Methods and systems for detection of forged computer files
Abstract
In accordance with one or more embodiments of the present invention, a method of determining whether a suspect file is malicious includes the operations of parsing the suspect file to determine if the suspect file purports to be a system file, performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file, and handling the purported system file as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file. The suspect file is a purported system file when the suspect file includes at least one characteristic attribute of a system file.
81 Citations
20 Claims
1. A method of determining whether a suspect file is malicious, comprising the operations of:
parsing the suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
handling the purported system file as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.
(Dependent claims 2, 3, 4, 5, 6, 7, 8 and 9 are not reproduced on this page.)

10. A computer readable medium on which is stored a computer program for executing the following instructions:
parsing a suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
handling the purported system file as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.

11. A malware resistant computer system, comprising:
a processing unit;
a removable media interface configured to provide access to a received removable media element;
a memory unit; and
a computer file system, wherein the processing unit executes a series of operations to detect malware in at least one of the memory unit and the computer file system, the operations comprising:
parsing a suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
handling the purported system file as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.

12. A method, comprising:
receiving a suspect file;
examining the suspect file to determine if the file purports to be a system file;
examining the attributes of the purported system file to determine if the attributes are consistent with a system file; and
declaring the purported file to be a forgery when the attributes are not consistent with the attributes of a system file.
(Dependent claims 13, 14, 15, 16, 17, 18, 19 and 20 are not reproduced on this page.)
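One way the claimed two-stage check (parse for a characteristic attribute, then compare the remaining attributes against known-good values) could be realised, written here as an added illustration rather than the patent's own implementation. The "ExampleOS" file names, vendor marker, size ranges and expected directory are constructed placeholders, a SHA-256 of the file content stands in for the signature analysis, and the header, size and location checks stand in for the heuristic analysis:

```python
import hashlib
from dataclasses import dataclass, field

# Constructed "genuine" system files (hypothetical ExampleOS binaries, not real
# operating-system files). Both carry an MZ-style header and a vendor marker.
VENDOR_MARKER = b"ExampleOS"
GENUINE_KERNEL = b"MZ" + b"\x90" * 62 + b"ExampleOS kernel loader" + b"\x00" * 400
GENUINE_SERVICE = b"MZ" + b"\x90" * 62 + b"ExampleOS service host" + b"\x00" * 200

# Known attributes of each system file: the expected content hash (the
# "signature" check) plus expected size range and directory (the "heuristic" checks).
KNOWN_SYSTEM_FILES = {
    "kernel.sys": {
        "sha256": hashlib.sha256(GENUINE_KERNEL).hexdigest(),
        "size_range": (400, 600),
        "directory": "/system/",
    },
    "svchost.exe": {
        "sha256": hashlib.sha256(GENUINE_SERVICE).hexdigest(),
        "size_range": (250, 350),
        "directory": "/system/",
    },
}


@dataclass
class SuspectFile:
    name: str
    path: str
    data: bytes


@dataclass
class Verdict:
    purports_system_file: bool
    inconsistencies: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        # Handled as malicious only when the file claims to be a system file
        # and at least one attribute disagrees with the known attributes.
        return self.purports_system_file and bool(self.inconsistencies)


def purports_to_be_system_file(f: SuspectFile) -> bool:
    """Parsing step: does the file carry a characteristic attribute of a system file?"""
    if f.name.lower() in KNOWN_SYSTEM_FILES:
        return True  # characteristic attribute: a reserved system-file name
    # characteristic attribute: executable header plus the vendor marker
    return f.data.startswith(b"MZ") and VENDOR_MARKER in f.data


def analyse(f: SuspectFile) -> Verdict:
    """Heuristic and signature analysis of a purported system file."""
    verdict = Verdict(purports_system_file=purports_to_be_system_file(f))
    if not verdict.purports_system_file:
        return verdict  # does not claim to be a system file; out of scope here
    known = KNOWN_SYSTEM_FILES.get(f.name.lower())
    if known is None:
        verdict.inconsistencies.append("vendor marker present but name is not a known system file")
        return verdict
    # Heuristic checks: executable header, size and location.
    if not f.data.startswith(b"MZ"):
        verdict.inconsistencies.append("missing executable header")
    lo, hi = known["size_range"]
    if not lo <= len(f.data) <= hi:
        verdict.inconsistencies.append(f"size {len(f.data)} outside expected {lo}-{hi}")
    normalised = f.path.replace("\\", "/").lower()
    if not normalised.startswith(known["directory"]):
        verdict.inconsistencies.append(f"located in {f.path!r} instead of {known['directory']!r}")
    # Signature check: content hash against the known-good value.
    if hashlib.sha256(f.data).hexdigest() != known["sha256"]:
        verdict.inconsistencies.append("content hash does not match the known system file")
    return verdict


def run_demo() -> dict:
    """Constructed inputs: one genuine file, one forgery, one unrelated file."""
    # Same size as the genuine file, one byte altered: passes the size heuristic,
    # fails the location heuristic and the hash check.
    forged = GENUINE_SERVICE.replace(b"service host", b"service hosT")
    cases = {
        "genuine": SuspectFile("svchost.exe", "/system/svchost.exe", GENUINE_SERVICE),
        "forged": SuspectFile("svchost.exe", "/users/temp/svchost.exe", forged),
        "unrelated": SuspectFile("notes.txt", "/users/temp/notes.txt", b"hello"),
    }
    return {label: analyse(f) for label, f in cases.items()}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, "malicious" if verdict.malicious else "clean", verdict.inconsistencies)
```

The split matters for false positives: a file that never claims to be a system file (no reserved name, no vendor marker) is left alone by this check, while a file that does claim to be one is judged on every attribute, so a single inconsistency such as an unexpected location or a changed hash is enough to treat it as a forgery.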