System and method for heuristic analysis to identify pestware

US 20060075501A1
Filed: 10/01/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for blocking pestware activity, the method comprising:

detecting an initial pestware activity on a protected computer;

recording the initial pestware activity;

receiving an instruction from a user of the protected computer to block the initial pestware activity;

blocking the initial pestware activity;

detecting a subsequent pestware activity;

comparing the subsequent pestware activity with the initial pestware activity; and

responsive to the subsequent pestware activity matching the initial pestware activity, automatically blocking the subsequent pestware activity.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for preventing pestware activity are described. One embodiment a heuristic engine configured to identify repeat pestware activity and configured to block the repeat pestware activity; an operating system pestware shield in communication with the heuristic engine, the operating system pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine; and a browser pestware shield in communication with the heuristic engine, the browser pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine.

Citations

29 Claims

1. A method for blocking pestware activity, the method comprising:
- detecting an initial pestware activity on a protected computer;
  
  recording the initial pestware activity;
  
  receiving an instruction from a user of the protected computer to block the initial pestware activity;
  
  blocking the initial pestware activity;
  
  detecting a subsequent pestware activity;
  
  comparing the subsequent pestware activity with the initial pestware activity; and
  
  responsive to the subsequent pestware activity matching the initial pestware activity, automatically blocking the subsequent pestware activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein detecting the initial pestware activity comprises:
    - detecting the initial pestware activity with an operating system shield.
  - 3. The method of claim 1, wherein detecting the initial pestware activity comprises:
    - detecting the initial pestware activity with a browser shield.
  - 4. The method of claim 1, wherein detecting the subsequent pestware activity comprises:
    - detecting an alteration of a registry file associated with the protected computer.
  - 5. The method of claim 1, wherein detecting the subsequent pestware activity comprises:
    - detecting an attempted installation at the protected computer of a plug-in.
  - 6. The method of claim 1, wherein detecting the subsequent pestware activity comprises:
    - detecting the attempted startup at the protected computer of a pestware program.
  - 7. The method of claim 6, wherein detecting the attempted startup of the pestware program comprises:
    - comparing an indication of the pestware program with a definition of the pestware program.
  - 8. The method of claim 1, wherein detecting the subsequent pestware activity comprises:
    - detecting the attempted installation at the protected computer of a pestware program.
  - 9. The method of claim 8, wherein detecting the attempted startup of the pestware program comprises:
    - comparing an indication of the pestware program with a definition of the pestware program.
  - 10. The method of claim 1, further comprising:
    - sending data from the protected computer to a host computer, the data indicating the subsequent pestware activity.
  - 11. The method of claim 1, further comprising:
    - collecting information from the registry file about the subsequent pestware activity; and
      
      sending the collected information from the protected computer to a host computer.
  - 12. The method of claim 1, further comprising:
    - identifying the process responsible for the subsequent pestware activity; and
      
      sending an identification of the process from the protected computer to a host computer.
  - 13. The method of claim 1, further comprising:
    - identifying the process responsible for the subsequent pestware activity; and
      
      injecting termination code into the process.
  - 14. The method of claim 1, further comprising:
    - identifying the file responsible for the subsequent pestware activity; and
      
      injecting termination code into the file.

15. A method for blocking pestware, the method comprising:
- receiving a trigger from a pestware shield, the trigger corresponding to a presently-detected pestware activity;
  
  determining if the received trigger is similar to a previously-received trigger received from the pestware shield, the previously-received trigger corresponding to previously-detected pestware; and
  
  responsive to the received trigger being similar to the previously-received trigger, automatically blocking the presently-detected pestware activity.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, further comprising:
    - determining if a user elected to block the previously-detected pestware activity, which is associated with the previously-received trigger; and
      
      responsive to determining that the user elected to block the previously-detected pestware activity and responsive to the received trigger being similar to the previously-received trigger, automatically blocking the presently-detected pestware activity.
  - 17. The method of claim 15, wherein receiving the trigger from a pestware shield comprises:
    - receiving data regarding an attempted alteration of a registry file.
  - 18. The method of claim 17, wherein receiving data regarding the attempted alteration of the registry file comprises:
    - receiving a copy of the attempted alterations.
  - 19. The method of claim 15, wherein receiving the trigger comprises:
    - receiving a copy of a file name associated with a process that is attempting to startup.
  - 20. The method of claim 15, wherein receiving the trigger comprises:
    - receiving a copy of a file name associated with an attempted installation of a plug-in.
  - 21. The method of claim 15, wherein receiving the trigger comprises:
    - receiving a copy of a file name associated with an attempted installation of a pestware program.
  - 22. The method of claim 15, further comprising:
    - collecting information from the registry file corresponding to the received trigger; and
      
      sending the collected information from the protected computer to a host computer.
  - 23. The method of claim 15, further comprising:
    - identifying the process responsible for the pestware activity corresponding to the received trigger; and
      
      sending an identification of the process from the protected computer to a host computer.

24. A system for blocking pestware activity, the system comprising:
- a heuristic engine configured to identify repeat pestware activity and configured to block the repeat pestware activity;
  
  an operating system pestware shield in communication with the heuristic engine, the operating system pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine; and
  
  a browser pestware shield in communication with the heuristic engine, the browser pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The system of claim 24, wherein the operating system pestware shield comprises:
    - a startup shield.
  - 26. The system of claim 24, wherein the operating system pestware shield comprises:
    - a memory shield.
  - 27. The system of claim 24, wherein the operating system pestware shield comprises:
    - a zombie shield.
  - 28. The system of claim 24, wherein the browser pestware shield comprises:
    - a hijack shield.
  - 29. The system of claim 24, wherein the browser pestware shield comprises:
    - a plug-in shield.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Greene, Michael P., Stowers, Bradley D., Thomas, Steve

Granted Patent

US 7,480,683 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/2101   Auditing as a secondary aspect

System and method for heuristic analysis to identify pestware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for heuristic analysis to identify pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links