[54] METHOD FOR DETECTING INFECTION OF SOFTWARE PROGRAMS BY MEMORY RESIDENT SOFTWARE VIRUSES
[76] Inventor: Eyal Dotan, 28 rue Etienne Ganneron, 77600 Bussy St. George, France
Appl. No.: 631,917
Filed: Apr. 15, 1996
[51] Int. Cl.6 H04L 9/00; H04K 1/00
[52] U.S. Cl. 395/186; 395/183.14; 395/183.15
[58] Field of Search 395/186, 183.14, 182.04, 183.15, 185.01
[56] References Cited
U.S. PATENT DOCUMENTS
5,319,776 6/1994 Hile 395/575
5,349,655 9/1994 Mann 395/575
5,359,659 10/1994 Rosenthal 380/4
5,398,196 3/1995 Chambers 364/580
5,408,642 4/1995 Mann 395/575
5,448,668 9/1995 Perelson et al 395/182.19
5,473,769 12/1995 Cozza 395/183.15
5,493,649 2/1996 Slivka et al 395/185.01
5,502,815 3/1996 Cozza 395/183.14
5,613,002 3/1997 Kephart et al 380/4
Primary Examiner—Robert W. Beausoliel, Jr.
A method for detecting the infection of executable computer software programs by memory resident computer software virus programs is provided. The invented method comprises comparing an initial state of an executable program to a final state of the program. If the final state of the program is different than the initial state, then the method generates an alarm signal to inform a user that the program has been modified by a virus and is infected. Particularly, as a program is called into memory, that state of the program is marked as the initial state. When execution of the program is completed, that state of the program is marked as the final state. Alternatively, at the moment when processing of the program commences, that state of the program is marked as the final state of the program. The method compares the final and initial states to determine if the two states match. If the two states are the same, then it is confirmed that the program was not modified and is not infected. If it is determined that the two states are different, then the method generates an alarm signal to inform the user that the program is infected. Additionally, if the final state does not match the initial state, a known backup and restore technique can be invoked by the method for restoring the infected program to its initial state.
11 Claims, 4 Drawing Sheets
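
The compare-and-restore flow described in the abstract, as an added example that is not part of the patent: it marks a file's state before a command runs, marks it again afterwards, raises an alarm on a mismatch and restores from a backup copy. Treating "state" as file size plus SHA-256 digest, and the names `snapshot`, `run_guarded` and `demo`, are assumptions made for this sketch.

```python
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile


def snapshot(path):
    """Return (size, SHA-256 hex digest); this pair is the assumed 'state'."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def run_guarded(program, argv, backup_dir):
    """Mark initial state, run argv, mark final state, compare, restore on mismatch."""
    backup = os.path.join(backup_dir, os.path.basename(program) + ".bak")
    shutil.copy2(program, backup)        # known-good copy used by the restore step
    initial = snapshot(program)          # state as the program is called
    subprocess.run(argv, check=False)    # execution happens here
    final = snapshot(program)            # state when execution completes
    infected = final != initial
    restored = False
    if infected:
        print(f"ALARM: {program} was modified during execution", file=sys.stderr)
        shutil.copy2(backup, program)    # put the initial bytes back
        restored = snapshot(program) == initial
    return {"infected": infected, "restored": restored,
            "initial": initial, "final": final}


def demo():
    """Constructed scenario: a stand-in program file and two guarded runs."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.bin")
        with open(target, "wb") as f:
            f.write(b"ORIGINAL PROGRAM BYTES")
        # Clean run: the child process leaves the file alone.
        clean = run_guarded(target, [sys.executable, "-c", "pass"], d)
        # Modified run: the file changes while the guarded command executes.
        change = "import sys; open(sys.argv[1], 'ab').write(b'APPENDED')"
        dirty = run_guarded(target, [sys.executable, "-c", change, target], d)
        with open(target, "rb") as f:
            after = f.read()
    return clean, dirty, after


if __name__ == "__main__":
    print(demo())
```

The comparison only covers the window between the two snapshots, so a file that was already modified before the initial state was marked compares as unchanged.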