think, Inc. | Virus detection system |
US7356736B2 (en) * | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance |
US7310818B1 (en) * | 2001-10-25 | 2007-12-18 | Mcafee, Inc. | System and method for tracking computer viruses |
WO2003058451A1 (en) * | 2002-01-04 | 2003-07-17 | Internet Security Systems, Inc. | System and method for the managed security control of processes on a computer system |
US9652613B1 (en) | 2002-01-17 | 2017-05-16 | Trustwave Holdings, Inc. | Virus detection by executing electronic message code in a virtual machine |
US7607171B1 (en) | 2002-01-17 | 2009-10-20 | Avinti, Inc. | Virus detection by executing e-mail code in a virtual machine |
EP1490771A4 (en) | 2002-04-03 | 2007-11-21 | Powerquest Corp | Using disassociated images for computer and storage resource management |
US7565517B1 (en) | 2002-04-03 | 2009-07-21 | Symantec Corporation | Retargeting a captured image to new hardware while in a pre-boot environment |
US7290282B1 (en) * | 2002-04-08 | 2007-10-30 | Symantec Corporation | Reducing false positive computer virus detections |
US7103913B2 (en) * | 2002-05-08 | 2006-09-05 | International Business Machines Corporation | Method and apparatus for determination of the non-replicative behavior of a malicious program |
US7370360B2 (en) * | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US7409717B1 (en) * | 2002-05-23 | 2008-08-05 | Symantec Corporation | Metamorphic computer virus detection |
US8069480B1 (en) * | 2002-09-30 | 2011-11-29 | Mcafee, Inc. | Method and system for defining a safe storage area for use in recovering a computer system |
US7013483B2 (en) * | 2003-01-03 | 2006-03-14 | Aladdin Knowledge Systems Ltd. | Method for emulating an executable code in order to detect maliciousness |
US7913303B1 (en) | 2003-01-21 | 2011-03-22 | International Business Machines Corporation | Method and system for dynamically protecting a computer system from attack |
US7657938B2 (en) * | 2003-10-28 | 2010-02-02 | International Business Machines Corporation | Method and system for protecting computer networks by altering unwanted network data traffic |
US7437764B1 (en) * | 2003-11-14 | 2008-10-14 | Symantec Corporation | Vulnerability assessment of disk images |
US7971254B1 (en) * | 2004-01-28 | 2011-06-28 | Netgear, Inc. | Method and system for low-latency detection of viruses transmitted over a network |
US7721334B2 (en) | 2004-01-30 | 2010-05-18 | Microsoft Corporation | Detection of code-free files |
US7370233B1 (en) * | 2004-05-21 | 2008-05-06 | Symantec Corporation | Verification of desired end-state using a virtual machine environment |
US7490268B2 (en) * | 2004-06-01 | 2009-02-10 | The Trustees Of Columbia University In The City Of New York | Methods and systems for repairing applications |
US7636856B2 (en) * | 2004-12-06 | 2009-12-22 | Microsoft Corporation | Proactive computer malware protection through dynamic translation |
US20060137013A1 (en) * | 2004-12-06 | 2006-06-22 | Simon Lok | Quarantine filesystem |
US20060179484A1 (en) * | 2005-02-09 | 2006-08-10 | Scrimsher John P | Remediating effects of an undesired application |
US8046834B2 (en) * | 2005-03-30 | 2011-10-25 | Alcatel Lucent | Method of polymorphic detection |
US7784098B1 (en) * | 2005-07-14 | 2010-08-24 | Trend Micro, Inc. | Snapshot and restore technique for computer system recovery |
US8161548B1 (en) | 2005-08-15 | 2012-04-17 | Trend Micro, Inc. | Malware detection using pattern classification |
US7934229B1 (en) * | 2005-12-29 | 2011-04-26 | Symantec Corporation | Generating options for repairing a computer infected with malicious software |
US20080016572A1 (en) * | 2006-07-12 | 2008-01-17 | Microsoft Corporation | Malicious software detection via memory analysis |
EP1933248A1 (en) * | 2006-12-12 | 2008-06-18 | secunet Security Networks Aktiengesellschaft | Method for secure data processing on a computer system |
US7797743B2 (en) * | 2007-02-26 | 2010-09-14 | Microsoft Corporation | File conversion in restricted process |
US8856782B2 (en) | 2007-03-01 | 2014-10-07 | George Mason Research Foundation, Inc. | On-demand disposable virtual work system |
US8011010B2 (en) * | 2007-04-17 | 2011-08-30 | Microsoft Corporation | Using antimalware technologies to perform offline scanning of virtual machine images |
US8402529B1 (en) | 2007-05-30 | 2013-03-19 | M86 Security, Inc. | Preventing propagation of malicious software during execution in a virtual machine |
US8176477B2 (en) | 2007-09-14 | 2012-05-08 | International Business Machines Corporation | Method, system and program product for optimizing emulation of a suspected malware |
US20090241194A1 (en) * | 2008-03-21 | 2009-09-24 | Andrew James Thomas | Virtual machine configuration sharing between host and virtual machines and between virtual machines |
US20090241192A1 (en) * | 2008-03-21 | 2009-09-24 | Thomas Andrew J | Virtual machine configuration sharing between host and virtual machines and between virtual machines |
US8060476B1 (en) | 2008-07-14 | 2011-11-15 | Quest Software, Inc. | Backup systems and methods for a virtual computing environment |
US8046550B2 (en) | 2008-07-14 | 2011-10-25 | Quest Software, Inc. | Systems and methods for performing backup operations of virtual machine files |
US9098698B2 (en) | 2008-09-12 | 2015-08-04 | George Mason Research Foundation, Inc. | Methods and apparatus for application isolation |
US8429649B1 (en) | 2008-09-25 | 2013-04-23 | Quest Software, Inc. | Systems and methods for data management in a virtual computing environment |
KR101197182B1 (en) * | 2008-12-23 | 2012-11-02 | 한국전자통신연구원 | Method and apparatus for protecting a hacking in computer system |
US8996468B1 (en) | 2009-04-17 | 2015-03-31 | Dell Software Inc. | Block status mapping system for reducing virtual machine backup storage |
US8839422B2 (en) | 2009-06-30 | 2014-09-16 | George Mason Research Foundation, Inc. | Virtual browsing environment |
US9778946B2 (en) * | 2009-08-07 | 2017-10-03 | Dell Software Inc. | Optimized copy of virtual machine storage files |
US9569446B1 (en) | 2010-06-08 | 2017-02-14 | Dell Software Inc. | Cataloging system for image-based backup |
US8898114B1 (en) | 2010-08-27 | 2014-11-25 | Dell Software Inc. | Multitier deduplication systems and methods |
WO2013082437A1 (en) | 2011-12-02 | 2013-06-06 | Invincia, Inc. | Methods and apparatus for control and detection of malicious content using a sandbox environment |
US9311375B1 (en) | 2012-02-07 | 2016-04-12 | Dell Software Inc. | Systems and methods for compacting a virtual machine file |
US9002798B1 (en) * | 2013-02-11 | 2015-04-07 | Symantec Corporation | Systems and methods for remedying corrupt backup images of host devices |
CN104239163B (en) * | 2013-06-19 | 2016-04-13 | 腾讯科技(深圳)有限公司 | Software repair and device |
RU2553056C2 (en) | 2013-10-24 | 2015-06-10 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of storage of emulator state and its further recovery |
US20160006754A1 (en) * | 2014-07-01 | 2016-01-07 | Mcafee, Inc. | Secure enclave-rendered contents |
US9009836B1 (en) | 2014-07-17 | 2015-04-14 | Kaspersky Lab Zao | Security architecture for virtual machines |
US9742796B1 (en) * | 2015-09-18 | 2017-08-22 | Palo Alto Networks, Inc. | Automatic repair of corrupt files for a detonation engine |
CN112580037B (en) * | 2019-09-30 | 2023-12-12 | 奇安信安全技术(珠海)有限公司 | Method, device and equipment for repairing virus file data |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5321840A (en) * | 1988-05-05 | 1994-06-14 | Transaction Technology, Inc. | Distributed-intelligence computer system including remotely reconfigurable, telephone-type user terminal |
US5144660A (en) * | 1988-08-31 | 1992-09-01 | Rose Anthony M | Securing a computer against undesired write operations to or read operations from a mass storage device |
US5121345A (en) * | 1988-11-03 | 1992-06-09 | Lentz Stephen A | System and method for protecting integrity of computer data and software |
US4975950A (en) * | 1988-11-03 | 1990-12-04 | Lentz Stephen A | System and method of protecting integrity of computer data and software |
US5319776A (en) * | 1990-04-19 | 1994-06-07 | Hilgraeve Corporation | In transit detection of computer virus with safeguard |
US5408642A (en) * | 1991-05-24 | 1995-04-18 | Symantec Corporation | Method for recovery of a computer program infected by a computer virus |
US5421006A (en) * | 1992-05-07 | 1995-05-30 | Compaq Computer Corp. | Method and apparatus for assessing integrity of computer system software |
US5359659A (en) * | 1992-06-19 | 1994-10-25 | Doren Rosenthal | Method for securing software against corruption by computer viruses |
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5398196A (en) * | 1993-07-29 | 1995-03-14 | Chambers; David A. | Method and apparatus for detection of computer viruses |
JPH10501354A (en) * | 1994-06-01 | 1998-02-03 | クワンタム・リープ・イノヴェーションズ・インコーポレーテッド | Computer virus trap device |
US5613002A (en) * | 1994-11-21 | 1997-03-18 | International Business Machines Corporation | Generic disinfection of programs infected with a computer virus |
US5485575A (en) * | 1994-11-21 | 1996-01-16 | International Business Machines Corporation | Automatic analysis of a computer virus structure and means of attachment to its hosts |
US5442699A (en) * | 1994-11-21 | 1995-08-15 | International Business Machines Corporation | Searching for patterns in encrypted data |
US5559960A (en) * | 1995-04-21 | 1996-09-24 | Lettvin; Jonathan D. | Software anti-virus facility |
US5623600A (en) * | 1995-09-26 | 1997-04-22 | Trend Micro, Incorporated | Virus detection and removal apparatus for computer networks |
1996
- 1996-02-09 US US08/605,285 patent/US6067410A/en not_active Expired - Lifetime
1997
- 1997-02-03 EP EP97904106A patent/EP0880743B1/en not_active Expired - Lifetime
- 1997-02-03 AU AU18485/97A patent/AU1848597A/en not_active Abandoned
- 1997-02-03 WO PCT/US1997/001510 patent/WO1997029425A2/en active IP Right Grant
- 1997-02-03 DE DE69702335T patent/DE69702335T2/en not_active Expired - Lifetime
- 1997-02-03 CA CA002244892A patent/CA2244892C/en not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
US6067410A (en) | 2000-05-23 |
EP0880743B1 (en) | 2000-06-21 |
DE69702335T2 (en) | 2000-11-30 |
EP0880743A2 (en) | 1998-12-02 |
WO1997029425A3 (en) | 1997-09-25 |
CA2244892C (en) | 2002-05-21 |
DE69702335D1 (en) | 2000-07-27 |
WO1997029425A2 (en) | 1997-08-14 |
AU1848597A (en) | 1997-08-28 |
Similar Documents
Publication | Title |
---|---|
CA2244892A1 (en) | Emulation repair system |
US6732220B2 (en) | Method for emulating hardware features of a foreign architecture in a host operating system environment |
WO1998030957A3 (en) | Polymorphic virus detection module |
CN102129531B (en) | Xen-based active defense method |
US7647589B1 (en) | Methods and systems for safe execution of guest code in virtual machine context |
GB2397415A (en) | A method for providing system integrity and legacy environment emulation |
WO1996010224A3 (en) | Mechanism for linking together the files of emulated and host system for access by emulated system users |
US20010027383A1 (en) | Method and apparatus to test an instruction sequence |
US20020059268A1 (en) | Method for fast execution of translated binary code utilizing database cache for low-level code correspondence |
WO2001025917A3 (en) | Environment service architectures for netcentric computing systems |
DE69609980T2 (en) | METHOD AND SYSTEM FOR DETECTING POLYMORPHIC VIRUSES |
US7555592B1 (en) | Kernel acceleration technology for virtual machine optimization |
US20040221273A1 (en) | Method and apparatus for performing incremental validation of program code conversion |
BR0114066A (en) | Code Signing System and Method |
JPH03502263A (en) | COMPUTER DATA AND SOFTWARE INTEGRITY PROTECTION APPARATUS AND METHODS |
WO1998003916A1 (en) | Pre-fetch queue emulation |
EP1800434A2 (en) | Proactive computer malware protection through dynamic translation |
RU2514142C1 (en) | Method for enhancement of operational efficiency of hardware acceleration of application emulation |
AU2559400A (en) | Apparatus and method for handling peripheral device interrupts |
US7856547B1 (en) | Fast stub and frame technology for virtual machine optimization |
CN101499016B (en) | Virtual machine monitor, virtual machine system and process handling method of client operating system |
Sun et al. | SIDE: Isolated and efficient execution of unmodified device drivers |
Vogl et al. | X-TIER: Kernel module injection |
CA2256831A1 (en) | Direct vectored legacy instruction set emulsion |
CN1329828C (en) | Method and device for preventing computer virus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| MKEX | Expiry | Effective date: 20170203 |