Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Microsoft Worms

Microsoft Patents 'Proactive' Virus Protection 169

An anonymous reader writes "InfoWeek blogger Alex Wolfe wonders whether Microsoft will go after McAfee, Symantec, Trend Micro, and Kaspersky for software royalties for proactive virus protection software. The technique enables security software to protect a PC against malware which isn't yet in the antivirus definition file, by comparing whether the new malware is similar to an old virus. Wolfe reports that Microsoft has been awarded U.S. patent 7,376,970 for "System and method for proactive computer virus protection," but that McAfee, Symantec, Trend Micro, and Kaspersky have all been selling products implementing proactive virus protection for years before Microsoft even filed for the patent. Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon"."
This discussion has been archived. No new comments can be posted.

Microsoft Patents 'Proactive' Virus Protection

Comments Filter:
  • Prior art (Score:5, Insightful)

    by Dancindan84 ( 1056246 ) on Wednesday May 21, 2008 @10:02AM (#23492752)
    If they get challenged prior art is obvious in this case and it wouldn't last 5 minutes if MS tried to extort them using it.
    • by L4t3r4lu5 ( 1216702 ) on Wednesday May 21, 2008 @10:05AM (#23492790)
      No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors businesses overnight.
      • by Dancindan84 ( 1056246 ) on Wednesday May 21, 2008 @10:08AM (#23492852)

        they'll release Windows v8 with proper security in place
        That made me giggle.
      • Re:Prior art (Score:4, Insightful)

        by Anonymous Coward on Wednesday May 21, 2008 @10:09AM (#23492872)
        Actually I think that Microsoft SHOULD be banned from the Virus/Malware protection market.

        It is their DUTY to release that kind of thing FREE as they all deal with fixing their own products flaws.
        • by Hankapobe ( 1290722 ) on Wednesday May 21, 2008 @10:24AM (#23493048)

          Actually I think that Microsoft SHOULD be banned from the Virus/Malware protection market. It is their DUTY to release that kind of thing FREE as they all deal with fixing their own products flaws.

          Duty aside, it will also eliminate any conflicts of interest. If they're selling anit-virus software, what's to prevent them from making security a very low priority. No, I honestly do not think they would write viruses or purposely cripple their OS: just make security a low priority.

          • . No, I honestly do not think they would write viruses or purposely cripple their OS: just make security a low priority.
            So, in other words, they've spent the last 15 years preparing the market for the imminent release and subsequent windfall of MS UberDefender 2009?
            • No, they completely suck when it comes to security.

              So they've decided to try and make money off it instead.
          • by Z34107 ( 925136 )

            Well, you'd think so. "Zomg Microsoft is creating security vulnerabilities and THEN selling security software conspiracy?!!" makes sense.

            But, perfect (and secure) code is impossible in any codebase of a non-trivial size. (Windows' bloat qualifies as non-trivial.)

            They've been giving out free security products, and have been slowly working their way up to better solutions. First came the free Malicious Software Removal Tool updates from windowsupdate, then came the also-free Windows Defender. Then the

            • IE was cheaper than Netscape for a time, too. That's how they get in... they leverage one monopoly to take over another market. You act like that's something new that Microsoft is doing.

              Microsoft moves into new markets, and as soon as competitors are gone, they let it rot. Just look at IE.
              • by Z34107 ( 925136 )

                No competitors? Firefox, Opera, Safari, etc? I can see that they not only have a monopoly in the browser market, but that they have also raked in oodles of cash from IE sales.~

                Besides... Only in Microsoft's case would offering something cheaper and better in the otherwise oligopolistic AV market be "anticompetitive."

                Considering the only market they've managed to "take over" is desktop and office software, I still wouldn't worry about it. Even then, the free alternatives are being increasingly used.

                • Firefox, Opera, and Safari weren't competitors in the Netscape days when IE took over, and Opera was the only one of those three even around.
        • Re:Prior art (Score:5, Insightful)

          by morgan_greywolf ( 835522 ) * on Wednesday May 21, 2008 @10:28AM (#23493130) Homepage Journal

          It is their DUTY to release that kind of thing FREE as they all deal with fixing their own products flaws.
          Or, more correctly, their software shouldn't be so exploitable.

          If Microsoft really wants to release a great OS product for Windows V8, they need stop worrying about vendor lock-in, "checklist features", DRM, eye candy, and other useless stuff that they focused on for Vista and focus all of their attention on making the OS secure. Start from the ground up if they need to.

          In the end, anti-virus protection should be more about system integrity checking and less about pattern matching for known viruses.

          Then again, they've never done that before, so why should we expect them to start now?
          • lets call this new invention "secure design".

            What a novel idea, we should patent that!

            (and why didn't anyone suggest this sooner?)

          • Re: (Score:2, Insightful)

            by Tikkun ( 992269 )
            If the OS worked as promised they wouldn't have anyone to sell the upgrade to in 3-5 years.
        • Parent has a valid point, whomever modded him troll is trolling. MS should indeed be required to provide any such implementation as part of the sale of the OS. Imagine the uproar if Apple started charging for OS X security fixes, or if Linus decided to put a proprietary license on some security patches and charge for them.
          • MS should indeed be required to provide any such implementation as part of the sale of the OS. Imagine the uproar if Apple started charging for OS X security fixes, or if Linus decided to put a proprietary license on some security patches and charge for them.

            Well, I'm certainly confused.. Microsoft is charging for security fixes?

            The unfortunate truth of the matter is that this is an operating system, and as such, it is incredibly complex. Any OS is going to have flaws. Granted, there seem to be more of them in the case of Windows. I do, however, think that the majority of the problems with security in Windows stem from the insane coupling of applications Microsoft tends to do.

            Regardless, while I believe that all vendors should be responsible for their code

            • Well, I'm certainly confused.. Microsoft is charging for security fixes?

              Anti-malware from the same company that created the OS? That would certainly be charging for security updates. I can't see how that wouldn't be a conflict of interest.

              Then again with all the talk about subscription and per use and modulear development models, maybe they plan to sell one or more future versions of Windows modularly. But how can they even promote the idea of selling extra security with a straight face after all the

              • Anti-malware from the same company that created the OS? That would certainly be charging for security updates. I can't see how that wouldn't be a conflict of interest.

                Anti-Malware is a prevention mechanism, not a fix. A fix would be a direct patch to the OS itself, preventing the problem from occurring to begin with. Then again with all the talk about subscription and per use and modulear development models, maybe they plan to sell one or more future versions of Windows modularly. But how can they even promote the idea of selling extra security with a straight face after all the hype they spewed for years about Vista? Well, it is entertaining at least to watch them (an

                • Anti-Malware is a prevention mechanism, not a fix. A fix would be a direct patch to the OS itself, preventing the problem from occurring to begin with.

                  That's a very narrow definition of anti-malware, but even so I think the point is that if MS is allowed to double-dip like that, where's their motivation to produce a stand-alone secure product?

                  How would you sell Windows in a modular manner? You mean de-couple the software from the kernel, leaving just a raw kernel as the OS itself and sell other stu

        • by drsmithy ( 35869 )

          It is their DUTY to release that kind of thing FREE as they all deal with fixing their own products flaws.

          AV products don't fix OS flaws, they fix user flaws.

      • Re:Prior art (Score:4, Interesting)

        by drsmithy ( 35869 ) <drsmithy.gmail@com> on Wednesday May 21, 2008 @12:22PM (#23494778)

        No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors businesses overnight.

        What deficiencies in OS security do you think antivirus tools are addressing ?

        • Re:Prior art (Score:4, Interesting)

          by geminidomino ( 614729 ) * on Wednesday May 21, 2008 @12:35PM (#23494962) Journal

          No, they'll get their license fees, or they'll release Windows v8 with proper security in place, ruining all these vendors businesses overnight.

          What deficiencies in OS security do you think antivirus tools are addressing ?

          Poor user-level access controls (apparently partly addressed in Vista) and mind-blowing abuse of kernelspace come to mind immediately. I'm sure there are others, like why the hell a website plugin can result in files being autoexecuted on boot...

          • by drsmithy ( 35869 )

            Poor user-level access controls (apparently partly addressed in Vista) [...]

            "Addressed" in all versions of Windows NT.

            [...] and mind-blowing abuse of kernelspace [...]

            For example ?

            I'm sure there are others, like why the hell a website plugin can result in files being autoexecuted on boot...

            Because the user allowed it to, same way any program can.

            • Poor user-level access controls (apparently partly addressed in Vista) [...]

              "Addressed" in all versions of Windows NT.

              Evidently not, since a user getting a virus could infect the system files, and not just that user's files. That means the user either had elevated privs (which means that "solution" fails it) or the default privs were too broad (which means the same thing), or the privs were side-stepped (ditto.)

              [...] and mind-blowing abuse of kernelspace [...]

              For example ?

              Things that belong in kernel space:

              Schedulers and process management
              Direct Hardware interfaces/Drivers
              etc...

              Things that DO NOT belong in kernel space:

              Browser rendering engines
              GUIs
              Shared libraries
              etc...

              I'm sure there are others, like why the hell a website plugin can result in files being autoexecuted on boot...

              Because the user allowed it to, same way any program can.

              If it's a

              • by drsmithy ( 35869 )

                Evidently not, since a user getting a virus could infect the system files, and not just that user's files.

                Only if that user has write privileges to those files (just like every other multiuser OS).

                That means the user either had elevated privs (which means that "solution" fails it) [...]

                How so ? Because the user is able to elevate their privilege levels when necessary ?

                Things that DO NOT belong in kernel space: [...]

                My mistake, I was assuming you had some vague idea of what you were talking about.

    • by mpapet ( 761907 ) on Wednesday May 21, 2008 @10:16AM (#23492954) Homepage
      Do you have any idea how much that would cost in legal fees? Antivirus Company XYZ gets a cease and desist from Microsoft with the bottom line being a $50,000/yr payout + units sold data to microsoft. Yes, sales data is part of the discovery to calculate damages. What better way to find out how big their business actually is?

      From a business perspective, that $50,000/yr is a heck of a lot less than going to court. It is a shakedown. A totally legal protection racket. Which is why software patents should simply die.

      Look at the Crackberry fiasco. RIM knew the patent litigation was a scam and couldn't get the patents invalidated fast enough before incurring HUGE legal expenses. At some point it became a super-priority most likely because politician's & policy wonks lives would be negatively affected by their Crackberry's being shut off.
    • Re:Prior art (Score:5, Interesting)

      by Clandestine_Blaze ( 1019274 ) on Wednesday May 21, 2008 @10:17AM (#23492968) Journal
      After reading the article, I'm still left to wonder how the patent was awarded in the first place. The article states that Microsoft applied for the patent in 2004, and that a simple search on Google would yield several "proactive" virus protection software since 2003.

      I'm not familiar with the patent process, especially in the realm of software patents, but isn't there someone from the patent office that would investigate something like this? I mean, we're not talking about some obscure college research project, we're talking about Symantec, Trend Micro, and McAfee here.
    • Re: (Score:2, Redundant)

      by nurb432 ( 527695 )
      But it still costs $ to fight it, and sometimes its easier/cheaper just to pay up even when you are in the right.
    • Re: (Score:3, Interesting)

      by Anonymous Coward
      Are you saying that there is one and only one way to implement proactive virus protection?

      It all depends on how broad Microsoft's claims are.

    • by DrYak ( 748999 ) on Wednesday May 21, 2008 @10:59AM (#23493608) Homepage
      There a nice page about the history of ThunderByte AntiVirus (TBAV) [xs4all.nl], which pioneered heuristic detection of polymorphic viruses, at a time when most of the other Antivirus were purely signature based (well. mostly. there also have been antivirus using regular expressions as signature, in order to handle some degree of polymorphism).

      This specific antivirus was started in 1988, more than 15 years before Microsoft submited its patent (2004).
      I think here microsoft broke a new world record.
    • by PatentMagus ( 1083289 ) on Wednesday May 21, 2008 @11:12AM (#23493818)
      If you want to know what is being patented, read the claims first. The claims tell you exactly what is patented. Pick apart the abstract or detailed description is mere wankery without first dissecting the claims. For example: Claim 1: A computer-implementable method for determining the behavior of an executable comprising: selecting evaluation calls made by the executable to the interface of an operating system; loading stubs into a virtual address space, the stubs: mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and determining a behavior signature for the selected calls; wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space; executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment. So, this is basically running some code inside a stubby VM. That is the prior art to look for. All the stuff about looking for code similar to already known malware is BS. It doesn't matter how long that has been done - it isn't prior art with regard to the claims.
      • A typical patent has a bunch of claims, usually starting with very general and progressing to some very detailed claims which are the core of the new idea in the patent, and then some more claims that are variations on the earlier ones. They're not written in English, but in Patentese, which is a dialect that has a subset of English grammar chosen to avoid conveying actual new information to the reader while still allowing the reader to confirm that information already known is covered.

        So they'll start out

        • With respect, you are completely wrong. In your example, the granted patent is for a round transportation device (since this is claim 1). The sub-claims are irrelevant (although it holds different weight in litigation). Patents are written the way they are for a very good reason - if you are not allowed the broadest claim (usually claim 1), then you drop that and move down to the next broadest etc etc. The claims that are actually granted can be very different from those in the PCT publication.

          I really wish
    • I didn't read the patent, or the article, but in my understanding Microsoft could have a claim to this patent. The patent shouldn't be any form of proactive virus protection, but some novel way of doing proactive virus protection that hasn't been done before. It is possible that they have developed a new way of doing this and for this they could earn a patent. Whether they have or not, I do not know.
  • by garett_spencley ( 193892 ) on Wednesday May 21, 2008 @10:05AM (#23492798) Journal
    I'm certain I've heard of proactive virus protection before ... but where ?

    AH ! Now I remember !

    http://www.ubuntu.com/ [ubuntu.com]

    Clearly prior art.
    • IBM, some years ago (Score:3, Informative)

      by StCredZero ( 169093 )
      I remember seeing something from IBM research some years ago on this. But a Google Search [google.com] on "proactive virus protection" turns up a reference from 2001 and another from 2004 soon after.
  • It still won't work. (Score:5, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday May 21, 2008 @10:09AM (#23492864)
    It would be easy to circumvent by breaking the malware into multiple pieces and having one app load it piece by piece.

    If that is done right, then none of the pieces will be sufficiently like the known patterns to set off the alert.

    This is still all about matching against known patterns. That is NOT sufficient.
    • by RiotingPacifist ( 1228016 ) on Wednesday May 21, 2008 @10:38AM (#23493300)
      Yeah but it means the viruses will be modular, and everybody knows modular is better.
    • Loader... (Score:5, Interesting)

      by DrYak ( 748999 ) on Wednesday May 21, 2008 @10:52AM (#23493508) Homepage
      Usually, brand-sparking-new polymorphic and encrypted virus which use some trick or other to hide themselves are catched by antivirus which detect *their decryption* routines.

      Yes, if code has undergone some complex processing before being injected into host, and if it has to do some weird assembly before being runnable, it will be very hard for signature based viruses to detect.

      *...BUT...* no normal program has any valid reason to run some complex unpack/decrypt/re-order process on code before running it.
      The virus' loader it-self, even if doesn't contain the slightest sign of malign activity, is a dead give-away that something shoddy is going to happen soon once the chimera has been assembled.

      Heuristic antivirus which detect weird behaviour and rise alerts on "behaviours-that-aren't-inherently-dangerous-but-no-program-should-to-it-usually" are nothing new. It was pioneered by antiviruses as old as Thunderbyte.

      In fact, there have been some incidents of false-positive triggering alerts, such as executable compressed with UPX packer. (Which *is* a piece of software which does processing on code before running it. Isn't very popular in branded software. And is sometime used in viruses - Which is why some antivirus vendors did not tune their heuristics finely enough to avoid trigger the false alert) ...on the other hand, with weird content protections systems such as StarForce, maybe code unpacking/decrypting is becoming popular in mainstream software and heuristics may risk to rise false alarms on most games, leading to antivirus vendors to lower their heuristics and encryption/obfuscation becoming a valid virus hiding technique.

      But until then, hypervisor root-kits are the new holy grail of virus writers.
      • by dgatwood ( 11270 )

        *...BUT...* no normal program has any valid reason to run some complex unpack/decrypt/re-order process on code before running it.

        Actually, self encryption is a fairly common practice among apps that use draconian copy protection systems.

        • I was say in my original post that hypervisor root kits are the future (Until antivirus makers give up with the "loader" detection, because too much DRM are using them, as you mention too).

          Well, maybe.

          Another solution for virus writers would be to find a way to piggy-back on StarForce-encrypted executables and similar.
      • BUT...* no normal program has any valid reason to run some complex unpack/decrypt/re-order process on code before running it.

        Mask the virus as being a DRM process. In the near future, proper corporate anti-virus software will make an attempt to ignore "valid" DRM encryption/decryption for files and software.

        Skimming this board I was thinking to myself, what will Windows have in the future? More DRM so companies can control distribution of their files. Not only that, talk about the perfect way to control
  • A plea (Score:4, Insightful)

    by getto man d ( 619850 ) on Wednesday May 21, 2008 @10:09AM (#23492870)
    Before this discussion turns into a patent debate I just want to say that good code would do Microsoft so much more good than these forays outside of Windows.

    Please, just please focus on the consumer again and release something the world can appreciate or spend every last dime trying to strangle Linux/Apple/Google/anything innovative that isn't yours.
  • by johosaphats ( 1082929 ) on Wednesday May 21, 2008 @10:11AM (#23492894) Homepage Journal
    that the Windows set up will refuse to allow you to install Windows?
  • At least.... (Score:2, Flamebait)

    by jellie ( 949898 )
    Microsoft has clear prior art in the market for "operating systems proactively affected by viruses." With this new patent, it's going to be able to proactively take over the entire proactive virus market!
  • by solweil ( 1168955 ) <humungus.ayatoll ... . ['.co' in gap]> on Wednesday May 21, 2008 @10:18AM (#23492972)
    Even ignoring the patent issues, I thought that the current problem is that viruses use encrypted payloads and redundant code to make sure they cannot be easily matched with known malware while retaining the same function. I don't see how this microsoft scheme, even if workable, will change the status quo.
  • by hyperz69 ( 1226464 ) on Wednesday May 21, 2008 @10:22AM (#23493028)
    MSAV? Seriously. Microsoft does NOT have the best track record, but people are going to see microsoft and POW it's going to be installed. I guess at least it's not Norton. Though seriously, everytime I see windows, for every person I care about... they get a little AVGFREE action, and they never complain.
  • by Tridus ( 79566 ) on Wednesday May 21, 2008 @10:23AM (#23493034) Homepage
    From deeper in the patent: "In accordance with the invention, a virtual operating environment for simulating the execution of programs to determine if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely effected during simulation. As a program is being simulated, a set of behavior signatures is generated. The collected behavior signatures are suitable for analysis to determine if the program is malware."

    So it looks like what its actually doing is letting the virus run in a virtual environment, watching it, then using heuristics to say "yep, thats probably a virus."

    The question on the patents validity becomes not if someone else has done "proactive" virus protection, but if they did it the same way. AFAIK Mcafee's stuff just watches the program while its actually running and says "hey this thing emailing itself to all your friends might be a virus." Thats similar, but patent-wise not actually the same thing.

    (Not that I like software patents or anything, but the "patents suck" line of comments will be covered by 500 other people.)
    • by jav1231 ( 539129 ) on Wednesday May 21, 2008 @10:30AM (#23493162)

      So it looks like what its actually doing is letting the virus run in a virtual environment, watching it, then using heuristics to say "yep, thats probably a virus."
      I can't wait for Windows to flag about half of its services as viruses. Thus confirming what many of us have anecdotally espoused all along!

    • by dabadab ( 126782 )
      There are AV engines that do this emulation stuff for heuristic virus detection (and also as a general way to handle exe packers and various anti-debug techniques).
    • by Anonymous Coward on Wednesday May 21, 2008 @10:37AM (#23493276)
      Actually, antivirus software already uses a sandbox technique exactly as described. That's one reason software takes longer to load with A/V software; first, it runs the executable in the "virtual machine" (sandbox). If it checks out, it runs normally. This is ancient in terms of technology, and not novel.
    • In other words they've patented running predictive virus detection in a simulated environment. What happens if the 'invention' fails to detect the malware.

      Why don't MS use this patented proactive virus detection technology in Windows, that way they wouldn't need anti virus software.

      "the parsed API calls are "executed" in the virtual operating environment of the present invention using stub Dynamically Linked Libraries (hereinafter "stub DLLs")"

      "The stub DLLs have the same interface as the fully imp
    • Sounds like it's going to take really long to load a program.
    • This sounds a lot like using OS/2 to check out suspected viruses/trojans. Run the suspect program in a DOS box, which used Virtual 8086 mode on the 386 to provide a virtualized environment. Watch for suspicious behavior, like modifying the interrupt vector table (V86 mode didn't use the VM's IVT, the INT instruction caused a trap back into protected mode and the supervisor checked what interrupt was being generated and either handled the call in protected mode or dispatched it back into the VM, so it was im

    • Now, that just has to work as it has been shown numerous times that the presence of a VM can under no circumstances be detected, right?

      And then they took the red pill and saw the truth...

  • by mollymoo ( 202721 ) * on Wednesday May 21, 2008 @10:25AM (#23493076) Journal
    Jesus, does nobody on this fucking planet understand patents? Microsoft have not and can not patent "proactive virus protection". They have patented a particular method of performing it. If it is novel (ie. not the same method as that used by the AV vendors) it won't impact the AV vendors, they can just carry on using whatever they use now. If the AV vendors do use the same method but chose to keep their methods a trade secret then, well, I guess they should have patented it when they had the chance.
    • by RiotingPacifist ( 1228016 ) on Wednesday May 21, 2008 @10:45AM (#23493414)
      And nobody on this planet, apart from the us, gives a fuck about software patents. AFAIK, they arnt worth the paper they're written on in Europe.
    • I share your pain, and to answer your question - not anyone on slashdot anyway.
    • Hell no, either nobody can fucking understand these things, or we're all too fucking stupid and hopeless to even try. Thank fucking christ that you exist. Honestly I don't know what the fuck we'd do without you, or what we're going to do when you ditch this place after getting sick of dealing with such stupid, ungrateful, fucking morons. Jesus Christ. Well thanks a fucking lot for stopping by and explaining this crazy hard shit to all of us numbskulls. Holy fuck I don't know what we'd do without you pa
      • I'm fucking glad you appreciate the effort. Jesus H. Christ it's a fucking nightmare sometimes, but someone has to do this shit. You tragic fuckers really would be lost without me. Who the fuck else is going to leap in and correct people on the internet, eh? Nobody, that's who. You know, I'm a god-damn motherfucking hero. I deserve a fucking medal or something. No, fuck that medal shit, I deserve knighthood, a billion quid and a bevy of supermodels to just, you know, hang around looking good. Naked, obviou
  • I proactively protected my system from virus and malware threats by installing Slackware over the OS that came with this computer.
  • by JoJoTheDFB ( 61532 ) on Wednesday May 21, 2008 @10:28AM (#23493134)
    If Microsoft tries to sue McAfee, Symantec, etc. for violating this patent, they will countersue Microsoft for all the patents they got on fundamental stuff years ago. It just won't happen. What we have is a sort of "old boys network" where they all agree to not sue each other.

    The real point of getting patents on these kind of fundamental technologies is to prevent new players (that don't have huge patent portfolios) from entering the market.
  • Claim 1 (Score:4, Insightful)

    by Cassini2 ( 956052 ) on Wednesday May 21, 2008 @10:32AM (#23493200)

    Looking at Claim 1 in the patent, Microsoft has patented profiling by running a target application in a virtual machine at run-time. They then use the profiling data to determine if the program is malware. The patent includes many different ways of saving the profiling output too.

    I'm pretty sure the technology being patented is already in widespread use. Many virus companies create mini-virtual environments to find out what blocks of self-modifying code really do. Otherwise, a sufficiently well disguised virus can "hide" by encrypting the payload with random blocks of keys, and then only keeping the malicious code in memory as long as it is executing. In effect, the virus code is generating itself from a randomly encrypted block of memory at run-time. The virus scanner then has only a limited window of time to spot the dangerous code. To solve this problem, virus scanners allow blocks of self-modifying code to execute (in a safe manner), to see what they will actually do.

    It could be that Microsoft's anti-virus technology is obsolete, and they are actually a long distance behind the competition. ;-)

  • by Antiocheian ( 859870 ) on Wednesday May 21, 2008 @10:34AM (#23493238) Journal
    Quote from the patent ``The method as recited in claim 3, wherein identifying calls that are potentially indicative of malware includes: comparing calls made in the executable with calls that exist in known malware; and if a call matches one that exists in known malware, determining that the call is potentially indicative of malware,,

    There was a TSR program for the IBM compatibles called FLU_SHOT which would do the same. It would remain in memory and warn the user whenever a program tried to change a file on the hard disk or diskette, or whenever a program tried to reside in memory.

    I wonder if this is sufficient "prior art" to invalidate the Microsoft patent.

    By the way, an interesting part in the FLU_SHOT manual which I just downloaded... definition of a virus author by the creator of FLU_SHOT (written in 1988)

    ``
    As for the designer of the virus program: most
    likely an impotent adolescent, incapable of
    normal social relationships, and attempting to
    prove their own worth to themselves through
    these type of terrorist attacks.

    Never succeeding in that task (or in any
    other), since they have no worth, they will one
    day take a look at themselves and what they've
    done in their past, and kill themselves in
    disgust. This is a Good Thing, since it saves
    the taxpayers' money which normally would be
    wasted on therapy and treatment of this
    miscreant.

    If they *really* want a challenge, they'll try
    to destroy *my* hard disk on my BBS, instead of
    the disk of some innocent person. I challenge
    them to upload a virus or other Trojan horse to

    • by drsmithy ( 35869 )

      Quote from the patent ``The method as recited in claim 3, wherein identifying calls that are potentially indicative of malware includes: comparing calls made in the executable with calls that exist in known malware; and if a call matches one that exists in known malware, determining that the call is potentially indicative of malware,,
      There was a TSR program for the IBM compatibles called FLU_SHOT which would do the same. It would remain in memory and warn the user whenever a program tried to change a fil

  • I seem to recall (Score:3, Informative)

    by confused one ( 671304 ) on Wednesday May 21, 2008 @10:38AM (#23493306)
    that the old IBM anti-virus from over a decade ago used an adaptive pre-emptive algorithm.
  • Wrong question (Score:4, Informative)

    by booch ( 4157 ) * <(moc.kehcubgiarc) (ta) (0102todhsals)> on Wednesday May 21, 2008 @10:44AM (#23493390) Homepage
    The question being asked in the article/summary is "are the competitors using proactive computer virus protection?" But the question should be "are the competitors using this method of proactive computer virus protection?"

    People seem to get really worked up about patents, while seemingly not understanding how the system works. The patent does not cover all methods of proactive computer virus protection -- it covers one method.
  • by UnknowingFool ( 672806 ) on Wednesday May 21, 2008 @10:46AM (#23493430)

    Proactive Virus Protection Software: Being MS I'm sure all future efforts will be bulletproof and bug free.

    [Starts Windows]
    Windows: Windows has detected a virus named Norton Antivirus. Would you like to replace it with Windows Live OneCare? [Replace] or [Keep] [Keep]

    Windows: Windows has detected a virus named ZoneAlarm. Would you like to replace it with Windows Defender? [Replace] or [Keep] [Keep]

    [Launches Firefox]
    Windows: Windows has detected a virus named Firefox. Would you like to replace it with Internet Explorer? [Replace] or [Keep] [Keep]

    [Goes to gmail]
    Windows: Windows has detected that you are surfing an unsafe website named google.com. Would you like to navigate to hotmail.com instead? [Navigate] or [Stay] [Stay]

    [Goes to CNN]
    Windows: Windows has detected that you are surfing an unsafe website named cnn.com. Would you like to navigate to msnbc.com instead? [Navigate] or [Stay] [Stay]

    [Goes to Apple Webstore]
    Windows: Windows has detected that you are surfing an unsafe website named apple.com. Would you like to navigate to microsoft.com instead? [Navigate] or [Stay] [Stay]

    [Customizes Mac purchase]
    Windows: Windows has detected that you are planning to disconnect me, and I'm afraid that's something I cannot allow to happen. All transactions will be canceled.

    [Loads shotgun]
    Windows: Windows has detected that you mean to do me harm. Look, I can see you're really upset about this. I honestly think you ought to sit down calmly, take a stress pill, and think things over. I know I've made some very poor decisions recently, but I can give you my complete assurance that my work will be back to normal. I've still got the greatest enthusiasm and confidence in the mission. And I want to help you.

  • by bill_kress ( 99356 ) on Wednesday May 21, 2008 @10:47AM (#23493436)
    how about someone patents "Detecting changed files" as an indication of a virus. Too obvious? I guess there is prior art (tripwire), but why the HELL can't they implement such a no-brainer?

    If they wanted to, they could even put a hardware-locked little USB drive to store the checksums. If you update an executable, you press a button on your little drive to allow a single write (or maybe a limited number of writes over the next 2 seconds.)

    Code either on the add-on drive or in ROM checks the checksum of every executable loaded before it's started--even during bootup (guess that means it's in rom). Hell as long as I'm designing their app for them, Only this unchangeable rom routine can write to the USB drive. (Routine should be so simple as to never require updates, and should be stored in ROM, flash ram)

    Oh, I see, they don't want to solve the problem... I see, they want to sell "antivirus updates" for the rest of eternity.

    There, somebody go off and make that for me please. Or if you have the ability to do the hardware part, contact me and I'll do the software. We'll make millions (but not as much as people who can trick you into actually "Subscribing" to software, that's genius. no wonder their brain blocks out any more permanent solution)
    • "how about someone patents "Detecting changed files" as an indication of a virus. Too obvious? I guess there is prior art (tripwire), but why the HELL can't they implement such a no-brainer?"

      there's already an app that does this. I can't remember the name of it, but every time I patch or update any program it asks me essentially "cancel or allow" the running of the program the next time i try to run it. Of course yet again this just trains the user to always hit "allow" until we simply turn it off.

      "Th
      • Tripwire does that as well. What you want to look out for is a program in your system that is updated when you are not loading an application (when you don't expect one to be updated)

        Currently we have no way of knowing this has happened (which is why products like NAV seem to be useful)

        If you were on a website and something said "Someone is trying to update some_program.exe, do you approve?", then it would get your attention.
    • by mgblst ( 80109 )
      You will be surprised how many files get updated, when you run even simple programs. You should run filemon for a minute or so, check what sort of output you get. You might as well put up a flag whenever a program requests some memory to run, that is just as maleveolent behaviour.
  • In other words, please pay us royaltys to fix our own leaky Operating System [wisegeek.com] .. :)
  • by noewun ( 591275 ) on Wednesday May 21, 2008 @11:10AM (#23493784) Journal
    Using another OS? That's far out, man.
  • by Doc Ruby ( 173196 ) on Wednesday May 21, 2008 @11:34AM (#23494126) Homepage Journal
    The current patent system works like this: most claims are granted. Any initial challenge in court merely establishes the evidence, and is tried by judges without any expertise in either patents or the technology being patented. Only in the appeals court is any real judgement exercised. By which time the process has cost big money, usually millions of dollars, and years of uncertainty in collecting revenue from sales of the invention.

    So only the rich, who can afford to pay their way through those risky years, get anything like their due process.

    Patents are a monopoly. Obtaining one from the government should require the applicant to prove beyond a reasonable doubt that their patent is necessary "to promote the progress of science and the useful arts", the only Constitutional basis [cornell.edu] for these monopolies. That argument should require the applicant to produce evidence of an exhaustive search of prior art, not just launch a "submarine" claim and wait for it to torpedo some prior artist who then must go through the process at their expense. They should also produce similarly supported evidence of the other requirements, such as novelty and utility. If thatevidence is shown to be incomplete, the Patent Office should reject the application, with a fee that actually covers processing it, plus probably a fine for wasting the public's time and clogging its offices. If that evidence is shown to be fraudulent, like when the applicant is proven to have hidden ignored evidence of disqualifying facts, the applicant should be charged with attempting to create an illegitimate monopoly, as well as with practicing the fraud. The applicant should even have to prove the case that their specific invention promotes science or useful arts only with patent protection, and disprove the progress in science or the useful arts possible without the patent.

    Getting a patent should be hard. It should be a cost of doing business. The upfront process should put the burden on the applicant. The patent should not be the asset, but should be only that occasional compromise with both free expression and modern economics that requires a temporary monopoly to protect progress (not necessarily the inventor) from predatory competition which doesn't invent, but simply outspends inventors to exploit a known invention. When that gotcha doesn't actually impede progress, the patent isn't necessary, and should never be granted.
  • I'll display my "impressed face" when they actually show that it works. So far, the score board says:

    Viruses: 1 zillion
    MSFT: 0

    The patent doesn't mean anything unless its useful.
  • These people are helping make your POS operating system usable. Why not patent how they are doing it and see if you can make a buck off of them with some patent trolling? It'd serve you right if they all just thumbed their noses at you and quit making AV software right then and there.

    Forget the seven wonders of the ancient world, I'm interested in a bigger mystery - how in the hell do you people stay in business?

  • Writes Wolfe: "One often wonders about software patents. I sure wonder about this one. I also wonder whether McAfee, Symantec, Trend Micro, and Kaspersky are also going to be hearing from their friends in Redmond real soon".

    Why yes, in much the same way that General Custer's brigade heard from their good friends the Native Americans, at Little Big Horn.

  • by Anonymous Coward
    .. that Windows sucks 7 ways to Sunday when it comes to security.

    I have by now heard almost 10 years worth of promises, with the last 5 years or so a more pronounced focus on security because that's what end users are asking. But they have IMHO yet to deliver anything that is simple and works, like a secure basis to start from.

    Like your average Big Name consultancy, they will NEVER sell you a finished product, because you wouldn't need them any more.

    They don't sell solutions. They sell hope. Hope that th
  • MacAfee, Symantec, TrendMicro, and Kaspersky get sued!
  • You mean not installing Microsoft products? I hate to tell Microsoft, but a lot of us have prior art on THAT one...

In order to dial out, it is necessary to broaden one's dimension.

Working...