Managing spyware and unwanted software through auto-start extensibility points

US 20050268112A1
Filed: 09/28/2004
Published: 12/01/2005
Est. Priority Date: 05/28/2004
Status: Abandoned Application

First Claim

Patent Images

1. For use in an unwanted software detection and removal program, a method of identifying potential unwanted software, the method comprising:

monitoring a plurality of auto-start extensibility points (ASEPs) for ASEP-hook related activity; and

detecting an unwanted software application through ASEP-hook related activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring service is provided that detects spyware or other unwanted software at the time it is installed and/or allows for the spyware'"'"'s removal. The service monitors “Auto-Start Extensibility Points” (“ASEPs”) to detect spyware installations. ASEPs refer to the configuration points that can be “hooked” to allow programs to be auto-started without explicit user invocation. Such a service is particularly effective because an overwhelming majority of spyware programs infect systems in such a way that they are automatically started upon reboot and the launch of many commonly used applications. The monitoring service can thus lead to the subsequent complete removal of the spyware installation, and does not require a frequent signature-based cleaning. Spyware that is bundled with other software such as freeware or shareware can also be removed.

115 Citations

25 Claims

1. For use in an unwanted software detection and removal program, a method of identifying potential unwanted software, the method comprising:
- monitoring a plurality of auto-start extensibility points (ASEPs) for ASEP-hook related activity; and
  
  detecting an unwanted software application through ASEP-hook related activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein monitoring and detecting omit the use of known-software signatures.
  - 3. The method of claim 1 wherein the ASEP-hook related activity comprises an executable file associating with any of the plurality of ASEPs.
  - 4. The method of claim 1 wherein the ASEP-hook related activity comprises modifying an existing association between an executable file and any of the plurality of ASEPs.
  - 5. The method of claim 1 wherein the ASEP-hook related activity comprises modifying an executable file associated with any of the plurality of ASEPs.
  - 6. The method of claim 1 further comprising:
    - notifying a user of ASEP-hook related activity.
  - 7. The method of claim 1 further comprising:
    - comparing the ASEP-hook related activity to a list of known ASEP-hook related activities; and
      
      if the ASEP-hook related activity is not on the list, identifying as potential unwanted software at least one executable file associated with the ASEP-hook related activity.
  - 8. The method of claim 1 further comprising:
    - retrieving information regarding one or more processes performing ASEP-hook related activity; and
      
      identifying a bundle of one or more ASEP-hook related activities according to the process information of the processes performing those ASEP-hook related activities.
  - 9. The method of claim 8 further comprising:
    - retrieving activity information about one or more web browser instances;
      
      retrieving process information about one or more processes spawned by the one or more web browser instances; and
      
      associating, according to the retrieved process information, activity information about at least one of the web browser instances with at least one process spawned by the web browser instances.
  - 10. The method of claim 9 wherein the activity information for the web browser instances includes a log of uniform resource locators (URLs) visited by the web browser instances.

11. A user interface for assisting a computing device user with removal of unwanted software, the user interface comprising:
- a list of user-selectable items including auto-start executable files installed on the user'"'"'s computing device;
  
  wherein, if an executable file in the list was installed as part of a bundle of executable files deriving from a common installation, the list displays information regarding the bundle.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The user interface of claim 11 further comprising a user-selectable option to disable at least one auto-start executable file associated with at least one of the user-selectable items.
  - 13. The user interface of claim 12 further comprising a user-selectable option to disable a bundle of executable files associated with at least one of the user-selectable items.
  - 14. The user interface of claim 12 wherein disabling auto-start executable files comprises removing at least one association between at least one auto-start executable file and at least one auto-start extensibility point (ASEP).
  - 15. The user interface of claim 11 further comprising a user-selectable option to restore the system to a previously-stored checkpoint.

16. A method of discovering auto-start extensibility points (ASEPs) in software of a computing device, the method comprising:
- executing an auto-start trace; and
  
  detecting at least one previously unknown ASEP in the auto-start trace.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 wherein detecting the at least one previously unknown ASEP comprises detecting an indirection pattern in the auto-start trace, wherein the indirection pattern comprises:
    - a file or registry query operation returning the name of an executable file;
      
      followed by an instantiation of the executable file.
  - 18. The method of claim 16 wherein detecting the at least one previously unknown ASEP comprises:
    - calculating the set of differences between a current state of the computing device and a past state of the computing device; and
      
      intersecting the set of differences with the results of the auto-start trace.

19. A computer-readable medium including computer-executable instructions facilitating the identifying of potential unwanted software, the computer-executable instructions performing the steps of:
- monitoring a plurality of auto-start extensibility points (ASEPs) for ASEP-hook related activity; and
  
  detecting an unwanted software application through ASEP-hook related activity.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-readable medium of claim 19 wherein monitoring and detecting omit the use of known-software signatures.
  - 21. The computer-readable medium of claim 19 wherein the ASEP-hook related activity comprises an executable file associating with any of the plurality of ASEPs.
  - 22. The computer-readable medium of claim 19 wherein the ASEP-hook related activity comprises modifying an existing association between an executable file and any of the plurality of ASEPs.
  - 23. The computer-readable medium of claim 19 wherein the ASEP-hook related activity comprises modifying an executable file associated with any of the plurality of ASEPs.

24. A computer-readable medium including computer-executable instructions facilitating the discovering of hooks to auto-start extensibility points (ASEPs) in software of a computing device, the computer-executable instructions performing the steps of:
- storing at a first checkpoint a list of ASEP hooks known to exist on the computing device at the time of the first checkpoint'"'"'s creation;
  
  storing at a second checkpoint a list of ASEP hooks known to exist on the computing device at the time of the second checkpoint'"'"'s creation; and
  
  detecting at least one ASEP hook in the second checkpoint that is not in the first checkpoint.
- View Dependent Claims (25)
- - 25. The computer-readable medium of claim 24, the computer-executable instructions further performing the step of:
    - correlating the at least one detected ASEP hook with software known to have been installed on the computing device during the time interval between the first checkpoint'"'"'s creation and the second checkpoint'"'"'s creation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Yi-Min, Verbowski, Chad E., Johnson, Aaron R., Roussev, Roussi A.

Application Number

US10/952,336
Publication Number

US 20050268112A1
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/554 involving event detection a...

Managing spyware and unwanted software through auto-start extensibility points

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Managing spyware and unwanted software through auto-start extensibility points

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links