Protecting computing systems from unauthorized programs

US 20060130144A1
Filed: 12/14/2004
Published: 06/15/2006
Est. Priority Date: 12/14/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method in a computing system for protecting the computing system from computer viruses, the method comprising:

executing a protection program on a computing system during startup to facilitate antivirus protection for the computing system, the executing occurring subsequent to booting of the computing system and prior to execution of other programs during the computing system startup; and

under control of the executing protection program, automatically preventing computer viruses from executing on the computing system during startup by, for each of multiple other programs that are to be executed during the computing system startup, before the other program is executed during the computing system startup, automatically determining if the other program is unchanged since a successful execution during a prior startup of the computing system; and

unless it is determined that the other program is unchanged, automatically determining if the other program is included in a set of programs previously identified as being authorized; and

unless it is determined that the other program is included in the set of authorized programs, automatically preventing the other program from being executed, so that unauthorized programs are not executed during computing system startup.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer-readable medium are described for assisting in protecting computing systems from unauthorized programs, such as by preventing computer viruses and other types of malware programs from executing during startup of a computing system and/or at other times. In some situations, computing system protection is provided by executing programs only if they have been confirmed as being authorized, which may be determined in various ways (e.g., if a program is automatically determined to be unchanged since a prior time when the program was authorized or to match a set of programs identified as being allowable, or if an appropriate user provides appropriate information). This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

Citations

47 Claims

1. A method in a computing system for protecting the computing system from computer viruses, the method comprising:
- executing a protection program on a computing system during startup to facilitate antivirus protection for the computing system, the executing occurring subsequent to booting of the computing system and prior to execution of other programs during the computing system startup; and
  
  under control of the executing protection program, automatically preventing computer viruses from executing on the computing system during startup by, for each of multiple other programs that are to be executed during the computing system startup, before the other program is executed during the computing system startup, automatically determining if the other program is unchanged since a successful execution during a prior startup of the computing system; and
  
  unless it is determined that the other program is unchanged, automatically determining if the other program is included in a set of programs previously identified as being authorized; and
  
  unless it is determined that the other program is included in the set of authorized programs, automatically preventing the other program from being executed, so that unauthorized programs are not executed during computing system startup.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein one or more of the multiple other programs each contains a computer virus, and wherein the automatic preventing of computer viruses from executing on the computing system during startup includes blocking execution of each of the one or more other programs without having identified that other program as containing a computer virus.
  - 3. The method of claim 1 wherein the automatic determining if an other program is unchanged since a successful execution during a prior startup includes determining that one or more current characteristics of the other program each match a corresponding characteristic of the other program at the prior startup, the one or more current characteristics including at least one of a file size of the other program, a checksum of the other program, a cyclical redundancy checking value for the other program, and at least a portion of the contents of the other program.
  - 4. The method of claim 1 wherein the automatic determining if an other program is unchanged since a successful execution during a prior startup includes determining that the other program is not unchanged if the other program has not previously executed successfully during startup of the computing system.
  - 5. The method of claim 1 wherein the automatic preventing of an other program from being executed includes, after the other program is determined to be changed since a successful execution during a prior startup, replacing the other program with a backup copy of the other program prior to the change.
  - 6. The method of claim 1 wherein the automatic preventing of an other program from being executed includes querying a user of the computing system to provide authorization to execute the other program and blocking execution of the other program if the authorization is not received from the user.
  - 7. The method of claim 1 wherein the automatic determining if an other program is included in the set of programs previously identified as being authorized includes interacting with a remote server that stores information about the set of authorized programs.
  - 8. The method of claim 7 wherein multiple copies of the protection program each execute on one of multiple distinct computing systems to facilitate antivirus protection for those computing systems, and wherein each of the protection program copies provide information to the remote server about programs that execute on the computing system on which the protection program executes, so that the remote server can dynamically expand the set of authorized programs based on the information provided from the multiple protection program copies in a distributed manner.
  - 9. The method of claim 1 further comprising, under control of the executing protection program, automatically preventing computer viruses from executing on the computing system after startup by, for each of multiple additional other programs that are to be executed after the computing system startup, automatically preventing the additional other program from being executed unless the additional other program is determined to be authorized.

10. A computer-implemented method for protecting a computing system from execution of unwanted programs, the method comprising:
- identifying one or more programs to be executed during startup of a computing system; and
  
  automatically preventing unwanted programs from being executed during the computing system startup by, for each of the identified programs, before the identified program is executed during the computing system startup, automatically determining whether the identified program is confirmed as being allowable for the computing system; and
  
  unless it is determined that the identified program is confirmed as being allowable, automatically preventing the identified program from being executed.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 11. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system includes confirming that the program is allowable for the computing system if the program is identified as being unchanged since a prior startup of the computing system.
  - 12. The method of claim 11 wherein the identifying that a program is unchanged since a prior startup of the computing system includes determining that, for at least one characteristic related to contents of a program, an identified value of the characteristic for the program matches an identified value of the characteristic for a copy of the program that was executed during the prior startup.
  - 13. The method of claim 12 wherein the at least one characteristics related to the contents of a program include one or more of a file size of the program, a checksum of the program, a cyclical redundancy checking value for the program, and at least a portion of the contents of the program.
  - 14. The method of claim 12 wherein the at least one characteristics related to the contents of a program include metadata for the program that is distinct from the contents.
  - 15. The method of claim 10 wherein one or more predefined program characterizations each has a specified value for one or more indicated program characteristics of an allowable program, and wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system includes confirming that the identified program is allowable for the computing system if the identified program matches at least one of the predefined program characterizations.
  - 16. The method of claim 15 wherein an identified program is determined to match a program characterization if the identified program has identified values for the program characteristics indicated for that program characterization that match the specified values for those program characteristics for the program characterization.
  - 17. The method of claim 15 wherein the indicated program characteristics for each of the program characterizations include one or more of a file size of a program, a checksum of a program, a cyclical redundancy checking value for a program, and at least a portion of contents of a program.
  - 18. The method of claim 15 wherein the indicated program characteristics for each of the program characterizations include metadata for a program that is distinct from contents of the program.
  - 19. The method of claim 15 including defining at least some of the program characterizations based on programs identified as authorized for the computing system.
  - 20. The method of claim 15 including providing information to a distinct computing system about one or more of the identified programs so that the distinct computing system can define program characterizations based on information provided from multiple computing systems being protected from execution of unwanted programs.
  - 21. The method of claim 15 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system includes providing information about the identified program to a distinct computing system in order to obtain an indication from the distinct computing system regarding whether the identified program is confirmed as being allowable for the computing system.
  - 22. The method of claim 15 including, before matching an identified program to at least one of the predefined program characterizations, obtaining information about at least some of the program characterizations from a distinct computing system.
  - 23. The method of claim 15 wherein the predefined program characterizations include multiple predefined program characterizations for multiple allowable programs, and wherein the predefined program characterizations are not specific to the computing system.
  - 24. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system includes confirming that the identified program is allowable for the computing system based on an indication to allow the identified program received from a user associated with the computing system.
  - 25. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system includes confirming that the identified program is not allowable for the computing system if the identified program is identified as being of one or more types of unwanted programs, the unwanted program types including a computer virus, a computer worm, a Trojan, malware, spyware, adware, a browser hijacker, a dialer, a rootkit, and a dropper.
  - 26. The method of claim 10 wherein the method further includes automatically preventing unwanted programs from being executed after the computing system startup by, for each of at least some programs whose execution is initiated after the computing system startup, automatically preventing the program from being executed unless it is determined that the program is confirmed as being allowable.
  - 27. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system is performed dynamically during the computing system startup.
  - 28. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system is performed by a protection program executed on the computing system.
  - 29. The method of claim 10 wherein the automatic determining of whether an identified program is confirmed as being allowable for the computing system is performed by a distinct computing system remote from the computing system.
  - 30. The method of claim 10 wherein the automatic preventing of an identified program from being executed includes blocking execution of the identified program.
  - 31. The method of claim 10 wherein the automatic preventing of an identified program from being executed includes replacing the identified program with a copy of the identified program that is allowable for the computing system.
  - 32. The method of claim 10 wherein an identified program has been changed by malware, and wherein the automatic preventing of the identified program from being executed includes replacing the identified program with a copy of the identified program prior to the change.
  - 33. The method of claim 10 wherein the automatic identifying of the programs to be executed during startup of a computing system includes analyzing configuration information for the computing system and/or dynamically identifying attempts to initiate execution of programs on the computing system.
  - 34. The method of claim 10 further comprising automatically preventing use of non-executable data by a program unless it is automatically determined that the data is allowable for the computing system.

35. A computer-readable medium whose contents enable a computing device to prevent execution of malware programs, by performing a method comprising:
- automatically protecting a computing device from malware programs by, for each of one or more programs identified to be executed on the computing device, attempting to automatically determine that the identified program is not a malware program; and
  
  unless the automatic determining confirms that the identified program is not a malware program, automatically preventing the identified program from executing.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer-readable medium of claim 35 wherein the attempting to automatically determine that an identified program is not a malware program includes confirming that the identified program is not a malware program if the identified program is determined to be allowable.
  - 37. The computer-readable medium of claim 35 wherein the computer-readable medium is a memory of a computing device.
  - 38. The computer-readable medium of claim 35 wherein the computer-readable medium is a data transmission medium transmitting a generated data signal containing the contents.
  - 39. The computer-readable medium of claim 35 wherein the contents are instructions that when executed cause the computing device to perform the method.
  - 40. The computer-readable medium of claim 35 wherein the contents include one or more data structures for use in preventing execution of malware programs, the data structures comprising multiple entries corresponding to programs determined to be allowable such that each entry includes a characterization of an allowable program, each characterization of an allowable program containing one or more of a file size of the program, a checksum of the program, a cyclical redundancy checking value for the program, and a portion of contents of the program.

41. A computing system configured to prevent unwanted changes affecting computing system execution, comprising:
- a target identifier component that is configured to identify one or more groups of data to be used during startup of a computing device;
  
  a target use authorizer component that is configured to, for each of the identified groups of data and before the identified group of data is used during the computing device startup, automatically determine whether the identified group of data is unchanged since a prior use of a copy of the identified group of data and/or whether a change of the identified group of data since the prior use was authorized; and
  
  a target use preventer component configured to, for each of the identified groups of data and unless it is determined that the identified group of data is unchanged since the prior use or that the change of the identified group of data since the prior use was approved by an authorized user, automatically prevent the identified group of data from being used during startup of the computing device.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. The computing system of claim 41 wherein the target use preventer component is further configured to allow an identified group of data to be used during startup of the computing device if the identified group of data matches an group of data previously identified as being allowable.
  - 43. The computing system of claim 42 further comprising a protection facilitator component that is configured to identify groups of data that are allowable.
  - 44. The computing system of claim 41 wherein each of the identified groups of data is a program to be executed during startup of the computing device.
  - 45. The computing system of claim 41 wherein the computing system is distinct from the computing device.
  - 46. The computing system of claim 41 wherein the target identifier component, the target use authorizer component, and the target use preventer component are each executing in memory of the computing system.
  - 47. The computing system of claim 41 wherein the target identifier component consists of a means for identifying one or more groups of data to be used during startup of a computing device, wherein the target use authorizer component consists of a means for, for each of the identified groups of data and before the identified group of data is used during the computing device startup, automatically determining whether the identified group of data is unchanged since a prior use of a copy of the identified group of data and/or whether a change of the identified group of data since the prior use was authorized, and wherein the target use preventer component consists of a means for, for each of the identified groups of data and unless it is determined that the identified group of data is unchanged since the prior use or that the change of the identified group of data since the prior use was approved by an authorized user, automatically preventing the identified group of data from being used during startup of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GAMI LLC
Original Assignee
Delta Insights, LLC
Inventors
Wernicke, Charles R.

Application Number

US11/012,856
Publication Number

US 20060130144A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/56 Computer malware detection ...

Protecting computing systems from unauthorized programs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting computing systems from unauthorized programs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links