In memory heuristic system and method for detecting viruses

摘要

Characteristics of a call module originating a critical operating system function call are analyzed for indications of suspicious content and a virus threshold counter is incremented appropriately. For example, the memory image to the file image of the call module are compared for indications of suspicious content. If a determination is made that the virus threshold counter exceeds a virus threshold, there is a significant probability that malicious code is executing on the host computer system. Thus, the user of the host computer system and/or an administrator are notified that malicious code is possibly executing on the host computer system.