System and method for neutralizing locked pestware files

US 20060277183A1
Filed: 06/06/2005
Published: 12/07/2006
Est. Priority Date: 06/06/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for removing pestware files located on a storage device of a protected computer, the method comprising:

detecting a presence of a pestware file on the storage device while the operating system of the protected computer is limiting access to the pestware file via the operating system;

altering, while the operating system continues to limit access to the file via the operating system, at least a portion of a listing of a plurality of pointers, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the pestware file at a corresponding one of each of the plurality of locations; and

removing, while the operating system continues to limit access to the file via the operating system, the name of the pestware file from a directory entry of the pestware file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for scanning and deleting pestware on a protected computer are described. In one variation, the presence of a pestware file on the storage device is detected while an operating system of the protected computer is limiting access to the pestware file via the operating system. In order mitigate any undesirable consequences the pestware might cause, a listing of a plurality of pointers to data for the pestware file is altered while the operating system continues to limit access to the file via the operating system. In this way, the operating system will be unable to locate and launch the pestware file. In variations, the name of the pestware file from a directory entry of the pestware file. In systems where the files are organized in an NTFS format, an MFT bitmap may be removed as well.

Citations

21 Claims

1. A method for removing pestware files located on a storage device of a protected computer, the method comprising:
- detecting a presence of a pestware file on the storage device while the operating system of the protected computer is limiting access to the pestware file via the operating system;
  
  altering, while the operating system continues to limit access to the file via the operating system, at least a portion of a listing of a plurality of pointers, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the pestware file at a corresponding one of each of the plurality of locations; and
  
  removing, while the operating system continues to limit access to the file via the operating system, the name of the pestware file from a directory entry of the pestware file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19)
- - 2. The method of claim 1 including:
    - locating the listing of the plurality of pointers by locating a directory entry for the file.
  - 3. The method of claim 1, wherein the listing of the plurality of pointers is located in a data bitmap, and wherein files on the storage device are organized in accordance with an NTFS system.
  - 4. The method of claim 1, wherein the listing of the plurality of pointers are FAT entries in a FAT table.
  - 5. The method of claim 1, wherein the removing includes removing the name of the pestware file from the directory entry by removing the file entry from a master file table (MFT).
  - 6. The method of claim 1, wherein the removing includes removing the name of the pestware file from a directory entry, wherein files stored on the file storage device are organized in accordance with a FAT system.
  - 7. The method of claim 5, including altering an MFT bitmap so as to indicate to the operating system that an MFT entry for the pestware file is available for reuse.
  - 8. The method of claim 1, including:
    - deleting at least one of the plurality of portions of data for the pestware file.
  - 19. The computer readable medium of claim 1, wherein the removing includes removing the name of the pestware file from a directory entry, wherein files stored on the file storage device are organized in accordance with a FAT system.

9. A system for removing pestware files from a file storage device of a protected computer, the protected computer including an operating system, the system comprising:
- a pestware detection module configured to identify a file stored in the file storage device of the protected computer as a pestware file; and
  
  a file removal module configured to;
  
  alter, while the operating system prevents access to the pestware file via the operating system, a listing of a plurality of pointers, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the file storage device, and the file storage device stores each of a plurality of portions of data for the pestware file at a corresponding one of each of the plurality of locations, wherein the altered listing of pointers prevents the operating system from accessing the pestware file.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the file removal module is configured to remove, while the operating system continues to limit access to the pestware file via the operating system, the name of the pestware file from a directory entry for the pestware file.
  - 11. The system of claim 9, wherein files on the file storage device are organized according to an NTFS organization system and the listing of the plurality of pointers is located in a data bitmap for the file storage device.
  - 12. The system of claim 9, wherein the files on the file storage device are organized according to an FAT organization system and the listing of a plurality of pointers are FAT entries in a FAT table.
  - 13. The system of claim 9, wherein the file removal module is configured to:
    - delete at least one of the plurality of portions of data for the pestware file.

14. A computer readable medium encoded with instructions for removing pestware files from a storage device of a protected computer, the instructions including instructions for:
- detecting a presence of a pestware file on the storage device while the operating system of the protected computer is limiting access to the pestware file via the operating system;
  
  altering, while the operating system continues to limit access to the file via the operating system, a listing of a plurality of pointers, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the pestware file at a corresponding one of each of the plurality of locations; and
  
  removing, while the operating system continues to limit access to the file via the operating system, the name of the pestware file from the directory entry of the pestware file.
- View Dependent Claims (15, 16, 17, 18, 20, 21)
- - 15. The computer readable medium of claim 14 including instructions for locating the listing of the plurality of pointers by locating a directory entry for the file.
  - 16. The computer readable medium of claim 14, wherein the listing of the plurality of pointers is located in a data bitmap, and wherein files on the storage device are organized in accordance with an NTFS system.
  - 17. The computer readable medium of claim 14, wherein the listing of the plurality of pointers are FAT entries in a FAT table.
  - 18. The computer readable method of claim 14, wherein the removing includes removing the directory entry for the filename by removing the file entry from a master file table (MFT).
  - 20. The computer readable medium of claim 14, including instructions for altering the MFT bitmap so as to indicate to the operating system that an MFT entry for the file is available for reuse.
  - 21. The computer readable medium of claim 14 including instructions for deleting at least one of the plurality of portions of data for the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Burtscher, Michael, Nichols, Tony

Application Number

US11/145,593
Publication Number

US 20060277183A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

System and method for neutralizing locked pestware files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for neutralizing locked pestware files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links