1
Carey S Nachenberg: Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases. Symantec Corporation, Fenwick & West, March 12, 2002: US06357008 (329 worldwide citation)

A method for detecting computer viruses comprising three phases: a decryption phase, an exploration phase, and an evaluation phase. A purpose of the decryption phase is to emulate a sufficient number of instructions to allow an encrypted virus to decrypt its viral body. A purpose of the exploration ...


2
Carey S Nachenberg: Polymorphic virus detection module. Symantec Corporation, Fenwick & West, October 20, 1998: US05826013 (194 worldwide citation)

A Polymorphic Anti-virus Module (PAM) (200) comprises a CPU emulator (210) for emulating the target program, a virus signature scanning module (250) for scanning decrypted virus code, and an emulation control module (220), including a static exclusion module (230), a dynamic exclusion module (240), ...


3
Carey S Nachenberg, Kent E Griffin: Reducing malware signature set size through server-side processing. Symantec Corporation, Fenwick & West, August 7, 2012: US08239944 (121 worldwide citation)

A server provides a reduced set of malware signatures to clients. The reduced set of malware signatures has the same scope of coverage as a comprehensive set of malware signatures stored on the server, but with a higher rate of false positive detections. The server receives signature detection event ...


4
Carey S Nachenberg: Data driven detection of viruses. Symantec Corporation, Fenwick & West, February 1, 2005: US06851057 (117 worldwide citation)

A virus detection system (VDS) (400) operates under the control of P-code to detect the presence of a virus in a file (100) having multiple entry points. P-code is an intermediate instruction format that uses primitives to perform certain functions related to the file (100). The VDS (400) executes t ...


5
Carey S Nachenberg, Elias E Guy: Stream scanning through network proxy servers. Symantec Corporation, Fenwick & West, April 10, 2007: US07203959 (110 worldwide citation)

Methods, systems, and computer readable media for managing transmission of a requested computer file (140) from a remote host computer (125) to a client computer (120). A proxy server computer (110) receives a first chunk (315) of the requested computer file (140). The proxy server (120) generates a ...


6
Carey S Nachenberg: Histogram-based virus detection. Symantec Corporation, Fenwick & West, November 29, 2005: US06971019 (89 worldwide citation)

A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data (410) for holding P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The ...


7
Carey S Nachenberg: State-based cache for antivirus software. Symantec Corporation, Fenwick & West, December 29, 1998: US05854916 (86 worldwide citation)

A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (3 ...


8
Carey S Nachenberg, Kevin R Marcus: Processor emulator module having a variable pre-fetch queue size for program execution. Fenwick & West, June 9, 1998: US05765030 (78 worldwide citation)

An emulation module (110) includes a pre-fetch queue (116) having an adjustable size (126) to eliminate any dependence of virus decryption routines on the size of the pre-fetch queue (116) when emulating executable files to test for the presence of virus infections. An executable file is tested by s ...


9
Carey S Nachenberg: Method to analyze a program for presence of computer viruses by examining the opcode for faults before emulating instruction in emulator. Symantec Corporation, Fenwick & West, October 12, 1999: US05964889 (72 worldwide citation)

A computer-implemented apparatus and method for countering attempts of polymorphic viruses to evade detection by emulation-based scanners. Such attempts try to exploit differences between the real and virtual execution of instructions. The invention includes a fault manager (158) integrated into the ...


10
Carey S Nachenberg, William E Sobel: Backtracked incremental updating. Symantec Corporation, Fenwick & West, December 26, 2000: US06167407 (66 worldwide citation)

A computer readable file of an original state is updated to a final state. The original state and the final state are both states within a sequence (100) of states, which sequence (100) includes at least one hub state and one non-hub state. A first hub version, which corresponds to a hub state which ...