Efficient white listing of user-modifiable files

US 20060095971A1
Filed: 10/29/2004
Published: 05/04/2006
Est. Priority Date: 10/29/2004
Status: Active Grant

First Claim

Patent Images

1. A computer system for identifying malware in received files, the computer system comprising:

a processor;

a communication connection for receiving a file; and

a memory;

wherein the computer system is configured such that, upon receiving a file at the communication connection;

determines whether the received file is a user-modifiable file, and if so;

selects those portions of the received file that are more permanent;

generates a file signature based on those selected portions of the received file that are more permanent; and

determines whether the received file is malware based on the generated file signature.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for efficiently determining that a received file is not malware is presented. In operation, when a file is received at a computing device, an evaluation is made as to whether the file includes user-modifiable, or superficial, data areas, i.e., areas of the file that by their nature do not typically carry or embed malware. If the file includes superficial data areas, those superficial data areas are filtered out and a file signature is generated based on the remaining portions of the received file. The file can then be compared to a list of know malware to determine if the file is malware. Alternatively, the file can be compared to a list of known, trusted files to determine whether the file is trustworthy.

100 Citations

View as Search Results

18 Claims

1. A computer system for identifying malware in received files, the computer system comprising:
- a processor;
  
  a communication connection for receiving a file; and
  
  a memory;
  
  wherein the computer system is configured such that, upon receiving a file at the communication connection;
  
  determines whether the received file is a user-modifiable file, and if so;
  
  selects those portions of the received file that are more permanent;
  
  generates a file signature based on those selected portions of the received file that are more permanent; and
  
  determines whether the received file is malware based on the generated file signature.
- View Dependent Claims (6)
- - 6. The computer system of claim 1, wherein the computer system determines whether the received file is malware based on the generated file signature by comparing the generated file signature to file signatures of known malware.

2. The computer system of claim 2, wherein the computer system determines whether the received file is malware based on the generated file signature by comparing the generated file signature to file signatures in a white list data store comprising a collection of records of trusted files, wherein each record includes a file signature of a trusted file.
- View Dependent Claims (3, 4, 5)
- - 3. The computer system of claim 2 further comprising a white list data store.
  - 4. The computer system of claim 2, wherein the white list data store is remote to the computer system, and wherein the computer system accesses the white list data store via the communication connection.
  - 5. The computer system of claim 2, wherein the computer system determines whether the received file is malware based on the generated file signature by further comparing the generated file signature to file signatures of known malware.

7. A method, executed on a computing device in response to receiving a file, for determining whether the received file is malware, the method comprising:
- determining whether the received file includes superficial data areas, and if so;
  
  filtering out those portions of the received file that are superficial data areas;
  
  generating a file signature based on the remaining portions of the received file that were not filtered out; and
  
  determining whether the received file is malware based on the generated file signature.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein determining whether the received file is malware based on the generated file signature comprises comparing the generated file signature to file signatures in a white list data store, the white list data store comprising a collection of records of trusted files, and wherein each record includes a file signature of a trusted file.
  - 9. The method of claim 8, wherein the white list data store resides on the computing device.
  - 10. The method of claim 8, wherein the white list data store is remote to the computing device.
  - 11. The method of claim 8, wherein determining whether the received file is malware based on the generated file signature further comprises comparing the generated file signature to file signatures of known malware.
  - 12. The method of claim 7, wherein determining whether the received file is malware based on the generated file signature comprises comparing the generated file signature to file signatures of known malware.

13. A computer-readable medium bearing computer-executable instructions which, when executed on a computing device capable of received files from an external source, carry out a method for determining whether a received file is malware, the method comprising:
- determining whether the received file includes superficial data areas, and if so;
  
  filtering out those portions of the received file that are superficial data areas;
  
  generating a file signature based on the remaining portions of the received file that were not filtered out; and
  
  determining whether the received file is malware based on the generated file signature.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein determining whether the received file is malware based on the generated file signature comprises comparing the generated file signature to file signatures in a white list data store, the white list data store comprising a collection of records of trusted files, and wherein each record includes a file signature of a trusted file.
  - 15. The method of claim 14, wherein the white list data store resides on the computing device.
  - 16. The method of claim 14, wherein the white list data store is remote to the computing device.
  - 17. The method of claim 14, wherein determining whether the received file is malware based on the generated file signature further comprises comparing the generated file signature to file signatures of known malware.
  - 18. The method of claim 13, wherein determining whether the received file is malware based on the generated file signature comprises comparing the generated file signature to file signatures of known malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Costea, Mihai, Field, Scott, Ulagaratchagan, Damodharan

Granted Patent

US 10,043,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/562 Static detection

Efficient white listing of user-modifiable files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient white listing of user-modifiable files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links