Method and apparatus for detection of hostile software
Abstract
Methods and apparatuses are presented for detecting hostile software in a computer system involving storing a representation of configuration data associated with an operating system for the computer system obtained at a first time, comparing the stored representation of the configuration data obtained at the first time with a representation of the configuration data associated with the operating system for the computer system obtained at a second time, and if deviation is detected between the stored representation of the configuration data obtained at the first time and the representation of the configuration data obtained at the second time, automatically performing at least one remedial measure in response to the deviation detected. In one embodiment of the invention, the configuration data relates to identification of executable code installed in the computer system. The configuration data may be obtained from a registry key in a registry maintained by the operating system.
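As an added illustration, not code from the patent or its assignee, the claimed loop in Python: store a representation of a Run-type registry key at a first time, compare it with the representation at a second time, and dispatch a remedial measure when they deviate. The two registry snapshots are constructed sample dictionaries embedded inline (no winreg call), so the script runs offline on any platform.

```python
import hashlib
import json

# Constructed sample: value name -> command line of an autostart (Run) key at time 1.
BASELINE_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Constructed sample at time 2: one value points elsewhere, one new value appeared.
CURRENT_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
    "Updater": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
}


def represent(run_key: dict) -> dict:
    """Representation of the configuration data: one SHA-256 per value name,
    so the baseline can be stored without keeping the full command lines."""
    return {name: hashlib.sha256(cmd.encode("utf-8")).hexdigest()
            for name, cmd in run_key.items()}


def store(representation: dict) -> str:
    """Serialize the first-time representation (here to a JSON string; a
    real deployment would write it to protected storage)."""
    return json.dumps(representation, sort_keys=True)


def compare(stored_json: str, current: dict) -> dict:
    """Deviation between the stored representation and the second-time one."""
    stored = json.loads(stored_json)
    common = set(stored) & set(current)
    return {
        "added": sorted(set(current) - set(stored)),
        "removed": sorted(set(stored) - set(current)),
        "modified": sorted(n for n in common if stored[n] != current[n]),
    }


def remediate(deviations: dict, current_key: dict) -> list:
    """Remedial measures as an action list (a deployment would disable the
    entry and alert); added or changed entries are the suspicious ones."""
    actions = [("disable_and_alert", n, current_key[n])
               for n in deviations["added"] + deviations["modified"]]
    actions += [("alert_removed", n, None) for n in deviations["removed"]]
    return actions


def check(baseline_key: dict, current_key: dict) -> list:
    """Full cycle: store at time 1, compare at time 2, remediate on deviation."""
    deviations = compare(store(represent(baseline_key)), represent(current_key))
    return remediate(deviations, current_key) if any(deviations.values()) else []
```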
21 Claims
1. A method for detecting hostile software in a computer system comprising:
storing a representation of configuration data associated with an operating system for the computer system obtained at a first time;
comparing the stored representation of the configuration data obtained at the first time with a representation of the configuration data associated with the operating system for the computer system obtained at a second time; and
if deviation is detected between the stored representation of the configuration data obtained at the first time and the representation of the configuration data obtained at the second time, automatically performing at least one remedial measure in response to the deviation detected.
(Dependent claims 2 to 18 are not reproduced here.)
19. A computer system capable of detecting hostile software comprising:
a processing unit capable of being controlled by an operating system;
a storage unit coupled to the processing unit, the storage unit capable of storing a representation of configuration data associated with the operating system obtained at a first time;
wherein the processing unit is capable of comparing the stored representation of the configuration data obtained at the first time with a representation of the configuration data associated with the operating system obtained at a second time and, if deviation is detected between the stored representation of the configuration data obtained at the first time and the representation of the configuration data obtained at the second time, automatically performing at least one remedial measure in response to the deviation detected.
20. A system for detecting hostile software in a computer system comprising:
means for storing a representation of configuration data associated with an operating system for the computer system obtained at a first time;
means for comparing the stored representation of the configuration data obtained at the first time with a representation of the configuration data associated with the operating system for the computer system obtained at a second time; and
means for automatically performing at least one remedial measure in response to the deviation detected, if deviation is detected between the stored representation of the configuration data obtained at the first time and the representation of the configuration data obtained at the second time.
21. An article of manufacture comprising:
a computer usable medium having computer readable program code means embodied therein for causing hostile software to be detected in a computer system, the computer readable program code means in said article of manufacture comprising:
computer readable program code means for causing a computer to store a representation of configuration data associated with an operating system for the computer system obtained at a first time;
computer readable program code means for causing the computer to compare the stored representation of the configuration data obtained at the first time with a representation of the configuration data associated with the operating system for the computer system obtained at a second time; and
computer readable program code means for causing the computer to automatically perform at least one remedial measure in response to the deviation detected, if deviation is detected between the stored representation of the configuration data obtained at the first time and the representation of the configuration data obtained at the second time.
Specification