Remote malware remediation

US 10,205,744 B2
Filed: 05/25/2017
Issued: 02/12/2019
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium comprising one or more instructions that when executed by a processor, cause the processor to:

identify, at an antimalware support system, an opportunity to assist with remediation of a file at a host device remote from the antimalware support system;

determine a remediation tool for remediation of the file;

initiate, by the antimalware support system remote from the host device, at least a portion of the remediation tool to be performed locally at the host device, where operations of the at least a portion of the remediation tool performed locally are applied to resources of the host device; and

receive feedback data at the antimalware support system from the host device identifying whether the at least a portion of the remediation tool performed locally remediated the file, wherein feedback data identifying that remediation of the file is incomplete causes the antimalware support system to apply another remediation tool to resources of the host device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device.

58 Citations

22 Claims

1. A non-transitory computer-readable medium comprising one or more instructions that when executed by a processor, cause the processor to:
- identify, at an antimalware support system, an opportunity to assist with remediation of a file at a host device remote from the antimalware support system;
  
  determine a remediation tool for remediation of the file;
  
  initiate, by the antimalware support system remote from the host device, at least a portion of the remediation tool to be performed locally at the host device, where operations of the at least a portion of the remediation tool performed locally are applied to resources of the host device; and
  
  receive feedback data at the antimalware support system from the host device identifying whether the at least a portion of the remediation tool performed locally remediated the file, wherein feedback data identifying that remediation of the file is incomplete causes the antimalware support system to apply another remediation tool to resources of the host device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the operations of the at least a portion of the remediation tool performed locally act on the resources of the host device.
  - 3. The non-transitory computer-readable medium of claim 2, wherein the resources include at least one of a memory block, file, or register of the host device.
  - 4. The non-transitory computer-readable medium of claim 2, wherein the operations are applied through an agent on the host device.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the remediation tool is a first remediation tool, further comprising a second remediation tool.
  - 6. The non-transitory computer-readable medium of claim 5, wherein the first and second remediation tools are defined to be run in series.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the instructions, when executed, further cause the processor to provide the file to the remediation tool.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the remediation tool is executed in a virtual environment.
  - 9. The non-transitory computer-readable medium of claim 1, wherein determining whether to use the remediation tool in response to a subsequent opportunity to remediate the file is based at least in part on the feedback data.
  - 10. The non-transitory computer-readable medium of claim 1, wherein the remediation tool is at least one of an anti-virus tool, an anti-spyware tool, and an antirootkit tool.
  - 11. The non-transitory computer-readable medium of claim 1, wherein applying the operations of the remediation tool to the resources remediates the file from the host device.
  - 12. The non-transitory computer-readable medium of claim 1, wherein the opportunity is identified based on a query from the host device for additional reputation information for the file.
  - 13. The non-transitory computer-readable medium of claim 12, wherein the query prompts a determination by an antimalware support system remote from the host device that the file should be remediated.
  - 14. The non-transitory computer-readable medium of claim 1, wherein identifying the opportunity includes receiving a request for remediation of the file from the host device.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the request for remediation is based on a determination at the host device that the file should be remediated.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the determination of the host device is in response to receiving reputation information for the file from an antimalware support system remote from the host device.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the instructions, when executed, further cause the processor to:
    - receive a query from the host device; and
      
      return response data including the reputation information in response to the query.
  - 18. The non-transitory computer-readable medium of claim 1, wherein another portion of the remediation tool is to be executed by the antimalware support system.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the remediation tool comprises a first remediation tool, and the instructions, when executed, further cause the processor to:
    - identify, at an antimalware support system, an opportunity to assist with remediation of the file at a second host device remote from the antimalware support system;
      
      determine a second remediation tool for remediation of the file on the second host device, wherein the second remediation tool is different from the first remediation tool;
      
      initiate, by the antimalware support system remote from the second host device, at least a portion of the second remediation tool to be performed locally at the second host device, wherein operations of the at least a portion of the second remediation tool performed locally are applied to resources of the second host device; and
      
      receive feedback data at the antimalware support system from the second host device identifying whether the at least a portion of the second remediation tool performed locally remediated the file, wherein feedback data identifying that remediation of the file is incomplete causes the antimalware support system to apply another remediation tool to resources of the second host device.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the file comprises a first file, the remediation tool comprises a first remediation tool, and the instructions, when executed, further cause the processor to:
    - identify, at an antimalware support system, an opportunity to assist with remediation of a second file at the host device remote from the antimalware support system;
      
      determine a second remediation tool for remediation of the second file on the host device, wherein the second remediation tool is different from the first remediation tool;
      
      initiate, by the antimalware support system remote from the host device, at least a portion of the second remediation tool to be performed locally at the host device, wherein operations of the at least a portion of the second remediation tool performed locally are applied to resources of the host device; and
      
      receive feedback data at the antimalware support system from the host device identifying whether the at least a portion of the second remediation tool performed locally remediated the second file, wherein feedback data identifying that remediation of the second file is incomplete causes the antimalware support system to apply another remediation tool to resources of the host device.

21. A method comprising:
- identifying, at an antimalware support system, an opportunity to assist with remediation of a file at a host device remote from the antimalware support system;
  
  determining a remediation tool for remediation of the file;
  
  initiating, by the antimalware support system remote from the host device, at least a portion of the remediation tool to be performed locally at the host device, wherein operations of the at least a portion of the remediation tool performed locally are applied to resources of the host device; and
  
  receiving feedback data at the antimalware support system from the host device identifying whether the at least a portion of the remediation tool performed locally remediated the file, wherein feedback data identifying that remediation of the file is incomplete causes the antimalware support system to apply another remediation tool to resources of the host device.

22. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  an antimalware support server adapted when executed by the at least one processor device to;
  
  identify, at an antimalware support system, an opportunity to assist with remediation of a file at a host device remote from the antimalware support system;
  
  determine a remediation tool for remediation of the file;
  
  initiate, by the antimalware support system remote from the host device, at least a portion of the remediation tool to be performed locally at the host device, wherein operations of the at least a portion of the remediation tool performed locally are applied to resources of the host device; and
  
  receive feedback data at the antimalware support system from the host device identifying whether the at least a portion of the remediation tool performed locally remediated the file, wherein feedback data identifying that remediation of the file is incomplete causes the antimalware support system to apply another remediation tool to resources of the host device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Teddy, John D., Bean, James Douglas, Dalcher, Gregory William, Hetzler, Jeff
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US15/604,964
Publication Number

US 20180083983A1
Time in Patent Office

628 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2115   Third party

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Remote malware remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Remote malware remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others