System and method for scanning obfuscated files for pestware
Abstract
Systems and methods for managing multiple related pestware processes on a protected computer are described. In one implementation, a plurality of files in a file storage device of a protected computer are scanned and obfuscated files are identified from among the plurality of files. To identify whether the obfuscated file is a pestware file, one or more potential pestware processes are identified as being associated with the obfuscated file, and the one or more associated processes are scanned so as to determine whether the processes, and hence the obfuscated file, are pestware. In variations, the obfuscated file is analyzed to identify the start address of the associated one or more processes, and the start address is utilized as a reference point from which information located at one or more offsets from the start address is analyzed so as to determine whether the one or more processes are known pestware.
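The flow in the abstract can be sketched as follows; this is an added example, not code from the patent or its assignee. It assumes a Shannon-entropy threshold as the obfuscation test, a PE32 header as the source of the start address, association of a process with a file by image path, and constructed definition bytes, none of which are specified on this page.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content sits close to 8.0."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def entry_rva(pe: bytes) -> int:
    """AddressOfEntryPoint (start address relative to the load base) of a PE32 file."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (rva,) = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)  # sig + COFF header + 16
    return rva

def matches(module_mem: bytes, start: int, definition) -> bool:
    """Every (offset, bytes) pair must be present relative to the start address."""
    for offset, expected in definition:
        pos = start + offset
        if pos < 0 or module_mem[pos:pos + len(expected)] != expected:
            return False
    return True

def scan(path, pe, processes, definition, threshold=7.0):
    """processes: (pid, image_path, module_mem) tuples. Returns the flagged pids."""
    if shannon_entropy(pe) < threshold:        # assumed obfuscation heuristic
        return []                              # not obfuscated: scan the file itself
    start = entry_rva(pe)
    return [pid for pid, image, mem in processes
            if image == path and matches(mem, start, definition)]

def build_sample():
    """Constructed inputs: a minimal PE32-like file and three process snapshots."""
    pe = bytearray(0x100) + bytes(range(256)) * 16      # high-entropy body
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)              # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", pe, 0x80 + 24 + 16, 0x1000)  # AddressOfEntryPoint
    mem = bytearray(0x2000)                             # module image from its load base
    mem[0x1010:0x1014] = b"\xde\xc0\xad\x0b"            # constructed marker bytes
    mem[0x1040:0x1046] = b"EXAMPL"
    procs = [(101, "C:\\tmp\\a.exe", bytes(mem)), (202, "C:\\tmp\\b.exe", bytes(mem)),
             (303, "C:\\tmp\\a.exe", bytes(0x2000))]
    return bytes(pe), procs

DEFINITION = [(0x10, b"\xde\xc0\xad\x0b"), (0x40, b"EXAMPL")]  # constructed
```

Working from the entry-point RVA rather than an absolute address keeps the offsets valid when the module is loaded at a relocated base.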
20 Claims
1. A method for scanning files on a protected computer for pestware comprising:
scanning a plurality of files in at least one file storage device of the protected computer;
identifying an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
analyzing the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
retrieving information from at least one of the one or more potential pestware processes running in memory; and
analyzing the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for managing pestware comprising:
a pestware removal module configured to remove pestware on a protected computer, the protected computer including at least one file storage device and a program memory; and
a pestware detection module configured to:
scan a plurality of files in at least one file storage device of the protected computer;
identify an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
analyze the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
retrieve information from at least one of the one or more potential pestware processes running in memory; and
analyze the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A computer readable medium encoded with instructions for scanning files on a protected computer for pestware, the instructions including instructions for:
scanning a plurality of files in at least one file storage device of the protected computer;
identifying an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
analyzing the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
retrieving information from at least one of the one or more potential pestware processes running in memory; and
analyzing the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware.
Dependent claims: 18, 19, 20
Specification