CA2244892A1 - Emulation repair system - Google Patents

Emulation repair system

Info

Publication number
CA2244892A1
Authority
CA
Canada
Prior art keywords
virus
file
virtual machine
module
infected
Prior art date
Legal status
Granted
Application number
CA002244892A
Other languages
French (fr)
Other versions
CA2244892C (en)
Inventor
Carey Nachenberg
Current Assignee
NortonLifeLock Inc
Original Assignee
Symantec Corporation
Carey Nachenberg
Priority date
Filing date
Publication date
Application filed by Symantec Corporation and Carey Nachenberg
Publication of CA2244892A1
Application granted
Publication of CA2244892C
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files

Abstract

An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202). It provides a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) containing generic machine-language repair routines (242), and a virus-specific overlay module (262). The emulation repair system (200) receives the identity of the infected computer file (220) and of the infecting virus (224) from a virus scanning module, and uses that information to access a virus definition (232) that includes decryption information for the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until comparison with the decryption information shows that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is handed to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), in the overlay module (262) itself, and in the virus (224), as necessary, to restore overwritten host bytes (228) from the infected host file (220) to their proper locations in the host file (220). Repairs made to the image (220") of the host file (220) in the virtual machine (216) are reflected to a backup file (220') in the computer system (202).
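The repair flow the abstract describes, as an added toy simulation in Python (not Symantec's code or the patent's implementation): a constructed host file, a constructed appending virus with an XOR decryptor that keeps the host bytes it overwrote inside its own body, a virus definition carrying the plaintext the body must show once decryption is complete, generic foundation routines, and a virus-specific overlay that restores the overwritten bytes and mirrors every repair write to the backup copy. The key, stub, signature, body layout and all names are assumptions.

```python
from dataclasses import dataclass

KEY = 0x5A            # constructed: XOR key used by the toy virus's decryptor loop
STUB = b"JMP!"        # constructed: 4-byte jump the virus writes over the host's entry bytes
BODY_PLAINTEXT = {0: b"VIRUS-V1", 12: b"END!"}   # constructed: fixed plaintext inside the body

@dataclass
class VirusDefinition:
    """Decryption information from the scanner: body length, plaintext at known offsets."""
    body_len: int
    known_bytes: dict          # body offset -> plaintext expected once fully decrypted
    saved_host_offset: int     # where the virus keeps the host bytes it overwrote

def make_infected(host: bytes) -> bytes:
    """Constructed sample: overwrite the first 4 host bytes with STUB and append an
    XOR-encrypted body laid out as SIGNATURE | saved host bytes | trailer."""
    body = BODY_PLAINTEXT[0] + host[:len(STUB)] + BODY_PLAINTEXT[12]
    return STUB + host[len(STUB):] + bytes(b ^ KEY for b in body)

class VirtualMachine:
    """Holds the image of the infected file, its backup copy and the decryptor state."""
    def __init__(self, infected: bytes):
        self.image = bytearray(infected)
        self.backup = bytearray(infected)
        self.pc = 0                                   # next body byte to decrypt

    def step(self, body_start: int) -> None:
        """One emulated tick of the virus's decryptor: decrypt a single body byte."""
        off = body_start + self.pc
        if off < len(self.image):
            self.image[off] ^= KEY
            self.pc += 1

class Foundation:
    """Generic repair routines; every write to the image is mirrored to the backup."""
    @staticmethod
    def restore_bytes(vm, src, dst, n):
        data = bytes(vm.image[src:src + n])
        vm.image[dst:dst + n] = data
        vm.backup[dst:dst + n] = data

    @staticmethod
    def truncate(vm, length):
        del vm.image[length:], vm.backup[length:]

def emulate_until_decrypted(vm, defn, max_steps=1000):
    """Run the decryptor until every known plaintext byte is in place; a partially
    decrypted body does not pass, and an exhausted step budget aborts the repair."""
    body_start = len(vm.image) - defn.body_len
    for steps in range(max_steps + 1):
        if all(vm.image[body_start + o:body_start + o + len(p)] == p
               for o, p in defn.known_bytes.items()):
            return body_start, steps
        vm.step(body_start)
    raise RuntimeError("body never matched the definition; refusing to repair")

def overlay_repair(vm, defn, body_start):
    """Virus-specific overlay: drives the generic routines with this virus's layout."""
    Foundation.restore_bytes(vm, body_start + defn.saved_host_offset, 0, len(STUB))
    Foundation.truncate(vm, body_start)

def repair(infected: bytes, defn) -> bytes:
    """Full flow from the abstract; returns the repaired backup file's contents."""
    vm = VirtualMachine(infected)
    body_start, _ = emulate_until_decrypted(vm, defn)
    overlay_repair(vm, defn, body_start)
    return bytes(vm.backup)

TOY_DEFINITION = VirusDefinition(body_len=16, known_bytes=BODY_PLAINTEXT, saved_host_offset=8)
```

The step budget matters in practice: a sample whose body never reaches the state the definition describes (wrong identification, or a decryptor that stalls) must leave the file untouched rather than be patched from a half-decrypted image.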

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US08/605,285 US6067410A (en) 1996-02-09 1996-02-09 Emulation repair system
US08/605,285 1996-02-09
PCT/US1997/001510 WO1997029425A2 (en) 1996-02-09 1997-02-03 Emulation repair system

Publications (2)

Publication Number Publication Date
CA2244892A1 (en) 1997-08-14
CA2244892C (en) 2002-05-21

Family

ID=24423027

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002244892A Expired - Lifetime CA2244892C (en) 1996-02-09 1997-02-03 Emulation repair system

Country Status (6)

Country Link
US (1) US6067410A (en)
EP (1) EP0880743B1 (en)
AU (1) AU1848597A (en)
CA (1) CA2244892C (en)
DE (1) DE69702335T2 (en)
WO (1) WO1997029425A2 (en)

Families Citing this family (87)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6401210B1 (en) * 1998-09-23 2002-06-04 Intel Corporation Method of managing computer virus infected files
WO2000034867A1 (en) 1998-12-09 2000-06-15 Network Ice Corporation A method and apparatus for providing network and computer system security
US7389540B2 (en) * 1999-02-03 2008-06-17 Cybersoft, Inc. Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer
US7346929B1 (en) * 1999-07-29 2008-03-18 International Business Machines Corporation Method and apparatus for auditing network security
US6543007B1 (en) * 1999-10-28 2003-04-01 General Electric Company Process and system for configuring repair codes for diagnostics of machine malfunctions
US6851057B1 (en) 1999-11-30 2005-02-01 Symantec Corporation Data driven detection of viruses
US8006243B2 (en) * 1999-12-07 2011-08-23 International Business Machines Corporation Method and apparatus for remote installation of network drivers and software
US6954858B1 (en) 1999-12-22 2005-10-11 Kimberly Joyce Welborn Computer virus avoidance system and mechanism
GB2353372B (en) * 1999-12-24 2001-08-22 F Secure Oyj Remote computer virus scanning
US6971019B1 (en) 2000-03-14 2005-11-29 Symantec Corporation Histogram-based virus detection
AU2001257400A1 (en) * 2000-04-28 2001-11-12 Internet Security Systems, Inc. System and method for managing security events on a network
IL152502A0 (en) * 2000-04-28 2003-05-29 Internet Security Systems Inc Method and system for managing computer security information
US6907396B1 (en) * 2000-06-01 2005-06-14 Networks Associates Technology, Inc. Detecting computer viruses or malicious software by patching instructions into an emulator
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US6901519B1 (en) 2000-06-22 2005-05-31 Infobahn, Inc. E-mail virus protection system and method
US7093239B1 (en) 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US9027121B2 (en) * 2000-10-10 2015-05-05 International Business Machines Corporation Method and system for creating a record for one or more computer security incidents
US7146305B2 (en) * 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
US7231440B1 (en) * 2000-12-18 2007-06-12 Mcafee, Inc. System and method for distributing portable computer virus definition records with binary file conversion
US7130466B2 (en) * 2000-12-21 2006-10-31 Cobion Ag System and method for compiling images from a database and comparing the compiled images with known images
US7058667B2 (en) * 2000-12-27 2006-06-06 Microsoft Corporation Method and system for creating and maintaining version-specific properties in a file
AU2002243763A1 (en) * 2001-01-31 2002-08-12 Internet Security Systems, Inc. Method and system for configuring and scheduling security audits of a computer network
US6898712B2 (en) * 2001-02-20 2005-05-24 Networks Associates Technology, Inc. Test driver ordering
US7404212B2 (en) * 2001-03-06 2008-07-22 Cybersoft, Inc. Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer
US7114184B2 (en) * 2001-03-30 2006-09-26 Computer Associates Think, Inc. System and method for restoring computer systems damaged by a malicious computer program
US7010696B1 (en) 2001-03-30 2006-03-07 Mcafee, Inc. Method and apparatus for predicting the incidence of a virus
US20030167287A1 (en) * 2001-04-11 2003-09-04 Karl Forster Information protection system
CN1147795C (en) * 2001-04-29 2004-04-28 北京瑞星科技股份有限公司 Method, system and medium for detecting and clearing known and unknown computer virus
US7210041B1 (en) * 2001-04-30 2007-04-24 Mcafee, Inc. System and method for identifying a macro virus family using a macro virus definitions database
US20020188649A1 (en) * 2001-06-12 2002-12-12 Ron Karim Mechanism for safely executing an untrusted program
US7657419B2 (en) * 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
WO2003025722A2 (en) * 2001-09-14 2003-03-27 Computer Associates Think, Inc. Virus detection system
US7356736B2 (en) * 2001-09-25 2008-04-08 Norman Asa Simulated computer system for monitoring of software performance
US7310818B1 (en) * 2001-10-25 2007-12-18 Mcafee, Inc. System and method for tracking computer viruses
WO2003058451A1 (en) * 2002-01-04 2003-07-17 Internet Security Systems, Inc. System and method for the managed security control of processes on a computer system
US9652613B1 (en) 2002-01-17 2017-05-16 Trustwave Holdings, Inc. Virus detection by executing electronic message code in a virtual machine
US7607171B1 (en) 2002-01-17 2009-10-20 Avinti, Inc. Virus detection by executing e-mail code in a virtual machine
EP1490771A4 (en) 2002-04-03 2007-11-21 Powerquest Corp Using disassociated images for computer and storage resource management
US7565517B1 (en) 2002-04-03 2009-07-21 Symantec Corporation Retargeting a captured image to new hardware while in a pre-boot environment
US7290282B1 (en) * 2002-04-08 2007-10-30 Symantec Corporation Reducing false positive computer virus detections
US7103913B2 (en) * 2002-05-08 2006-09-05 International Business Machines Corporation Method and apparatus for determination of the non-replicative behavior of a malicious program
US7370360B2 (en) * 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US7409717B1 (en) * 2002-05-23 2008-08-05 Symantec Corporation Metamorphic computer virus detection
US8069480B1 (en) * 2002-09-30 2011-11-29 Mcafee, Inc. Method and system for defining a safe storage area for use in recovering a computer system
US7013483B2 (en) * 2003-01-03 2006-03-14 Aladdin Knowledge Systems Ltd. Method for emulating an executable code in order to detect maliciousness
US7913303B1 (en) 2003-01-21 2011-03-22 International Business Machines Corporation Method and system for dynamically protecting a computer system from attack
US7657938B2 (en) * 2003-10-28 2010-02-02 International Business Machines Corporation Method and system for protecting computer networks by altering unwanted network data traffic
US7437764B1 (en) * 2003-11-14 2008-10-14 Symantec Corporation Vulnerability assessment of disk images
US7971254B1 (en) * 2004-01-28 2011-06-28 Netgear, Inc. Method and system for low-latency detection of viruses transmitted over a network
US7721334B2 (en) 2004-01-30 2010-05-18 Microsoft Corporation Detection of code-free files
US7370233B1 (en) * 2004-05-21 2008-05-06 Symantec Corporation Verification of desired end-state using a virtual machine environment
US7490268B2 (en) * 2004-06-01 2009-02-10 The Trustees Of Columbia University In The City Of New York Methods and systems for repairing applications
US7636856B2 (en) * 2004-12-06 2009-12-22 Microsoft Corporation Proactive computer malware protection through dynamic translation
US20060137013A1 (en) * 2004-12-06 2006-06-22 Simon Lok Quarantine filesystem
US20060179484A1 (en) * 2005-02-09 2006-08-10 Scrimsher John P Remediating effects of an undesired application
US8046834B2 (en) * 2005-03-30 2011-10-25 Alcatel Lucent Method of polymorphic detection
US7784098B1 (en) * 2005-07-14 2010-08-24 Trend Micro, Inc. Snapshot and restore technique for computer system recovery
US8161548B1 (en) 2005-08-15 2012-04-17 Trend Micro, Inc. Malware detection using pattern classification
US7934229B1 (en) * 2005-12-29 2011-04-26 Symantec Corporation Generating options for repairing a computer infected with malicious software
US20080016572A1 (en) * 2006-07-12 2008-01-17 Microsoft Corporation Malicious software detection via memory analysis
EP1933248A1 (en) * 2006-12-12 2008-06-18 secunet Security Networks Aktiengesellschaft Method for secure data processing on a computer system
US7797743B2 (en) * 2007-02-26 2010-09-14 Microsoft Corporation File conversion in restricted process
US8856782B2 (en) 2007-03-01 2014-10-07 George Mason Research Foundation, Inc. On-demand disposable virtual work system
US8011010B2 (en) * 2007-04-17 2011-08-30 Microsoft Corporation Using antimalware technologies to perform offline scanning of virtual machine images
US8402529B1 (en) 2007-05-30 2013-03-19 M86 Security, Inc. Preventing propagation of malicious software during execution in a virtual machine
US8176477B2 (en) 2007-09-14 2012-05-08 International Business Machines Corporation Method, system and program product for optimizing emulation of a suspected malware
US20090241194A1 (en) * 2008-03-21 2009-09-24 Andrew James Thomas Virtual machine configuration sharing between host and virtual machines and between virtual machines
US20090241192A1 (en) * 2008-03-21 2009-09-24 Thomas Andrew J Virtual machine configuration sharing between host and virtual machines and between virtual machines
US8060476B1 (en) 2008-07-14 2011-11-15 Quest Software, Inc. Backup systems and methods for a virtual computing environment
US8046550B2 (en) 2008-07-14 2011-10-25 Quest Software, Inc. Systems and methods for performing backup operations of virtual machine files
US9098698B2 (en) 2008-09-12 2015-08-04 George Mason Research Foundation, Inc. Methods and apparatus for application isolation
US8429649B1 (en) 2008-09-25 2013-04-23 Quest Software, Inc. Systems and methods for data management in a virtual computing environment
KR101197182B1 (en) * 2008-12-23 2012-11-02 한국전자통신연구원 Method and apparatus for protecting a hacking in computer system
US8996468B1 (en) 2009-04-17 2015-03-31 Dell Software Inc. Block status mapping system for reducing virtual machine backup storage
US8839422B2 (en) 2009-06-30 2014-09-16 George Mason Research Foundation, Inc. Virtual browsing environment
US9778946B2 (en) * 2009-08-07 2017-10-03 Dell Software Inc. Optimized copy of virtual machine storage files
US9569446B1 (en) 2010-06-08 2017-02-14 Dell Software Inc. Cataloging system for image-based backup
US8898114B1 (en) 2010-08-27 2014-11-25 Dell Software Inc. Multitier deduplication systems and methods
WO2013082437A1 (en) 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9311375B1 (en) 2012-02-07 2016-04-12 Dell Software Inc. Systems and methods for compacting a virtual machine file
US9002798B1 (en) * 2013-02-11 2015-04-07 Symantec Corporation Systems and methods for remedying corrupt backup images of host devices
CN104239163B (en) * 2013-06-19 2016-04-13 腾讯科技(深圳)有限公司 Software repair and device
RU2553056C2 (en) 2013-10-24 2015-06-10 Закрытое акционерное общество "Лаборатория Касперского" System and method of storage of emulator state and its further recovery
US20160006754A1 (en) * 2014-07-01 2016-01-07 Mcafee, Inc. Secure enclave-rendered contents
US9009836B1 (en) 2014-07-17 2015-04-14 Kaspersky Lab Zao Security architecture for virtual machines
US9742796B1 (en) * 2015-09-18 2017-08-22 Palo Alto Networks, Inc. Automatic repair of corrupt files for a detonation engine
CN112580037B (en) * 2019-09-30 2023-12-12 奇安信安全技术(珠海)有限公司 Method, device and equipment for repairing virus file data

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5321840A (en) * 1988-05-05 1994-06-14 Transaction Technology, Inc. Distributed-intelligence computer system including remotely reconfigurable, telephone-type user terminal
US5144660A (en) * 1988-08-31 1992-09-01 Rose Anthony M Securing a computer against undesired write operations to or read operations from a mass storage device
US5121345A (en) * 1988-11-03 1992-06-09 Lentz Stephen A System and method for protecting integrity of computer data and software
US4975950A (en) * 1988-11-03 1990-12-04 Lentz Stephen A System and method of protecting integrity of computer data and software
US5319776A (en) * 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5408642A (en) * 1991-05-24 1995-04-18 Symantec Corporation Method for recovery of a computer program infected by a computer virus
US5421006A (en) * 1992-05-07 1995-05-30 Compaq Computer Corp. Method and apparatus for assessing integrity of computer system software
US5359659A (en) * 1992-06-19 1994-10-25 Doren Rosenthal Method for securing software against corruption by computer viruses
US5440723A (en) * 1993-01-19 1995-08-08 International Business Machines Corporation Automatic immune system for computers and computer networks
US5398196A (en) * 1993-07-29 1995-03-14 Chambers; David A. Method and apparatus for detection of computer viruses
JPH10501354A (en) * 1994-06-01 1998-02-03 クワンタム・リープ・イノヴェーションズ・インコーポレーテッド Computer virus trap device
US5613002A (en) * 1994-11-21 1997-03-18 International Business Machines Corporation Generic disinfection of programs infected with a computer virus
US5485575A (en) * 1994-11-21 1996-01-16 International Business Machines Corporation Automatic analysis of a computer virus structure and means of attachment to its hosts
US5442699A (en) * 1994-11-21 1995-08-15 International Business Machines Corporation Searching for patterns in encrypted data
US5559960A (en) * 1995-04-21 1996-09-24 Lettvin; Jonathan D. Software anti-virus facility
US5623600A (en) * 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks

Also Published As

Publication number Publication date
US6067410A (en) 2000-05-23
EP0880743B1 (en) 2000-06-21
DE69702335T2 (en) 2000-11-30
EP0880743A2 (en) 1998-12-02
WO1997029425A3 (en) 1997-09-25
CA2244892C (en) 2002-05-21
DE69702335D1 (en) 2000-07-27
WO1997029425A2 (en) 1997-08-14
AU1848597A (en) 1997-08-28

Similar Documents

Publication Publication Date Title
CA2244892A1 (en) Emulation repair system
US6732220B2 (en) Method for emulating hardware features of a foreign architecture in a host operating system environment
WO1998030957A3 (en) Polymorphic virus detection module
CN102129531B (en) Xen-based active defense method
US7647589B1 (en) Methods and systems for safe execution of guest code in virtual machine context
GB2397415A (en) A method for providing system integrity and legacy environment emulation
WO1996010224A3 (en) Mechanism for linking together the files of emulated and host system for access by emulated system users
US20010027383A1 (en) Method and apparatus to test an instruction sequence
US20020059268A1 (en) Method for fast execution of translated binary code utilizing database cache for low-level code correspondence
WO2001025917A3 (en) Environment service architectures for netcentric computing systems
DE69609980T2 (en) METHOD AND SYSTEM FOR DETECTING POLYMORPHIC VIRUSES
US7555592B1 (en) Kernel acceleration technology for virtual machine optimization
US20040221273A1 (en) Method and apparatus for performing incremental validation of program code conversion
BR0114066A (en) Code Signing System and Method
JPH03502263A (en) COMPUTER DATA AND SOFTWARE INTEGRITY PROTECTION APPARATUS AND METHODS
WO1998003916A1 (en) Pre-fetch queue emulation
EP1800434A2 (en) Proactive computer malware protection through dynamic translation
RU2514142C1 (en) Method for enhancement of operational efficiency of hardware acceleration of application emulation
AU2559400A (en) Apparatus and method for handling peripheral device interrupts
US7856547B1 (en) Fast stub and frame technology for virtual machine optimization
CN101499016B (en) Virtual machine monitor, virtual machine system and process handling method of client operating system
Sun et al. SIDE: Isolated and efficient execution of unmodified device drivers
Vogl et al. X-TIER: Kernel module injection
CA2256831A1 (en) Direct vectored legacy instruction set emulsion
CN1329828C (en) Method and device for preventing computer virus

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20170203