The technology, described in the patent as "data-driven detection of viruses," is used to uncover complex viruses, worms and spyware. Symantec features the tool throughout itsfor the business and consumer markets, and it is one of the central elements of the company's desktop, server and gateway products.
The company said the patented technology remains one of its most powerful tools for identifying new threats. Its researchers use the code to write simple programs for scanning and emulating executable files, and for working with complexsuch as self-mutating viruses, Symantec said.
Traditional antivirus software works by scanning the regions of a particular file that are most likely to contain a virus, typically the top or bottom of the file. Symantec said its tools are able to identify more complex threats, because they enable researchers to comb through other portions, such as the middle of a file. It also helps search for threats that have been spread across a file in an effort to cloak themselves from antivirus tools.
The detection tools were created by Carey Nachenberg, chief architect at Symantec Research Labs, who has been behind 16 security-related patents in the last eight years. Nachenberg said that he and his colleagues at Symantec, based in Cupertino, Calif., have been working on the antivirus technology since the mid-'90s.
The researcher likened theto the noninvasive MRI scanners being adopted in the medical field, which improve on their coffinlike predecessors by allowing doctors to focus on a specific area of the body, rather than trying to scrutinize the entire physique at once.
"Unfortunately, the latest infections are much more complex, they mutate themselves, polymorph themselves, inject themselves in the middle of a file or spread their infection throughout a file," Nachenberg said. "All of this is making it very difficult for traditional antivirus scanners to detect an infection, because the infection is located or spread into regions where you wouldn't expect to see them."