Malware and spyware attack recovery system and method
Abstract
A method and computer program product with encoded instructions provides for repeatedly making data backups for files by making a series of snapshots of file storage volumes containing the files. The method and computer product further provide for determining that a malware attack has occurred, identifying corrupted files and, for each corrupted file, scanning the series of snapshots to identify an uncorrupted version of the file. Each corrupted file is restored to an uncorrupted version thereof. An event log contains write events and snapshot creation events corresponding to creation of each of the snapshots. A forensic scan scans the event log to determine modifying writes made by the corrupted files and which modified further files. The further files are restored to unmodified versions thereof. A list of at-risk files includes the corrupted files and the further files and the forensic scan is repeated on the at-risk files.
51 Claims
1. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof.
(Dependent claims 2 to 25 depend on claim 1.)
26. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring said file to said most recent uncorrupted version thereof;
f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
h) restoring each of said further files to an unmodified version thereof;
i) defining a first list of at-risk files comprising said corrupted files and said further files; and
j) identifying additional files of said plurality of files that were modified by said at-risk files.
27. A computer program product with encoded instructions for performing operations comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof.
(Dependent claims 28 to 50 depend on claim 27.)
51. A computer program product with encoded instructions for performing operations comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring said file to said most recent uncorrupted version thereof;
f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
h) restoring each of said further files to an unmodified version thereof;
i) defining a first list of at-risk files comprising said corrupted files and said further files; and
j) identifying additional files of said plurality of files that were modified by said at-risk files.
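The recovery loop of claims 26 and 51 (newest-first snapshot scan, event log of writes and snapshot creations, forensic scan for files modified by corrupted files, at-risk list, repeated scan) as an added Python simulation. This is illustrative code written for this page, not an implementation from the patent; the `ENC:` corruption marker, the file names and the event log are constructed sample data.

```python
from collections import namedtuple
# Event-log entry: file `writer` performed a write that modified file `target`.
Write = namedtuple("Write", "seq writer target")

def is_corrupted(content):
    return content.startswith("ENC:")  # hypothetical detector keyed to the sample's marker

# Constructed sample (not from the patent): SNAPSHOTS[i] maps file -> content at
# snapshot i; EVENTS interleaves ("snap", i) markers and Write records in time order.
SNAPSHOTS = [
    {"app.exe": "app-v1", "report.doc": "quarterly", "config.ini": "cfg-v1"},
    {"app.exe": "app-v1", "report.doc": "quarterly", "config.ini": "cfg-v1", "dropper.exe": "ENC:stage1"},
    {"app.exe": "ENC:app", "report.doc": "quarterly", "config.ini": "cfg-v2", "dropper.exe": "ENC:stage1"},
]
EVENTS = [("snap", 0), ("snap", 1), Write(1, "dropper.exe", "app.exe"),
          Write(2, "app.exe", "config.ini"), ("snap", 2),
          Write(3, "config.ini", "report.doc"), Write(4, "app.exe", "config.ini")]

def latest_clean_version(name, snapshots):
    """Step d: newest-first scan for the most recent uncorrupted version (None = no clean copy exists)."""
    for snap in reversed(snapshots):
        if name in snap and not is_corrupted(snap[name]):
            return snap[name]
    return None

def snapshot_before(seq, events):
    """Index of the last snapshot created before write event `seq` (the unmodified version, step h)."""
    last = None
    for ev in events:
        if isinstance(ev, Write) and ev.seq >= seq:
            break
        if not isinstance(ev, Write):
            last = ev[1]
    return last

def recover(snapshots, events, corrupted):
    """Steps d-j: restore corrupted files, then repeat the forensic scan until no further files turn up."""
    restored = {name: latest_clean_version(name, snapshots) for name in corrupted}
    at_risk, frontier = set(corrupted), set(corrupted)
    while frontier:
        further = set()
        for ev in events:
            if (not isinstance(ev, Write) or ev.writer not in frontier
                    or ev.target in at_risk or ev.target in further):
                continue  # not a write by a frontier file, or target already handled (earliest write wins)
            idx = snapshot_before(ev.seq, events)
            restored[ev.target] = None if idx is None else snapshots[idx].get(ev.target)
            further.add(ev.target)
        at_risk, frontier = at_risk | further, further
    return restored, at_risk
```

A `None` in the returned map means no uncorrupted version exists in any snapshot (here the dropper itself), so the only restore is removal; the transitive scan is what catches report.doc, which the malware never touched directly.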