WO1997029425A3 - Emulation repair system - Google Patents

Emulation repair system Download PDF

Info

Publication number
WO1997029425A3
WO1997029425A3 PCT/US1997/001510 US9701510W WO9729425A3 WO 1997029425 A3 WO1997029425 A3 WO 1997029425A3 US 9701510 W US9701510 W US 9701510W WO 9729425 A3 WO9729425 A3 WO 9729425A3
Authority
WO
WIPO (PCT)
Prior art keywords
virus
file
virtual machine
module
infected
Prior art date
Application number
PCT/US1997/001510
Other languages
French (fr)
Other versions
WO1997029425A2 (en
Inventor
Garey Nachenberg
Original Assignee
Symantec Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Symantec Corp filed Critical Symantec Corp
Priority to AU18485/97A priority Critical patent/AU1848597A/en
Priority to CA002244892A priority patent/CA2244892C/en
Priority to EP97904106A priority patent/EP0880743B1/en
Priority to DE69702335T priority patent/DE69702335T2/en
Publication of WO1997029425A2 publication Critical patent/WO1997029425A2/en
Publication of WO1997029425A3 publication Critical patent/WO1997029425A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220') of the host file (220) in the virtual machine (216) are reflected to a back-up file (220') in the computer system (202).
PCT/US1997/001510 1996-02-09 1997-02-03 Emulation repair system WO1997029425A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
AU18485/97A AU1848597A (en) 1996-02-09 1997-02-03 Emulation repair system
CA002244892A CA2244892C (en) 1996-02-09 1997-02-03 Emulation repair system
EP97904106A EP0880743B1 (en) 1996-02-09 1997-02-03 Emulation repair system
DE69702335T DE69702335T2 (en) 1996-02-09 1997-02-03 EMULATING REPAIR SYSTEM

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/605,285 US6067410A (en) 1996-02-09 1996-02-09 Emulation repair system
US08/605,285 1996-02-09

Publications (2)

Publication Number Publication Date
WO1997029425A2 WO1997029425A2 (en) 1997-08-14
WO1997029425A3 true WO1997029425A3 (en) 1997-09-25

Family

ID=24423027

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1997/001510 WO1997029425A2 (en) 1996-02-09 1997-02-03 Emulation repair system

Country Status (6)

Country Link
US (1) US6067410A (en)
EP (1) EP0880743B1 (en)
AU (1) AU1848597A (en)
CA (1) CA2244892C (en)
DE (1) DE69702335T2 (en)
WO (1) WO1997029425A2 (en)

Families Citing this family (87)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6401210B1 (en) * 1998-09-23 2002-06-04 Intel Corporation Method of managing computer virus infected files
IL143573A0 (en) 1998-12-09 2002-04-21 Network Ice Corp A method and apparatus for providing network and computer system security
US7389540B2 (en) * 1999-02-03 2008-06-17 Cybersoft, Inc. Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer
US7346929B1 (en) * 1999-07-29 2008-03-18 International Business Machines Corporation Method and apparatus for auditing network security
US6543007B1 (en) * 1999-10-28 2003-04-01 General Electric Company Process and system for configuring repair codes for diagnostics of machine malfunctions
US6851057B1 (en) 1999-11-30 2005-02-01 Symantec Corporation Data driven detection of viruses
US8006243B2 (en) * 1999-12-07 2011-08-23 International Business Machines Corporation Method and apparatus for remote installation of network drivers and software
US6954858B1 (en) 1999-12-22 2005-10-11 Kimberly Joyce Welborn Computer virus avoidance system and mechanism
GB2353372B (en) * 1999-12-24 2001-08-22 F Secure Oyj Remote computer virus scanning
US6971019B1 (en) 2000-03-14 2005-11-29 Symantec Corporation Histogram-based virus detection
JP4700884B2 (en) * 2000-04-28 2011-06-15 インターナショナル・ビジネス・マシーンズ・コーポレーション Method and system for managing computer security information
US7921459B2 (en) * 2000-04-28 2011-04-05 International Business Machines Corporation System and method for managing security events on a network
US6907396B1 (en) * 2000-06-01 2005-06-14 Networks Associates Technology, Inc. Detecting computer viruses or malicious software by patching instructions into an emulator
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US6901519B1 (en) 2000-06-22 2005-05-31 Infobahn, Inc. E-mail virus protection system and method
US7093239B1 (en) * 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US9027121B2 (en) * 2000-10-10 2015-05-05 International Business Machines Corporation Method and system for creating a record for one or more computer security incidents
US7146305B2 (en) * 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
US7231440B1 (en) * 2000-12-18 2007-06-12 Mcafee, Inc. System and method for distributing portable computer virus definition records with binary file conversion
US7130466B2 (en) * 2000-12-21 2006-10-31 Cobion Ag System and method for compiling images from a database and comparing the compiled images with known images
US7058667B2 (en) * 2000-12-27 2006-06-06 Microsoft Corporation Method and system for creating and maintaining version-specific properties in a file
US20020147803A1 (en) * 2001-01-31 2002-10-10 Dodd Timothy David Method and system for calculating risk in association with a security audit of a computer network
US6898712B2 (en) * 2001-02-20 2005-05-24 Networks Associates Technology, Inc. Test driver ordering
US7404212B2 (en) * 2001-03-06 2008-07-22 Cybersoft, Inc. Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer
US7114184B2 (en) 2001-03-30 2006-09-26 Computer Associates Think, Inc. System and method for restoring computer systems damaged by a malicious computer program
US7010696B1 (en) 2001-03-30 2006-03-07 Mcafee, Inc. Method and apparatus for predicting the incidence of a virus
US20030167287A1 (en) * 2001-04-11 2003-09-04 Karl Forster Information protection system
CN1147795C (en) * 2001-04-29 2004-04-28 北京瑞星科技股份有限公司 Method, system and medium for detecting and clearing known and anknown computer virus
US7210041B1 (en) * 2001-04-30 2007-04-24 Mcafee, Inc. System and method for identifying a macro virus family using a macro virus definitions database
US20020188649A1 (en) * 2001-06-12 2002-12-12 Ron Karim Mechanism for safely executing an untrusted program
US7657419B2 (en) * 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
KR20040039357A (en) * 2001-09-14 2004-05-10 컴퓨터 어소시에이츠 싱크, 인코포레이티드 Virus detection system
US7356736B2 (en) * 2001-09-25 2008-04-08 Norman Asa Simulated computer system for monitoring of software performance
US7310818B1 (en) * 2001-10-25 2007-12-18 Mcafee, Inc. System and method for tracking computer viruses
AU2003202876A1 (en) * 2002-01-04 2003-07-24 Internet Security Systems, Inc. System and method for the managed security control of processes on a computer system
US7607171B1 (en) 2002-01-17 2009-10-20 Avinti, Inc. Virus detection by executing e-mail code in a virtual machine
US9652613B1 (en) 2002-01-17 2017-05-16 Trustwave Holdings, Inc. Virus detection by executing electronic message code in a virtual machine
US7565517B1 (en) 2002-04-03 2009-07-21 Symantec Corporation Retargeting a captured image to new hardware while in a pre-boot environment
AU2003226220A1 (en) 2002-04-03 2003-10-20 Powerquest Corporation Using disassociated images for computer and storage resource management
US7290282B1 (en) * 2002-04-08 2007-10-30 Symantec Corporation Reducing false positive computer virus detections
US7103913B2 (en) * 2002-05-08 2006-09-05 International Business Machines Corporation Method and apparatus for determination of the non-replicative behavior of a malicious program
US7370360B2 (en) * 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US7409717B1 (en) * 2002-05-23 2008-08-05 Symantec Corporation Metamorphic computer virus detection
US8069480B1 (en) * 2002-09-30 2011-11-29 Mcafee, Inc. Method and system for defining a safe storage area for use in recovering a computer system
US7013483B2 (en) * 2003-01-03 2006-03-14 Aladdin Knowledge Systems Ltd. Method for emulating an executable code in order to detect maliciousness
US7913303B1 (en) 2003-01-21 2011-03-22 International Business Machines Corporation Method and system for dynamically protecting a computer system from attack
US7657938B2 (en) * 2003-10-28 2010-02-02 International Business Machines Corporation Method and system for protecting computer networks by altering unwanted network data traffic
US7437764B1 (en) * 2003-11-14 2008-10-14 Symantec Corporation Vulnerability assessment of disk images
US7971254B1 (en) * 2004-01-28 2011-06-28 Netgear, Inc. Method and system for low-latency detection of viruses transmitted over a network
US7721334B2 (en) 2004-01-30 2010-05-18 Microsoft Corporation Detection of code-free files
US7370233B1 (en) * 2004-05-21 2008-05-06 Symantec Corporation Verification of desired end-state using a virtual machine environment
US7490268B2 (en) * 2004-06-01 2009-02-10 The Trustees Of Columbia University In The City Of New York Methods and systems for repairing applications
US20060137013A1 (en) * 2004-12-06 2006-06-22 Simon Lok Quarantine filesystem
US7636856B2 (en) * 2004-12-06 2009-12-22 Microsoft Corporation Proactive computer malware protection through dynamic translation
US20060179484A1 (en) * 2005-02-09 2006-08-10 Scrimsher John P Remediating effects of an undesired application
US8046834B2 (en) * 2005-03-30 2011-10-25 Alcatel Lucent Method of polymorphic detection
US7784098B1 (en) * 2005-07-14 2010-08-24 Trend Micro, Inc. Snapshot and restore technique for computer system recovery
US8161548B1 (en) 2005-08-15 2012-04-17 Trend Micro, Inc. Malware detection using pattern classification
US7934229B1 (en) * 2005-12-29 2011-04-26 Symantec Corporation Generating options for repairing a computer infected with malicious software
US20080016572A1 (en) * 2006-07-12 2008-01-17 Microsoft Corporation Malicious software detection via memory analysis
EP1933248A1 (en) * 2006-12-12 2008-06-18 secunet Security Networks Aktiengesellschaft Method for secure data processing on a computer system
US7797743B2 (en) * 2007-02-26 2010-09-14 Microsoft Corporation File conversion in restricted process
US8856782B2 (en) 2007-03-01 2014-10-07 George Mason Research Foundation, Inc. On-demand disposable virtual work system
US8011010B2 (en) * 2007-04-17 2011-08-30 Microsoft Corporation Using antimalware technologies to perform offline scanning of virtual machine images
US8402529B1 (en) 2007-05-30 2013-03-19 M86 Security, Inc. Preventing propagation of malicious software during execution in a virtual machine
US8176477B2 (en) 2007-09-14 2012-05-08 International Business Machines Corporation Method, system and program product for optimizing emulation of a suspected malware
US20090241192A1 (en) * 2008-03-21 2009-09-24 Thomas Andrew J Virtual machine configuration sharing between host and virtual machines and between virtual machines
US20090241194A1 (en) * 2008-03-21 2009-09-24 Andrew James Thomas Virtual machine configuration sharing between host and virtual machines and between virtual machines
US8046550B2 (en) 2008-07-14 2011-10-25 Quest Software, Inc. Systems and methods for performing backup operations of virtual machine files
US8060476B1 (en) 2008-07-14 2011-11-15 Quest Software, Inc. Backup systems and methods for a virtual computing environment
US9098698B2 (en) 2008-09-12 2015-08-04 George Mason Research Foundation, Inc. Methods and apparatus for application isolation
US8429649B1 (en) 2008-09-25 2013-04-23 Quest Software, Inc. Systems and methods for data management in a virtual computing environment
KR101197182B1 (en) 2008-12-23 2012-11-02 한국전자통신연구원 Method and apparatus for protecting a hacking in computer system
US8996468B1 (en) 2009-04-17 2015-03-31 Dell Software Inc. Block status mapping system for reducing virtual machine backup storage
US8839422B2 (en) 2009-06-30 2014-09-16 George Mason Research Foundation, Inc. Virtual browsing environment
US9778946B2 (en) * 2009-08-07 2017-10-03 Dell Software Inc. Optimized copy of virtual machine storage files
US9569446B1 (en) 2010-06-08 2017-02-14 Dell Software Inc. Cataloging system for image-based backup
US8898114B1 (en) 2010-08-27 2014-11-25 Dell Software Inc. Multitier deduplication systems and methods
US9081959B2 (en) 2011-12-02 2015-07-14 Invincea, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9311375B1 (en) 2012-02-07 2016-04-12 Dell Software Inc. Systems and methods for compacting a virtual machine file
US9002798B1 (en) * 2013-02-11 2015-04-07 Symantec Corporation Systems and methods for remedying corrupt backup images of host devices
CN104239163B (en) * 2013-06-19 2016-04-13 腾讯科技(深圳)有限公司 Software repair and device
RU2553056C2 (en) 2013-10-24 2015-06-10 Закрытое акционерное общество "Лаборатория Касперского" System and method of storage of emulator state and its further recovery
US20160006754A1 (en) * 2014-07-01 2016-01-07 Mcafee, Inc. Secure enclave-rendered contents
US9009836B1 (en) 2014-07-17 2015-04-14 Kaspersky Lab Zao Security architecture for virtual machines
US9742796B1 (en) * 2015-09-18 2017-08-22 Palo Alto Networks, Inc. Automatic repair of corrupt files for a detonation engine
CN112580037B (en) * 2019-09-30 2023-12-12 奇安信安全技术(珠海)有限公司 Method, device and equipment for repairing virus file data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0636977A2 (en) * 1993-07-29 1995-02-01 David Alan Chambers Method and apparatus for detection of computer viruses
WO1995033237A1 (en) * 1994-06-01 1995-12-07 Quantum Leap Innovations Inc. Computer virus trap

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5321840A (en) * 1988-05-05 1994-06-14 Transaction Technology, Inc. Distributed-intelligence computer system including remotely reconfigurable, telephone-type user terminal
GB2222899B (en) * 1988-08-31 1993-04-14 Anthony Morris Rose Securing a computer against undesired write operations or from a mass storage device
US5121345A (en) * 1988-11-03 1992-06-09 Lentz Stephen A System and method for protecting integrity of computer data and software
US4975950A (en) * 1988-11-03 1990-12-04 Lentz Stephen A System and method of protecting integrity of computer data and software
US5319776A (en) * 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5408642A (en) * 1991-05-24 1995-04-18 Symantec Corporation Method for recovery of a computer program infected by a computer virus
US5421006A (en) * 1992-05-07 1995-05-30 Compaq Computer Corp. Method and apparatus for assessing integrity of computer system software
US5359659A (en) * 1992-06-19 1994-10-25 Doren Rosenthal Method for securing software against corruption by computer viruses
US5440723A (en) * 1993-01-19 1995-08-08 International Business Machines Corporation Automatic immune system for computers and computer networks
US5613002A (en) * 1994-11-21 1997-03-18 International Business Machines Corporation Generic disinfection of programs infected with a computer virus
US5442699A (en) * 1994-11-21 1995-08-15 International Business Machines Corporation Searching for patterns in encrypted data
US5485575A (en) * 1994-11-21 1996-01-16 International Business Machines Corporation Automatic analysis of a computer virus structure and means of attachment to its hosts
US5559960A (en) * 1995-04-21 1996-09-24 Lettvin; Jonathan D. Software anti-virus facility
US5623600A (en) * 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0636977A2 (en) * 1993-07-29 1995-02-01 David Alan Chambers Method and apparatus for detection of computer viruses
WO1995033237A1 (en) * 1994-06-01 1995-12-07 Quantum Leap Innovations Inc. Computer virus trap

Also Published As

Publication number Publication date
DE69702335T2 (en) 2000-11-30
CA2244892C (en) 2002-05-21
EP0880743A2 (en) 1998-12-02
EP0880743B1 (en) 2000-06-21
DE69702335D1 (en) 2000-07-27
WO1997029425A2 (en) 1997-08-14
US6067410A (en) 2000-05-23
CA2244892A1 (en) 1997-08-14
AU1848597A (en) 1997-08-28

Similar Documents

Publication Publication Date Title
WO1997029425A3 (en) Emulation repair system
WO1998030957A3 (en) Polymorphic virus detection module
US6732220B2 (en) Method for emulating hardware features of a foreign architecture in a host operating system environment
US7647589B1 (en) Methods and systems for safe execution of guest code in virtual machine context
EP1800434B1 (en) Proactive computer malware protection through dynamic translation
WO1996010224A3 (en) Mechanism for linking together the files of emulated and host system for access by emulated system users
DE69609980D1 (en) METHOD AND SYSTEM FOR DETECTING POLYMORPHIC VIRUSES
WO2001025917A3 (en) Environment service architectures for netcentric computing systems
GB2397415A (en) A method for providing system integrity and legacy environment emulation
US7555592B1 (en) Kernel acceleration technology for virtual machine optimization
US20040221273A1 (en) Method and apparatus for performing incremental validation of program code conversion
US20010027383A1 (en) Method and apparatus to test an instruction sequence
BR0114066A (en) Code Signing System and Method
WO2010077000A2 (en) Method for separately executing software, apparatus, and computer-readable recording medium
CN102129531A (en) Xen-based active defense method
JPH03502263A (en) COMPUTER DATA AND SOFTWARE INTEGRITY PROTECTION APPARATUS AND METHODS
RU2514142C1 (en) Method for enhancement of operational efficiency of hardware acceleration of application emulation
AU2559400A (en) Apparatus and method for handling peripheral device interrupts
Vogl et al. X-TIER: Kernel module injection
CA2256831A1 (en) Direct vectored legacy instruction set emulsion
JP2886969B2 (en) Program conversion method
Murad et al. Evading virus detection using code obfuscation
CN1329828C (en) Method and device for preventing computer virus
Grimm et al. Automatic mitigation of kernel rootkits in cloud environments
KR101665850B1 (en) Method for Protecting Program by Using Heterogeneous Processor Emulation

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE HU IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK TJ TM TR TT UA UG UZ VN AM AZ BY KG KZ MD RU TJ TM

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): KE LS MW SD SZ UG AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref document number: 2244892

Country of ref document: CA

Ref country code: CA

Ref document number: 2244892

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 1997904106

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1997904106

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 97528572

Format of ref document f/p: F

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWG Wipo information: grant in national office

Ref document number: 1997904106

Country of ref document: EP