On-access scan of memory for malware
Abstract
The present invention provides a system, method, and computer-readable medium for identifying malware that is loaded in the memory of a computing device. Software routines implemented by the present invention track the state of pages loaded in memory using page table access bits available from a central processing unit. A page in memory may be in a state that is “unsafe” or potentially infected with malware. In this instance, the present invention calls a scan engine to search a page for malware before information on the page is executed.
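The page-state tracking described in the abstract can be modelled as a small state machine. This is an added illustration, not code from the patent: the two permission flags, the rule that any write returns a page to the unsafe state, the 64-byte page size and the four-byte signature are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 64            /* assumed tiny page size, for readability */

enum page_state { PAGE_UNSAFE, PAGE_SAFE };

struct page {
    unsigned char data[PAGE_SIZE];
    bool can_write, can_exec;   /* modelled page-table permission bits */
    enum page_state state;
    unsigned scans;             /* how many times the scan engine ran */
};

/* Constructed stand-in signature; a real engine matches many patterns. */
static const unsigned char SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF };

static bool scan_page(struct page *p) {
    p->scans++;
    for (size_t i = 0; i + sizeof SIG <= PAGE_SIZE; i++)
        if (memcmp(p->data + i, SIG, sizeof SIG) == 0)
            return false;       /* signature found */
    return true;                /* page is clean */
}

/* Newly loaded content is untrusted: writable, never executable. */
void page_init(struct page *p) {
    memset(p, 0, sizeof *p);
    p->can_write = true;
    p->state = PAGE_UNSAFE;
}

/* Write path: any write returns the page to the unsafe state. */
void page_write(struct page *p, size_t off, const void *src, size_t n) {
    if (off > PAGE_SIZE || n > PAGE_SIZE - off) return;   /* bounds check */
    p->can_write = true;  p->can_exec = false;  p->state = PAGE_UNSAFE;
    memcpy(p->data + off, src, n);
}

/* Execute path (stands in for the access-fault handler): scan only when
   the page is unsafe. Returns true when execution may proceed. */
bool page_exec(struct page *p) {
    if (p->state == PAGE_SAFE && p->can_exec) return true;  /* no rescan */
    if (!scan_page(p)) return false;                        /* blocked */
    p->state = PAGE_SAFE;  p->can_exec = true;  p->can_write = false;
    return true;
}
```

A page that has been scanned and left unmodified executes again without a second scan, which is the cost saving that tracking state per page buys over scanning on every access.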
20 Claims
1. In a computing device that includes a memory for storing information, a scan engine for identifying information indicative of malware, and a central processing unit that executes information loaded in memory on behalf of a process, a computer-implemented method of identifying malware from the information loaded in memory, comprising:
(a) regulating the ability of the process to access the information;
(b) tracking the state of the information loaded in memory; and
(c) causing the scan engine to scan the information for malware.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A software system for identifying malware on a computing device, the software system comprising:
(a) a scan engine for scanning a page of information loaded in memory for a signature characteristic of malware;
(b) a memory for storing information used by a program during execution; and
(c) a page-tracking module operative to:
(i) track the state of the page loaded in memory;
(ii) in response to a request to access the page, determine if satisfying the request may expose the computing device to the effects of malware; and
(iii) if satisfying the request to access the page may expose the computing device to the effects of malware, cause the scan engine to scan the page for malware.
18. The software system as recited in claim 18, further comprising a memory manager that provides an interface to the page-tracking module for changing the values of the page table access bits associated with the page of information.
Specification