Efficient white listing of user-modifiable files
Abstract
A system and method for efficiently determining that a received file is not malware is presented. In operation, when a file is received at a computing device, an evaluation is made as to whether the file includes user-modifiable, or superficial, data areas, i.e., areas of the file that by their nature do not typically carry or embed malware. If the file includes superficial data areas, those superficial data areas are filtered out and a file signature is generated based on the remaining portions of the received file. The file can then be compared to a list of known malware to determine if the file is malware. Alternatively, the file can be compared to a list of known, trusted files to determine whether the file is trustworthy.
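The filtering-then-signing flow described in the abstract, as an added example that is not taken from the patent. It assumes a ZIP-based document container in which members under `content/` are the superficial areas; that layout, the member names, the whole-file fallback and the function names are all constructed for illustration.

```python
import hashlib
import io
import zipfile

# Assumption (not from the patent text): a ZIP-based document whose members
# under "content/" are user-editable, i.e. the superficial data areas.
SUPERFICIAL_PREFIXES = ("content/",)

def permanent_signature(data: bytes) -> str:
    """SHA-256 over the more permanent portions of a received file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not a user-modifiable container here: sign the whole file.
        return hashlib.sha256(data).hexdigest()
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Sort so member order does not change the signature.
        for info in sorted(z.infolist(), key=lambda i: i.filename):
            if info.filename.startswith(SUPERFICIAL_PREFIXES):
                continue  # filter out superficial data areas
            name, body = info.filename.encode(), z.read(info)
            # Length-prefix each field so member boundaries are unambiguous.
            h.update(len(name).to_bytes(4, "big") + name)
            h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()

def classify(data: bytes, whitelist: set, blacklist: set) -> str:
    """Compare the signature to known-malware and known-trusted lists."""
    sig = permanent_signature(data)
    if sig in blacklist:
        return "malware"
    return "trusted" if sig in whitelist else "unknown"

def make_doc(text: bytes, macro: bytes) -> bytes:
    """Build a constructed sample document in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content/body.txt", text)
        z.writestr("macros/module1.bas", macro)
    return buf.getvalue()

if __name__ == "__main__":
    macro = b"Sub Hello()\nEnd Sub\n"
    a = make_doc(b"Dear Alice", macro)
    b = make_doc(b"Dear Bob, revised draft", macro)
    trusted = {permanent_signature(a)}
    print(classify(b, trusted, set()))
    print(classify(make_doc(b"Dear Alice", b"Sub X()\n"), trusted, set()))
```

A white-list match here vouches only for the hashed members; the filtered areas are never examined, so the choice of what counts as superficial determines what the signature actually covers.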
18 Claims
1. A computer system for identifying malware in received files, the computer system comprising:
a processor;
a communication connection for receiving a file; and
a memory;
wherein the computer system is configured such that, upon receiving a file at the communication connection;
determines whether the received file is a user-modifiable file, and if so;
selects those portions of the received file that are more permanent;
generates a file signature based on those selected portions of the received file that are more permanent; and
determines whether the received file is malware based on the generated file signature.
2. The computer system of claim 2, wherein the computer system determines whether the received file is malware based on the generated file signature by comparing the generated file signature to file signatures in a white list data store comprising a collection of records of trusted files, wherein each record includes a file signature of a trusted file.
7. A method, executed on a computing device in response to receiving a file, for determining whether the received file is malware, the method comprising:
determining whether the received file includes superficial data areas, and if so;
filtering out those portions of the received file that are superficial data areas;
generating a file signature based on the remaining portions of the received file that were not filtered out; and
determining whether the received file is malware based on the generated file signature.
13. A computer-readable medium bearing computer-executable instructions which, when executed on a computing device capable of receiving files from an external source, carry out a method for determining whether a received file is malware, the method comprising:
determining whether the received file includes superficial data areas, and if so;
filtering out those portions of the received file that are superficial data areas;
generating a file signature based on the remaining portions of the received file that were not filtered out; and
determining whether the received file is malware based on the generated file signature.
Specification