A virus detection system (VDS) (400) uses a histogram to detect the presence
of a computer virus in a computer file. The VDS (400) has a P-code data
(410) for holding P-code, a virus definition file (VDF) (412) for
holding signature of known viruses, and an engine (414) for controlling
the VDS. The engine (414) contains a P-code interpreter (418) for
interpreting the P-code, a scanning module (424) for scanning regions of
the file (100) for the virus signatures in the VDF (412), and an
emulating module (426) for emulating instructions in the file. The emulating
module (426) contains a histogram generation module (HGM) (436) for
generating a histogram of characteristics of instructions emulated by the emulating
module (426) and a histogram definition module (HDF) (438) for specifying
the characteristics to be included in the generated histogram. The emulating module
(426) uses the generated histogram (500) to determine how many of
the instructions of the computer file (100) to emulate. The emulating module
(426) emulates (712) instructions and the HGM (436) generates
a histogram of the instructions until active instructions are note detected. When
active instructions are not detected (714), a P-code module is executed
(722) to analyze the histogram (500) and determine whether a the
file (100) contains a virus. The P-code can also decide to extend (728)
emulation. The HGM (436) is also used to detect (822) the presence
of dummy loops during virus decryption.