System and method for kernel-level pestware management

US 20070094496A1
Filed: 10/25/2005
Published: 04/26/2007
Est. Priority Date: 10/25/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing pestware on a protected computer comprising:

rerouting a call to create a process to a kernel-level process monitor;

identifying a file associated with the process;

analyzing the file so as to determine whether the file is a pestware file; and

preventing, in response to the file being identified as a pestware file, the process from being created.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing pestware on a protected computer are described. One embodiment is configured to reroute a call to create a process to a kernel-level process monitor, identify a file associated with the process and analyze the file so as to determine whether the file is a pestware file. If the file is a pestware file, then the process is prevented from being created. In variations, the kernel-level process monitor is a kernel-mode driver adapted to communicate with a pestware application residing in a user-level of memory.

Citations

19 Claims

1. A method for managing pestware on a protected computer comprising:
- rerouting a call to create a process to a kernel-level process monitor;
  
  identifying a file associated with the process;
  
  analyzing the file so as to determine whether the file is a pestware file; and
  
  preventing, in response to the file being identified as a pestware file, the process from being created.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the rerouting includes altering a table in an operating system of the protected computer so as to direct the call to create the process to the kernel-level process monitor.
  - 3. The method of claim 1, wherein the rerouting includes altering code in the operating system of the protected computer so as to direct the call to create the process to the kernel-level process monitor.
  - 4. The method of claim 3, wherein the altering the code includes adding a jump instruction to code of the operating system, wherein the jump instruction reroutes the call to create the process to the kernel-level process monitor.
  - 5. The method of claim 1 including:
    - initiating, in response to the analyzing determining that the file is not a pestware file, execution of code to create the process.
  - 6. The method of claim 1, wherein the analyzing includes comparing a least a portion of the file with pestware definitions.
  - 7. The method of claim 1, wherein the kernel-level process monitor is a kernel mode driver.

8. A system of managing pestware, comprising:
- a pestware detection module configured to analyze a file of a protected computer so as to determine whether the file is associated with pestware; and
  
  a kernel-level process monitor configured to notify the pestware detection module of an attempt to create a process that is associated with the file; and
  
  prevent the process from being created in response to the pestware detection module identifying the file as being associated with pestware.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, wherein the pestware detection module resides in a user-level operating space of the protected computer.
  - 10. The system of claim 8, wherein the kernel-level process monitor is configured to initiate code to create the process in response to the pestware detection module determining that the file is not a pestware file.
  - 11. The system of claim 8, wherein the kernel-level process monitor is a kernel mode driver.

12. A computer readable medium encoded with instructions for managing pestware on a protected computer, the instructions comprising instructions for:
- generating a kernel-level process monitor at the protected computer; and
  
  altering an operating system of the protected computer so as to reroute a call to create a process from the operating system to the kernel-level process monitor;
  
  wherein the kernel-level process monitor is configured to prevent the process from being created in response to a file corresponding to the process being identified as a pestware file.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer readable medium of claim 12 including instructions for initiating, in response to the analyzing determining that the file is not a pestware file, execution of code to create the process.
  - 14. The computer readable medium of claim 13 including instructions for comparing a least a portion of the file with pestware definitions.
  - 15. The computer readable medium of claim 12 wherein the instructions for generating a kernel-level process monitor include instructions for generating the kernel-level process monitor as a kernel mode driver.
  - 16. The computer readable medium of claim 12 wherein the instructions for altering include instructions for altering a table of the operating system so as to reroute the call to create the process from the operating system to the kernel-level process monitor.
  - 17. The computer readable medium of claim 16 wherein the instructions for altering the table include instructions for altering a system call table.
  - 18. The computer readable medium of claim 12 wherein the instructions for altering the table include instructions for altering an interrupt descriptor table.
  - 19. The computer readable medium of claim 12 wherein the instructions for altering include instructions for altering code of the operating system so as to reroute the call to create a process to the kernel-level process monitor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Burtscher, Michael

Application Number

US11/257,609
Publication Number

US 20070094496A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/561 Virus type analysis

G06F 21/564 by virus signature recognition

System and method for kernel-level pestware management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for kernel-level pestware management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links