On-access scan of memory for malware

US 20060200863A1
Filed: 03/01/2005
Published: 09/07/2006
Est. Priority Date: 03/01/2005
Status: Active Grant

First Claim

Patent Images

1. In a computing device that includes a memory for storing information, a scan engine for identifying information indicative of malware, and a central processing unit that executes information loaded in memory on behalf of a process, a computer-implemented method of identifying malware from the information loaded in memory, comprising:

(a) regulating the ability of the process to access the information;

(b) tracking the state of the information loaded in memory; and

(c) causing the scan engine to scan the information for malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system, method, and computer-readable medium for identifying malware that is loaded in the memory of a computing device. Software routines implemented by the present invention track the state of pages loaded in memory using page table access bits available from a central processing unit. A page in memory may be in a state that is “unsafe” or potentially infected with malware. In this instance, the present invention calls a scan engine to search a page for malware before information on the page is executed.

Citations

20 Claims

1. In a computing device that includes a memory for storing information, a scan engine for identifying information indicative of malware, and a central processing unit that executes information loaded in memory on behalf of a process, a computer-implemented method of identifying malware from the information loaded in memory, comprising:
- (a) regulating the ability of the process to access the information;
  
  (b) tracking the state of the information loaded in memory; and
  
  (c) causing the scan engine to scan the information for malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as recited in claim 1, further comprising:
    - (a) if the process requests access to the information in a way that is not regulated, allowing the request to be satisfied; and
      
      (b) alternatively, if the process requests access to the information in a way that is regulated, invoking a software routine that handles the request.
  - 3. The method as recited in claim 2, wherein if satisfying the request has the potential to expose the computing device to the effects of malware, the software routine that handles the request:
    - (a) causes the scan engine to scan the information for malware; and
      
      (b) updates the data that regulates the ability of the process to access the information.
  - 4. The method as recited in claim 2, wherein if satisfying the request does not have the potential to expose the computing device to the effects of malware, the software routine updates the data that regulates the ability of the process to access the information.
  - 5. The method as recited in claim 1, wherein regulating the ability of the process to access the information includes changing the value of the page table access bits that control access to a page of the information.
  - 6. The method as recited in claim 5, further comprising:
    - (a) if the access bits associated with the page allow the type of access requested, allowing the request to be satisfied; and
      
      (b) alternatively, if access bits associated with the page do not allow the type of access requested, invoking a page fault handler.
  - 7. The method as recited in claim 6, wherein if satisfying the request has the potential to expose the computing device to the effects of malware, the page fault handler:
    - (a) causes the scan engine to scan the information for malware; and
      
      (b) if the scan engine does not identify malware on the page, updates the access bits associated with the page to indicate that the page is in a safe state.
  - 8. The method as recited in claim 7, wherein the page fault handler sets a writable access bit to false to indicate that the page is in a safe state.
  - 9. The method as recited in claim 6, wherein if satisfying the request does not have the potential to expose the computing device to the effects of malware, the page fault handler updates the access bits associated with the page to indicate that the page is not in a safe state.
  - 10. The method as recited in claim 9, wherein the page fault handler sets an executable access bit to false to indicate that the page is not in a safe state.
  - 11. The method as recited in claim 5, wherein:
    - (a) the page table access bits for the page include a present bit, a writable bit, and an executable bit;
      
      (b) the page may be in either a first state, a second state, or a third state;
      
      (c) a transition to the first state occurs when the page is loaded into memory;
      
      (d) a transition to the second state occurs when the page is in either the first state or the third state and the request to access the page will cause information to be written to the page; and
      
      (e) a transition to the third state occurs when the page is in either the first state or the second state and information on the page is scheduled for execution.
  - 12. The method as recited in claim 11, wherein the scan engine scans the page for malware before the page transitions to the third state.
  - 13. The method as recited in claim 5, wherein:
    - (a) the page table access bits for the page include a present bit, a writable bit, an executable bit, and a readable bit;
      
      (b) the page may be in either a first state, a second state, or a third state;
      
      (c) a transition to the first state occurs when the page is loaded into memory;
      
      (d) a transition to the second state occurs when the page is in either the first state or the third state and the request to access the page will cause information to be written to the page;
      
      (e) a transition to the third state occurs when the page is in either the first state or the second state and information on the page is either scheduled to be read or executed.
  - 14. The method as recited in claim 13, wherein the scan engine scans the page for malware before the page transitions to the third state.
  - 15. The method as recited in claim 1, wherein if the scan engine identifies malware in the information, performing exception processing that terminates the execution of the process or removes the malware from the computing device before execution continues.
  - 16. The method as recited in claim 1, wherein the scan engine detects heuristic factors from executable information that is loaded in memory to identify malware when performing the scan.

17. A software system for identifying malware on a computing device, the software system comprising:
- (a) a scan engine for scanning a page of information loaded in memory for a signature characteristic of malware;
  
  (b) a memory for storing information used by a program during execution; and
  
  (c) a page-tracking module operative to;
  
  (i) track the state of the page loaded in memory;
  
  (ii) in response to a request to access the page, determine if satisfying the request may expose the computing device to the effects of malware; and
  
  (iii) if satisfying the request to access the page may expose the computing device to the effects of malware, cause the scan engine to scan the page for malware.

18. The software system as recited in claim 18, further comprising a memory manager that provides an interface to the page-tracking module for changing the values of the page table access bits associated with the page of information.
- View Dependent Claims (19, 20)
- - 19. The software system as recited in claim 18, wherein the scan engine uses heuristics techniques to identify malware on a page of data.
  - 20. The software system as recited in claim 18, wherein the page tracking module is configured to track the state of the page loaded in memory using access bits available from the page table that define a program'"'"'s ability to access a page in the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Ray, Kenneth D., Kramer, Michael, Field, Scott A.

Granted Patent

US 7,836,504 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 12/145 the protection being virtua...

G06F 21/562 Static detection

On-access scan of memory for malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

On-access scan of memory for malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links