Symantec claims new antivirus patent

Antivirus software company Symantec has been awarded a patent for a 5-year-old technology that allows antivirus researchers to scan multiple parts of a file for signs of virus infections, according to executives from the company.

The U.S. Patent and Trademark Office awarded Symantec U.S. patent No. 6,851,057 for "Data driven detection of viruses," a method of virus detection that allows researchers to program antivirus software to scan multiple areas of a file for signs of infection. The technology has been used across Symantec's antivirus product line since 1999, according to Carey Nachenberg, the inventor and a chief architect in Symantec's antivirus labs.

The Symantec patent specifically refers to a "virus detection system (that) operates under the control of P-code to detect the presence of a virus in a file having multiple entry points," but the reach of the patent could be much more broad, said Michael Schallop, director of intellectual property at Symantec.

"What's patented is a technology to use an intermediate language to drive antivirus functionality such as scanning and emulation," he said.

That could refer to any technology that allows antivirus researchers or antivirus products to use scripting to determine, dynamically, where in a file to scan and detect threats. It could also include the use of Javascript or other common scripting languages to direct antivirus scanning, Schallop said.

Symantec hasn't reviewed competitors' products to see if they might use its patented technique. Schallop said that the company is primarily interested in demonstrating its "thought leadership" in antivirus technology, and declined to speculate on whether the company would try to enforce its patent.

The newly-patented Symantec technology was developed to improve on traditional antivirus scanning methods that simply searched the beginning and end of files for signs of infection, which is where an older generation of viruses operated, Nachenberg said.

Using his patented invention, researchers can write instructions using a scripting language called P-code to direct an antivirus engine to scan specific areas of a file. Areas, or "entry points," that may be infected by a virus can be submitted to a virus emulation module to determine whether the file is corrupted, according to a copy of the patent.

Nachenberg compares the technology to a targeted x-ray or magnetic resonance imagery scans that are directed, by a physician, at specific areas of a body that are known to harbor signs of illness.

The patented technique makes it easier for antivirus products to detect a wide range of malicious code, including spyware and Trojan horse programs, in addition to viruses, Nachenberg said. Researchers can also use data-driven detection to respond to new malicious code developments, using P-code scripts to address new file formats or infection strategies, he said.

The technique was first prototyped in 1999 and it has been used across Symantec's antivirus product line ever since, Nachenberg said.

The computer security space has been fertile ground for patent attorneys in recent years. Symantec was forced to pay US$62.5 million in April 2004 to acquire U.S. Patent No. 5,319,776 from Clearswift that covers computer hardware and software that scans data in transit between two 'mediums.'

In January, McAfee said it was granted U.S. Patent No. 6,839,852 for a "Firewall system and method with network mapping capabilities," which has applications for network traffic monitoring between a local and remote computer and pinpointing the geographical source of an attack.