Abstract: A method for detecting document-infecting computer viruses in a computer system having a plurality of documents, comprises the steps of maintaining a database of information associated with program objects associated with one or more of the documents, comparing one or more of the documents on the system with corresponding database entries in the database to detect certain document changes, and using a set of criteria to determine whether or not the detected document changes are likely to have been caused by viral activity.

Abstract: A computer application program subsystem (100) includes a program interpreter (120) and an application program interface (API 110) through which an external program requests an execution of a program of interest, such as a macro, in a specified simulated environment. The external program that requests the execution of the program of interest may further specify a simulated application state. The program of interest is written in a program language that the interpreter can interpret. The subsystem further includes an output path for returning to the external program at least one indication of what action or actions the program of interest would have taken if the program of interest had been run in a real environment that corresponds to the specified simulated environment.

Abstract: A system and method using of a trusted third party to provide a description of an information product to potential buyers without disclosing the entire contents of the information products, which might compromise the interests of the seller. The buyer trusts the third party to give an accurate description of the information that is for sale, while the seller trusts the third party not to reveal an excessive amount of the information product's content. The system can include a seller of information products, a buyer of such products, and a trusted third party summarizer, each operating as a node in a communications network, such as the internet.

Abstract: A system and method for verifying the integrity of a computer system's BIOS programs stored in alterable read only memory (such as FLASH ROM), and preventing malicious alteration thereof. The system and method regularly check the contents of the alterable read only memory using a digital signature encrypted by means of an asymmetrical key cryptosystem.

Abstract: The present system and method uses information about digital information (objects) to determine whether or not changes to the objects were caused by a normal system operation or by a malicious program. The invention uses a reference separation algorithm to separate, at a reference time, one or more digital objects into a plurality of reference subsets of information that describe the object contents. A plurality of these reference subsets are then selected by a selection algorithm and information associated with each selected reference subset is stored. At some later time, called the test time, a test separation algorithm is used to separate the digital signatures of the object into a plurality of test subsets of information that describe the object contents at test time. A plurality of these test subsets are then selected by the test selection algorithm. A test information algorithm that is associated with each selected test subset then develops test subset information about the respective a test subset.

Abstract: Information pertaining to the verification of the identity of, and reversal of, a transformation of computer data is derived automatically based on a set of samples. The most important class of transformations is computer viruses. The process extracts this information for a large, fairly general class of viruses. Samples consisting of host programs infected with the virus and sample pairs consisting of an infected host and the corresponding original, uninfected host are obtained. A description of how the virus attaches to the host program, including locations within uninfected host of components of both the original host and the virus is generated. Viral code is matched across samples to obtain a description of "invariant" regions of the virus. Host bytes embedded within the virus are located. A description of the original host locations permits ant-virus software on a user's machine to restore the bulk of a program that has been infected.

Abstract: A searching method determines, given a specified encryption method (or set of encryption methods) and a specified pattern (or set of patterns), whether a given text contains an encryption, with any key, of anything fitting the pattern or patterns. The procedure detects and locates patterns that are present within data that has been encrypted, provided that the encryption method is one of a variety of simple methods that are often employed by computer programs such as computer viruses. The method includes:1. applying an invariance transformation to the chosen pattern (or set of patterns) to be matched, to obtain a "reduced pattern";2. applying the same reduction to the encrypted data to obtain "reduced data";3. using standard string searching techniques to detect the existence of a match between the reduced pattern and the reduced data, thereby signalling the likely existence of the pattern in encrypted form within the encrypted data;4.

Abstract: A method includes the following component steps, or some functional subset of these steps: (A) periodic monitoring of a data processing system (10) for anomalous behavior that may indicate the presence of an undesirable software entity such as a computer virus, worm, or Trojan Horse; (B) automatic scanning for occurrences of known types of undesirable software entities and taking remedial action if they are discovered; (C) deploying decoy programs to capture samples of unknown types of computer viruses; (D) identifying machine code portions of the captured samples which are unlikely to vary from one instance of the virus to another; (E) extracting an identifying signature from the executable code portion and adding the signature to a signature database; (F) informing neighboring data processing systems on a network of an occurrence of the undesirable software entity; and (G) generating a distress signal, if appropriate, so as to call upon an expert to resolve difficult cases.