In a new system and method for proactive computer virus protection

May 22, 2008 16:07 GMT

Future Microsoft security products could make use of an additional operating system running on top of Windows in order to protect the underlying platform from malware. A new patent from the Redmond company, titled "System and method for proactive computer virus protection" and authored by Adrian Marinescu, was awarded on May 20, 2008; it describes a solution that is a step forward from the reactive antivirus approach. Proactive technology is currently implemented in all modern top security products on the market, and as such objections might be raised to Microsoft owning a patent on it.

However, the Redmond company's patent specifically refers to delivering a dispensable, virtualized operating environment designed to masquerade as the actual operating system in order to simulate the execution of potentially malicious code and to determine from its behavior whether it is malware. The virtualized operating system, which would run on top of Windows, would be completely isolated from the platform in case the simulated executable turns out to be malware.

"In accordance with the invention, a virtual operating environment for simulating the execution of programs to determine if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected during simulation. As a program is being simulated, a set of behavior signatures is generated. The collected behavior signatures are suitable for analysis to determine if the program is malware," the description of the invention explains.

Microsoft has not said whether the solution will be a standalone product or be integrated into its existing security offerings. The system described in the patent is tailored to Win32 operating systems, but according to Microsoft it can easily be extended to other platforms that also make API calls. There are, of course, two major issues with this patent. First, members of the security market are bound to object to Microsoft owning a patent on proactive detection. Second, modern malware authors generally take precautions, writing malicious code that checks whether it is running in a virtualized operating environment.

"Components of the virtual operating environment include an interface, a virtual processing unit, API handling routines, an Input/Output emulator, a loader, a stack data structure, and a memory management unit that manages a virtual address space. These components perform operations similar to a real operating system that receives API calls including but not limited to generating events so that stub DLLs may be loaded into memory, employing a memory management unit to map physical locations in memory to a virtual address space, and allowing potential malware to generate Input/Output (hereinafter 'I/O') when making API calls. The present invention generates computer-executable instructions that are only capable of being filtered by the provided virtual operating environment," reads an excerpt of the patent.
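As an added illustration (not Microsoft's code and not text from the patent), the following Python sketch models the components the two quoted passages describe: stub API handling routines that stand in for Win32 calls, an in-memory emulator that confines file and registry I/O so nothing touches the host, and a behavior-signature log that a small rule set scores afterwards. The Win32 function names are real; the two sample "programs", the registry value name, the dropped-file path, the rules and the two-finding threshold are constructed for this example.

```python
"""Toy behavioral sandbox modelled on the patent's description (added example).

A simulated program is a list of Win32-style API calls. Each call is routed to a
stub handler (the patent's "API handling routines" / stub DLLs), its side effects
land in in-memory dictionaries (the confined "host"), and a behavior signature is
appended. A rule set then scores the collected signatures.
"""
from dataclasses import dataclass, field

# Constructed example values; the registry key is the real Windows Run key path.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SELF_IMAGE = r"C:\Users\victim\Downloads\sample.exe"   # constructed path


@dataclass
class VirtualEnvironment:
    """Confined stand-in for the host: every side effect lands in these dicts."""
    files: dict = field(default_factory=dict)       # path -> bytes (emulated disk)
    registry: dict = field(default_factory=dict)    # "key\\name" -> value
    handles: dict = field(default_factory=dict)     # handle id -> path
    signatures: list = field(default_factory=list)  # behavior signatures, in order
    _next_handle: int = 1

    # --- API handling routines: stub implementations of Win32 calls ---
    def CreateFileA(self, path, access):
        handle = self._next_handle
        self._next_handle += 1
        self.handles[handle] = path
        self.files.setdefault(path, b"")
        self.signatures.append(("file_open", path.lower(), access))
        return handle

    def WriteFile(self, handle, data):
        path = self.handles[handle]
        self.files[path] += data                     # emulated disk only
        self.signatures.append(("file_write", path.lower(), len(data)))
        return len(data)

    def RegSetValueExA(self, key, name, value):
        self.registry[f"{key}\\{name}"] = value      # emulated registry only
        self.signatures.append(("reg_set", key.lower(), value.lower()))
        return 0

    def CreateProcessA(self, command_line):
        # Recorded, never executed: the host is not touched.
        self.signatures.append(("process_create", command_line.lower()))
        return 0x1234                                # fake process handle

    def GetModuleFileNameA(self):
        self.signatures.append(("query_self_path",))
        return SELF_IMAGE

    def dispatch(self, api, *args):
        """Route one simulated call to its stub; unknown APIs are logged, not run."""
        handler = getattr(self, api, None)
        if handler is None:
            self.signatures.append(("unsupported_api", api))
            return None
        return handler(*args)


def simulate(program):
    """Run a list of (api_name, *args) tuples inside a fresh virtual environment."""
    env = VirtualEnvironment()
    for call in program:
        env.dispatch(*call)
    return env


def classify(signatures):
    """Score a behavior signature list with a constructed, deliberately small rule set."""
    dropped = {s[1] for s in signatures if s[0] == "file_write" and s[1].endswith(".exe")}
    findings = set()
    if dropped:
        findings.add("drops_executable")
    for s in signatures:
        if s[0] == "reg_set" and s[1] == RUN_KEY.lower():
            findings.add("registry_autorun")
        if s[0] == "process_create" and any(d in s[1] for d in dropped):
            findings.add("executes_dropped_file")
    verdict = "malware" if len(findings) >= 2 else "benign"   # constructed threshold
    return {"verdict": verdict, "findings": sorted(findings)}


# Constructed sample programs. Handle 1 is the value the preceding CreateFileA returns.
BENIGN_PROGRAM = [
    ("CreateFileA", r"C:\Users\victim\Documents\notes.txt", "GENERIC_WRITE"),
    ("WriteFile", 1, b"meeting at 10"),
]
SUSPICIOUS_PROGRAM = [
    ("GetModuleFileNameA",),
    ("CreateFileA", r"C:\Windows\System32\dropped.exe", "GENERIC_WRITE"),
    ("WriteFile", 1, b"MZ..."),
    ("RegSetValueExA", RUN_KEY, "Updater", r"C:\Windows\System32\dropped.exe"),
    ("CreateProcessA", r"C:\Windows\System32\dropped.exe"),
]

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN_PROGRAM), ("suspicious", SUSPICIOUS_PROGRAM)):
        env = simulate(prog)
        print(name, classify(env.signatures), "emulated files:", list(env.files))
```

The point the quoted architecture makes, and which the sketch keeps, is that the program under test only ever talks to the stubs: the write to a System32 path and the Run-key entry exist solely in the environment's dictionaries, so the host is unaffected regardless of the verdict, while the signature log still carries enough to reason about what the program tried to do.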