Feedback-driven malware detector

US 20070038677A1
Filed: 07/27/2005
Published: 02/15/2007
Est. Priority Date: 07/27/2005
Status: Active Grant

First Claim

Patent Images

1. In a computer that includes an extensibility point that allows an application program to execute without input from a user, a method of obtaining feedback from the user to determine whether the application program is malware, the method comprising:

(a) monitoring the extensibility point that allows the application program to execute without input from the user;

(b) in response to determining that the application program is scheduled to be installed and added to the extensibility point;

(i) informing the user that the application program is scheduled to be installed and added to the extensibility point; and

(ii) obtaining input from the user regarding whether the application program should be installed; and

(c) transmitting a set of data that includes the input obtained from the user to a remote computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a feedback-driven malware detector are directed to protecting a computer from programs that perform actions that are malicious or not expected by a user. In one embodiment, the feedback-driven malware detector performs a method that initially determines whether the state of an application program scheduled to be added to an extensibility point on a computer is already known. If the state of the object is not already known, the user is informed that an application program is being installed on the computer and that the application program is being added to an extensibility point. Then, input is obtained from the user that assists in determining whether the application program is malware.

176 Citations

20 Claims

1. In a computer that includes an extensibility point that allows an application program to execute without input from a user, a method of obtaining feedback from the user to determine whether the application program is malware, the method comprising:
- (a) monitoring the extensibility point that allows the application program to execute without input from the user;
  
  (b) in response to determining that the application program is scheduled to be installed and added to the extensibility point;
  
  (i) informing the user that the application program is scheduled to be installed and added to the extensibility point; and
  
  (ii) obtaining input from the user regarding whether the application program should be installed; and
  
  (c) transmitting a set of data that includes the input obtained from the user to a remote computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein informing the user that the application program is scheduled to be installed and added to the extensibility point includes displaying to the user the number of other users who previously allowed the application program to be installed.
  - 3. The method as recited in claim 1, further comprising:
    - (a) if the input obtained from the user indicates that the application program should not be installed, preventing the application program from being installed on the computer; and
      
      (b) conversely, if the input obtained from the user indicates that the application program should be installed, allowing the application program to be installed on the computer.
  - 4. The method as recited in claim 1, wherein informing the user that the application program is scheduled to be installed and added to the extensibility point includes generating a signature of the object that will be automatically executed if the application program is added to the extensibility point.
  - 5. The method as recited in claim 4, wherein the object from which the signature is generated is added to the program code from a file.
  - 6. The method as recited in claim 4, further comprising:
    - (a) comparing the signature to signatures generated from objects that are known to be associated with malware; and
      
      (b) if the signature matches a signature that is known to be associated with malware, informing the user that the application program is malware.
  - 7. The method as recited in claim 1, wherein the set of data transmitted to the remote computer includes:
    - (a) a signature of the object that is scheduled to be executed if the application program is added to the extensibility point;
      
      (b) metadata that describes attributes of the object; and
      
      (c) run-time attributes that identify the state of the computer.
  - 8. The method as recited in claim 7, wherein the signature is generated using a hashing algorithm.
  - 9. The method as recited in claim 1, wherein transmitting a set of data that includes the input obtained from the user includes satisfying requests for additional data;
    - and wherein the additional data includes program code that implements the application program.

10. In a computer that is operative to receive data over a communication network and includes a database capable of storing data, a method of determining whether an application program is malware, the method comprising:
- (a) receiving a set of data when an application program is scheduled to be installed and added to an extensibility point on a remote computer;
  
  (b) aggregating data that was obtained from a plurality of remote computers; and
  
  (c) performing an analysis of the aggregated data to determine whether the application program is malware.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10, further comprising:
    - (a) generating a signature from the set of data;
      
      (b) if the analysis indicates that the application program is malware, causing the signature to be added to a list of signatures of known malware that is distributed to the plurality of remote computers; and
      
      (c) if the analysis reveals that the application program is benevolent, causing the signature to be added to a list of signatures associated with benevolent application programs that is distributed to the plurality of remote computers.
  - 12. The method as recited in claim 10, wherein the set of data received includes:
    - (a) a signature of an object that will be executed if the application program is added to the extensibility point;
      
      (b) metadata that describes attributes of the object; and
      
      (c) run-time attributes of the state of the computer.
  - 13. The method as recited in claim 10, wherein aggregating together the data that was obtained from the plurality of remote computers includes using a database application to create a view that identifies the number of users who allowed the application program to be installed on his or her computers.
  - 14. The method as recited in claim 10, wherein performing an analysis of the aggregated data to determine whether the application program is malware is performed without reverse engineering program code that implements the application program.
  - 15. The method as recited in claim 10, wherein performing an analysis of the aggregated data to determine whether the application program is malware includes re-creating the run-time attributes of a computer in a laboratory setting and observing the functions performed by the application program.

16. In a computer networking environment that includes a backend server and a client computer that are communicatively connected, a software system for determining whether an application program that is scheduled to be installed and added to an extensibility point on the client computer is malware, the software system comprising:
- (a) a reporting module that causes a set of data to be transmitted to the backend server when the application program is scheduled to be added to an extensibility point on the client computer;
  
  (b) an analysis module that is operative to receive the set of data generated by the reporting module and use the data to determine whether the application program is malware; and
  
  (c) a database application that aggregates the set of data generated by the reporting module together with data previously received from other computers in the computer networking environment.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The software system as recited in claim 16, further comprising a backend database that is operative to store the set of data transmitted to the backend server;
    - and wherein the database application is further configured to aggregate a view of the data in the backend server that calculates the number of users who allowed the application program to be installed on his or her computers.
  - 18. The software system as recited in claim 16, further comprising a signature database operative to store:
    - (a) a list of signatures generated from known malware; and
      
      (b) a list of signatures generated from known benevolent application programs.
  - 19. The software system as recited in claim 18, wherein the signature database is updated with signatures generated from application programs that are being installed in the computer networking environment.
  - 20. The software system as recited in claim 18, wherein the reporting module is further configured to compare a signature generated from the application program to signatures stored in the signature database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garms, Jason, Reasor, Sterling, Jones, Christopher, Newman, Andrew, Franczyk, Ronald

Granted Patent

US 7,730,040 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/565 by checking file integrity

Feedback-driven malware detector

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

176 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Feedback-driven malware detector

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links