Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system
First Claim
1. A method for detecting malicious code on an information handling system, comprising:
executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;
applying the detection routines to executable code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines; and
determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.
7 Assignments
0 Petitions
Abstract
A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.
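The weighted scoring the abstract describes, which claims 7, 21 and 35 below refine into a separate valid score and malicious-code score fed by routines that either examine the executable itself or search the operating system for information about it, as an added worked example. This is not the patent's own code: every routine, weight, threshold and sample record is an illustrative assumption chosen to show the mechanism, not a value taken from the specification.

```python
"""Weighted detection routines scored into a valid score and a malicious-code score.

Added example, not the patent's code. Every routine, weight, threshold and
sample record here is an illustrative assumption chosen to show the mechanism.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# One record per program under investigation. Fields a routine reads from the
# executable image itself are "file" evidence; fields it obtains by asking the
# operating system (sockets, autostart entries, installed-programs list, window
# state) are "os" evidence.
Record = Dict[str, object]


@dataclass(frozen=True)
class Routine:
    name: str
    kind: str       # "valid" or "malicious": which score the weight feeds
    evidence: str   # "file" (examine the code itself) or "os" (search the OS)
    weight: int
    fires: Callable[[Record], bool]


ROUTINES: List[Routine] = [
    # Valid-program routines: traces a legitimately installed program usually leaves.
    Routine("signed_image", "valid", "file", 3, lambda rec: rec["signed"]),
    Routine("has_version_info", "valid", "file", 1, lambda rec: rec["version_info"]),
    Routine("listed_as_installed", "valid", "os", 2, lambda rec: rec["in_installed_programs"]),
    Routine("visible_window", "valid", "os", 2, lambda rec: rec["has_window"]),
    # Malicious-code routines: traits typical of a Trojan horse hiding on the host.
    Routine("hidden_listener", "malicious", "os", 4,
            lambda rec: rec["listening_port"] is not None and not rec["has_window"]),
    Routine("autostart_without_install", "malicious", "os", 2,
            lambda rec: rec["autostart"] and not rec["in_installed_programs"]),
    Routine("runs_from_temp", "malicious", "file", 2,
            lambda rec: "\\temp\\" in str(rec["path"]).lower()),
    Routine("hidden_attribute", "malicious", "file", 1, lambda rec: rec["hidden"]),
]

# Scoring-algorithm parameters (assumptions): a malicious score at or above
# MALICIOUS_THRESHOLD condemns a program on its own; below that, malicious
# evidence still condemns it when the valid score cannot vouch for it.
MALICIOUS_THRESHOLD = 5
VALID_FLOOR = 2


def score(record: Record, routines: List[Routine] = ROUTINES) -> Tuple[int, int, List[str]]:
    """Apply every routine; return (valid_score, malicious_score, names that fired)."""
    valid = malicious = 0
    fired: List[str] = []
    for routine in routines:
        if routine.fires(record):
            fired.append(routine.name)
            if routine.kind == "valid":
                valid += routine.weight
            else:
                malicious += routine.weight
    return valid, malicious, fired


def classify(record: Record, routines: List[Routine] = ROUTINES) -> str:
    """Decide from the two scores, so either score alone can drive the verdict."""
    valid, malicious, _ = score(record, routines)
    if malicious >= MALICIOUS_THRESHOLD:
        return "malicious"
    if malicious > 0 and valid < VALID_FLOOR:
        return "malicious"
    return "valid"


# Constructed sample records (not real observations).
SAMPLES: Dict[str, Record] = {
    "updater": dict(path=r"C:\Program Files\Vendor\updater.exe", signed=True,
                    version_info=True, hidden=False, in_installed_programs=True,
                    has_window=False, listening_port=None, autostart=True),
    "temp_svchost": dict(path=r"C:\Users\bob\AppData\Local\Temp\svchost.exe", signed=False,
                         version_info=False, hidden=True, in_installed_programs=False,
                         has_window=False, listening_port=4444, autostart=True),
    "devserver": dict(path=r"C:\Users\bob\tools\devserver.exe", signed=False,
                      version_info=True, hidden=False, in_installed_programs=False,
                      has_window=True, listening_port=8080, autostart=False),
    "temp_helper": dict(path=r"C:\Users\bob\AppData\Local\Temp\helper.exe", signed=False,
                        version_info=False, hidden=False, in_installed_programs=False,
                        has_window=False, listening_port=None, autostart=True),
}


def classify_all() -> Dict[str, str]:
    """Run the scoring over every sample record."""
    return {name: classify(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, score(rec), classify(rec))
```

Two of the constructed records show why the claims keep two scores rather than one. The unsigned "devserver" listens on a port, but because it has a visible window no malicious routine fires and its valid weight carries it. The "temp_helper" record collects a malicious score below the stand-alone threshold, yet is still condemned because no valid-program routine vouches for it, which is the second branch of the scoring algorithm.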
155 Citations
50 Claims
1. A method for detecting malicious code on an information handling system, comprising:
executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;
applying the detection routines to executable code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines; and
determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.
Dependent claims: 2, 3, 4, 5, 6
7. A method for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, comprising:
executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each code or program itself and b) searching for information about each code or program in the operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines;
applying the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and
determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
8. A method for detecting malicious code on an information handling system, comprising:
executing detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system;
assigning weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and
determining whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A computer program stored on computer-readable media for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, the computer program including instructions processable by the information handling system for causing the information handling system to:
execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the computer during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each respective executable code or program in the operating system, the detection routines consisting of at least one of valid program detection routines and malicious code detection routines;
apply the detection routines to the executable code under investigation running on the information handling system, the detection routines being further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and
determine whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
22. A computer program stored on computer-readable media for detecting malicious code on an information handling system, the computer program including instructions processable by the information handling system for causing the information handling system to:
execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system;
assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and
determine whether executable code under investigation is malicious code as a function of the assigned weights.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
35. An information handling system comprising:
a memory;
a processor;
an operating system; and
computer-readable code stored on said memory and processable by said processor for detecting malicious code in the form of a Trojan horse, said computer-readable code including instructions for causing the processor to execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each executable code or program in said operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines, apply the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to assign weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine, and determine whether executable code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring further includes configuring a scoring algorithm to identify executable code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
36. An information handling system comprising:
a memory;
a processor;
an operating system; and
computer-readable code stored on said memory and processable by said processor for detecting malicious code on said information handling system, said computer-readable code including instructions for causing the processor to execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of programs running on said information handling system, assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines, and determine whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 46
47. A method for detecting malicious code on an information handling system, comprising:
executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;
applying the detection routines to code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of malicious code as a function of respective detection routines; and
determining whether code under investigation is malicious code as a function of the weights associated by the detection routines.
Dependent claims: 48, 49, 50
Specification