Abstract: A computer anti-virus system is disclosed. The computer anti-virus system can have multiple detection layers and can include a first memory and a second memory. The computer anti-virus system can have a reduced first memory size requirement for a fingerprint signature based anti-virus application program by putting off to the second memory those signatures that are redundantly detected on other layers. Thus, performance can be enhanced and/or costs can be reduced.

Abstract: In accordance with one or more embodiments of the present invention, a method of determining a suspect computer file is malicious includes parsing a suspect file to extract a byte code sequence, modeling the extracted byte code sequence using at least one entropy modeling test where each modeling test provides an entropy result based on the modeling of the extracted byte code sequence, comparing each entropy result to a table of entropy results to determine a probability value, and summing the probability values to determine a likelihood the byte code sequence is malicious.

Abstract: In accordance with an embodiment of the present invention, a method of managing computer process execution may include selecting a computer file prior to execution of the computer file, analyzing the selected computer file to determine at least one executable behavior, identifying the analyzed computer file as one of harmful or harmless, and disposing of the identified computer file as one of executable or non-executable, where the selected computer file is disposed as non-executable when the selected file is identified as harmful.

Abstract: In accordance with one or more embodiments of the present invention, a method of determining whether a suspect file is malicious includes the operations parsing the suspect file to determine if the suspect file purports to be a system file, performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file, and handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file. The suspect file is a purported system file when the suspect file includes at least one characteristic attribute of a system file.