RU101235U1 - VALVE Malware Check System with Variable Validation Settings - Google Patents

Abstract

 1. A system for accelerating anti-virus scan of files by selecting the type of anti-virus scan, which consists of the following means: means for intercepting the launch of executable files, designed to intercept attempts to launch the executable file; ! risk assessment means associated with the tool for intercepting executable files and the risk database, wherein the risk assessment tool is intended to use a risk database in order to assess the risk of launching the executable file, data about which was obtained from the tool for intercepting the launch of executable files; means for selecting scan techniques associated with the risk assessment tool, wherein the scan technique selection tool is designed to accelerate anti-virus scanning of files by selecting the type of anti-virus scan for the executable file depending on the risk of launching the executable file; file verification tools associated with the verification technique selection tool, wherein the file verification tool is intended to be used by the selected scan tool selection techniques for all necessary types of anti-virus scanning and transferring the results to the tool for intercepting executable file launches to prohibit or allow further file execution. ! 2. The system according to claim 1, in which the risk assessment tool takes into account the source of the file, the full path of the file, the file size, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, or if the file was received from the CD from CD-ROM drive, the value of the overall threat level received from the antivirus company. ! 3. The system according to claim 1, in which

Description

Technical field

The utility model relates to providing accelerated anti-virus scan of files by selecting the type of anti-virus scan.

State of the art

When performing an anti-virus scan on a user's computer, a certain part of the system resources is used, sometimes a very significant part of them, which leads to the fact that the user can cancel the long-term anti-virus scan, believing that it is unnecessary. Usually, if the user does not pay attention before starting the application, if the anti-virus scan of this application took one or two seconds. On the other hand, in such a short period of time, you can manage to perform only the most basic anti-virus checks, such as anti-virus signature checks. However, more resource-intensive checks like emulating or using a secure environment can take a lot more time. Various anti-virus scan systems are described in applications and patents, such as WO0022710, CN1801033, WO04075056, JP2003216445, WO2007042975 and others. However, the disadvantage of these systems is that it is not always necessary to carry out resource-intensive antivirus scans in cases where it is sufficient to use only the most basic ones, for example, based on time stamps, for example, as described in application US20080229419.

This implies the optimal use of time, which is spent on anti-virus scanning while ensuring the reliability of such a scan.

Utility Model Disclosure

The technical result of the utility model is to accelerate the anti-virus scan of files by selecting the type of anti-virus scan. This result is achieved through the use of a system that contains: means for intercepting the launch of executable files, designed to intercept attempts to launch the executable file; risk assessment means associated with the tool for intercepting executable files and the risk database, wherein the risk assessment tool is intended to use a risk database in order to assess the risk of launching an executable file, data about which was obtained from the tool for intercepting executable files; means for selecting a scan technique associated with a risk assessment tool, wherein the tool for selecting a scan technique is designed to accelerate anti-virus scanning of files by selecting the type of anti-virus scan for the executable file depending on the risk of launching the executable file; file verification tool associated with the scan technique selection tool, wherein the file verification tool is intended for use by the selected scan tool selection methods of all necessary types of anti-virus scanning and transferring the results to a tool for intercepting executable file launches to prohibit or allow further file execution.

In a particular embodiment, the risk assessment tool takes into account the source of the file, the full path of the file, the file size, whether the file is digitally signed, whether the file is a download utility, whether the file is packaged, whether the file was received from the CD from the CD-ROM drive, the value general threat level received from an antivirus company.

In another particular embodiment, the types of anti-virus scanning include heuristic detection algorithms, statistical analysis, sending a copy of the file to the server to check for the presence of malicious functionality, sending a checksum of the file to the server for anti-virus scanning, and launching the file in a protected environment.

Additional advantages of this utility model will be disclosed in the following description. In addition, examples of using the utility model with reference to the drawings will be given.

Brief Description of the Drawings

The accompanying drawings are included in the description to explain the essence and basic principles of the utility model. The following description discloses embodiments of the utility model with reference to the following drawings:

Figure 1 is a timing diagram of a utility model.

Figure 2 schematically represents a computer on which it is possible to use this utility model.

Figure 3 shows an exemplary risk growth curve depending on the number of risk factors.

Figure 4 illustrates an algorithm for selecting verification types depending on the degree of risk for the executable file.

Figure 5 depicts one embodiment of a utility model system.

Detailed Description of Embodiments

A detailed description of the claimed utility model will contain descriptions and examples of the use of all elements and subsystems that make up the utility model.

The first application of the utility model is to identify differences between known executable files (i.e. files that antivirus software previously checked on this computer) and unknown executable files. Thus, when a program known to the anti-virus system is launched (for example, an installed copy of Microsoft Word), the anti-virus scan will be quite simple, i.e. limit yourself to checking the virus signatures of dynamic libraries that connect when the program starts. On the other hand, when an unknown program is first launched, it will be subjected to exhaustive testing. In such a situation, the user may be additionally informed in a pop-up window or other interface element that a new unknown program was launched, which carries an increased risk of a possible virus infection of the computer. In such cases, the choice appears: do a full scan, do not do it, or run a quick / simplified anti-virus scan. For example, a full scan activates all possible verification mechanisms that it makes sense to perform (for example, signature verification, heuristic analysis, etc.). The next choice is to use more appropriate verification methods that match the conditions and background of the file in the computer system.

When new software appears on the Internet, including malware, it can take from several minutes to several hours before the databases of the antivirus product providers are updated. During this time, additional checks of the program that the user downloaded and tries to install for the first time are carried out, while requests to the server are sent - because this new software may be on the white list (the database of the software of verified or reliable programs or their executable files) or on the black list (the database of malware).

If the program is found in the black list, it means that the new downloaded software is highly likely to contain a virus, because the source of this software was previously seen in the distribution of malicious software, or because such software is often infected with viruses , as well as for a number of other reasons.

The presence of a program in the white list means, for example, that the source of the software or the type of program refers to cases where the presence of viruses is unlikely; in this case, it is enough to conduct a simplified check that does not require prolonged use of the user's computer resources. If the software is not available in both white and black lists, then options are possible. For example, the level of anti-virus scanning (and therefore the time spent on scanning) may depend on how the new software gets to the computer. For example, software that is distributed on storage media such as CD-ROM or DVD-ROM is less likely to be infected with viruses than software distributed via the Internet. For downloaded files, the source from which the file was received is important, i.e. URL address This difference is also taken into account when choosing the level of anti-virus scanning of the executable file.

Also, for each executable file, a set of anti-virus scan settings is selected depending on whether such a file has previously been encountered in the system. For example, for known files, a relatively simplified scan is performed (for example, based on file timestamps), while unknown files undergo a more complex anti-virus scan. For unknown files, a risk assessment is performed based on various factors associated with the executable file, after which a file metric is created. Thus, based on the file metric, various types of antivirus scans are performed.

If the file is packed (a compressed and / or modified and / or encrypted copy of the original file and the program for unpacking are written to the packed file), this is also a risk factor, since

malicious program files are often packaged (the purpose of packaging is to bypass signature checks used to detect viruses). The current location or path to the file should also be taken into account, especially if any of the executable files are installed in separate directories (folders, directories), for example, C: \ Windows. A large risk factor should be established for such files.

Another factor to consider is file size. For example, small executable files (several tens of kilobytes) are more suspicious compared to large executable files (tens and hundreds of megabytes). This factor is due to the impracticality of transferring multi-megabyte files, especially when using zombie computers (that is, computers that are used by third parties without the knowledge of the owners to use their resources, for example, to send spam). If a zombie computer sends very large infected files, then it is not able to send out a lot of copies of infected files due to the limited communication channel with the network and hardware resources. It is also practical to send a large number of email messages with fairly small attachments. Typical malicious files sent in this way are about 50-100 Kb in size. And if the file was packed, then the file size will be reduced to about 25-50 Kb. Thus, if the executable file is small, then the level of risk of its launch for execution increases.

The next risk factor may be small executable files that install themselves on the system and immediately activate the download of other files from a web server or file server. In this case, you can detect a call to the functions of downloading files from a source on the Internet, then to check the link address (URL) of the source against the blacklist of links. If the executable file downloads malicious or unknown programs, the risk is very high. Another factor that increases the overall level of risk is the fact that the executable did not warn the user about his own launch and installation on the system.

The method of creating the file is also suspicious, i.e. discovery of the process that created this file. If another file was downloaded before this file was created on disk - therefore, knowing the address of the link (URL) of the downloaded file, it becomes possible to assess the degree of risk. Similarly, the directory (folder, directory) in which the file was created is taken into account.

The next risk factor is the electronic signature of the file. If the file signature is trusted (that is, the file was signed by a reliable organization), then you can exclude anti-virus checks for this file, since the risk level is minimal.

Another risk factor may be the overall level of threat that all major antivirus companies have. As a rule, statistics on antivirus application triggers are kept, and during outbursts of various triggers, antivirus companies register so-called virus outbreaks and raise the overall threat level. Such a general threat level can be considered as an addition to the risk level of launching each executable file.

Settings for detailed anti-virus scanning include heuristic analysis, emulation of executable code execution, which includes emulation in a restricted environment or intrusion emulation, in which the emulator executes only specific instructions of the executable code in debug mode. The following setting activates the statistical analysis of the file, for example, analysis of the number of repetitions of certain instruction templates and / or the frequency of the corresponding instructions or groups of instructions (including those used to identify polymorphic viruses that cannot be tracked using signature checks). Other techniques include interactive file checks, in which either the entire file or the checksum from the file (for example, a hash or cyclic redundancy check, CRC), or some portion of the file (i.e. the first X bytes and the last Y bytes) sent for analysis to a third party server, i.e. antivirus company.

Thus, it is possible to form a certain dependence of the risk of running the executable file on the type of analysis (antivirus scan). Figure 3 shows an exemplary curve of risk growth depending on the number of risk factors. Some factors (for example, the file size or its location) do not yet indicate that the file is infected, therefore, even if we summarize these factors, we cannot say that the file is highly likely to be infected. However, other factors (for example, the location of the file or its source) can be interpreted as a signal for using more resource-intensive verification methods (for example, emulation). Thus, depending on the level of risk, a more detailed scan is required using various anti-virus scan methods.

Figure 5 shows one of the options for implementing the system of utility model. The tool for intercepting the launch of executable files 501 intercepts the attempt to launch the executable file in the system and redirects information about this file to the risk assessment tool 502, which uses the risk database 505 in order to assess the risk of launching the executable file. The tool for intercepting the launch of executable files 501 can be implemented as an anti-virus application driver that intercepts all attempts to launch executable files. Such a driver works in supervisor mode (they also talk about working at the kernel level), which provides maximum access to system resources. The risk assessment tool 502 operates in accordance with the data on risk factors described above. Risk assessment can be performed, for example, using the system described in patent US 7530106, in which risk assessment is based on rules, each of which describes a specific action in the operating system and the corresponding risk factor for this action. The risk value received from the risk assessment means 502 is transmitted to the selection tool 503, which determines the type of anti-virus scan for the executable file. Then, the file scan tool 504 uses all the necessary types of anti-virus scan selected by the scan tool 503 selection tool. The checker 503 and the file checker 504 can be implemented as an anti-virus application that uses various file verification algorithms, such as signature verification, emulation, heuristic analysis. File Checker 504 can also be implemented not only on the user side, but also on the server side. Also, in one embodiment, the technician selection tool 503 can be implemented as a task scheduler in the operating system that optimizes the load on the system by comparing the level of risks and the planned costs of anti-virus scanning. A similar approach can be traced in patents such as US 7555621, US 7591019, US 7584508. After interpreting the results obtained, the answer about the possibility of launching the executable file is sent to the tool to intercept the launch of executable files 501 to prohibit or allow further execution of the executable file.

Figure 1 shows a block diagram of the actions of the implementation of the utility model in accordance with figure 5. At block 102, a file is launched. At step 104, risks are analyzed using various techniques to identify risks (for example, based on risk analysis by URL, file size, and other risk factors). At the same stage, a risk assessment is performed using metrics that are combined to evaluate the file as representing high, medium and low risk levels. At step 106, the type of antivirus scan that is expected to best match the level of risk obtained is selected. Then, at step 108, the scan of the executable file begins using all the selected anti-virus scan methods. At step 110, according to the results of checking the executable file for the presence of malicious software, the probability of its presence was revealed, then at step 112 the execution of the file is blocked. At 114, execution of the file is permitted, provided that no malware has been detected.

Figure 4 shows the algorithm for selecting the types of checks depending on the degree of risk for the executable file at step 106. The check can be static 401, which means the use of signature databases for both malicious programs and white lists. Dynamic check 402 means using emulation methods, as well as running the executable file in a secure environment (sandbox), while distributed check 403 already uses methods to send data about the file to third-party servers (for example, an anti-virus company) in order to find out if the file is malicious or not. Finally, pending check 404 means that the executable file is prohibited from executing until its status is confirmed.

FIG. 2 shows an exemplary computer system that can act as a utility model of computer 202. Computer 202 includes one or more processors, such as processor 201. Processor 201 is connected to a communications infrastructure 206, such as a bus or network.

Computer 202 includes primary memory 208, (RAM), and may also include secondary memory 210. Secondary memory 210 may include, for example, an internal disk or data storage 212 (eg, a hard or optical disk) and / or a reader / writer 214 of a storage medium 216 (a magnetic tape storage device, an optical drive, etc.). The removable storage unit 216 is a magnetic tape, an optical disk, or other storage media read or written by a corresponding reader / writer 214 of the storage medium 216. The removable storage unit 216 may include a computer-readable storage medium having computer software stored thereon and / or data.

In an alternative embodiment, secondary memory 210 includes other means for downloading computer programs or other instructions to computer 202. It includes, for example, a removable memory unit 222 and an interface 220. It may include a removable memory chip (such as EPROM or PROM) and its associated connector or other removable memory blocks 222 and interfaces 220, which allow you to transfer software and data from removable memory blocks 222 to the computer 202.

Computer 202 also includes one or more connection interfaces, such as network interface 224. Network interface 224 allows data to be transferred between computer 202 and external devices. For example, the network interface 224 includes a modem, a network interface (e.g., an Ethernet card), a connection port, a PCMCIA slot and a card, etc. The software and data transmitted via the network interface 224 are in the form of signals 228, electronic, electromagnetic, optical and other types that can be received via the network interface 224. The signals 228 are provided by the network interface 224 via the communication channel 226. This channel 226 transmits signals 228 and is performed by wire or cable, fiber optic, RF channel and other communication channels. In an embodiment of the utility model, signals 228 comprise data packets sent to processor 201. Information representing the packets being processed may be sent in the form of signals 228 from processor201 through communication channel 226.

The term “computer-readable storage medium” or “computer-readable storage medium” is usually used to refer to a medium such as removable storage media 216 and 222, a hard disk installed as an internal hard disk 212, and signals 228 that enable software to be transmitted to a computer 202.

Computer programs are stored in main memory 208 and / or secondary memory. Computer programs can also be obtained through a network interface 224. In particular, computer programs, when executed, allow processor 201 to implement the present utility model. The software may be stored in a computer program product and downloaded to a computer 202 using a removable storage device 214, a hard disk 212, or a communication interface 224.

It should also be noted that the examples described in the description are illustrative and are not intended to limit the scope and essence of the claimed utility model, which are established in the attached formula.

Claims (3)

1. A system for accelerating anti-virus scan of files by selecting the type of anti-virus scan, which consists of the following means: means for intercepting the launch of executable files, designed to intercept attempts to launch the executable file; risk assessment means associated with the tool for intercepting executable files and the risk database, wherein the risk assessment tool is intended to use a risk database in order to assess the risk of launching the executable file, data about which was obtained from the tool for intercepting the launch of executable files; means for selecting scan techniques associated with the risk assessment tool, wherein the scan technique selection tool is designed to accelerate anti-virus scanning of files by selecting the type of anti-virus scan for the executable file depending on the risk of launching the executable file; file verification tools associated with the verification technique selection tool, wherein the file verification tool is intended to be used by the selected scan tool selection techniques for all necessary types of anti-virus scanning and transferring the results to the tool for intercepting executable file launches to prohibit or allow further file execution. 2. The system according to claim 1, in which the risk assessment tool takes into account the source of the file, the full path of the file, the file size, whether the file has a digital signature, whether the file is a download utility, whether the file is packed, or if the file was received from the CD from CD-ROM drive, the value of the overall threat level received from the antivirus company. 3. The system according to claim 1, in which the types of anti-virus scanning include heuristic detection algorithms, statistical analysis, sending a copy of the file to the server to check for the presence of malicious functionality, sending a checksum of the file to the server for anti-virus scanning, launching the file in a protected environment.