System and method for scanning memory for pestware
First Claim
1. A method for scanning executable memory of a protected computer for pestware comprising:
enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Abstract
Systems and methods for managing multiple related pestware processes on a protected computer are described. One embodiment is configured to identify a location of each of a plurality of files in at least one file storage device of the protected computer and store a list of the location of each of the plurality of files. The list of the plurality of files is then sorted so as to generate a sorted list. Each of the plurality of files is then sequentially accessed as listed in the sorted list so as to retrieve information from each of the plurality of files. Information from the plurality of files is then analyzed to determine whether any of the plurality of files are potential pestware files. In variations, the files in the file storage device are enumerated, and information from the files is accessed, by circumventing the operating system of the protected computer.
21 Claims
1. A method for scanning executable memory of a protected computer for pestware comprising:
enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for managing pestware comprising:
a pestware detection module configured to detect pestware on a protected computer, the protected computer including at least one file storage device and executable memory, wherein the pestware detection module is configured to:
enumerate a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
identify a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
scan at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer readable medium encoded with instructions to scan for pestware on a protected computer, the instructions including:
enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 16, 17, 18, 19, 20, 21
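The independent claims (1, 8 and 15) all describe the same three-step procedure: enumerate a process and the dependencies (loaded modules) running in its executable memory, take each module's load address as a reference point, and compare the bytes at a fixed offset from that reference point against a pattern of known pestware code. The following is an added worked example of that procedure, not code from the patent or its assignee. It models the process's executable memory as a constructed flat byte image with three modules mapped at assumed base addresses; the module names, base addresses and the signature bytes are illustrative, not real malware indicators. A real scanner would obtain the module list from the OS (for example the PSAPI module enumeration on Windows) and read the target process's memory instead of a local array, but the scan logic and, importantly, the bounds check are the same: an offset that lands outside the dependency's mapped region must be rejected, or the scanner reads a neighbouring mapping (or unmapped memory) and reports a false match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a process's executable memory: one flat image in which
 * the main executable and its dependencies are mapped at assumed base
 * addresses (the claims' "reference points"). Addresses are offsets into this
 * image; a real scanner would read the target process's memory instead. */
#define IMAGE_SIZE 0x4000

struct module_map {
    const char *name;
    size_t base;   /* reference point: module load address within the image */
    size_t size;   /* mapped size of the module */
};

struct signature {
    const char *label;
    const uint8_t *bytes;
    size_t len;
    size_t offset; /* where, relative to a module's reference point, the pattern is expected */
};

struct hit {
    const char *module;
    const char *signature;
};

/* Compare memory at (module base + signature offset) against the pattern.
 * Bounds are checked against the module's own mapped size first, so an offset
 * past the end of a small dependency is rejected rather than read from
 * whatever happens to follow it, and then against the image itself. */
static int matches_at(const uint8_t *image, size_t image_size,
                      const struct module_map *m, const struct signature *sig)
{
    if (sig->offset > m->size || sig->len > m->size - sig->offset)
        return 0;                      /* window lies outside this module */
    size_t start = m->base + sig->offset;
    if (start > image_size || sig->len > image_size - start)
        return 0;                      /* module table inconsistent with image */
    return memcmp(image + start, sig->bytes, sig->len) == 0;
}

/* Steps 1-3 of the claim: walk every enumerated module (process plus its
 * dependencies), and for each one test every signature at its offset from
 * that module's reference point. Returns the number of hits recorded. */
size_t scan_modules(const uint8_t *image, size_t image_size,
                    const struct module_map *mods, size_t nmods,
                    const struct signature *sigs, size_t nsigs,
                    struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < nmods; i++)
        for (size_t j = 0; j < nsigs; j++)
            if (matches_at(image, image_size, &mods[i], &sigs[j]) && n < max_hits) {
                hits[n].module = mods[i].name;
                hits[n].signature = sigs[j].label;
                n++;
            }
    return n;
}

/* Illustrative pattern bytes (a pushad / call $+5 / pop ebp stub); not a real signature. */
static const uint8_t SIG_A[] = {0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D};

/* Constructed scenario: three modules, the pattern planted once inside
 * "inject.dll" at offset 0x40, and once again 0x100 bytes past the end of
 * inject.dll's mapping. The second copy must NOT be reported: offset 0x900
 * is outside inject.dll (size 0x800), and at the same offset in the other
 * modules the bytes are zero. */
size_t demo_scan(struct hit *hits, size_t max_hits)
{
    static uint8_t image[IMAGE_SIZE];
    memset(image, 0, sizeof image);
    const struct module_map mods[] = {
        {"app.exe",    0x0000, 0x1000},
        {"helper.dll", 0x1000, 0x1000},
        {"inject.dll", 0x2000, 0x0800},
    };
    const struct signature sigs[] = {
        {"sig-A@0x40",  SIG_A, sizeof SIG_A, 0x40},
        {"sig-A@0x900", SIG_A, sizeof SIG_A, 0x900},
    };
    memcpy(image + 0x2000 + 0x40,  SIG_A, sizeof SIG_A); /* inside inject.dll */
    memcpy(image + 0x2000 + 0x900, SIG_A, sizeof SIG_A); /* past inject.dll's end */
    return scan_modules(image, IMAGE_SIZE, mods, 3, sigs, 2, hits, max_hits);
}

int main(void)
{
    struct hit hits[8];
    size_t n = demo_scan(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("hit: %s matched %s\n", hits[i].module, hits[i].signature);
    return 0;
}
```

The scan is deliberately offset-based rather than a linear sweep of the whole address space: it only reads the small windows where the pattern is expected relative to each module's base, which is what keeps this approach cheap enough to run against every process. The price is that the offset table is only meaningful relative to a correctly enumerated module list, so the `matches_at` check against `m->size` is not optional.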
Specification