Malware detection using a digital certificate
First Claim
1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- analyze data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;
assign a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;
determine, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and
classify, based on a determination that the digital certificate is trusted, the file as trusted.
10 Assignments
0 Petitions
Accused Products
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to analyze data related to a digital certificate and assign a reputation to the digital certificate, where the reputation includes an indication if the data is proper. The analysis of the data can include determining if code signing for the digital certificate matches binary code for the digital certificate, if the digital certificate has been grafted to the data by modifying a portable executable file header, or the digital certificate is the same as another trusted digital certificate associated with different data.
33 Citations
12 Claims
-
1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
-
analyze data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate; assign a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate; determine, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and classify, based on a determination that the digital certificate is trusted, the file as trusted. - View Dependent Claims (2, 3)
-
-
4. An apparatus comprising:
-
memory; and a hardware processor configured to; identify a file stored in the memory that includes a digital certificate and data related to the digital certificate; analyze the data related to the digital certificate to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate; assign a reputation to the file, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate; determine, based on the assigned reputation to the file including the indication that the data is proper, whether the digital certificate is trusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and classify, based on a determination that the digital certificate is trusted, the file as trusted. - View Dependent Claims (5, 6)
-
-
7. A method comprising:
-
analyzing data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate; assigning a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate; determining, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and classifying, based on a determination that the digital certificate is trusted, the file as trusted. - View Dependent Claims (8, 9)
-
-
10. A system for malware detection using a digital certificate, the system comprising:
-
memory in an electronic device; a hardware processor in the electronic device, wherein the hardware processor is configured to execute a digital certificate validation module configured for; identifying data stored in the memory related to a digital certificate associated with a file; analyzing the data related to the digital certificate to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate; assigning a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate; determining, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and classifying, based on a determination that the digital certificate is trusted, the file as trusted. - View Dependent Claims (11, 12)
-
Specification