US 5,978,917 · Granted 1999-11-02

How Symantec Built a Virus Detector for Microsoft Office Macros

Back in the late 1990s, hackers were sneaking malicious code into Word and Excel documents using a feature called macros. Symantec figured out how to spot these sneaky macro viruses by simulating them in a sandbox and watching for suspicious behavior, like a macro trying to copy itself into places it shouldn't. Once caught, the virus could be automatically deleted.

The plain-English version

What it protects

The claim covers a software system that detects macro viruses by simulating macro execution in an isolated environment and flagging suspicious behavior. What's protected here is the specific method of testing macros in two different scenarios (first assuming they live in the global environment, then in local documents) and using bidirectional copying behavior as a detection criterion. The repair module that automatically removes flagged macros is also covered.

Why it matters

In the mid-to-late 1990s, macro viruses were a real plague: they spread silently through Office documents and infected millions of computers worldwide. This patent represents one of the early industrial-scale approaches to automating macro virus detection without requiring manual analysis. By automating both detection and removal, Symantec was able to offer users protection that was fast enough and reliable enough to ship in commercial antivirus software.

Real-world use

If you opened a suspicious Word document in the late 1990s or early 2000s, Symantec's antivirus software would have scanned it using this method to catch hidden macro viruses before they could spread to your other files.

Original USPTO abstract

Apparatus and method for detecting the presence of macro viruses within a digital computer (1). An application program (5) is associated with the digital computer (1). A global environment (13) is associated with the application program (5). The application program (5) generates at least one local document (11). Macros contained within the global environment (13) and the local document(s) (11) are executed in a simulated manner by an emulator (15). At least one preselected decision criterion is used by a detection module (17) to declare when a macro virus is deemed to be present. Such a criterion is typically the presence of a bidirectional macro, i.e., a macro that copies from a local document (11) to the global environment (13) and vice-versa. Macros deemed to be viruses are preferably deleted by a repair module (19). Additional deletion criteria may include the presence of macros that have the same source name or the same destination name as a bidirectional macro. In the preferred emulation steps, emulator (15) tests all of the macros associated with computer (1) in two steps. The first step assumes that the macros reside within the global environment (13), regardless of whether they reside within the global environment (13) or within a local document (11). The second step assumes that the macros reside within a local document (11), regardless of whether they reside within a local document (11) or within the global environment (13).
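As an added illustration (not the patent's or Symantec's own code), the following toy Python model shows the abstract's two-step emulation and the bidirectional-copy criterion: each macro is simulated once assuming it resides in the global environment and once assuming it resides in a local document, the copy operations observed in both runs are merged, and a macro is flagged if it copies in both directions; macros sharing a source or destination name with a flagged macro are flagged too, and the repair step deletes them. The macro-body format and the sample macros are constructed assumptions.

```python
"""Toy model of the two-step macro emulation described in the abstract.

Assumption (constructed, not the patent's code): a macro body is a list of
copy operations (src_loc, src_name, dst_loc, dst_name). A location token is
"global" (the template), "local" (the open document), "self" (wherever the
macro is assumed to reside) or "other" (the opposite of "self").
"""
GLOBAL, LOCAL = "global", "local"


def resolve(loc, assumed):
    """Resolve a relative location under the assumed residence of the macro."""
    if loc == "self":
        return assumed
    if loc == "other":
        return LOCAL if assumed == GLOBAL else GLOBAL
    return loc


def emulate(body, assumed):
    """Simulate one macro assuming it resides in `assumed`; return copy edges."""
    return {(resolve(s, assumed), sn, resolve(d, assumed), dn) for s, sn, d, dn in body}


def detect(macros):
    """Return names of macros deemed viral: bidirectional ones plus companions."""
    edges = {}
    for name, body in macros.items():
        # Step 1 assumes global residence, step 2 assumes local residence; a
        # single run with the true residence would only reveal one direction.
        edges[name] = emulate(body, GLOBAL) | emulate(body, LOCAL)
    bidir = {n for n, e in edges.items()
             if any(s == LOCAL and d == GLOBAL for s, _, d, _ in e)
             and any(s == GLOBAL and d == LOCAL for s, _, d, _ in e)}
    related = set()
    for n in bidir:  # same source or destination name as a bidirectional macro
        for _, sn, _, dn in edges[n]:
            related.update(m for m in macros if m in (sn, dn))
    return bidir | related


def repair(macros):
    """Repair module: delete flagged macros and return the cleaned macro table."""
    flagged = detect(macros)
    return {n: b for n, b in macros.items() if n not in flagged}


# Constructed sample: a self-propagating AutoOpen that copies itself and a
# companion across environments, and a benign macro that only backs up a
# local macro into the template (one direction only).
SAMPLE = {
    "AutoOpen": [("self", "AutoOpen", "other", "AutoOpen"),
                 ("self", "PayLoad", "other", "PayLoad")],
    "PayLoad": [],
    "SaveBackup": [("local", "MyStyle", "global", "MyStyle")],
}
```

Running `detect(SAMPLE)` flags `AutoOpen` and its companion `PayLoad`, while `SaveBackup` survives `repair(SAMPLE)` because it copies in one direction only.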

Patent details

Publication number: US 5,978,917
Filing date: 1997-08-14
Grant date: 1999-11-02
Assignee: Symantec Corporation
Inventor(s): CHI; DARREN
CPC class: A63B23/16
