US 12,072,978 B2
Fast antimalware scan
Andrey Kulaga, Istanbul (TR); Serguei Beloussov, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on Feb. 24, 2022, as Appl. No. 17/652,285.
Prior Publication US 2023/0267202 A1, Aug. 24, 2023
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/562 (2013.01) [G06F 21/564 (2013.01); G06F 2221/033 (2013.01)]
18 Claims
 
1. A system for detection of files not matching a known malware file in a computing environment, the system comprising:
a processor coupled to a memory storing instructions to permit the processor to function as an analyzer,
wherein the analyzer is configured to:
receive, as input, an unknown file and the known malware file;
compare the unknown file to the known malware file by comparing N (where N is greater than 1) blocks B1, . . . , BN, of lengths L1, . . . , LN, located at offsets O1, . . . , ON of the unknown file to the corresponding blocks of the known malware file at the offsets such that a number of blocks N, the lengths and the offsets are calculated according to predefined algorithm based on malware file types, wherein each of the offsets is calculated for a first number of bytes at a beginning of a file, a second number of bytes at a middle of the file, and a third number of bytes before an end of the file; and
output a value based on the comparison, indicating that the unknown file is different from the known malware file if there exists at least one j such that 1<=i<=N and a Bj block of the unknown file is different from a Bj block of the known malware file.
 
15. A method for detection of files not matching a known malware file in a computing environment, the method comprising:
receiving an unknown file and the known malware file;
comparing the unknown file to the known malware file by comparing N (where N is greater than 1) blocks B1, . . . , BN, of pre-defined lengths L1, . . . , LN, located at offsets O1, . . . , ON of the unknown file to the corresponding blocks of the known malware file at the offsets such that a number of blocks N, the lengths and the offsets are calculated according to predefined algorithm based on malware file types, wherein each of the offsets is calculated for a first number of bytes at a beginning of a file, a second number of bytes at a middle of the file, and a third number of bytes before an end of the file; and
outputting a value based on the comparison, indicating that the unknown file is different from the known malware file if there exists at least one j such that 1<=i<=N and a Bj block of the unknown file is different from a Bj block of the known malware file.
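
An added illustration of the block comparison recited in claims 1 and 15 (example code, not taken from the patent or from the assignee). The per-type block lengths, the size pre-check and the sample bytes are assumptions constructed here; the example shows that only a "different" result is conclusive, because a change lying between the sampled blocks is not seen.

```python
import io
import os

# Hypothetical (head, middle, tail) block lengths per file type; the claims say
# only that counts, lengths and offsets come from a predefined type-based algorithm.
BLOCK_LENGTHS = {"pe": (512, 256, 256), "default": (64, 64, 64)}

def block_plan(size, file_type="default"):
    """Return [(offset, length)] for blocks at the start, middle and end."""
    lengths = BLOCK_LENGTHS.get(file_type, BLOCK_LENGTHS["default"])
    head, mid, tail = (min(n, size) for n in lengths)
    return [(0, head), (max(0, size // 2 - mid // 2), mid), (size - tail, tail)]

def _size(stream):
    stream.seek(0, os.SEEK_END)
    return stream.tell()

def _block(stream, offset, length):
    stream.seek(offset)
    return stream.read(length)

def differs_from_known(unknown, known, file_type="default"):
    """True: some sampled block differs, so unknown is not the known sample.
    False: every sampled block matches; a candidate only, confirm with a full hash."""
    size = _size(known)
    if _size(unknown) != size:  # assumption: size pre-check, not part of the claims
        return True
    return any(_block(unknown, off, n) != _block(known, off, n)
               for off, n in block_plan(size, file_type))

# Constructed sample data (not real malware): 1024 patterned bytes.
KNOWN = bytes(range(256)) * 4
TAIL_CHANGED = KNOWN[:-1] + b"\x00"                # differs inside the tail block
GAP_CHANGED = KNOWN[:200] + b"\xff" + KNOWN[201:]  # differs between sampled blocks

def check(sample, file_type="default"):
    """Compare constructed sample bytes against KNOWN using the block plan."""
    return differs_from_known(io.BytesIO(sample), io.BytesIO(KNOWN), file_type)

if __name__ == "__main__":
    for name, data in [("identical", KNOWN), ("tail", TAIL_CHANGED), ("gap", GAP_CHANGED)]:
        print(name, "-> different" if check(data) else "-> candidate, needs full hash")
```

With the default lengths the change at offset 200 falls outside every sampled block, so the file is reported as a candidate; under the hypothetical "pe" lengths the 512-byte head block covers it and the file is reported as different.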