WO2008043976A1 - Virus detection method - Google Patents

Publication number
WO2008043976A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
graphical information
signature
virus
blocks
Application number
PCT/GB2006/003761
Other languages
French (fr)
Inventor
Roger Seaton
Jens Uwe Hoffmann
Timothy John Fowle
Original Assignee
Umu Limited

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition

Abstract

A method of detecting a computer virus comprising: retrieving a computer file, the computer file comprising a sequence of blocks of length M, retrieving a signature of a computer virus to be detected, the signature comprising a sequence of blocks of length N, searching for the signature within the computer file, and determining whether the computer file contains the signature. The searching comprises comparing a first pair of blocks comprising the Nth block of the signature and a Pth block of the computer file, and, if the first pair of blocks are the same, comparing a second pair of blocks comprising the (N-1)th block of the signature and the (P-1)th block of the computer file, or if the first pair of blocks are not the same, comparing a third pair of blocks comprising the Nth block of the signature and the (P+X)th block of the computer file, where X is less than or equal to N and X is determined based upon the result of said first comparison.

Description

VIRUS DETECTION METHOD
The present invention relates to methods for detecting computer viruses. In particular, but not exclusively, the present invention relates to methods of scanning computer files in order to detect computer viruses. The present invention also relates to an improved graphical user interface for displaying graphical user interface information such as advertising.
Computers now form an integral part of everyday life. Indeed, without the assistance provided by computers many aspects of everyday life would be considerably impaired. For instance, computers are used to assist in the management of critical national infrastructures such as transport networks, power generation and telecommunications. Computers are also playing an increasingly dominant role in consumer products, such as entertainment products. There has been a large increase in recent years in mobile computing devices, such as mobile phones and personal digital assistants (PDAs), for both business and personal use.
Furthermore, in recent years there has been a large increase in the connectivity of computing devices. Use of the Internet is widespread, as well as the connection of computing devices to corporate and other private networks. There are an increasing number of methods of connecting computing devices to networks, including wired connections to a local area network (LAN), short range wireless communications, such as Bluetooth®, and wireless access through public telecommunications networks, such as GSM.
While the increased connectivity of computing devices has brought widespread benefits such as easier access to information, the tendency to allow computing devices to remain connected to external networks for extended periods of time has brought new security risks. Computing devices are at an increased risk from computer viruses when connected to a network, especially an uncontrolled public network such as the Internet. The term "computer virus" is used hereinafter in a broad sense to include all unwanted software, including malicious programs that pose a threat to data and applications stored on the computing device, or the security of users, and more benign yet still unwanted programs. The term "computer virus" is intended, in the present context, to include conventional self-replicating computer programs that spread by inserting copies of themselves into other programs and documents, as well as other forms of unwanted programs such as worms, Trojans and spyware as will be known to those skilled in the art.
If a computing device is infected with a computer virus (in the broad sense of the term given above), then both the computing device and the user of the computing device are at risk of a number of undesirable effects, including loss of data, interruption of other uses of the computing device and identity theft. There is a recognised requirement to detect the presence of computer viruses on a computing device, and where possible to remove the computer virus, or at least prevent it from spreading to other computing devices or causing further damage.
Known antivirus software comprises computer programs that attempt to identify, interrupt and remove computer viruses. Conventional antivirus programs typically use at least one of two different approaches to detect viruses.
A first approach comprises scanning computer files to locate known viruses. A computer virus is typically detected by scanning computer files on a computing device to detect a characteristic signature of the virus, either in a distinct file or in an otherwise useful file that has been infected by the virus. This approach is reliant upon prior identification of a new computer virus, and determining a characteristic signature for that virus.
A second known approach for antivirus software is to identify suspicious behaviour from legitimate computer programs, which might indicate that the program has been infected by a computer virus. This second approach is advantageous in that it is possible to detect a previously unknown computer virus based upon the effects of that virus. While both approaches to virus detection are commonly used, the traditional emphasis has been on the first approach of looking for characteristic signatures of known viruses.
Once a virus has been detected then one of the following options may be possible: it may be possible to remove the virus from the computer file (known as cleaning the file). If cleaning is not possible, then the computer file may be quarantined to prevent the onward spread of the virus, and prevent the virus from causing further harm. A third option is to simply delete the file.
Scanning computer files to detect the characteristic signatures of known computer viruses is a time consuming process that can involve searching for a large number of different signatures amongst each of a potentially even larger number of computer files. This time consuming process is disadvantageous as it can prevent use of the computing device for more productive activities. If computer files are being accessed while also being scanned for viruses then the antivirus software can significantly slow down the operation of legitimate programs. Perhaps more seriously, this slow down of the computing device may tempt users to switch off antivirus software, thereby once again exposing the computing device and the user to the risks posed by computer viruses.
A computer virus signature typically comprises a known sequence of blocks within a computer file. Each block may be a single byte. There are a number of known techniques for searching for a known string of blocks within a computer file. A simple known technique is to compare the first block of the signature with the first block of the computer file: if the compared blocks match then the following pair of blocks are compared, if the first pair of blocks do not match then the first block of the signature is compared with the second block of the computer file. The process continues until either all of the blocks of the signature are matched in order to a contiguous series of blocks within the computer file, or the end of the computer file is reached without successfully matching the whole signature. While this first approach is attractive due to being simple to implement, it can be slow.
It is known to provide advertising on computing devices, for instance on Internet pages when displayed in an Internet browser. Such advertising may take the form of banners, which comprise words, pictures or moving images in a portion of the Internet page advertising a sponsor of that page. Typically, if a user clicks on that portion of the page, for instance with a computer mouse, the Internet browser will be redirected to an Internet page associated with the advertiser.
For conventional computer based advertising, it is normally the case that advertising material is downloaded from a remote host at the same time as downloading the rest of the Internet page.
It is an aim of embodiments of the present invention to obviate or mitigate one or more of the problems of the prior art, whether identified herein or elsewhere.
According to the present invention there is provided a method and apparatus for detecting a computer virus. The method comprises retrieving a computer file, the computer file comprising a sequence of blocks of length M; retrieving a signature of a computer virus to be detected, the signature comprising a sequence of blocks of length N; searching for the signature within the computer file; and determining whether the computer file contains the signature. The searching comprises comparing a first pair of blocks comprising the Nth block of the signature and a Pth block of the computer file, and, if the first pair of blocks are the same, comparing a second pair of blocks comprising the (N-1)th block of the signature and the (P-1)th block of the computer file, or if the first pair of blocks are not the same, comparing a third pair of blocks comprising the Nth block of the signature and the (P+X)th block of the computer file, where X is less than or equal to N and X is determined based upon the result of said first comparison.
The searching employed in embodiments of the present invention is based upon the Boyer Moore search algorithm. This is a known string-searching algorithm, which has heretofore been used for string search applications. The Boyer Moore algorithm is particularly efficient due to the fact that it does not require checking of every character of the file to be searched. The efficiency is derived from the fact that information from every unsuccessful attempt to match the search string is used to rule out as many other blocks from the file as possible, so that they need not be checked. The inventors have surprisingly realised that a virus detection method based upon the Boyer Moore algorithm can be implemented so as to achieve beneficial results from the point of view of efficiency.
Each of the blocks will typically be a byte. The Pth block of the computer file may be the Nth block of the computer file. Alternatively, an offset value Y may be specified and the Pth block of the computer file may be the (Y+N)th block of the computer file.
When a virus is detected, a number of operations can be carried out. For example, a file containing a virus may be quarantined, deleted or cleaned, cleaning involving removing the detected virus from the processed computer file. Indeed, it should be noted that a virus signature may not represent the entirety of that which needs to be removed in order to successfully remove the virus from a computer file. That is, the signature may take the form of a relatively small number of characteristic blocks. When this small number of characteristic blocks is detected, this can cause the methods described herein to delete a larger collection of blocks which define the virus.
It will be appreciated that the described method may be applied to detect one or more computer viruses in one or more computer files. The comparison between each signature and each computer file may be carried out using the method described above. For example, in some applications a library of virus signatures will be used, and processing will be carried out to determine whether any file stored in a particular file store includes any of the signatures. Alternatively, a single file, specified by a user may be processed to determine whether viruses associated with any of the signatures in the library of viruses are contained within that file. Files may be processed when they are opened or closed or on demand.
A virus signature may comprise a plurality of sequences of blocks, and searching for the signature within the computer file may comprise searching for each of said sequences of blocks within the computer file. Each of the sequences of blocks may have a respective offset, and the method may comprise searching for each of said sequences of blocks in a part of said file determined by its respective offset. The use of offsets in this way can provide additional efficiency.
According to a further aspect of the present invention, there is provided a method and apparatus for displaying graphical information. The method comprises determining graphical information to be displayed; retrieving graphical information to be displayed from a local store; and displaying the retrieved graphical information. The local store may be arranged to store the graphical information in association with schedule information, and said determining may comprise selecting graphical information for display associated with schedule information that meets a predetermined scheduling criteria.
Aspects of the present invention have applications in advertising, and the graphical information may comprise an advertisement. A plurality of items of graphical information may be displayed in a repeated loop.
The term "graphical information" as used herein is intended broadly to cover anything that is displayed to a user by means of a suitable display device. In particular, the term includes text, and/or images. Graphical information may be accompanied by suitable sounds. Graphical information further includes moving image content such as video content. Additionally, the graphical information may provide interactivity and may take the form of, for example, a game.
The method may further comprise displaying a user interface element that is selectable by a user; receiving an indication that a user has selected the user interface element; and executing link information associated with said displayed graphical information, said link information being executed in response to selection of the user interface element.
Executing the link information may comprise launching an Internet browser and directing the Internet browser to an Internet page determined by the link information. The link information may be configured to cause a purchase request to be transmitted to a remote computer. The method may be carried out at a computing device having an associated account, and the method may comprise debiting said account in respect of said purchase.
The graphical information may be displayed concurrently with execution of a second computing operation. The graphical information may be displayed by a computer program, and the second computing operation may be carried out by that computer program. For example, the computer program may establish two threads, a first thread controlling display of the graphical information, and a second thread carrying out the second computing operation. The second computing operation may comprise detecting a computer virus, for example by using a method as described above.
For example, when virus detection is carried out information indicating progress of said virus detection may be displayed; and said graphical information may be displayed concurrently with said information indicating progress of said virus detection.
The invention further provides a method and apparatus for displaying graphical information. The method comprises determining graphical information to be displayed; retrieving graphical information to be displayed from a local store; and displaying the retrieved graphical information. The graphical information is displayed at the same time as a virus detection operation is carried out, the virus detection operation comprising retrieving a computer file, retrieving a signature of a computer virus to be detected, searching for the signature within the computer file and determining whether the computer file contains the signature. The graphical information is displayed by a first computer program and said virus detection operation is carried out by said first computer program.
The invention also provides a method and apparatus for displaying graphical information. The method comprises determining graphical information to be displayed, the graphical information being stored in a local store, the local store being arranged to store the graphical information in association with link information; retrieving graphical information to be displayed; displaying the retrieved graphical information; displaying a user interface element that is selectable by a user; receiving an indication that a user has selected the user interface element; and executing link information associated with said displayed graphical information, said link information being executed in response to selection of the user interface element.
It will be appreciated that all aspects of the present invention can be implemented as methods or apparatus. Suitable apparatus include suitably programmed computers. Aspects of the invention can also be implemented by suitable computer programs. Such computer programs can be carried on suitable carrier media including both tangible and non-tangible carrier media.
It will further be appreciated that features described in connection with a particular aspect of the invention can be applied to other embodiments of the invention.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 schematically illustrates a known method of searching for a virus signature in a computer file;
Figure 2 schematically illustrates a method of searching for a virus signature in a computer file in accordance with an embodiment of the present invention;
Figure 3 schematically illustrates a file format for storing virus signatures for use within the method of searching for a virus signature in a computer file of Figure 2;
Figure 4 schematically illustrates in the form of a flow chart the method of searching for a virus signature in a computer file as shown in Figure 2;
Figure 5 schematically illustrates in the form of a flow chart an expanded portion of the flow chart of Figure 4;
Figure 6 schematically illustrates an apparatus suitable for implementing the method of searching for a virus signature in a computer file as shown in Figure 2;
Figure 7 schematically illustrates in the form of a flow chart the method of searching for a virus signature in a computer file as shown in Figure 2 in an on demand file scanning configuration;
Figure 8 schematically illustrates in the form of a flow chart the method of searching for a virus signature in a computer file as shown in Figure 2 in an automatic file scanning configuration;
Figure 9 schematically illustrates an apparatus suitable for implementing the method of displaying advertising content in accordance with an embodiment of the present invention;
Figure 10 schematically illustrates a file format for storing advertising content for use within the method of displaying advertising content of Figure 8; and
Figures 11 to 24 illustrate screen shots taken from a computer program implementing embodiments of the present invention.
Embodiments of the present invention relate to an improved method of searching for characteristic signatures of computer viruses within computer files. Specifically, embodiments of the present invention relate to an improved method of searching for a computer virus signature comprising a first sequence of blocks within a computer file, said file comprising a second sequence of blocks. The sequence of blocks forming the computer file is typically much longer than the sequence of blocks forming the virus signature. Each block is typically a single byte. Each byte may thus be represented by a single character, such that the virus signature comprises a string of characters.
Referring to Figure 1, this schematically illustrates a known technique used in antivirus software for searching for a virus signature. A computer file 1 is schematically represented by a sequence of blocks. The computer file 1 is thirty blocks long. A virus signature 2 is schematically represented by a second shorter sequence of blocks. The virus signature 2 is five blocks long. It can be seen that for the purposes of ready comprehension of Figure 1, the virus signature 2 comprises the English word "ISSUE". By inspection of the computer file 1, it can be seen that the computer file does contain the signature "ISSUE" between the eighth and twelfth blocks. It will of course be appreciated that in reality both the computer file 1 and the signature 2 may be much longer.
In accordance with the known technique used within conventional antivirus software, virus signature 2 is initially positioned at the start of computer file 1 (shown in Figure 1 as being at the left of the Figure). The first block of the virus signature 2, indicated by arrow 3, is compared with the first block of the computer file 1. It can readily be seen that the compared blocks do not match. In the event of no match, virus signature 2 is moved one place along the computer file 1, shown schematically as being in the direction indicated by arrow 4. The first block of the virus signature 2 is now compared with the second block of computer file 1. Again there is no match and signature 2 is moved a further place to the right, and so on.
At the eighth attempt the first block of signature 2 matches the eighth block of computer file 1. This time, as there is a match, processing passes to the second block of the signature, which is compared to the ninth block of the computer file 1. Assuming the second block of the virus signature matches, processing passes to the third block and so on until the whole of the virus signature 2 has been located in the computer file 1.
If a subsequent block of the virus signature 2 does not match then there is only a partial match. Processing then begins again with the first block of the virus signature 2 being compared to the last block of the computer file checked so far. If the whole of the virus signature 2 is found in computer file 1 then it can be determined that the computer file 1 is infected with the computer virus and appropriate action may be taken. If the end of the computer file is reached without the whole of the virus signature being found, then it may be determined that the computer file has not been infected with the computer virus. For practical embodiments of antivirus software, processing of the same computer file 1 may begin again with a virus signature for a different computer virus, or the same virus signature 2 may be searched for in a different computer file.
A problem associated with the known searching technique depicted in Figure 1 is that every block within computer file 1 up to the last block of the virus signature embedded in the file (or the last block of computer file 1 if the virus signature is not present) must be checked.
Referring now to Figure 2, an improved method of searching for virus signatures 2 within computer files, in accordance with an embodiment of the present invention, will be described. In accordance with the improved search method, not every block of the computer file up to the end of an embedded virus signature, or the end of the file if no virus signature is detected, need be checked.
Efficiency improvements arise due to processing of the virus signature, which is either done in advance of searching for computer viruses or while the virus scanning is in process (as will be described in greater detail below). This differs from known search techniques, which provide some efficiency improvements by pre-processing the computer file, and then amortise the computational expense of this pre-processing by searching each file repeatedly for multiple virus signatures. The processing of each virus signature need only be done once, and then the result may be saved for future searches for that signature in other computer files. In accordance with certain embodiments of the present invention the process of searching for computer virus signatures within computer files becomes quicker the longer the signature. This is particularly advantageous for certain computer viruses, which have particularly long signatures.
The efficiency of methods of detecting computer viruses in accordance with the present invention derives from the fact that information is gathered from every unsuccessful attempt to match the computer virus signature. That information is then used to rule out as many other blocks from the computer file as possible, so that they need not be checked. Embodiments of the present invention are particularly suitable for antivirus software implemented on mobile computing devices, which may have limited processing ability. For such devices it is desirable to implement software as efficiently as possible to free resources for other uses.
Figure 2 shows the same computer file 1 as for Figure 1, and the same virus signature 2. As for Figure 1, signature 2 is positioned at the start of the computer file 1. However, instead of comparing the first block of the signature with the first block of the computer file, the method of detecting computer virus signatures begins by comparing the last block of the signature 2, indicated by arrow 5, with a corresponding block of the computer file. In some embodiments of the present invention the computer virus signature may specify an offset. The offset indicates that the virus signature will only be found within the computer file after a particular point given by the offset. The presence of an offset is advantageous as the process of comparing pairs of blocks from the virus signature and the computer file need not begin until after the offset. In the example of Figure 2 there is no offset (that is, there is an offset of zero).
The embodiment of the invention depicted in Figure 2 works backwards from the end of the signature 2 to the beginning. If, for instance, the fifth block of file 1 was an "E", and hence was a match, then the method would continue by checking the fourth block and so on until either the beginning of the signature was reached, indicating that the signature had been found in the file, or there was a mismatched block.
The advantage of starting with the last block of the signature is shown clearly in Figure 2, where it can be seen that there is no match between the last block of the signature "E" and the corresponding block of the computer file "Y". As the block "Y" does not appear anywhere within the signature 2 it can be seen that not only is there no match for the signature 2 at the start of computer file 1, but also that there can be no match for the signature for another four blocks along the file in the direction of arrow 4. This is because if the last block of the signature were aligned with any of the sixth to ninth blocks of the file, then even if that block matched (that is, the block was an "E") then the signature still could not be present at that position in the file due to the presence of the "Y" in the fifth block location of the file. Therefore, in a second iterative attempt to match a pair of blocks, the last block of the signature 2 is compared to the tenth block of the computer file 1. Again there is no match as the tenth block of the computer file 1 is an "S". However, this time the mismatched block in the computer file does appear within the signature. Consequently, for the third matching attempt the signature must be moved along the computer file by less than the full length of the signature. The process of determining exactly how far to move the signature will be described in greater detail below. In the example of Figure 2 the signature is moved the minimum distance required for the "S" in the tenth block of the computer file to match the second "S" in the signature. Consequently the signature is moved by two places. At the third attempt to match a pair of blocks the last block "E" of the signature matches the twelfth block of the computer file.
Once the last block of the signature has been matched, the process continues in an analogous fashion to that of the known method described for Figure 1, except that this time pairs of blocks are compared starting from the end of the signature and working towards the beginning until either there is a mismatch or the signature is fully matched to a contiguous sequence of blocks within the computer file.
The method of detecting computer virus signatures described with reference to Figure 2 provides significant efficiency gains over known virus detection methods as the number of pairs of blocks checked is significantly reduced. The reduction of checking is dependent upon the length of the signature, and the composition of the signature and the computer file. Li the best case, for a computer file of length M blocks and a signature of length N blocks, only M/N blocks need to be checked, hi the worst case, the number of blocks to be checked may be M*N. This worst case scenario arises when the computer file comprises a series of repetitions of a single block, and the signature comprises N-I instances of that block preceded by a single, different, block. However, even in the worst case scenario (which is unlikely to occur often in virus detection) the performance is still comparable with that of detecting virus signatures in accordance with the known method of Figure 1. Referring now to Figure 3, in accordance with embodiments of the present invention the characteristic signatures of known viruses are stored in a predefined format. The predefined virus signature storage format comprises a series of concatenated instructions defining a single virus signature. The virus signatures are held in a locally stored virus definition store for ready access by virus scanning software.
Figure 3 shows a single virus signature comprising a concatenated series of instructions 10. The sequences of blocks making up the signature are stored in portions 11, preceded by search headers 12 indicating that following data defines how search operations should be carried out. That is, the search headers 12 indicate that offset and length information 13 follows, together with a partial signature definition 11. For a given virus signature it may be known that a particular part of the virus signature will not be found before a given point in the computer file, therefore the process of comparing pairs of blocks between that part of the virus signature and the computer file need not begin before that offset. This is indicated in the offset and length information 13. Length information indicates how many blocks after the offset need to be searched for the virus signature. This information is captured by the offset and length information 13. It will be appreciated that the length information is effectively a further offset specified relative to a first offset, hi alternative embodiments, the length information maybe replaced by a second offset specified relative to the start of the file.
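The backward comparison and skip-ahead of Figure 2, restricted to the per-part offset and length window of Figure 3, as an added Python example that is not code from the patent. It uses the Horspool simplification of Boyer-Moore (the shift is always taken from the file block under the signature's last block); the 30-block sample file is constructed to match the blocks the text names, and the names `SignaturePart`, `find_part`, `find_naive` and `file_matches`, together with the rules that a part must lie wholly inside its window and that every part must be found, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed 30-block file: block 5 is "Y", block 10 is "S", and the
# signature "ISSUE" occupies blocks 8 to 12 (1-indexed), as in the text.
FILE = b"HAPPY TISSUE BOX ON THE TABLE."
SIGNATURE = b"ISSUE"


def build_shift_table(pattern: bytes) -> dict:
    """Process the signature once: for each block value in pattern[:-1], how far
    the signature may move when that value sits under its last block."""
    last = len(pattern) - 1
    return {block: last - i for i, block in enumerate(pattern[:-1])}


@dataclass
class SignaturePart:
    """One sequence of blocks with its search window (hypothetical record layout)."""
    pattern: bytes
    offset: int = 0                # comparisons do not begin before this block
    length: Optional[int] = None   # blocks after the offset to search; None = to end
    shifts: dict = field(init=False, repr=False)

    def __post_init__(self):
        if not self.pattern or self.offset < 0:
            raise ValueError("need a non-empty pattern and a non-negative offset")
        self.shifts = build_shift_table(self.pattern)  # saved for every later file


def find_part(data: bytes, part: SignaturePart):
    """Return (index, comparisons); index is -1 if the part is not in its window."""
    n = len(part.pattern)
    end = len(data) if part.length is None else min(len(data), part.offset + part.length)
    start, comparisons = part.offset, 0
    while start + n <= end:            # assumption: part must fit inside the window
        j = n - 1
        while j >= 0:                  # compare from the last block back to the first
            comparisons += 1
            if data[start + j] != part.pattern[j]:
                break
            j -= 1
        if j < 0:
            return start, comparisons
        # A block value absent from the signature allows a full-length jump.
        start += part.shifts.get(data[start + n - 1], n)
    return -1, comparisons


def find_naive(data: bytes, pattern: bytes):
    """The known first-block-forward technique of Figure 1, for comparison."""
    comparisons = 0
    for start in range(len(data) - len(pattern) + 1):
        for j, block in enumerate(pattern):
            comparisons += 1
            if data[start + j] != block:
                break
        else:
            return start, comparisons
    return -1, comparisons


def file_matches(data: bytes, parts) -> bool:
    """Assumption: a multi-part signature matches only if every part is found."""
    return all(find_part(data, part)[0] >= 0 for part in parts)


if __name__ == "__main__":
    print("backward search:", find_part(FILE, SignaturePart(SIGNATURE)))
    print("naive search:   ", find_naive(FILE, SIGNATURE))
    print("window 5+7:     ", find_part(FILE, SignaturePart(SIGNATURE, offset=5, length=7)))
    print("window 5+6:     ", find_part(FILE, SignaturePart(SIGNATURE, offset=5, length=6)))
```

On the sample file the backward search checks blocks 5 and 10 and then the five blocks of the match, while the naive search compares the first signature block against each of blocks 1 to 7 before matching.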
The virus definition instructions 10 begin with a virus signature header 14 identifying the virus. The virus signature header 14 includes a virus name, details of file types susceptible to infection by the virus, and other useful information. In certain embodiments of the present invention, the virus signature information may be stored in a hierarchical format, for instances of computer viruses which have inherently hierarchical structures. That is, particular sequences of blocks may be common to a plurality of viruses, and individual virus definitions can specify sequences of blocks associated with individual ones of the viruses.
In general terms, it will be appreciated that virus definitions can be stored in any suitable form, such forms being apparent to those of ordinary skill in the art. The signature file will generally consist of three main sections. A first, header, section includes a file version, indicating when the file was produced and a minimum engine required to parse the file. A second, main, section includes signatures. The data in this second section is compressed and encrypted. This prevents the file being changed after compilation and also prevents unauthorised persons producing new signature files. A third, cleaning data, section defines what action should be taken to clear a file when a virus is detected. That is, given that a virus will typically be longer than the characteristic blocks making up its signature, the third section indicates what should be deleted to remove the entire virus.
The third section can contain a "signature" of the main section. This is a cryptographic checksum of the main section that has been encrypted using an asymmetric algorithm. This allows the software on a client to calculate its own hash and then decrypt the stored hash and compare to verify the file contents.
In certain embodiments of the present invention the virus scanning software may be arranged to automatically update the locally stored virus definitions, for instance via a network connection to a virus definitions server, in order to ensure that the locally held virus signature information is up to date and includes coverage of newly discovered viruses.
Referring now to Figure 4, this schematically illustrates in the form of a flow chart the method of detecting computer virus signatures depicted in Figure 2. At step S1 a counter n is initialised to track the current block of the signature being compared to the computer file. Counter n is greater than or equal to 0 and less than or equal to N, where N is the length of the virus signature. At step S2 a counter m is initialised to track the current block of the computer file being compared with the signature. Counter m is greater than or equal to 0 and less than or equal to M, where M is the length of the computer file.
At step S3 counter n is set to N, and counter m is set to Y+N where Y is a known offset value for that virus signature. The last block of the signature is to be compared to the correspondingly numbered block of the computer file after the counter m has been advanced to the offset position Y.
At decision step S4 block m of the computer file is compared to block n of the signature. If it is determined that they match, then at step S5 both counters are decremented.
At step S6 a check is made whether all of the blocks of the signature have already been successfully matched to the computer file, that is whether the signature block counter n has been decremented to zero. If all blocks of the signature have been checked, then the method ends at step S7 with a determination that the computer file does contain the virus signature, and thus the computer file has been detected. In accordance with embodiments of the present invention, appropriate action may then be taken to delete or quarantine the file. If, however, at step S6 it is determined that there are further blocks of the signature to be checked, then the process passes back to step S4 to check the new pair of blocks now pointed to by counters n and m.
At step S4, if the blocks pointed to by counters n and m do not match, then the process passes to step S8. At step S8 a determination is made of how many blocks of the computer file to jump past before again comparing the last block of the signature to a new block within the computer file. The number of blocks to jump by is denoted by X. The number of blocks to jump past is dependent upon the number of blocks of the signature that were matched before a mismatch was encountered, and whether the mismatched block is otherwise present in the signature.
For the simple example shown in Figure 2, the first attempt to match a pair of characters between the signature and the computer file failed with a mismatch for the last block of the signature. It is determined that the block at that position of the file is not found anywhere in the signature. Therefore, it was seen that the signature may be advanced along the computer file by the maximum possible distance, without a risk of missing the signature, that is X is equal to N (the length of the signature). The process of determining X will be described in greater detail below, in connection with Figure 5. The process of determining X is concerned with using the information derived from the mismatch to rule out as many possible locations of the signature within the computer file as possible.
At step S9, the counter m is assigned the value of m + X. At decision step S10 it is determined whether the current value of counter m has exceeded M, that is whether the counter is pointing to a block beyond the end of the computer file. If this is the case then at step S11 it is determined that the virus signature has not been found within the computer file, and thus the computer file has not been infected. Otherwise at step S12 the signature block counter n is reset to the last block of the signature and the process of trying to match the signature to the computer file begins again at the new position within the computer file pointed to by counter m.
As noted above, at step S8 variable X is calculated to determine how many blocks in the computer file to jump from the block currently pointed to by the counter m. In accordance with embodiments of the present invention, this determination may be dependent upon the number of blocks of the signature that were matched before a mismatch was encountered, and whether the mismatched block is otherwise present in the signature, based upon information calculated in advance from the signature itself. This processing of the signature can be done in advance of checking for the presence of the signature in a computer file.
In an embodiment of the present invention a determination of how many blocks to advance counter m by is made solely on the identity of the block that causes the match to fail. This determination is made when attempting to match the last block of the signature to the computer file (that is the first attempted block match for each new position of the signature relative to the computer file). In accordance with this embodiment of the present invention a table is computed to determine the value of X based upon the identity of the block found at that location in the computer file, for each possible block, based upon the position of each block in the signature. The table may be pre-computed in advance of scanning any computer file, or it may be calculated during the virus scanning process. For the signature "ISSUE" as shown in Figures 1 and 2 an exemplary table is shown in table 1.
[Table 1: image imgf000019_0001 not reproduced]
Table 1 is calculated as follows. Starting at the last block of the signature, this block is assigned an X of 0. Moving towards the first block of the virus signature, then for each position to the left the X value is increased by one. Thus the X value for "U" is 1. If a block value is already in the table (as is the case for the first "S" in "ISSUE") then this is not recorded in the table. All other blocks (i.e. blocks not in the virus signature) are assigned a value of X equal to the length of the virus signature.
As an example, when attempting to match a virus signature to a computer file at a given location within the computer file, if a block "S" in the computer file causes the match of the last block of the signature to fail then it can be seen that the virus signature does not fit at that location. However, the "S" could still be within the virus signature, the problem being that the virus signature is currently aligned to the wrong position in the computer file. By advancing the position of the signature relative to the computer file by two blocks (that is, by setting X to 2 and adding this to the current value of the block counter for the computer file) then the "S" which caused the mismatch could now line up with the second "S" in the signature "ISSUE", at the new location. Clearly, when matching the last block of signature "ISSUE" it is not possible for the block "E" in the computer file to cause a mismatch, hence the value of variable X for "E" is set to 0. For any block that does not appear in the signature, it is clear that if this causes a mismatch when attempting to match the last block of the signature, then the signature must be advanced along the file by at least the length of the signature before a match could be found (that is variable X is set to the length of the signature, and this is added to block counter m within the computer file). If at least one block of the signature has been successfully matched before a mismatch appears, then variable X is set equal to the number of blocks that have been successfully matched plus one, in order to advance counter m beyond its position at the beginning of the previous attempt to match the virus signature (and reverse the decrement of counter at step S5).
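The Table 1 embodiment and the loop of Figure 4 can be written out as follows. This is an added example, not code from the patent: it treats each byte as a block, uses 0-based indices, and the function names, the comparison counter and the reading of the length value as a window measured from the offset are assumptions made for the illustration.

```python
from __future__ import annotations


def build_skip_table(signature: bytes) -> dict[int, int]:
    """Compute Table 1: the X value for each block value in the signature.

    The last block gets 0 and each step towards the first block adds one.
    A value already in the table is not overwritten, so the entry kept is
    the one for its rightmost occurrence. Blocks that do not occur in the
    signature are not stored; the caller falls back to len(signature).
    """
    table: dict[int, int] = {}
    for distance, block in enumerate(reversed(signature)):
        table.setdefault(block, distance)
    return table


def find_signature(data: bytes, signature: bytes, offset: int = 0,
                   length: int | None = None) -> tuple[int, int]:
    """Search data for signature, comparing from the last block backwards.

    Returns (index of the first match or -1, number of block comparisons).
    offset is the known offset Y before which the signature cannot start.
    length (assumed semantics) limits the search to data[offset:offset+length].
    """
    n_len = len(signature)
    if n_len == 0 or offset < 0:
        raise ValueError("signature must be non-empty and offset non-negative")
    end = len(data) if length is None else min(len(data), offset + length)
    table = build_skip_table(signature)
    comparisons = 0

    # S3: point m at the file block lying under the last signature block.
    m = offset + n_len - 1
    while m < end:                       # S10: stop once m passes the end
        n = n_len - 1                    # S12: restart at the last block
        matched = 0
        while True:
            comparisons += 1
            if data[m] != signature[n]:  # S4: mismatch, go and compute X
                break
            if n == 0:                   # S6/S7: every block has matched
                return m, comparisons
            m -= 1                       # S5: decrement both counters
            n -= 1
            matched += 1
        if matched == 0:
            # Mismatch on the last block: look the file block up in Table 1.
            # It cannot equal the last signature block here, so X >= 1.
            x = table.get(data[m], n_len)
        else:
            # Some blocks matched: undo the decrements and move on by one.
            x = matched + 1
        m += x                           # S9
    return -1, comparisons               # S11: signature not present


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the patent figures.
    print(build_skip_table(b"ISSUE"))
    print(find_signature(b"THIS IS AN ISSUE HERE", b"ISSUE"))
    print(find_signature(b"x" * 50, b"ISSUE"))      # best case, M/N
    print(find_signature(b"A" * 20, b"BAAAA"))      # worst case pattern
```

On these constructed inputs, a 50-block file containing no block of "ISSUE" costs 10 comparisons (M/N), while 20 repeated "A" blocks searched for "BAAAA" cost 80, the worst-case pattern described earlier.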
In accordance with a further embodiment of the present invention the determination of the number of blocks within the computer file to jump when a mismatched block is encountered is based upon how many blocks were successfully matched before the mismatched block occurred. For each possible combination of blocks before a mismatch the least number of blocks by which the signature must be shifted to the right before a match could occur is calculated. For the signature "ISSUE" as shown in Figures 1 and 2 an exemplary table is shown in table 2. In table 2 the notation, for instance, "sUE" denotes that the sequence of blocks "UE" is successfully matched, before the block "S" is not matched. In other words, the computer file contains the blocks "UE", preceded by any block other than "S". In accordance with the flow chart of Figure 4, the variable X is equal to the shift value, plus one to account for the decrementing of computer file block counter m in step S5.
[Table 2: image imgf000020_0001 not reproduced]
In the exemplary table 2 shown above the shift value increases by one for each additional block successfully matched. However, for signatures with repeating series of blocks the pattern may differ.
In accordance with another embodiment of the present invention, the method of determining the value of X may comprise a combination of the approach indicated by table 1 (for a mismatch at the first block checked of the signature) and the approach indicated by table 2 (for a mismatch that occurs after at least one block has been successfully matched).
Referring to Figure 5, this schematically illustrates in the form of a flow chart the process of determining the number of blocks to move the signature (that is, the X value) when a pair of blocks are mismatched, following the combined approach of both tables 1 and 2. Figure 5 forms an expanded part of the flow chart of Figure 4, detailing the operation of step S8. At a first step S8a a determination is made whether the mismatch occurred when comparing the last block of the virus signature with a block within the computer file.
If the mismatch did occur for the last block of the signature then at step S8b the block value within the signature causing the mismatch is determined. At step S8c the block value determined within step S8b is located within table 1 (calculated as above either in advance of the scanning operation or within step S8c). The value X is retrieved to be added to the current file block counter m in step S9 of Figure 4.
If the mismatch did not occur for the last block of the signature then at step S8d the number of blocks of the signature that were successfully matched before the mismatch occurred is calculated. This value is used to look up a shift value in step S8e and at step S8f the X value is set to the shift value plus one (to account for the decrement of the file block counter m in step S5). The value X is added to the current file block counter m in step S9 of Figure 4.
It has been described above that a single virus signature may comprise a plurality of sequences of blocks. In such a case a search can be carried out for each sequence of blocks in turn, taking into account any offset associated with each sequence of blocks.
Referring now to Figure 6, this schematically illustrates a system for detecting computer viruses in accordance with an embodiment of the present invention. Virus definition store 20 stores the virus definitions depicted in Figure 3. This virus definition store 20 is accessed by an engine 21. The engine 21 comprises a file decomposer 22, a command processor 23, and an implementation of the search algorithm described above in relation to Figures 2 and 4.
The file decomposer 22 is provided to allow appropriate decomposition of files to be processed to check for viruses. For example some files may have a composite nature such as .zip archive files. The file decompresser 22 decompresses such files.
The command processor 23 receives the virus signature from the virus definition store 20 and processes the signature to provide appropriate data to the search algorithm 24. That is, sequences of blocks and their associated offsets are extracted from a virus signature file by the command processor 23 for use by the signature search algorithm.
The signature search algorithm is applied by a scanner 25. The scanner 25 is also responsible for utilising content module 26 (which will be described in further detail below) and running a user interface module 27. The scanner 25 retrieves a computer file from file store 28, and searches for the virus signature within that file using the information retrieved from engine 21 by implementing the search algorithm 24. As indicated above, some files are first processed by the file decomposer 22, before being passed to the scanner 25.
In certain embodiments of the present invention, files are scanned for virus signatures each time a file is opened, or when a file that has been exposed to the risk of infection by a computer virus is closed. In such an embodiment of the invention the scanner 25 retrieves information from the operating system 29 identifying files to be retrieved from the file store 28. This information is provided by a file store filter 30 which provides details of all file store operations of interest.
Embodiments of the present invention relate to both a system in which computer files are searched for the signatures of computer viruses on demand, and an automatic system in which files are scanned for viruses each time they are opened and each time a file is closed, where the file has been exposed to the risk of infection by a computer virus.
Referring now to Figure 7 this depicts in the form of a flow chart one embodiment of the present invention for on demand scanning of computer files for computer viruses. On demand scanning may comprise a user manually selecting one or more computer files for immediate scanning. Alternatively, in certain embodiments of the present invention the virus scanning software may be configured to scan for viruses at predetermined intervals, which may be set by the user, and at the time of each scanning to scan a predefined list of computer files for computer viruses.
At step S13 a user of the antivirus software initiates an on demand virus scan (or this is initialised by a predetermined schedule). The user may select a single file for scanning or the user may select a number of files for scanning from the file store 28. At step S14 the scanner 24 retrieves the file to be scanned from the file store 28. Each file in turn is then iteratively searched using the virus signature information retrieved from engine 21 at step S15. At step S16 after each file has been searched using all of the virus signature information the file is disposed. The disposal may comprise acknowledging that the file is clean of viruses, deleting the file from file store 28, cleaning the file or quarantining the file. The process then returns to step S14, where a check is made to see whether there are any further files to scan. If there are no further files, then the scanning process finishes at step S17.
Referring now to Figure 8 this depicts in the form of a flow chart a further embodiment of the present invention in which computer files are automatically searched. The automatic search may be triggered either when a file is opened at step S18 or when a file that has been exposed to the risk of infection is closed at step S19. After a file to be searched has been identified, the scanning (step S20), disposal (step S21) and finishing (step S22) continue as for the on demand scanning method of Figure 7.
Further embodiments of the present invention relate to methods of displaying graphical user interface information. In particular, embodiments of the present invention relate to methods of displaying advertising material on computing devices. Advertising information may comprise both still images and moving images relating to an advertiser. In accordance with certain embodiments of the present invention advertising material is locally stored on the computing device and then displayed at an appropriate time on a display of a computing device.
In accordance with certain embodiments of the present invention the advertising material is stored in a local store alongside scheduling information determining when the advertising material should be displayed. For instance, the scheduling information may comprise a date after which the advertisement should not be displayed, the frequency at which the advertising material should be displayed or the priority of the advertising material (in relation to how frequently it should be displayed compared to other stored advertising material). A program arranged to access the advertising material may be adapted to access the scheduling information in order to determine which advertising material to display at any time.
The advertising material may be displayed at the same time as the computing device is performing some other operation. For instance, the advertising material may be displayed at the same time as scanning for viruses, in particular the improved method of scanning for viruses described above.
Referring now to Figure 9, this schematically illustrates an embodiment of the present invention for displaying advertising material while computer files are scanned for computer viruses. The system of Figure 9 comprises scanner 25 as in the system of Figure 4, together with the content module 26 and the user interface module 27. The scanner 25 operates in the same way as the scanner of Figure 6. The user interface module 27 is designed to display the graphical user interface elements of scanner 25, to allow the user to interact with and control the virus scanning process. Aspects of the virus scanner graphical user interface will be described in greater detail below. The content module 26 is responsible for the display of advertising material during the virus scanning process.
The content module 26 retrieves advertising material from a content file 40. As noted above, the content file 40 may store scheduling information alongside the advertising content. The storage format of the advertising content will be described below with reference to Figure 10. Upon receiving notification from the scanner 25 that advertising material is to be displayed, the content module 26 retrieves advertising material from the content file 40. If scheduling information is included, then this is parsed to determine advertising material to be displayed on the computing device. Selected advertising material is then passed to the user interface module 27, which is arranged to display the advertising material in the appropriate part of the graphical user interface, and to determine the duration for which each advertising image is displayed. In accordance with certain embodiments of the invention, a series of advertising images may be displayed in rotation. The advertising images may relate to a single advertiser, or to separate advertisers.
In accordance with certain embodiments of the invention, advertising information is stored within the content file 40 in combination with link information defining, for instance, a link to the advertiser's Internet page. The user interface module 27 is further arranged to display an additional user interface element, such as a button, which may, for instance, be marked "BUY". When a user sees an advert of interest they may select the buy button triggering a buy input 41. Selection of the buy input 41 is detected by an event listener 42. The event listener 42 is arranged to wait until it detects that the buy button has been selected, and at that time send a request to the content module 26 for associated link information. The content module 26 may already have the associated link information for the current advert, or it may itself refer this request to the content file, before returning the link to event listener 42.
As noted above, the link information may comprise a URL link to an Internet page associated with the advertiser. If that is the case then the event listener is arranged to launch an Internet browser window and direct the browser to the appropriate Internet page. In other alternative embodiments of the present invention, upon receiving link information from the content module 26, the event listener 42 may initiate any other response. For instance, if the advert related to a product for sale, for instance a digital music file that may be downloaded from the Internet, selecting the buy button initiates a series of actions in which the music file is automatically downloaded from the Internet and an account associated with the user is debited by the amount due for the purchase of the music file. Such an arrangement is particularly suitable for embodiments of the present invention relating to the display of advertising material on a mobile computing device, such as a mobile phone where payment for the music file can be debited from a mobile phone account.
Referring now to Figure 10, this schematically illustrates the storage format within the content file 40. Multiple items of advertising content 50 may be stored within a single file store, schematically illustrated as an array of four items of advertising content. Associated with each content item is a type identifier 51, which may for instance identify if the advertising content is a still image or a video. Furthermore, associated with each content item link information 52 and schedule information 53 is stored.
Advertising content stored in the content file may be periodically updated via a network connection. In embodiments of the present invention, which relate to the display of advertising content at the same time as scanning computer files for computer viruses, the advertising content may be updated at the same time as updating the stored virus signature information stored in virus definition store 20.
Embodiments of the present invention that relate to both displaying advertising content and scanning computer files for viruses may take place in a multi threaded environment, with one thread reserved for the scanning operations and one for the display of adverts. This is advantageous because it prevents the display of advertising material from unduly delaying the scanning of computer files, and vice versa.
As noted above, virus scanning software in accordance with embodiments of the present invention, provides a graphical user interface. In certain embodiments of the invention the graphical user interface is adapted to display advertising content during the process of searching for virus signatures within computer files. An exemplary graphical user interface arranged to display advertising content during virus scanning will now be described in connection with Figures 11 to 24, which illustrate such a graphical user interface. Referring to Figure 11, this shows a first screen shot 60 of the virus scanning software, such as would be displayed during the launch of the virus scanning software. Display 60 provides basic information to the user regarding the program that is starting.
Referring to Figure 12, this illustrates a main menu 61 for the virus scanning software. Main menu 61 comprises a plurality of user interface buttons 62 to 68. Buttons 62 to 68 may be selected by a user of the software. Selection of each button causes a different response, as will be described below.
Button 62 is labelled "Scan". Selecting button 62 initiates an on demand scan of a predefined one or more of the locally stored computer files, as described above. Selecting button 62 launches a scanning window, such as is illustrated in Figure 13.
As described above, when a virus signature is detected within a computer file, one possible outcome is that the computer file is quarantined to prevent the further spread of the virus. Selecting button 63, which is labelled "Quarantine" launches a window such as that shown in Figure 17 displaying all of the currently quarantined computer files, allowing the user the option of deleting some or all of the quarantined files, or restoring some or all of the files to their original locations.
The virus definition files and the advertising content files which are stored on the computing device may be periodically updated. Button 64 is labelled "Update". Selecting button 64 initiates an update of these files, by connecting to an appropriate network server from which these files may be downloaded. This connection is shown in Figure 20.
Selecting button 65, labelled "Options" opens up a window such as is shown in Figure 22, allowing the user to configure the virus scanning software. Selecting button 66, labelled "Help" opens up a window providing a user with help information relating to operation of the software. Selecting button 67, labelled "Visit Us" opens up an Internet browser window displaying an Internet page relating to the software vendor. Selecting button 68, labelled "Exit" closes the virus scanning software.
Referring to Figure 13, as noted above this illustrates a screen 70, which is displayed during a scanning operation. Screen 70 comprises a display area 71, which displays the file path of a computer file currently being searched for virus signatures. Display area 72 displays a conventional status progress bar, showing the relative progress of the virus scanning operation. Screen 70 further comprises a user interface button 73 labelled "Abort". Selecting the Abort button launches a dialog box 74, shown in Figure 14, requesting the user to confirm that the virus scan should be aborted by selecting button 75 labelled "Yes" or to cancel the abort request by selecting button 76 labelled "No".
Referring back to Figure 13, this illustrates a further display area 77, which is arranged to display advertising content during a scanning operation, as has been described above in relation to Figures 9 and 10. Finally, Figure 13 shows a user interface button 78 labelled "Buy". Selection of button 78 initiates the action described above in relation to the buy input 41, shown in Figure 9.
Referring to Figure 15, once a virus scan has successfully completed, screen 80 is displayed, which displays information relating to how many files were scanned for viruses, how many infected files were found, and how many files were deleted. Screen 80 further displays user interface button 81 labelled "Done", selection of which causes the virus scanning software to return to the main menu shown in Figure 12 and a user interface button 82 labelled "View Log". Selecting the View Log button 82 displays a log screen 83, such as is shown in Figure 16. Log screen 83 displays a series of log entries 84 detailing when each scan operation has begun and ended.
As noted above, a screen such as is shown in Figure 17 is displayed when a user selects the quarantine button 63 from main menu 61 shown in Figure 12. Quarantine screen 90 comprises a first display area 91 providing details of each quarantined file, and its size. A second display area 92 provides the time at which a quarantined file selected from the first display area 91 was quarantined. A third display area 93 provides the original location of a selected quarantined file.
Quarantine screen 90 further displays a user interface button 94 labelled "Delete". Selecting button 94 deletes the currently selected quarantined file (or may launch a dialog box requesting confirmation that the selected file should be deleted). In the event that there are no quarantined files when button 94 is selected, then dialog box 95, as shown in Figure 18, is displayed notifying the user.
Quarantine screen 90 further displays a user interface button 96 labelled "Restore". Selecting button 96 restores the currently selected quarantined file to its original location as shown in display area 93 (or may launch a dialog box requesting confirmation that the selected file should be restored). In the event that there are no quarantined files when button 96 is selected, then dialog box 97, as shown in Figure 19, is displayed notifying the user. A further button 98 labelled "Done" is displayed on the quarantine screen 90. Selection of button 98 returns the user to the main menu screen 61.
As noted above, selecting the update button 64 from main menu screen 61 causes the software to attempt to download updated virus definition files and advertising content files from a network server. Selecting button 64 launches dialog box 100 as shown in Figure 20, requesting the user to confirm the update action by selecting button 101 labelled "Yes", or cancel the update action by selecting button 102 labelled "No". If button 101 is selected then the software begins the download process, and in the meantime displays screen 103 shown in Figure 21. Screen 103 includes status bar 104 providing information to the user about the relative progress of the update process.
As noted above, selecting the options button 65 from main menu screen 61 displays a series of options to the user for configuring the virus scanning software. Options screen 110 shown in Figure 22 is displayed. A first pair of radio buttons 111 allow the user to turn a scheduler on or off. That is, the user can decide whether automatic scans of the files stored on the computing device should be scheduled to take place at regular intervals. Drop down menu 112 allows the user to choose the interval at which scheduled file scans take place. The user is also able to configure the frequency at which automatic updates take place from drop down menu 113. Drop down menu 114 allows the user to determine the language in which the graphical user interface is displayed. Button 115 labelled "Done" returns the user to the main menu 61.
If automatic file scans are scheduled by selecting the on radio button 111 then after the chosen interval a dialog box 116 will be displayed to the user as shown in Figure 23, regardless of the program being used, allowing the user to either continue with the scheduled scan by selecting "Yes" button 117, or cancel the scheduled scan by selecting the "No" button 118.
If the scanning program determines that an update of the virus definitions and the advertising content has not taken place for some time then a dialog box 119 will be displayed to the user as shown in Figure 24, regardless of the program being used, allowing the user to either continue with an update by selecting "Yes" button 120, or cancel the update by selecting "No" button 121.
Further modifications and applications of the present invention will be readily apparent to the appropriately skilled person from the teaching herein, without departing from the scope of the appended claims.
It will be appreciated that the methods described herein can be implemented on any suitable computing device. Such computing devices include desktop and laptop computers. However, such devices also include portable computing devices such as mobile telephones and personal digital assistants. Indeed, any stored program computer can be programmed to carry out the methods described herein. In order to display graphical information as described herein such computing devices will be provided with appropriate display devices.
Additionally, it should be noted that the methods described herein are not limited to the scanning of files stored on a local file store. Indeed, streams of data received at a device from a remote device may also be scanned for viruses. That is, such data streams are to be considered "files" in the way in which that term is used in this document. In particular, information downloaded over a computer network such as the Internet may be scanned as it is received at a computing device. Such data may take the form of a Hypertext Transfer Protocol (HTTP) stream. Email and Bluetooth traffic may similarly be scanned.

Claims

1. A method of detecting a computer virus comprising: retrieving a computer file, the computer file comprising a sequence of blocks of length M; retrieving a signature of a computer virus to be detected, the signature comprising a sequence of blocks of length N; searching for the signature within the computer file; and determining whether the computer file contains the signature; wherein said searching comprises comparing a first pair of blocks comprising the Nth block of the signature and a Pth block of the computer file, and, if the first pair of blocks are the same, comparing a second pair of blocks comprising the (N-1)th block of the signature and the (P-1)th block of the computer file, or if the first pair of blocks are not the same, comparing a third pair of blocks comprising the Nth block of the signature and the (P+X)th block of the computer file, where X is less than or equal to N and X is determined based upon the result of said first comparison.
2. A method of detecting a computer virus according to claim 1, wherein each of said blocks is a byte.
3. A method of detecting a computer virus according to claim 1 or claim 2, wherein the Pth block of the computer file is the Nth block of the computer file.
4. A method of detecting a computer virus according to claim 1 or claim 2, wherein the signature further comprises an offset value Y and the Pth block of the computer file is the (Y+N)th block of the computer file.
5. A method of detecting a computer virus according to any preceding claim, wherein said searching comprises an iterative cycle of comparing pairs of blocks between the signature and the computer file until either the beginning of the signature is reached or a pair of blocks are not the same.
6. A method of detecting a computer virus according to any preceding claim, wherein said determination comprises determining that the computer file does contain the signature if all N blocks of the signature match a contiguous series of blocks within the computer file.
7. A method of detecting a computer virus according to any preceding claim, wherein said determination of X is based upon the value of the block within the computer file that is not the same as the corresponding block within the signature.
8. A method of detecting a computer virus according to claim 5 or any claim dependent thereon, wherein said determination of X is based upon the number of blocks of the signature that are successfully compared to blocks of the computer file before a pair of blocks are compared that are not the same.
9. A method of detecting a computer virus according to any preceding claim, further comprising quarantining the computer file if it is determined that the computer file contains the virus signature.
10. A method of detecting a computer virus according to any one of claims 1 to 8, further comprising deleting the computer file if it is determined that the computer file contains the virus signature.
11. A method of detecting a computer virus according to any one of claims 1 to 8, further comprising removing the virus from the computer file if it is determined that the computer file contains the virus signature.
12. A method of detecting a computer virus according to any preceding claim, further comprising: retrieving a plurality of signatures of respective viruses; wherein said determining determines whether said computer file contains any of said plurality of signatures.
13. A method of detecting a computer virus according to any preceding claim, further comprising: retrieving a plurality of computer files; wherein said determining determines whether any of said files contains said signature.
14. A method of detecting a computer virus according to claim 13, further comprising searching for virus signatures in a group of computer files at a predetermined time.
15. A method of detecting a computer virus according to any one of claims 1 to 12, further comprising searching for a virus signature in a computer file when that computer file is opened or closed.
16. A method of detecting a computer virus according to any preceding claim, wherein said signature comprises a plurality of sequences of blocks, and searching for the signature within the computer file comprises searching for each of said sequences of blocks within the computer file.
17. A method of detecting a computer virus according to claim 16, wherein each of said sequences of blocks has a respective offset, and said method comprises searching for each of said sequences of blocks in a part of said file determined by its respective offset.
18. A method according to claim 17, wherein each of said sequences of blocks is associated with a further offset, and said method comprises searching for each of said sequences of blocks in a part of said file determined by said offsets.
19. A method according to claim 18, wherein said offsets for a particular sequence of blocks defines a start point and an end point of a part of a file to be searched.
20. A method of detecting a computer virus according to any one of claims 16 to 19, wherein said signature is defined by a sequence of operator operand pairs.
21. A method according to claim 20, wherein said operator operand pairs define each of said sequences of blocks and associates an offset with each sequence.
22. A carrier medium carrying computer readable code for controlling a computer to carry out the method of any one of claims 1 to 21.
23. A computer apparatus for detecting a computer virus, the apparatus comprising: a memory storing processor readable instructions; and a processor configured to read and execute instructions stored in said memory; wherein the processor readable instructions comprise instructions controlling the processor to carry out the method of any one of claims 1 to 21.
24. A method of displaying graphical information, comprising: determining graphical information to be displayed; retrieving graphical information to be displayed from a local store; and displaying the retrieved graphical information; wherein the local store is arranged to store the graphical information in association with schedule information, and said determining comprises selecting graphical information for display associated with schedule information that meets a predetermined scheduling criteria.
25. A method of displaying graphical information according to claim 24, wherein the schedule information includes a range of dates between which the associated graphical information is to be displayed.
26. A method of displaying graphical information according to claim 24 or 25, wherein the schedule information includes a priority level indicating a relative priority for displaying the graphical information relative to other stored graphical information.
27. A method of displaying graphical information according to any one of claims 24 to 26, wherein the graphical information comprises an advertisement.
28. A method of displaying graphical information according to any one of claims 24 to 27, further comprising displaying a plurality of items of graphical information in a repeated loop.
29. A method of displaying graphical information according to any one of claims 24 to 28, further comprising: displaying a user interface element that is selectable by a user; receiving an indication that a user has selected the user interface element; and executing link information associated with said displayed graphical information, said link information being executed in response to selection of the user interface element.
30. A method of displaying graphical information according to claim 29, wherein executing the link information comprises launching an Internet browser and directing the Internet browser to an Internet page determined by the link information.
31. A method of displaying graphical information according to claim 29 or 30, wherein the link information is configured to cause a purchase request to be transmitted to a remote computer.
32. A method of displaying graphical information according to claim 31, wherein the method is carried out at a computing device having an associated account, and the method comprises debiting said account in respect of said purchase.
33. A method of displaying graphical information according to any one of claims 24 to 32, wherein the graphical information is displayed concurrently with execution of a second computing operation, the graphical information being displayed by a computer program, and the second computing operation being carried out by said computer program.
34. A method of displaying graphical information according to claim 33, wherein said computer program establishes two threads, a first thread controlling display of said graphical information, and a second thread carrying out said second computing operation.
35. A method of displaying graphical information according to claim 33 or 34, wherein the second computing operation comprises detecting a computer virus.
36. A method of displaying graphical information according to claim 35, further comprising: causing virus detection to be carried out; displaying information indicating progress of said virus detection; and displaying said graphical information concurrently with said information indicating progress of said virus detection.
37. A method of displaying graphical information according to claim 35 or 36, wherein the second computing operation comprises a method according to any one of claims 1 to 21.
38. A carrier medium carrying computer readable code for controlling a computer to carry out the method of any one of claims 24 to 37.
39. A computer apparatus for displaying graphical information, the apparatus comprising: a program memory storing processor readable instructions; and a processor configured to read and execute instructions stored in said program memory; wherein the processor readable instructions comprise instructions controlling the processor to carry out the method of any one of claims 24 to 37.
40. A method of displaying graphical information, comprising: determining graphical information to be displayed; retrieving graphical information to be displayed from a local store; and displaying the retrieved graphical information; wherein: the graphical information is displayed at the same time as a virus detection operation is carried out, the virus detection operation comprising retrieving a computer file, retrieving a signature of a computer virus to be detected, searching for the signature within the computer file and determining whether the computer file contains the signature; and the graphical information is displayed by a computer program and said virus detection operation is carried out by said computer program.
41. A method of displaying graphical information according to claim 38, wherein detecting a computer virus comprises detecting a computer virus in accordance with any one of claims 1 to 21.
42. A method of displaying graphical information according to claim 40 or 41, wherein the graphical information comprises an advertisement.
43. A method of displaying graphical information according to any one of claims 40 to 42, further comprising displaying a plurality of items of graphical information in a repeated loop.
44. A method of displaying graphical information according to any one of claims 40 to 43, wherein said computer program establishes two threads, a first thread controlling display of said graphical information, and a second thread carrying out said second computing operation.
45. A method of displaying graphical information according to any one of claims 40 to 44, further comprising: displaying information indicating progress of said virus detection; and displaying said graphical information concurrently with said information indicating progress of said virus detection.
46. A carrier medium carrying computer readable code for controlling a computer to carry out the method of any one of claims 40 to 45.
47. A computer apparatus for displaying graphical information, the apparatus comprising: a program memory storing processor readable instructions; and a processor configured to read and execute instructions stored in said program memory; wherein the processor readable instructions comprise instructions controlling the processor to carry out the method of any one of claims 40 to 45.
48. A method of displaying graphical information, comprising: determining graphical information to be displayed, the graphical information being stored in a local store, the local store being arranged to store the graphical information in association with link information; retrieving graphical information to be displayed; displaying the retrieved graphical information; displaying a user interface element that is selectable by a user; receiving an indication that a user has selected the user interface element; and executing link information associated with said displayed graphical information, said link information being executed in response to selection of the user interface element.
49. A method of displaying graphical information according to claim 48, wherein executing the link information comprises launching an Internet browser and directing the Internet browser to an Internet page determined by the link information.
50. A method of displaying graphical information according to claim 48 or 49, wherein the link information is configured to cause a purchase request to be transmitted to a remote computer.
51. A method of displaying graphical information according to claim 50, wherein the method is carried out at a computing device having an associated account, and the method comprises debiting said account in respect of said purchase.
52. A method of displaying graphical information according to any one of claims 48 to 51, wherein the graphical information is displayed concurrently with execution of a second computing operation, the graphical information being displayed by a computer program, and the second computing operation being carried out by said computer program.
53. A method of displaying graphical information according to claim 52, wherein said computer program establishes two threads, a first thread controlling display of said graphical information, and a second thread carrying out said second computing operation.
54. A method of displaying graphical information according to claim 52 or 53, wherein the second computing operation comprises detecting a computer virus.
55. A carrier medium carrying computer readable code for controlling a computer to carry out the method of any one of claims 48 to 54.
56. A computer apparatus for displaying graphical information, the apparatus comprising: a program memory storing processor readable instructions; and a processor configured to read and execute instructions stored in said program memory; wherein the processor readable instructions comprise instructions controlling the processor to carry out the method of any one of claims 48 to 54.
57. Apparatus for detecting a computer virus comprising: means for retrieving a computer file, the computer file comprising a sequence of blocks of length M; means for retrieving a signature of a computer virus to be detected, the signature comprising a sequence of blocks of length N; means for searching for the signature within the computer file; and means for determining whether the computer file contains the signature; wherein said means for searching is configured to compare a first pair of blocks comprising the Nth block of the signature and a Pth block of the computer file, and, if the first pair of blocks are the same, to compare a second pair of blocks comprising the (N-1)th block of the signature and the (P-1)th block of the computer file, or if the first pair of blocks are not the same, to compare a third pair of blocks comprising the Nth block of the signature and the (P+X)th block of the computer file, where X is less than or equal to N and X is determined based upon the result of said first comparison.
58. Apparatus for displaying graphical information, comprising: means for determining graphical information to be displayed; means for retrieving graphical information to be displayed from a local store; and means for displaying the retrieved graphical information; wherein the local store is arranged to store the graphical information in association with schedule information, and said determining is configured to select graphical information for display associated with schedule information that meets a predetermined scheduling criteria.
59. Apparatus for displaying graphical information, comprising: means for determining graphical information to be displayed; means for retrieving graphical information to be displayed from a local store; and means for displaying the retrieved graphical information; wherein: the apparatus is configured to display graphical information at the same time as a virus detection operation is carried out, the virus detection operation being configured to retrieve a computer file, retrieve a signature of a computer virus to be detected, search for the signature within the computer file and determine whether the computer file contains the signature; and the apparatus is configured to display the graphical information using a computer program and said virus detection operation is carried out by said computer program.
60. Apparatus for displaying graphical information, comprising: means for determining graphical information to be displayed, the graphical information being stored in a local store, the local store being arranged to store the graphical information in association with link information; means for retrieving graphical information to be displayed; means for displaying the retrieved graphical information; means for displaying a user interface element that is selectable by a user; means for receiving an indication that a user has selected the user interface element; and means for executing link information associated with said displayed graphical information, said link information being executed in response to selection of the user interface element.
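The backward comparison and skip of claims 1 and 5 to 7, together with the offset-bounded sequences of claims 16 to 19, sketched as an added Python example that is not code from the patent. It uses the Horspool simplification of Boyer-Moore to choose X; the function names, the (sequence, start, end) layout and the sample bytes are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# (block sequence, start offset, end offset): layout assumed for this example
Part = Tuple[bytes, int, Optional[int]]


def shift_table(sig: bytes) -> Dict[int, int]:
    """Skip distance X for each byte value that occurs in sig[:-1].

    A later (more rightward) occurrence overwrites an earlier one, so the
    smallest safe shift wins. Byte values absent from the table shift by N.
    """
    n = len(sig)
    return {b: n - 1 - i for i, b in enumerate(sig[:-1])}


def find_signature(data: bytes, sig: bytes, start: int = 0,
                   end: Optional[int] = None,
                   trace: Optional[List[int]] = None) -> int:
    """Return the 0-based index of sig inside data[start:end], or -1.

    trace, if given, collects every alignment P that was inspected.
    """
    n = len(sig)
    end = len(data) if end is None else min(end, len(data))
    if n == 0 or start < 0 or end - start < n:
        return -1
    shifts = shift_table(sig)
    p = start + n - 1                 # file block aligned with the Nth signature block
    while p < end:
        if trace is not None:
            trace.append(p)
        k = 0                         # blocks matched so far, compared right to left
        while k < n and data[p - k] == sig[n - 1 - k]:
            k += 1
        if k == n:
            return p - n + 1          # all N blocks matched a contiguous run
        p += shifts.get(data[p], n)   # X <= N, chosen from the file block at P
    return -1


def file_matches(data: bytes, parts: List[Part]) -> bool:
    """A multi-sequence signature matches when every part is found in its window."""
    return all(find_signature(data, seq, s, e) != -1 for seq, s, e in parts)


def scan(data: bytes, definitions: Dict[str, List[Part]]) -> List[str]:
    """Names of all definitions whose parts are all present in data."""
    return [name for name, parts in definitions.items()
            if file_matches(data, parts)]


# Constructed sample input and definitions (not real virus signatures).
SAMPLE = b"HELLO-DEVIL-WORLD"
DEFINITIONS: Dict[str, List[Part]] = {
    "Constructed.A": [(b"EVIL", 0, None), (b"WORLD", 11, None)],
    "Constructed.B": [(b"EVIL", 0, None), (b"HELLO", 5, None)],
}

if __name__ == "__main__":
    visited: List[int] = []
    print(find_signature(SAMPLE, b"EVIL", trace=visited), visited)
    print(scan(SAMPLE, DEFINITIONS))
```

On the constructed sample the search inspects only three alignments (P = 3, 7 and 10, counted from zero) before reporting the match at offset 7.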
PCT/GB2006/003761 2006-10-10 2006-10-11 Virus detection method WO2008043976A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0620044.8 2006-10-10
GB0620044A GB2442758A (en) 2006-10-10 2006-10-10 Computer virus detection using a Boyer Moore search algorithm

Publications (1)

Publication Number Publication Date
WO2008043976A1 true WO2008043976A1 (en) 2008-04-17

Family

ID=37491221

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2006/003761 WO2008043976A1 (en) 2006-10-10 2006-10-11 Virus detection method

Country Status (2)

Country Link
GB (1) GB2442758A (en)
WO (1) WO2008043976A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020188926A1 (en) * 2001-05-15 2002-12-12 Hearnden Stephen Owen Searching for sequences of character data
EP1291749A2 (en) * 2001-09-06 2003-03-12 Networks Associates Technology, Inc. Automatic builder of detection and cleaning routines for computer viruses
US20030074573A1 (en) * 2001-10-15 2003-04-17 Hursey Nell John Malware scanning of compressed computer files

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040107361A1 (en) * 2002-11-29 2004-06-03 Redan Michael C. System for high speed network intrusion detection
US7305708B2 (en) * 2003-04-14 2007-12-04 Sourcefire, Inc. Methods and systems for intrusion detection
US7463590B2 (en) * 2003-07-25 2008-12-09 Reflex Security, Inc. System and method for threat detection and response
WO2005069578A1 (en) * 2004-01-05 2005-07-28 Corrent Corporation Method and apparatus for network intrusion detection system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Sophos Antivirus - Windows NT/2000/XP single user Installation guide", INTERNET CITATION, 28 January 2004 (2004-01-28), XP002312356, Retrieved from the Internet <URL:http://www.sophos.com/sophos/docs/eng/instguid/ntsu_ien.pdf> [retrieved on 20050103] *
ANDREW D. BIRRELL: "An Introduction to Programming with C# Threads", MICROSOFT RESEARCH REPORT MSR-TR-2005-68, May 2005 (2005-05-01), XP002443668, Retrieved from the Internet <URL:ftp://ftp.research.microsoft.com/pub/tr/TR-2005-68.pdf> [retrieved on 20070723] *
BOYER R S ET AL: "A FAST STRING SEARCHING ALGORITHM", ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, vol. 20, no. 10, 1 October 1977 (1977-10-01), pages 762 - 772, XP000604483 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103455757A (en) * 2012-05-31 2013-12-18 北京金山安全软件有限公司 Method and device for identifying virus
CN103150512A (en) * 2013-03-18 2013-06-12 珠海市君天电子科技有限公司 Honeypot system and method for detecting trojan by using same
CN103150512B (en) * 2013-03-18 2015-10-21 珠海市君天电子科技有限公司 Honeypot system and method for detecting trojan by using same
CN103593611A (en) * 2013-11-05 2014-02-19 安一恒通(北京)科技有限公司 Method and device for fast recognizing viruses

Also Published As

Publication number Publication date
GB0620044D0 (en) 2006-11-22
GB2442758A (en) 2008-04-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06794712

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06794712

Country of ref document: EP

Kind code of ref document: A1